Java 1.7 Security

Why you should probably disable Java now
By Will Oremus, Slate - 9/1/201

---

Hackers have found a flaw in Oracle’s Java software that allows them to break into users’ computers and install nasty malware, security experts report. The attack, first spotted on Sunday by researchers at the security firm FireEye, is what security types call a "zero-day" threat, exploiting a previously unknown vulnerability for which there is currently no fix available.

The loophole appears to affect Java Version 7 (also known as 1.7) on all browsers. So far the attacks have been against PCs, but Mac users are vulnerable as well. Businesses should be especially concerned about targeted attacks, but just about anyone who uses Java on the Internet is at risk, especially since the attack has been added to the Internet’s most popular hacking kit, BlackHole.

Given the potential seriousness and pervasiveness of the attacks - and Oracle’s reputation for being slow on the draw in response to Java vulnerabilities - experts say that everyday Internet users should probably just disable Java entirely. Like, right now.

"Java has been the most exploited program for well over a year now and it simply isn’t worth the risk," Chet Wisniewski of the security firm Sophos told me in an email. "I would recommend removing Java entirely, if you can."

That’s not as problematic as it might sound. Java is not as popular on websites as it once was, and the average browser will rarely run across it, Wisniewski says.
.....
For those who can’t live without Java, Wisniewski’s blog post at Naked Security offers a few other suggestions.
One final point: This flaw does not appear to affect the previous version of Java (Version 6, aka 1.6), which is the default on most Macs. So while Mac users are theoretically as vulnerable as Windows users, only those who have specifically installed Java 1.7 should be at risk.

---

I uninstalled Java v1.7 downloaded but did not install v1.6.
Browser add-ons
IE9 - no problem
Mozilla 15 - javadeployment plugin shows up after Java uninstall. (C:\Windows\syswow64\npdeployJava1.dll)
---> must have been left over in my registry before I learned more about 32/64 versions (64 bit java only for 64 bit browsers). I renamed it to npdeployJava1.dl0 and cCleaned the registry - only for Java entries (program - not javascript).

While I was at it, I updated OpenOffice to see how it would work without Java. Seems to be ok, but I haven't done much other than open a few Calc and Write files.

If other apps run fine without Java, I'll leave it off.

Side note: I read a discussion about OpenOffice and LibreOffice - seems as though they're the same base (sort of). Oracle donated OpenOffice to Apache - some folks left OpenOffice before that and started LibreOffice, essentially using the same base code (Novell OpenOffice). We'll see how this all plays out.

Hello Slartybart I saw an alert for this in How to Geek this morning plus my Kaspersky is now flashing up alerts for legal software that can be used by crims.

Well removed Java quiet awhile ago and haven't had any problems either. Java has been attacked a lot recently.

Layback Bear said:

Well removed Java quiet awhile ago and haven't had any problems either. Java has been attacked a lot recently.

Hiyya LB so I have got it right - you removed everything? as I sometimes get stuff that says I need Java to run it can't think of one off the top of my head but is there on occasions.

Yes I did. If down the road I need Java for something I'm doing I will just install the newest versions. In the mean time I don't need it and it's being attacked quiet often.
Their are some programs out there that need it and people just have to check Java for updates at least once a day.

Thanks Layback Bear I might just uninstall my self and maybe reinstall as that would the latest updates at least one would hope. Mind you I might just try the watch and wait approach.

Just make sure when and if you decide to install or update Java you use their website. The people attaching Java know people are looking for updates and could put false updates out their on normally good websits.

Ok mate I usually do from their website but I do know what you mean - I had a scam tried on me recently that had a genuine looking PayPal invoice.

If the fellow had not been so greedy and the grammar a tad better plus the fool at the finish wanted a deal that well you would have to be mad to agree to I might have been a few hundred $'s lighter now:)

Umm, according to what I've read - the latest version IS the problem.

Java 1.6 does not appear to have the vulnerability. Of course you should verify that with your own trusted sources.

Slartybart said:

Why you should probably disable Java now
By Will Oremus, Slate - 9/1/201

.....
One final point: This flaw does not appear to affect the previous version of Java (Version 6, aka 1.6), which is the default on most Macs. So while Mac users are theoretically as vulnerable as Windows users, only those who have specifically installed Java 1.7 should be at risk.

---

All day and not one application complained about Java missing. I do recall some apps used to require it (OpenOffice and perhaps Taxcut) - but oOffice is fine. I also changed the configuration - unticked the "Use JRE" box (on the Java sub menu).