Zero-day Java exploit in the wild - first attempted patch still vulnerable

Scratched wrote:
trueheart78 wrote:

t.co

Please don't use url shorteners, you're on a forum that allows links as long as you like, especially when you're linking to something security oriented where it would be nice to know I'm not being diverted somewhere malicious.

It was on a copy / paste on my mobile - not intentional.

Here's your updated URL, and the original has been updated as well.

Oracle emergency Java release

Huzzah!

Scratched wrote:

Huzzah!

'twould truly be ironic if "Trueheart" ended up being a filthy spreader of malicious software :p

Parallax Abstraction wrote:

It burns my IT soul every day to know that our time entry system requires that every machine in our company have Java installed.

The CMS we develop on uses a Java Applet to display part of the editing navigation. So it's even more mission-critical for us to leave the stupid thing enabled. Fortunately, Java 7 doesn't work quite right with it so we've managed to keep our clients from "upgrading" because of that fact. Although I can't remember if the most recent exploits impact Version 6 as well.

shoptroll wrote:

Although I can't remember if the most recent exploits impact Version 6 as well.

From the security advisory, it looks like the most recent one only affected 7, but I seem to remember the previous one affecting a lot more.

trueheart78 wrote:

You should be good for a few hours...

Right on the money. The patch (Java 7u11) was aimed at fixing two equally severe vulnerabilities. The one that made headlines this past week seems to have been successfully resolved, but the other one was not. This fun bedtime read explains some things, and points out that Java 6 seems to remain safe from at least these two buggers.

A close look at how Oracle installs deceptive software with Java updates

Summary: Oracle's Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. With each update, Java actively tries to install unwanted software. Here's what it does, and why it has to stop.

Congratulations, Oracle.

Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.

And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.

Yeah, you really don't want anything from Oracle on your machine if you can possibly help it. It is where software goes to die.

Any updates on this whole thing? I install Java when I have to and then rip it out when I'm done (say, drafting in fantasy football).

garion333 wrote:

Any updates on this whole thing? I install Java when I have to and then rip it out when I'm done (say, drafting in fantasy football).

You don't need to do that. It would be sufficient to just make Java be click-to-run in your browser environment. Chrome has this capability natively, other browsers can get the same behavior with plugins.

Or, in Chrome, you can disable the Java plugin in chrome://plugins/, and re-enable it when you need it.

At the bare minimum, everyone should do the first one. Plugins ought not be automatically run. Especially now in the HTML5 era, plugins are fewer and it's not so inconvenient to click-to-run them when needed.

With the extra foistware in Java, though... honestly, I think it's best just never to let an Oracle product run on your computer, if you can avoid it. They are not to be trusted.

It's kind of a shame, because Java itself got surprisingly good in its era at Sun, but the place that's maintaining it now is the worst of the large software companies, by a huge margin.