Yep, just found this one, Borg. Looks pretty grim for Java / Oracle, eh?
And it just keeps getting better & better.....
Security experts on Java: Fixing zero-day exploit could take 'two years' | ZDNet
The problem was severe enough for the firm to release an emergency patch -- Java 7 Update 11 -- over the weekend. However, security experts have warned that the changes do not go far enough.
Security researcher Adam Gowdiak from Security Explorations has been keeping an eye on the software flaws in Java over the past year. Once Gowdiak analyzed the latest update to Java, he found that the patch still leaves a number of "critical security flaws," according to Reuters. This statement, mirrored by AlienVault Labs' Jaime Blasco who branded Oracle's offering as a "mess," was later reinforced by the firm's recommendation against using the software.
"We don't dare to tell users that it's safe to enable Java again," Gowdiak commented.
Zero-Day paranoia and the reality of modern web browsing | ZDNet
From my understanding of the exploit in question, it uses a weakness inherent in the Java VM that allows remote code execution of malicious software.
What does that mean, exactly?
Well, it means that if you have Java installed on your machine, and you have the plugin for Java web start apps enabled in your browser, that means that a piece of bytecode (software loaded from a website that uses Java) that is executed from within the Java VM installed on your PC can call outside of its supposedly sandboxed environment to your operating system and execute a "payload".
This payload is presumably software that the hacker has managed to get onto your computer through social engineering or even through the Java plugin itself.
In other words, by visiting these illicit sites, you put the software on your computer that the hacker can now command to steal your information, monitor your keystrokes, et cetera.
Yepperz. Considering that there are some sites/programs that just won't work without Java, it's looking pretty bad.
For instance, I'm running OpenOffice & that requires it. If I turn off the scripting when I go to my school site, I can't see 1/2 the stuff OR take my online tests.....
I'm really hoping the experts are wrong on this & Oracle kicks its butt into high gear to fix this....
I guess this is related?
Oracle patches dangerous Java holes | adelaidenow
ORACLE is distributing a patch for Java software flaws deemed so dangerous the US Department of Homeland Security says people should stop using it.
I mentioned over on the VF that at work, I have a site that I have to go to everyday to put in shipping info for a particular company.
Their site is entirely Java. Slow, crashes, and now this crap.
Maybe this will help them get their head out of their rear and do something different.
They are a well known company (if you're old enough, think "we bring good things to life"), and I can't see why they have such a crap site for their incoming shipments.
What about antiviruses to stop the bad guys, firewalls to prevent a virus from calling home, UAC to prevent it from touching system areas, low integrity to prevent it from touching anything user-related, and most important what about common sense?
I think those articles are just alarming people more than they should. Really, anyone with a serious enough security configuration can probably be reasonably safe. I'm not saying that there are no flaws, every program has its backholes and internet facing ones are particularly dangerous, but from there to hurrying everyone to blow up their Java installs for a security vulnerability that has probably existed for many years seems too much to me. Take caution, yes, but don't become paranoid.
I've only played with OpenOffice and LibreOffice, but can't you disable the Java requirement by going into Tools>Options? The features disabled may not be important to you.
Separate to the above:
I forgot that I had a Java app that I use from time to time so I'm looking at the Java to exe convert tools.
Reading about the Java 7 Update 11 patch yesterday, it amounts to only changing the given surfing website from Medium to High security. Oracle surmises a malicious Java script will have to ask the user permission to run. Not much of a fix to me.
Ever since Oracle bought Sun, Java support from them is lousy. Keep Java in the browser disabled when possible until a "more true" fix is available. Until the next Java problem. The NoScript extension for Firefox can help with toggling it off for particular websites. IMHO
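The two settings the post above talks about (the Medium-to-High security level that 7u11 introduced, and keeping Java out of the browser) both live in the Java deployment.properties file, so a defender can audit and enforce them rather than trusting the Control Panel slider. The script below is an added example, not code from Oracle or from anyone in this thread. It assumes the Java 7 property names deployment.security.level and deployment.webjava.enabled (verify them against your installed version), parses a constructed sample file embedded inline, and reports what a hardened copy would look like. Where the real file lives is also an assumption: per-user under ~/.java/deployment/ on Linux and under AppData\LocalLow\Sun\Java\Deployment\ on Windows, as I recall.

```python
"""Audit and harden a Java 7 deployment.properties file.

Added example for this thread; not Oracle's code. The property names
deployment.security.level and deployment.webjava.enabled are assumed from the
Java 7u10+ Control Panel configuration and should be verified locally.
"""
import re
import sys

# Constructed sample of a per-user deployment.properties (not a real file).
SAMPLE_PROPERTIES = """#deployment.properties
#Sat Jan 12 10:00:00 GMT 2013
deployment.version=7.11
deployment.javaws.version=javaws-7.11
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
deployment.browser.path=C\\:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe
"""

# Slider levels from least to most restrictive (assumed ordering of the
# Java 7u10+ Control Panel slider).
LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]
TARGET_LEVEL = "HIGH"  # the level 7u11 made the default, per the thread

# Key, optional whitespace, then '=' or ':' as separator; keys may contain
# backslash-escaped characters, which Java writes for ':' and '\'.
_KEY_RE = re.compile(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def _is_comment(line):
    stripped = line.lstrip()
    return not stripped or stripped[0] in "#!"


def parse_properties(text):
    """Parse Java .properties text into a dict, undoing Java's escaping."""
    props = {}
    for raw in text.splitlines():
        if _is_comment(raw):
            continue
        m = _KEY_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # '\:' -> ':', '\\' -> '\', and so on
        props[key] = re.sub(r"\\(.)", r"\1", value)
    return props


def audit(text):
    """Return the current state plus the findings a defender would flag."""
    props = parse_properties(text)
    # Missing keys fall back to the pre-7u11 defaults described in the thread.
    level = props.get("deployment.security.level", "MEDIUM").upper()
    webjava = props.get("deployment.webjava.enabled", "true").lower() != "false"
    findings = []
    rank = LEVELS.index(level) if level in LEVELS else -1
    if rank < LEVELS.index(TARGET_LEVEL):
        findings.append("security level %s is below %s" % (level, TARGET_LEVEL))
    if webjava:
        findings.append("Java browser plugin is enabled (deployment.webjava.enabled)")
    return {"level": level, "webjava_enabled": webjava, "findings": findings}


def harden(text, level=TARGET_LEVEL, disable_plugin=True):
    """Return the text with the level raised and the plugin disabled.

    Existing keys are rewritten in place and missing ones appended, so every
    other setting and comment in the file is left untouched.
    """
    wanted = {"deployment.security.level": level}
    if disable_plugin:
        wanted["deployment.webjava.enabled"] = "false"
    out, seen = [], set()
    for raw in text.splitlines():
        m = None if _is_comment(raw) else _KEY_RE.match(raw.strip())
        key = m.group(1) if m else None
        if key in wanted:
            out.append("%s=%s" % (key, wanted[key]))
            seen.add(key)
        else:
            out.append(raw)
    for key, value in wanted.items():
        if key not in seen:
            out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Pass a real deployment.properties path to audit it; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    report = audit(text)
    for finding in report["findings"] or ["no findings"]:
        print("-", finding)
    print("\nhardened copy:\n" + harden(text))
```

Running it without arguments audits the constructed sample (level MEDIUM, plugin enabled) and prints a hardened copy; running it against a real file only reads and prints, so writing the result back is a deliberate second step.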
I'm wondering why it is taking so long to fix this Java problem. Some say it might take months or even years; why