Critical security issue affecting Java SE 5/6/7

Link: -http://seclists.org/fulldisclosure/2012/Sep/170-

 

now all the versions of java are vulnerable !
maybe i'd have to turn off the computer or continue using fedora !

 

Here we go again,Is this anything new with Java junk.

 

Ive uninstalled java.So far there hasnt been any issues in doing this.

 

The best feature of Java is the uninstall button. I never had to remove something thats never touched my system in the first place.

 

Newly-Discovered Java Vulnerability Enables Bypass of Security Sandbox. Another Serious Java Flaw Emerges. New Java exploit puts 1 billion Macs and PCs at risk Now is the time, more than ever, do you need Java ?

 

Is Oracle trying to go for a record here, or does anyone at Oracle do any sort of looking at the code they release? The occasional flaw is completely normal, just part of the game. However, this is what, the third or fourth problem in maybe 2 months? I mean, they patched an exploit with an exploitable patch..it was found the day after I think.

Oracle is really showing they can't be trusted, in my own opinion of course. I can't sit here and act like what the developers and coders do is easy, but enough is enough. Java applets need to be dumped. Whether for games, office software or whatever, it is time to go.

 

In Oracle's defense, ActiveX used to be plagued with similar problems; and JS engines have ahd their share of vulnerabilities, though Javascript is not as big a vector as it used to be. IMO any full-featured language that can be run inside a browser is a potential hazard, sandbox or no.

 

And Active-X, outside of use with MS applications, has all but vanished. I'd also say that Javascript is still doing just fine at getting malware on a system, although both Flash in the past and now Java are riskier.

 

Java is an incredibly tempting target. This is not going to change.

1) Oracle is slow to patch.

2) Java exploits are cross platform.

3) Java takes no extraordinary measures to secure itself

4) JIT'd code can't benefit from DEP. You need all new hardening techniques.

The fact that Oracle only patches every 4 months, they rarely release critical patches, and their installer is crap only makes things worse.

But Java is still used on various sites.

 

The updater isn't worth a darn either. I don't remember the last time I was actually informed of an update by Java itself. It takes finding out on one of the tech websites and a trip to the Java site for a manual install. Come to think of it, Secunia PSI didn't even tell me of the last security update. But that's not really relevant here.

 

Very,very few.

I've had java disabled in all my browsers for years and very seldom have had to enable it ,unless it's to play games at either Pogo or Yahoo.

It should be disabled at all times for most users.

Oracle and Adobe are both joke companies with their porous software.

 

Ahh, Pogo for you too, huh? That's the sole reason I still have Java. You'd think that after they went through and made some older games Flash, they'd finish the job. Then again, it looks like they are kind of letting the place just slowly die out. No longer do you usually get put in rooms with other players, games you used to be able to play a while suddenly cut you off after so long, and the "ad breaks" are starting to increase. Maybe soon those in the house that like the place will get frustrated and quit (the above mentioned things are actually starting to have that affect).

As far as Adobe being a joke, they've come a long way. Sandboxing Reader, tightening up Flash and patches coming quicker and without the idiocy of new patches that actually have the same flaw as the issue that was being patched. I still can't wrap my head around that Oracle debacle...by the way, have they even fixed this new problem yet?

 

When is the next patch due? October ?

 

I'm thinking those bad guys must be getting paid good wages to take Java apart how much do you suppose Java gets paid to fight back?

 

True, the bad guys make good money. The money in Java would have come from the patent lawsuits they don't seem to be winning.

 

I haven't been to Pogo in years, since it was already starting to go downhill, but do try to get into Freeslots more or less daily since I like video poker and that's one of the rare slots which is at least partly skill on top of luck.

Now that Firefox has added that click-to-play feature, supposedly affecting all plug-ins, I've set permissions to allow Java there but globally "ask" otherwise. Hopefully that will shield me from the current vulnerabilities.

I was interested that in the notice quoted in the OP, it includes Firefox 15.0.1 as one of the vulnerable browsers, but makes no mention at all of whether or not click-to-play was active when they tested it.