Less than a week after fix, Java is broken yet again

With over a billion installations, Java is in everything from your computer to your thermostat, and nefarious hackers are taking note. Attacks have been coming fast and furious, with Flashback hitting the Mac platform last spring, and more recent updates impacting all platforms. The United States government even recommended that users disable Java from their browsers.

Now it appears there is yet another Java vulnerability running rampant in the world, despite the fact that it was updated again last week. According to PC World, researchers at Poland-based Security Explorations found not one, but two new vulnerabilities that allow attackers to run arbitrary code on a user’s machine. Neither vulnerability is related to the ones identified in the past couple of weeks, so further attacks are also possible. The specifics of the attack are not being released, giving Oracle time to fix the problem before the bad guys learn how to break it.

On the bright side, Java 7 Update 11 prompts users to confirm whether an applet should be run or not, making it a bit more difficult to run attack code. Unfortunately, most users blindly click “yes” to any prompt they see, so it’s not a great level of protection. The site “Krebs on Security” has a nice article on how to disable Java on various browsers running on both Windows and Mac, so it’s worth checking out if you don’t know how to do it yourself.
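For readers who want to turn the browser plugin off centrally rather than per browser, the following is an added example (not from the article or from Oracle's documentation): a system-level Java deployment.properties for Java 7u10 and later. The file path is an assumption; it is referenced from deployment.config via deployment.system.config, and the `.locked` entries stop the Java Control Panel from reverting the choice.

```properties
# Added example, not part of the article. Assumed to live at a path such as
# C:\Windows\Sun\Java\Deployment\deployment.properties and to be referenced
# from deployment.config with:
#   deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties

# Preferred mitigation: disable Java content in every browser outright.
# The ".locked" key (no value) prevents users re-enabling it in the Control Panel.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# Alternative if one internal site still needs the plugin: leave it enabled
# but pin the security slider to its strictest level and lock it.
# Java 7u11 raised the default to HIGH (prompt before unsigned applets run);
# VERY_HIGH additionally refuses applets that are not signed with a valid,
# trusted certificate.
#deployment.webjava.enabled=true
#deployment.security.level=VERY_HIGH
#deployment.security.level.locked
```

Only one of the two sections should be active at a time; the commented lines are the fallback for environments that cannot drop the plugin entirely.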

Source: Seclists.org, Via: PC World | Image courtesy of Oracle

36 Comments


Good thing I've never installed Java (or Flash, or Acrobat Reader) on my PC. How many people really need to run Java on their computer?

a0me said,
Good thing I've never installed Java (or Flash, or Acrobat Reader) on my PC. How many people really need to run Java on their computer?

Unfortunately, most people can't do without flash, but that is a cinch to disable temporarily.

Those other 2 items are both total junk that anybody can do TOTALLY without!!

Never had either on my computers for more than one use either.

Good, good. Hopefully more people will start to realize what a joke Java is, and that will speed up the movement away from it.

All this constant updating and patching is in itself a target for exploiting - fake prompt message box to urge you to update and patch has been around for a while, clicking yes/no or close has the same effect - stealth download and execute/install....

u11 didn't fix anything; it only changed the default security level to 'high'. Anyone could've done this.

They need to stop all development on new features for a while and focus solely on bug fixes and security. That, or push to a new version of Java (8?!) which should be a full rewrite.

With their 'fix' for u11, I doubt Java is going to improve anytime soon. Shame that I still need it.

I've uninstalled it on all our computers. The one site that needed it, was not critical and we did without it. Good bye, Java. It was nice to have known you.

It's been a week since I've uninstalled Java completely, and I haven't run into anything that needs it, and I'm on here almost 24/7.

LUTZIFER said,
It's been a week since I've uninstalled Java completely, and I haven't run into anything that needs it, and I'm on here almost 24/7.

Ditto... Though I actually did that like 10 years ago. lol Hard to remember now but I think the last thing I ever used that required Java was the NetZero client. I simply don't need anything that requires it on the computer now, so it's ancient history to me.

IntelliMoo said,

Ditto... Though I actually did that like 10 years ago. lol Hard to remember now but I think the last thing I ever used that required Java was the NetZero client. I simply don't need anything that requires it on the computer now, so it's ancient history to me.


The portable version is your friend.

compl3x said,
If you can do without Java, ditch it. I used to install it all the time as a habit, now I don't even bother.

but... how are you playing Minecraft?

Let's face it, if it wasn't for Minecraft, the majority of users wouldn't want or need to install Java.

Dear Oracle: please disable running any unsigned applet on browsers, put a decent automatic updater that doesn't try to install every crapware in the world and turn off the damn Java Quickstarter that keeps trashing the hard drive at every boot. Maybe then Java would stop being considered the clown language of this decade.

Sincerely,
the world.

If only every browser was blocking Java immediately as soon as every new vulnerability is discovered, maybe then Oracle would take security seriously?

francescob said,
Dear Oracle: please disable running any unsigned applet on browsers, put a decent automatic updater that doesn't try to install every crapware in the world and turn off the damn Java Quickstarter that keeps trashing the hard drive at every boot. Maybe then Java would stop being considered the clown language of this decade.

Sincerely,
the world.

If only every browser was blocking Java immediately as soon as every new vulnerability is discovered, maybe then Oracle would take security seriously?


I also don't like that behavior.

... right so everyone here so far is doubting Java... what about your OS? Your OS has a lot of security issues and has had lots in the past and more are still being found .... so ye? Don't like how computer security is next to nothing? Then do something about it or get out of the virtual world cause you are taking up bandwidth ...

SPEhosting said,
... right so everyone here so far is doubting Java... what about your OS? Your OS has a lot of security issues and has had lots in the past and more are still being found .... so ye? Don't like how computer security is next to nothing? Then do something about it or get out of the virtual world cause you are taking up bandwidth ...

My OS takes security seriously, Oracle is a joke.

SPEhosting said,
... right so everyone here so far is doubting Java... what about your OS? Your OS has a lot of security issues and has had lots in the past and more are still being found .... so ye? Don't like how computer security is next to nothing? Then do something about it or get out of the virtual world cause you are taking up bandwidth ...

It's one thing to have vulnerabilities. It's another to have the vulnerabilities being exploited a little too often in the wild.

Java just needs to do what Microsoft did with ActiveX in XP SP2: it must run only signed applets by default unless on a local or "intranet" website. But apparently Oracle developers are too busy finding all sorts of crapware to push with the updates rather than thinking about users' security. I really hope other browsers will start blocking vulnerable versions of Java immediately (like Firefox does); that would probably be enough to kill Java applets entirely, since due to the current flood of Java 0-days the plugin would be disabled for enough time to force developers to use alternatives.

francescob said,
Java just needs to do what Microsoft did with ActiveX in XP SP2: it must run only signed applets by default unless on a local or "intranet" website. But apparently Oracle developers are too busy finding all sorts of crapware to push with the updates rather than thinking about users' security. I really hope other browsers will start blocking vulnerable versions of Java immediately (like Firefox does); that would probably be enough to kill Java applets entirely, since due to the current flood of Java 0-days the plugin would be disabled for enough time to force developers to use alternatives.

The craplets themselves are not the reason why I disable Java auto update. If the craplets were not autocheck marked by default.

Javik said,
Sigh. If I could afford to do away with Java I would but I can't yet.

yea.. Minecraft eh.

Does anyone know if there are any 3rd party Minecraft clients?

sagum said,

yea.. Minecraft eh.

Does anyone know if there are any 3rd party Minecraft clients?

All clients are java based anyway. There is MagicLauncher, mineshafter, and mineshafter^2

sagum said,
Does anyone know if there are any 3rd party Minecraft clients?
I use Minecraft with a portable Java installation. That way any and all vulnerabilities are only exposed on your system while the game is running.

First install using jPortable (for 64-bit systems scroll down the page and use the 64-bit version)

http://portableapps.com/apps/utilities/java_portable

Then make a shortcut to javaw and add Minecraft as a parameter to the shortcut, with the full target looking something like this:

D:\PortableApps\CommonFiles\Java64\bin\javaw.exe -jar D:\Minecraft\minecraft.exe

...with the paths being adjusted for wherever things are on your system, of course.

When new Java versions are released you can simply re-run the jPortable installer to update your portable version.

Arkose said,
I use Minecraft with a portable Java installation. That way any and all vulnerabilities are only exposed on your system while the game is running.

First install using jPortable (for 64-bit systems scroll down the page and use the 64-bit version)

http://portableapps.com/apps/utilities/java_portable

Then make a shortcut to javaw and add Minecraft as a parameter to the shortcut, with the full target looking something like this:

D:\PortableApps\CommonFiles\Java64\bin\javaw.exe -jar D:\Minecraft\minecraft.exe

...with the paths being adjusted for wherever things are on your system, of course.

When new Java versions are released you can simply re-run the jPortable installer to update your portable version.


I also switched over to the portable Java as well. It's safer.