

Windows 7: Security experts on Java: Fixing zero-day exploit could take 'two year


14 Jan 2013   #1
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 
Security experts on Java: Fixing zero-day exploit could take 'two year

And it just keeps getting better & better.....

Quote:
The problem was severe enough for the firm to release an emergency patch -- Java 7 Update 11 -- over the weekend. However, security experts have warned that the changes do not go far enough.

Security researcher Adam Gowdiak from Security Explorations has been keeping an eye on the software flaws in Java over the past year. Once Gowdiak analyzed the latest update to Java, he found that the patch still leaves a number of "critical security flaws," according to Reuters. This statement, mirrored by AlienVault Labs' Jaime Blasco who branded Oracle's offering as a "mess," was later reinforced by the firm's recommendation against using the software.

"We don't dare to tell users that it's safe to enable Java again," Gowdiak commented.
Security experts on Java: Fixing zero-day exploit could take 'two years' | ZDNet

Zero-Day paranoia and the reality of modern web browsing | ZDNet

Quote:
From my understanding of the exploit in question, it uses a weakness inherent in the Java VM that allows remote code execution of malicious software.

What does that mean, exactly?

Well, it means that if you have Java installed on your machine, and you have the plugin for Java web start apps enabled in your browser, that means that a piece of bytecode (software loaded from a website that uses Java) that is executed from within the Java VM installed on your PC can call outside of its supposedly sandboxed environment to your operating system and execute a "payload".

This payload is presumably software that the hacker has managed to get onto your computer through social engineering or even through the Java plugin itself.

In other words, by visiting these illicit sites, you put the software on your computer that the hacker can now command to steal your information, monitor your keystrokes, et cetera.




14 Jan 2013   #2
ICit2lol

Desk1 8 Pro / Desk2 7 Home Prem / Laptop 8.1 Pro all 64bit
 
 

Yep, just found this one, Borg. Looks pretty grim for Java / Oracle, eh?
14 Jan 2013   #3
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 

Yepperz. Considering that there are some sites/programs that just won't work without Java, it's looking pretty bad.

For instance, I'm running OpenOffice & that requires it. If I turn off the scripting when I go to my school site, I can't see 1/2 the stuff OR take my online tests.....

I'm really hoping the experts are wrong on this & Oracle kicks its butt into high gear to fix this....

14 Jan 2013   #4
Golden

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64
 
 

I guess this is related?

Quote:
ORACLE is distributing a patch for Java software flaws deemed so dangerous the US Department of Homeland Security says people should stop using it.
Oracle patches dangerous Java holes | adelaidenow
14 Jan 2013   #5
Da Don

win 7home prem 32bits
 
 

Yes siree, that is another way to really screw your world up, patch from hell.
14 Jan 2013   #6
MWRed

Windows 7 Home Premium
 
 

I mentioned over on the VF that at work, I have a site that I have to go to everyday to put in shipping info for a particular company.
Their site is entirely Java. Slow, crashes, and now this crap.
Maybe this will help them get their head out of their rear and do something different.
They are a well-known company (if you're old enough, think "we bring good things to life"), and I can't see why they have such a crap site for their incoming shipments.
14 Jan 2013   #7
Alejandro85

Windows 7 Ultimate x64
 
 

What about antiviruses to stop the bad guys, firewalls to prevent a virus from calling home, UAC to prevent it from touching system areas, low integrity to prevent it from touching anything user-related, and most important what about common sense?

I think those articles are just alarming people more than they should. Really, anyone with a serious enough security configuration can probably be reasonably safe. I'm not saying that there are no flaws, every program has its backholes and internet facing ones are particularly dangerous, but from there to hurrying everyone to blow up their Java installs for a security vulnerability that probably existed since many years ago seems too much to me. Take caution, yes, but don't become paranoid.
14 Jan 2013   #8
mjf

Windows 7x64 Home Premium SP1
 
 

Quote: Originally Posted by Borg 386
Yepperz. Considering that there are some sites/programs that just won't work without Java, it's looking pretty bad.

For instance, I'm running OpenOffice & that requires it. If I turn off the scripting when I go to my school site, I can't see 1/2 the stuff OR take my online tests.....

I'm really hoping the experts are wrong on this & Oracle kicks its butt into high gear to fix this....

I've only played with OpenOffice and LibreOffice, but can't you disable the Java requirement by going into Tools>Options? The features disabled may not be important to you.

Separate to the above:
I forgot that I had a Java app that I use from time to time so I'm looking at the Java to exe convert tools.
14 Jan 2013   #9
bdstx4

Windows 7 professional 64
 
 

Reading about the Java7 update11 patch yesterday, it amounts to only changing the given surfing website from Medium to High security. Oracle surmises a malicious java script will have to ask the user permission to run. Not much of a fix to me.
Ever since Oracle bought Sun, Java support from them is lousy. Keep java browser disabled when possible until a "more true" fix is available. Until the next Java problem. No Script extension for Firefox can help with toggling off for particular websites. IMHO
14 Jan 2013   #10
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

I'm wondering why it is taking so long to fix this Java problem. Some say it might take months or even years; why