Less than a week after fix, Java is broken yet again

With over a billion installations, Java is in everything from your computer to your thermostat, and attackers have taken note. Attacks have been coming fast and furious, with Flashback hitting the Mac platform last spring and more recent exploits affecting all platforms. The United States government (US-CERT) even recommended that users disable Java in their browsers.

Now it appears there are yet more Java vulnerabilities, despite the update Oracle shipped last week. According to PC World, researchers at Poland-based Security Explorations found not one but two new vulnerabilities which, used together, let an untrusted applet escape the Java sandbox and run arbitrary code on the user's machine. Neither is related to the flaws patched in the past couple of weeks, so the current release does not close them and further attacks are possible. The specifics are not being released, giving Oracle time to fix the problem before attackers learn how to exploit it.

On the bright side, Java 7 Update 11 raises the default security level to High, so the plugin prompts the user before running an unsigned applet, which makes it a bit harder to run attack code. Unfortunately, most users blindly click "yes" on any prompt they see, so it is not a strong level of protection; the safer option is still to disable the plugin. The site "Krebs on Security" has a good article on how to disable Java in the various browsers on both Windows and Mac, so it is worth checking out if you don't know how to do it yourself.
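The two settings the article turns on, whether Java content is enabled in browsers at all and what the applet security level is, both live in the Java Control Panel's deployment.properties file. As an added example (not code from the article, from Oracle, or from the Krebs write-up), here is a small Python audit of that file. The file locations, the key names (deployment.webjava.enabled and deployment.security.level, Java 7u10 and later) and the per-update default level are assumptions drawn from Oracle's deployment documentation, not from this page, and both sample files are constructed.

```python
"""Audit a Java deployment.properties file for the two browser-plugin settings
discussed above: whether Java content in browsers is enabled at all, and the
security level that decides whether an unsigned applet prompts before running.

ASSUMPTIONS (not stated in the article): the Java Control Panel stores its
settings in a .properties file, typically
    Windows:    %USERPROFILE%\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties
    Mac/Linux:  ~/.java/deployment/deployment.properties
and the relevant keys (Java 7u10 and later) are
    deployment.webjava.enabled   "false" removes Java from all browsers
    deployment.security.level    LOW, MEDIUM, HIGH or VERY_HIGH
"""
import sys

# Security levels in order, weakest first.
LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]


def default_level(jre_update):
    """Built-in default when deployment.security.level is absent: MEDIUM in
    7u10, HIGH from 7u11 onward (the change Update 11 made). Assumed."""
    return "MEDIUM" if jre_update < 11 else "HIGH"


def _split(line):
    """Split at the first unescaped '=' or ':' (Java .properties rules), so a
    Windows path such as C\\:\\\\Program Files is not cut at the colon."""
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            i += 2            # skip the escaped character
            continue
        if ch in "=:":
            return line[:i].strip(), line[i + 1:].strip()
        i += 1
    return line.strip(), ""


def parse_properties(text):
    """Parse the subset of .properties syntax deployment.properties uses
    (comments, blank lines, key=value; no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _split(line)
        props[key] = value
    return props


def assess(props, jre_update=11):
    """Return the effective plugin state and a list of findings."""
    web_enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"
    level = props.get("deployment.security.level", default_level(jre_update)).upper()
    findings = []
    if web_enabled:
        findings.append("Java content in the browser is enabled; set "
                        "deployment.webjava.enabled=false to take the plugin out of play")
    if level not in LEVELS:
        findings.append("unrecognised deployment.security.level %r" % level)
    elif LEVELS.index(level) < LEVELS.index("HIGH"):
        findings.append("security level %s runs unsigned applets without a prompt "
                        "on an up-to-date JRE; raise it to HIGH or VERY_HIGH" % level)
    return {"web_enabled": web_enabled, "level": level, "findings": findings}


def audit_file(path, jre_update=11):
    """Java .properties files are ISO-8859-1 by specification."""
    with open(path, encoding="latin-1") as fh:
        return assess(parse_properties(fh.read()), jre_update)


# Constructed sample files, not taken from any real machine.
# A pre-Update-11 file that never touched either key: both defaults apply.
SAMPLE_PRE_U11 = r"""#deployment.properties
#Tue Jan 15 09:12:00 CET 2013
deployment.version=7.10
deployment.javaws.jre.0.path=C\:\\Program Files\\Java\\jre7\\bin\\javaw.exe
deployment.expiration.check.enabled=false
"""

# The same file after the plugin has been switched off in the Control Panel.
SAMPLE_HARDENED = r"""#deployment.properties
deployment.version=7.11
deployment.webjava.enabled=false
deployment.security.level=HIGH
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = audit_file(sys.argv[1])
    else:
        result = assess(parse_properties(SAMPLE_PRE_U11), jre_update=10)
    for line in result["findings"] or ["no findings"]:
        print(line)
```

Run it with the path of a real deployment.properties to check one machine, or with no arguments to see the two findings the constructed pre-Update-11 sample produces. For a fleet, the same keys can be set in a system-wide deployment.properties (referenced from deployment.config) with a `.locked` suffix so users cannot flip the plugin back on from the Control Panel; that mechanism is also assumed from Oracle's deployment documentation rather than from the article.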

Source: Seclists.org, Via: PC World | Image courtesy of Oracle


Comments

SPEhosting said,
... right, so everyone here so far is doubting Java... What about your OS? Your OS has a lot of security issues, has had lots in the past, and more are still being found.... So yeah? Don't like how computer security is next to nothing? Then do something about it or get out of the virtual world, because you are taking up bandwidth...

It's one thing to have vulnerabilities. It's another to have them exploited a little too often in the wild.

Dear Oracle: please disable running any unsigned applet on browsers, put a decent automatic updater that doesn't try to install every crapware in the world and turn off the damn Java Quickstarter that keeps trashing the hard drive at every boot. Maybe then Java would stop being considered the clown language of this decade.

Sincerely,
the world.

If only every browser blocked Java immediately, as soon as every new vulnerability is discovered, maybe then Oracle would take security seriously?

francescob said,
Dear Oracle: please disable running any unsigned applet on browsers, put a decent automatic updater that doesn't try to install every crapware in the world and turn off the damn Java Quickstarter that keeps trashing the hard drive at every boot. Maybe then Java would stop being considered the clown language of this decade.

Sincerely,
the world.

If only every browser blocked Java immediately, as soon as every new vulnerability is discovered, maybe then Oracle would take security seriously?

I also don't like that behavior.

compl3x said,
If you can do without Java, ditch it. I used to install it all the time as a habit, now I don't even bother.

But... how are you playing Minecraft?

Let's face it, if it wasn't for Minecraft, the majority of users wouldn't want or need to install Java.

It's been a week since I've uninstalled Java completely, and I haven't run into anything that needs it, and I'm on here almost 24/7.

LUTZIFER said,
It's been a week since I've uninstalled Java completely, and I haven't run into anything that needs it, and I'm on here almost 24/7.

Ditto... Though I actually did that like 10 years ago, lol. Hard to remember now, but I think the last thing I ever used that required Java was the NetZero client. I simply don't need anything that requires it on the computer now, so it's ancient history to me.

IntelliMoo said,
Ditto... Though I actually did that like 10 years ago, lol. Hard to remember now, but I think the last thing I ever used that required Java was the NetZero client. I simply don't need anything that requires it on the computer now, so it's ancient history to me.

The portable version is your friend.

I've uninstalled it on all our computers. The one site that needed it, was not critical and we did without it. Good bye, Java. It was nice to have known you.

u11 didn't fix anything; it only changed the default security level to 'high'. Anyone could've done this.

They need to stop all development on new features for a while and focus solely on bug fixes and security. That, or push to a new version of Java (8?!), which should be a full rewrite.

With their 'fix' for u11, I doubt Java is going to improve anytime soon. Shame that I still need it.

All this constant updating and patching is in itself a target for exploitation: fake prompt message boxes urging you to update and patch have been around for a while, and clicking yes/no or close has the same effect, a stealth download and execute/install....

Good, good. Hopefully more people will start to realize what a joke Java is, and that will speed up the movement away from it.

Good thing I've never installed Java (or Flash, or Acrobat Reader) on my PC. How many people really need to run Java on their computer?

a0me said,
Good thing I've never installed Java (or Flash, or Acrobat Reader) on my PC. How many people really need to run Java on their computer?

Unfortunately, most people can't do without Flash, but that is a cinch to disable temporarily.

Those other 2 items are both total junk that anybody can do TOTALLY without!!

Never had either on my computers for more than one use either.
