Just a heads-up that there's at least one zero-day exploit in the wild for Java, possibly two. Oracle apparently almost never patches Java out of cycle; they issue three patches per year, no matter what, and mid-October is the next targeted window.
I suspect they may be pressured into patching sooner, but in the interim, you should seriously consider just removing Java from your system altogether. If you can't do that, disabling the Java plugin in your browser will make you less vulnerable, but the hole in the language will still be present.
It's kind of funny for me, because I just updated Java a few days ago for the NASA Curiosity stuff. Yesterday I just uninstalled it for good.
Companies who make such runtimes need to get their heads around good auto-updaters now. It's something I keep coming back to, but it's a damn shame there's no good central updater within Windows for third parties, and Windows Update doesn't get used as much as it could be. I saw a Skype update through WU last week, which I guess is only because MS own them.
Even the Win8 app store is unsurprisingly only for Metro apps, but then MS seem to be on a course to cut off the legacy old Windows in the next few Windows versions, and probably make stuff like Java irrelevant on their platforms, well, besides the enterprise stuff.
I've been trying Secunia PSI - http://www.secunia.com (as a third-party central update mechanism).
It seems to be relatively straightforward. It scans installed software and compares versions (either via checksum or possibly registry entries) to an external database. It tells you if your versions are out of date, and provides a "click to upgrade" button.
Unfortunately, this doesn't help with regard to things like this Java vulnerability.
Would running NoScript help at all with this?
Scratched wrote:
Companies who make such runtimes need to get their head around good auto-updaters now. It's something I keep coming back to, but it's a damn shame there's no good central updater within windows for third parties, and windows update doesn't get used as much as it could be. I saw a skype update through WU last week, which I guess is only because MS own them.
I've been trying secunia PSI - http://www.secunia.com (as a 3rd party central update mechanism).
It seems to be relatively straightforward. Scans installed software and compares versions (either via checksum or possibly registry entries) to an external database. It tells you if your versions are out of date, and provides a "click to upgrade" button.
Unfortunately, this doesn't help with regards to things like this java vulnerability.
I've looked at/used that before (I think FileHippo have a similar app based off the same framework), and it's kind of half-way to the solution. The companies involved in making the products need to place an emphasis on keeping their stuff up to date for anyone who's using it.
Is it really only three times a year? Seems like the bugger is always interrupting things, to the extent that a policy was put in place that I have to log into every conference room each morning and check for Java updates, then turn off auto-updating again (because it always rechecks itself), just to make sure that one of the board doesn't get a popup in the middle of a presentation.
There are too many things that use Java to just uninstall it.
Well, this is fantastic. Our time entry system at work runs off of Java and has both stand-alone and browser components that are required for it to work properly. Just great Oracle, just great.
Are you confusing Java and Flash, ibdoomed? It seems like Flash updates about every thirty seconds, as they find yet more security holes in that buggy piece of sh*t, but I haven't seen very many Java updates. And Flash does have that thing where it constantly defaults to updating itself, even when you tell it otherwise.
Scratched wrote:
but then MS seem to be on a course to cut off the legacy old windows in the next few windows version,
Which, if they try to actually implement that idea, will probably also cut them off from their customers.
Definitely not confused. We use Flash a lot too, but the new auto-updater is fantastic.
This on the other hand, is almost always rechecked every morning.
Only Java 7, right? If you are on Java 6 you are fine. At least that seems to be what both articles are indicating. Only my laptop had Java 7 on it, so I just removed it and installed Java 6 from here.
edit: Oh I see they are recommending not downgrading. Well, I'll stick with my downgrade for now, I have to have a JRE for my class so I'll stick with 6 for now, lesser of two evils and all that.
A quick Google search found 4 updates this year so far and we still have 4 months left in the year so there are definitely more than 3 a year.
Aaaand uninstalled. Gracias.
Ditto
Okay, so if anyone out there, like me up to about a minute ago, doesn't know the difference between Java and JavaScript, this link alternates between being informative and hilarious. For example:
JavaScript was named this way by Netscape to confuse the unwary into thinking it had something to do with Java, the buzzword of the day, and it succeeded. The two languages are entirely distinct.
The more you know (which settings to leave checked in your browser's security preferences).
Had Java6, uninstalled it before I read it was about version 7. Ah well, not taking chances anyway.
Eh, I never enable Java in the browser. A carry-over from the bad old days when Java applets were everywhere and every single one of them was a vector for infection. Seems we're still in the bad old days...
Malor: Oracle has never cared about Java the language, only as a platform for delivering their crappy tools; I don't know that this is all that surprising.
The only thing I use Java for is playing Minecraft. I'm going to have to think about this.
Thanks for the heads-up, though. I sent it up to our CTO in case he hadn't seen it and didn't realize that it does affect some of our processes at work.
I swear I've seen some games in the past use some form of embedded Java just for their game. Techland ones, I think. That's probably only of minimal use to Mojang, though, seeing as they're a few years down the road they're on already, and I doubt they want to spend time working around someone else's problem, even if it has a major impact on them.
Thanks for the reminder. I read about this on Ars, didn't turn on my computer for a couple of days then forgot about it.
Does this only concern 7?
I wonder if OpenJDK or any of the other Javas are a possible fix. I feel for any enterprise developers that are stuck between a rock and a hard place.
I just went ahead and uninstalled Java 7 and 6 and FX. Basically anything Java got yanked from all 3 systems here at home, and I'll yank it from the Mac shortly, just in case.
I don't need Java until I decide to build an Android app, so bye-bye Java.
Maybe after h-online or Malory tells me the fix actually fixes it, I'll reinstall. Certainly not taking Oracle's word for it.
It seems pretty unlikely that all of them are 7-only, so you would be wise to rid yourself of Java immediately, perhaps permanently.
I can't exactly do that on my two work machines. They are both running 6, and the one can barely see the web, so I think it will be OK.
Well, at least disable the browser plugins. If you can't do that, install NoScript, and then only allow Java on the sites you need to use.
Do the second part anyway.
Selectively whitelist sites for scripting & plugins, don't just let anything that wants to go running crap in your browser.
Chrome has this ability for plug-ins built right in:
(screenshot slightly out-of-date but the option still looks just like that)