If you haven't already run in the latest Java patch (issued yesterday), here's another good reason to do so: someone has turned up an exploit that uses signed code. In this post, Eric Romang looks at a malicious applet that comes with a signature using credentials stolen from Clearesult Consulting in the US. The stolen …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Tuesday 5th March 2013 23:21 GMT pixl97

Other Java Issues.

Off on a tanget to the article, but

The Java installer sucks (yes we already knew that with the Ask toolbar)

Resets Java update settings. Set java to download before installing and set it to daily. Install new update. It's now reset to monthly and warn before downloading.

I've had to reinstall J7v17 twice on many systems as it doesn't install the browser plug-in to IE or Firefox correctly. These days I'd consider this a benefit other then the computers really needed it for apps to work.

0 0
1. Wednesday 6th March 2013 09:45 GMT Dan 55
  
  Re: Other Java Issues.
  
  Hate to say this but even Adobe have pulled their finger out with Flash, updating is almost invisible. Not sure what Oracle's excuse is.
  
  2 0
This post has been deleted by its author
This post has been deleted by its author
Wednesday 6th March 2013 00:20 GMT Captain DaFt

Waiting for it to happen.

Given all the press about Java exploits, and the high rate of patches lately, I'm a bit surprised that no one's tried pushing out a zero-day exploit disguised as a Java patch yet.

1 0
1. Wednesday 6th March 2013 03:53 GMT Ole Juul
  
  Re: Waiting for it to happen.
  
  Actually, there should be quite a number of opportunities for AV hawkers of all kinds.
  
  0 0
2. Wednesday 6th March 2013 08:15 GMT TeeCee
  
  Re: Waiting for it to happen.
  
  I'm a bit surprised that no one's tried pushing out a zero-day exploit disguised as a Java patch yet.
  
  Yet? Ask.com have been doing that for years......
  
  0 0
Wednesday 6th March 2013 09:43 GMT Dan 55

Too much confusion over Java security settings

Sorry to say this but I told you so. Oracle's advice is wrong, Oracle's spokesbloke says, 'In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin' but 'high' does not pop up a dialog when it runs signed code so it contradicts this advice and wouldn't have stopped this app. You need the settings on 'very high' for it to do that.

Secondly signed applets do not mean malware free applets, as shown here.

Finally do we trust Oracle's new security settings enough to believe that it always pops up dialogs when it should and that a applet with malware can't be engineered to get round them? I don't.

1 0
1. Wednesday 6th March 2013 10:53 GMT Anonymous Coward
  
  Re: Too much confusion over Java security settings
  
  To put that more simply, Java is malware.
  
  The sooner a new pope is appointed, and Java is declared a heresy punishable by excommunication the better. As a non-catholic myself that'd only be symbolic, but we're a bit short of alternative (quasi-valid) claimants to any form of moral authority.
  
  1 0
Wednesday 6th March 2013 20:10 GMT g7rp0

Just dont user it

I have a Windows XP vm for when I actually need to use java, the rest of the time I use a machine that doesnt even have a whisper of Java on it, even having it installed is asking for trouble tbh

0 0
Thursday 7th March 2013 23:42 GMT Anonymous Coward

J7 17 triggers Tamper Protection alert

I just installed JRE 7 Update 17 on an XP machine that's running Symantec Endpoint Protect, and got 7 Tamper Protection Alerts. I've managed to eliminate java from all but a handful of machines that need it to access specific tools, but I'm not sure whether this latest update isn't a bigger risk than what it's supposed to protect from!

0 0