Two more zero-day vulnerabilities in Java, seemingly

Oracle’s most famous program might be Java, but it has its fair share of vulnerabilities, and the past few weeks seem to have brought a lot of them to the forefront. Java 7 seemingly slips up again, with two potential vulnerabilities found.

A Polish security firm has reported not one but two new zero-day vulnerabilities, which it calls “Issue 54” and “Issue 55”. Oracle is investigating both reports of weaknesses in Java 7 but has not confirmed anything yet. Various security experts have suggested disabling Java’s browser plugin in the past, and it remains sound advice: the plugin is the component exposed to untrusted web content, and turning it off still leaves standalone Java applications working.

The Polish firm responsible for the discoveries is Security Explorations, headed by Adam Gowdiak. According to its website, it is a security start-up whose aim is to conduct unbiased security analysis. Gowdiak has had other successes (if vulnerabilities can be called that) with Java in the past, having found more than 50 security issues, which is why the new ones are numbered 54 and 55. Security Explorations appears to know its subject; other coverage of the firm points to the same track record.

Oracle batches fixes into scheduled patch releases rather than confirming individual reports as they arrive, so we won’t know the details of these new Java 7 issues for a while. Gowdiak’s track record says he knows Java well, so the smart money says he has found something.
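The advice to disable the browser plugin while keeping the JRE is only useful if you can verify it on a fleet. The following is an added example, not code from the article or from Security Explorations: a small Python audit that parses a Java deployment.properties file (the per-user or system-wide Java Deployment configuration, which uses the Java .properties format) and reports whether the plugin is off and locked against being re-enabled, and whether the security slider is at HIGH or VERY_HIGH. The property names deployment.webjava.enabled, deployment.security.level and the .locked suffix are taken from Oracle's deployment configuration documentation for Java 7 Update 10 and later; that is an assumption to check against your JRE version. Both sample files are constructed for the demonstration.

```python
"""Audit a Java deployment.properties file for browser-plugin exposure.

Added example, not from the article or Security Explorations. Parses the
Java .properties format (comments, key=value / key:value / key value,
backslash escapes, \\uXXXX, line continuations) and checks the deployment
settings that control the browser plugin.
"""
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Property names as documented for Java 7u10+ (assumption: verify for your JRE).
PLUGIN_KEY = "deployment.webjava.enabled"
LEVEL_KEY = "deployment.security.level"
ACCEPTABLE_LEVELS = {"HIGH", "VERY_HIGH"}

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _logical_lines(text: str) -> Iterator[str]:
    """Join continued lines (odd number of trailing backslashes) and drop comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is insignificant, also on continuations
        if not buf and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            buf += line[:-1]
            continue
        buf += line
        yield buf
        buf = ""
    if buf:
        yield buf


def _unescape(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c != "\\" or i + 1 >= len(s):
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", s[i + 2:i + 6] or ""):
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
            continue
        out.append(_ESCAPES.get(nxt, nxt))  # \: \= \\ and friends map to themselves
        i += 2
    return "".join(out)


def _split_kv(line: str) -> Tuple[str, str]:
    """Key ends at the first unescaped '=', ':' or whitespace."""
    key, i = [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            key.append(c + line[i + 1])
            i += 2
            continue
        if c in "=: \t":
            break
        key.append(c)
        i += 1
    rest = line[i:].lstrip(" \t")
    if rest and rest[0] in "=:":
        rest = rest[1:].lstrip(" \t")
    return _unescape("".join(key)), _unescape(rest)


def parse_properties(text: str) -> Dict[str, str]:
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        k, v = _split_kv(line)
        props[k] = v  # a bare key (e.g. "....locked") is recorded with an empty value
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the plugin is off, locked, and the slider is high."""
    findings = []
    if props.get(PLUGIN_KEY, "true").strip().lower() != "false":
        findings.append(f"{PLUGIN_KEY} is not 'false': browser plugin is active")
    elif PLUGIN_KEY + ".locked" not in props:
        findings.append(f"{PLUGIN_KEY} is false but not locked: a user can re-enable it")
    level = props.get(LEVEL_KEY, "").strip().upper()
    if level not in ACCEPTABLE_LEVELS:
        findings.append(f"{LEVEL_KEY} is {level or 'unset'}; expected HIGH or VERY_HIGH")
    return findings


# Constructed sample files (not captured from a real host).
WEAK = """\
#deployment.properties
#Fri Mar 01 10:00:00 GMT 2013
deployment.version=7.17
deployment.security.level=MEDIUM
deployment.javaws.viewer.bounds=0,0,900,500
"""

HARDENED = """\
deployment.version=7.17
# plugin off, and locked so the Control Panel cannot turn it back on
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
# escaped colon and a continued line, to exercise the parser
deployment.proxy.http.host=proxy\\:8080
deployment.proxy.bypass.list=localhost,\\
    127.0.0.1
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK
    for finding in audit(parse_properties(text)) or ["no findings"]:
        print(finding)
```

Run it against a real file with `python audit_java_plugin.py ~/.java/deployment/deployment.properties` (or the system-wide file named in deployment.config); with no argument it audits the constructed WEAK sample and reports two findings. The lock check matters on shared machines: without the .locked entries the Java Control Panel lets any user flip the plugin back on.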

Source: Security Explorations


31 Comments


Java, load of pants, another bit of software that needs patching every other day. Like Flash, it should die.

I need it on the odd occasion that some crap app or interface uses it:(

I don't have Java installed at present, but do rely on apps that use it (are distributed with it). Java is a great concept, but the time has come where it needs a bit of a rewrite.

These zero-day exploits are just the browser plugin. Disable the plugin and you don't need to worry about them. You can continue to use JDownloader without having to worry about these exploits.

I think I've only ever installed this thing twice, and that was just to do a test for Charter, or some similar stupid thing, that did nothing for what I was pursuing. Uninstalled it immediately afterwards.

Haven't had it installed in years now and will never do so again.

Agree with above poster about this thing needing an update every other day and, like Flash, it either needs to be TOTALLY rewritten or TOTALLY scrapped!

cork1958 said,
TOTALLY rewritten

I agree 100%

Now keeping backwards compatibility is the hard part. Not only that, but they could not name it Java as it is the same as "security issues".

Unfortunately, as an example, I'm currently working on a server that must have the JRE for antivirus and backup software. So removing the JRE, although I wanted to, is not a viable option.

Praetor said,
Unfortunately, as an example, I'm currently working on a server that must have the JRE for antivirus and backup software. So removing the JRE, although I wanted to, is not a viable option.

disable the plugins for the browser.

Praetor said,
Unfortunately, as an example, I'm currently working on a server that must have the JRE for antivirus and backup software. So removing the JRE, although I wanted to, is not a viable option.

Similar situation; I have a Java web service which I'm in the LONG process of porting to C#.

pes2013 said,

Similar situation; I have a Java web service which I'm in the LONG process of porting to C#.

Have you tried IKVM? It allows you to run Java programs using the .NET runtime, by providing a Java compatibility layer.

It does not work perfectly, but is surprisingly good. You might very well be able to get 95% of your program to work without any changes. That means that you only need to port 5% to .NET before you can get rid of the JRE. Over time, you can then slowly port the rest of the code to skip the compatibility layer and improve performance.

I can't believe some people actually have Java installed on their computers.
I've been computing without it for at least 7 years. Never really missed or needed it.

Can Adobe Flash be the next one to go?

Seeing a new zero-day exploit in the latest Java update is frustrating because I love Java. It is a great language and platform that is actually very secure. It is this stupid browser plugin that keeps letting the whole Java platform down.

Been completely disabled in my browsers since the first terrible security risk just a short while ago.

Sucks not being able to use java based web apps, but oh well, security rules.

No problem with running actual java programs though, which is quite important.

And the downward spiral continues... Right into the toilet.

Narrowing the blame to the browser plug-in is somewhat convenient for Java developers, but it's likely that the same level of competency went into the browser plug-in as the rest of the Java platform.

The scary part is, there are likely more flaws that have been found, just not by anyone who wants to announce them.

Edited by thomastmc, Mar 1 2013, 4:59am
