Critical Java exploit found, puts 1 billion computers at risk

Oh look, another critical Java security vulnerability has been discovered, something that seems to be a trend for Oracle's widely used software. The exploit, as detailed on SecLists' Full Disclosure mailing list, bypasses the Java security sandbox in all versions of Java from SE 5 to the latest SE 7 Update 7 in the latest versions of all popular browsers.

Basically, if you have a computer - Mac or PC - and it has Java installed, it could be vulnerable to this new exploit. Adam Gowdiak, who discovered the Java vulnerability, said that he found the bug last week, created a proof-of-concept exploit and then reported the issue on Tuesday to Oracle, which has confirmed it. He is "not aware of any active attacks that would exploit this vulnerability" but claims the potential impact is bigger than previous exploits.

October 16 is the next scheduled Java update, and it's likely Oracle will wait until this date to patch the vulnerability. If you are concerned about your security, it's recommended either to uninstall Java from your system (if you don't use it) or temporarily disable it until a patch is released.

Via: ComputerWorld
Source: SecLists

42 Comments

Oracle require us to use an old old version of Java as their new versions don't work with their Opera system, needless to say we have major issues with users getting infected.

I'm with you. I stopped installing Java on any of my machines about a dozen years ago, and I haven't looked back. I couldn't name anything that relies on it that doesn't have an alternative.

omg yeh java was banned from my life many many years ago, if something requires it I just pass as it's usually worth nothing (or otherwise clunky as hell).

IntelliMoo said,
omg yeh java was banned from my life many many years ago, if something requires it I just pass as it's usually worth nothing (or otherwise clunky as hell).

+1 ^ this!!

Never ever install it anywhere. If a site needs it, I shrug, pass on and go to a different site. There is no way I am dealing with all that.

IntelliMoo said,
omg yeh java was banned from my life many many years ago, if something requires it I just pass as it's usually worth nothing (or otherwise clunky as hell).

Make that MANY, MANY years ago and I'll give you a +1!!

Thanks for reminding me to uninstall this piece of crap, only installed it a week ago to try out Minecraft

Damn, if it weren't for Minecraft, Adobe and a couple of retarded developers insisting on using Java to program desktop applications, this crap would be loooong gone from my system!

GS:mac

Wasn't SE 5 back before Oracle had Java in house? Seems a bit off to blame them for a vulnerability that preceded them that has only now been publicised...

mrbester said,
Wasn't SE 5 back before Oracle had Java in house? Seems a bit off to blame them for a vulnerability that preceded them that has only now been publicised...

Oracle didn't buy Java, they bought Sun along with all its assets including the dev team behind the Java runtime. I guess those assets include the blame too.

Uninstalled it years ago. I don't have anything that needs it. Although I did come across a site that required it, in which case I temporarily installed it in a VM. Sun Java is a security nightmare.

I just toggle Java with the QuickJava addon in Firefox instead of uninstalling it from the system. Still need Java for some desktop apps I use.

'October 16 is the next scheduled Java update, and it's likely Oracle will wait until this date to patch the vulnerability.'

You think with something this big, they'd send out a patch ASAP, but they are just as bad as Sun Microsystems was when patching or updating Java.

I uninstalled Java from my netbook and when I reinstalled Windows on my desktop, I didn't bother installing Java.

I just don't have a need for it.

I don't understand why people install it. For the biggest majority it is useless.
In the last 10 years I never needed it. Before, yes, I had it installed for some applications, but the number of applications that require Java is so small today that it's insignificant.

Larry Ellison probably stopped giving two ****s about Java as soon as he realized that he couldn't use it to milk Google through litigation.

There is always an exploit in something - Java is just targeted more often so just be wise on where you visit online - shouldn't be that hard.

Like over 5 years ago, when some horrible Java vulnerabilities were sitting un-patched, I decided to uninstall Java and I have never installed it since on any computers I set up. I also try and uninstall it on any family/friends computers I touch.

Those guys are so lax on security, it's long been a good idea to just be rid of Java. My policy is that, if some (web) application is built on Java, it's not good enough for me or mine to use.

a1ien said,
Like over 5 years ago, when some horrible Java vulnerabilities were sitting un-patched, I decided to uninstall Java and I have never installed it since on any computers I set up. I also try and uninstall it on any family/friends computers I touch.

Those guys are so lax on security, it's long been a good idea to just be rid of Java. My policy is that, if some (web) application is built on Java, it's not good enough for me or mine to use.


I will install it for a specific task and then uninstall it when I am finished.

a1ien said,
My policy is that, if some (web) application is built on Java, it's not good enough for me or mine to use.

That's my policy too. Java has no place on any computer I manage.

a1ien said,
Like over 5 years ago, when some horrible Java vulnerabilities were sitting un-patched, I decided to uninstall Java and I have never installed it since on any computers I set up. I also try and uninstall it on any family/friends computers I touch.

Those guys are so lax on security, it's long been a good idea to just be rid of Java. My policy is that, if some (web) application is built on Java, it's not good enough for me or mine to use.

LULWUT?!

Care to explain why? Especially seeing as a lot of quality stuff is written in Java.

a1ien said,
Like over 5 years ago, when some horrible Java vulnerabilities were sitting un-patched, I decided to uninstall Java and I have never installed it since on any computers I set up. I also try and uninstall it on any family/friends computers I touch.

Those guys are so lax on security, it's long been a good idea to just be rid of Java. My policy is that, if some (web) application is built on Java, it's not good enough for me or mine to use.

I just keep the Firefox Java plugin always off. And turn it on only for rare moments when I need it.

Stocker360 said,

LULWUT?!

Care to explain why? Especially seeing as a lot of quality stuff is written in Java.

I think he did explain why: Oracle does not take security seriously in Java.

I personally don't install Java because it's a slow, resource hogging, insecure runtime that's 5 years behind the competition and despite being "open" and "portable" constantly had compatibility issues that required me to install multiple JRE versions. In summary, Java is a pile of rubbish that needs to quietly fade out of existence...

JonathanMarston said,

I think he did explain why: Oracle does not take security seriously in Java.

I personally don't install Java because it's a slow, resource hogging, insecure runtime that's 5 years behind the competition and despite being "open" and "portable" constantly had compatibility issues that required me to install multiple JRE versions. In summary, Java is a pile of rubbish that needs to quietly fade out of existence...


Java, because C# insulted their mom or something.

Java developers are babies.

a1ien said,
Like over 5 years ago, when some horrible Java vulnerabilities were sitting un-patched, I decided to uninstall Java and I have never installed it since on any computers I set up. I also try and uninstall it on any family/friends computers I touch.

Those guys are so lax on security, it's long been a good idea to just be rid of Java. My policy is that, if some (web) application is built on Java, it's not good enough for me or mine to use.

I sadly have to use it, at least Chrome makes you grant permissions every time it runs. Otherwise I'd just not be surfing the web.

Stocker360 said,

LULWUT?!

Care to explain why? Especially seeing as a lot of quality stuff is written in Java.

If by "quality", you mean "quality malware", then yes.