Disable JAVA

Or only use your browser on sites known to be clean, or use a dedicated ‘browsing’ environment such as a ‘boot from CD’ system or a virtual machine.
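One concrete way to act on the "disable Java" advice, as an added example that is not part of the original post: a POSIX shell script that looks for the Java browser plug-in in the usual plug-in directories and moves it aside so the browser can no longer load it. Of the three options above it is the only one that does not depend on trusting the site you visit. The file and directory names are my assumptions about a standard layout (libnpjp2.so for Oracle's NPAPI plug-in on Linux, older libjavaplugin*.so names, JavaAppletPlugin.plugin for the OS X bundle, the Firefox plug-in directories); pass other directories as arguments to scan those instead. The JRE itself is untouched, and the check can be re-run after any Java update to confirm nothing has put the plug-in back.

```shell
#!/bin/sh
# Added example, not part of the original post: find the Java browser plug-in
# in the usual plug-in directories and move it aside so the browser cannot
# load it. Only the plug-in file (often a symlink into the JRE) is moved, so
# it can be restored if it is really needed.
#
# Assumptions (standard Firefox/Linux and OS X layouts; pass other
# directories as arguments to override the defaults):
#   libnpjp2.so             Oracle's NPAPI plug-in on Linux
#   libjavaplugin*.so       older Sun plug-in names
#   JavaAppletPlugin.plugin the OS X plug-in bundle

# Print every Java plug-in file found in the given directories (or the
# default ones when called without arguments). Exit status 0 means none
# was found, 1 means at least one is still present for the browser to load.
find_java_plugins() {
    [ $# -gt 0 ] || set -- /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins \
        "$HOME/.mozilla/plugins" "/Library/Internet Plug-Ins"
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/libnpjp2.so "$dir"/libjavaplugin*.so "$dir"/JavaAppletPlugin.plugin; do
            # -L also reports a dangling symlink, so a stale entry is not missed
            [ -e "$f" ] || [ -L "$f" ] || continue
            printf '%s\n' "$f"
            found=1
        done
    done
    [ "$found" -eq 0 ]
}

# Move every plug-in found by find_java_plugins into the backup directory $1,
# renaming each to its full original path with '/' turned into '_' so the
# origin is recorded for a later restore. Remaining arguments are the
# directories to scan (default directories when none are given).
quarantine_java_plugins() {
    backup=$1
    shift
    mkdir -p "$backup"
    find_java_plugins "$@" | while IFS= read -r f; do
        mv "$f" "$backup/$(printf '%s' "$f" | tr / _)"
    done
}

# Usage (uncomment to run against the real plug-in directories):
#   find_java_plugins                              # list what the browser can still load
#   quarantine_java_plugins "$HOME/java-plugin-backup"
#   find_java_plugins && echo "no Java plug-in left"
```

The check returns success only when nothing was found, so it reads naturally in a `&&` chain after the quarantine step; keep the backup directory outside any plug-in path so the moved file is not picked up again.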

Another Java hole:

http://www.theregister.co.uk/2012/09/26/gowdiak_claims_new_java_flaw/

By Simon Sharwood, APAC Editor

Posted in Security, 26th September 2012 03:08 GMT

Oracle’s Java is making a play to wrest back the title of world’s leakiest code from Internet Explorer, after Polish researcher Adam Gowdiak claimed another critical flaw exists in the product.

The new claim is stated on the Full Disclosure mailing list where Gowdiak writes that the newly-found flaw impacts “all latest versions of Oracle Java SE software” and that it allows “a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.” That’s apparently worse than previous exploits, as they only hit Java 7.

Gowdiak also says “the bug allows to violate a fundamental security constraint of a Java Virtual Machine (type safety).”

There’s not much detail beyond what we’ve quoted above, which is a little unusual for a Full Disclosure post.

Another article says Apple has just given up on its own version of Java:

http://www.theregister.co.uk/2012/10/19/apple_banishes_java_from_macos_browsers/

Apple banishes Java from Mac browsers
Fanbois told to install Oracle’s plugin

By Simon Sharwood, APAC Editor
Posted in Software, 19th October 2012 01:32 GMT

Apple has discontinued its own Java plugin, issuing an ‘update’ that removes it from MacOS and encourages users to instead download Oracle’s version of the software.

The update, available now and depicted at the bottom of this story, advises users to install new software with the following effect:

Java for OS X 2012-006 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37. This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

It’s not clear why Apple has taken this decision, but Sophos security researcher Paul Ducklin has blogged his opinion that this regime “may sound like a bug, but for most users, it’s a feature,” given Java’s security issues. Ducklin even suggests Cupertino’s decision may be related to Oracle’s recent release of a security update for Java.

Looks to me like avoiding a security liability and assigning it to Oracle…

Near as I can tell, the folks at Oracle are not very interested in, or capable of, making Java secure.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...

2 Responses to Disable JAVA

  1. philjourdan says:

    Websites are too dependent on Java. Unless you are surfing text, it is hard to get away from it.

    I guess Microsoft has gotten a lot tighter on the code so the hackers are looking elsewhere.

  2. Steve Crook says:

    Oracle got caught with their pants down. I think they expected that people would be happy to wait for their corporate quarterly patch cycle. Strange, when you think they must have been looking at Microsoft's Patch Tuesday for some years. Could they not see the need for something similar for Java?

    From what I remember reading, Apple have only recently woken up to releasing security updates as needed, and it wasn’t so long ago they were implying that their fruity OS was safe from malware (unlike Windows).

    As a developer, if you don’t use Java, what do you use? ActiveX? Flash? JavaScript? None are exactly known for their robust, bug-free state. I’m sure that, when HTML5 is fully available, implementations will also have security problems. Obviously we’d all like code to be reasonably well tested and relatively bug-free, but given that there will always be bugs, it’s not a question of how bug-free the code is, but how quick the fix/release cycle is.
