Critical security issue affecting Java SE 5/6/7

Discussion in 'other security issues & news' started by iammike, Sep 26, 2012.

Thread Status:
Not open for further replies.
  1. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    276
    Location:
    SE Asia
    Link: -http://seclists.org/fulldisclosure/2012/Sep/170-
     
  2. Amin

    Amin Registered Member

    Joined:
    May 16, 2012
    Posts:
    437
    Location:
    UK
    Now all the versions of Java are vulnerable!
    Maybe I'd have to turn off the computer or continue using Fedora!
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Here we go again. Is this anything new with Java junk?
     
  4. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    I've uninstalled Java. So far there haven't been any issues in doing this. :thumb:
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    The best feature of Java is the uninstall button. :p I never had to remove something that's never touched my system in the first place.
     
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  7. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Is Oracle trying to go for a record here, or does anyone at Oracle do any sort of looking at the code they release? The occasional flaw is completely normal, just part of the game. However, this is what, the third or fourth problem in maybe 2 months? I mean, they patched an exploit with an exploitable patch... it was found the day after, I think.

    Oracle is really showing they can't be trusted, in my own opinion of course. I can't sit here and act like what the developers and coders do is easy, but enough is enough. Java applets need to be dumped. Whether for games, office software or whatever, it is time to go.
     
  8. In Oracle's defense, ActiveX used to be plagued with similar problems; and JS engines have had their share of vulnerabilities, though JavaScript is not as big a vector as it used to be. IMO any full-featured language that can be run inside a browser is a potential hazard, sandbox or no.
     
  9. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    And ActiveX, outside of use with MS applications, has all but vanished. I'd also say that JavaScript is still doing just fine at getting malware on a system, although both Flash in the past and now Java are riskier.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Java is an incredibly tempting target. This is not going to change.

    1) Oracle is slow to patch.

    2) Java exploits are cross platform.

    3) Java takes no extraordinary measures to secure itself.

    4) JIT'd code can't benefit from DEP. You need all new hardening techniques.

    The fact that Oracle only patches every 4 months, they rarely release critical patches, and their installer is crap only makes things worse.

    But Java is still used on various sites.
     
  11. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    The updater isn't worth a darn either. I don't remember the last time I was actually informed of an update by Java itself. It takes finding out on one of the tech websites and a trip to the Java site for a manual install. Come to think of it, Secunia PSI didn't even tell me of the last security update. But that's not really relevant here.
     
  12. ZZZ7

    ZZZ7 Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    72
    Very, very few.

    I've had Java disabled in all my browsers for years and very seldom have had to enable it, unless it's to play games at either Pogo or Yahoo.

    It should be disabled at all times for most users.

    Oracle and Adobe are both joke companies with their porous software.
     
  13. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Ahh, Pogo for you too, huh? That's the sole reason I still have Java. You'd think that after they went through and made some older games Flash, they'd finish the job. Then again, it looks like they are kind of letting the place just slowly die out. No longer do you usually get put in rooms with other players, games you used to be able to play a while suddenly cut you off after so long, and the "ad breaks" are starting to increase. Maybe soon those in the house that like the place will get frustrated and quit (the above mentioned things are actually starting to have that effect).

    As far as Adobe being a joke, they've come a long way. Sandboxing Reader, tightening up Flash and patches coming quicker and without the idiocy of new patches that actually have the same flaw as the issue that was being patched. I still can't wrap my head around that Oracle debacle... by the way, have they even fixed this new problem yet?
     
  14. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    When is the next patch due? October?
     
  15. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    628
    Location:
    In His Service
    I'm thinking those bad guys must be getting paid good wages to take Java apart. How much do you suppose Java gets paid to fight back?
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    True, the bad guys make good money. The money in Java would have come from the patent lawsuits they don't seem to be winning. :ouch:
     
  17. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    I haven't been to Pogo in years, since it was already starting to go downhill, but do try to get into Freeslots more or less daily since I like video poker and that's one of the rare slots which is at least partly skill on top of luck.

    Now that Firefox has added that click-to-play feature, supposedly affecting all plug-ins, I've set permissions to allow Java there but globally "ask" otherwise. Hopefully that will shield me from the current vulnerabilities.

    I was interested that in the notice quoted in the OP, it includes Firefox 15.0.1 as one of the vulnerable browsers, but makes no mention at all of whether or not click-to-play was active when they tested it.
     