Don't re-enable Java! The latest security updates to Java still have vulnerabilities!
Last edited Fri Jan 18, 2013, 08:23 PM
https://threatpost.com/en_us/blogs/latest-java-update-broken-two-new-sandbox-bypass-flaws-found-011813
Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.
"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11," Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.
Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.
Reports surfaced earlier this week that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc. said that attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.
lpbk2713
(42,766 posts)
Link: http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/
And by that time most users will be saying "what's Java?".
MattBaggins
(7,904 posts)
As seen on this thread people think Java is some obscure unused plugin when in fact Java is all over the place and embedded in just about everything.
"I uninstalled java so I'm java free... Now let me get back to playing minecraft"
Google "Java is everywhere"
Sekhmets Daughter
(7,515 posts)
I have a new Mac desktop...OS X 10.8.2....Apple no longer installs Java on their new computers and I would have to go to Oracle and download Java from their site. The thing is I haven't a clue what Java does so I don't know if I should download it once the bugs are cleaned out.
backscatter712
(26,355 posts)
Java is a programming language, and a computing environment consisting of a virtual machine running Java programs in what should be (but isn't really) a controlled environment.
These days, Java's used a lot on the server-side, but you can also run Java programs, called applets, in your web browser if you have Java installed. In theory, Java applets are kept in a "sandbox" that ensures the program can only do stuff in its own little space and can't mess with things it's not allowed to touch. In practice, the sandbox leaks like a sieve, and malicious Java applets can do nasty things like installing malware on your system or stealing your information.
Oilwellian
(12,647 posts)
Sekhmets Daughter
(7,515 posts)
I haven't missed it to date...but how would I know which sites use Java?
Oilwellian
(12,647 posts)
I've never understood what Java does. Evidently, not much since I haven't missed a thing since I uninstalled it.
dixiegrrrrl
(60,010 posts)
The Plug ins menu does not show it. And I have had no problems accessing anything on the web.
So I guess it is not even needed????
edited...hmm...it is not on my Opera browser either.
running Linux.
I think I may have removed it some time ago for some reason or the other.
Sekhmets Daughter
(7,515 posts)
I'm using Firefox right now, haven't a clue where to look.
tkmorris
(11,138 posts)
Sekhmets Daughter
(7,515 posts)
Looks like I have nothing but a "placeholder"
lpbk2713
(42,766 posts)
Then "Plugins" Tab
Enable or Disable at will.
Sekhmets Daughter
(7,515 posts)
Doesn't seem to work on my Mac, but someone else told me how to find it. Thanks, though.
lpbk2713
(42,766 posts)
Glad you got it taken care of. Yes, it's a PC keyboard shortcut, doesn't apply to you.
War Horse
(931 posts)
Only device that doesn't have Java (yet) is my Droid. Doesn't really seem to be a way to avoid it.
backscatter712
(26,355 posts)
For example, for general web browsing, you might use Firefox, and make sure Java is disabled completely there.
Then you use a second browser, say Opera, for that one place like your bank where Java is required, and you make sure you use that browser only for that single site, and nothing else.
War Horse
(931 posts)
And IE 10, some of the time
War Horse
(931 posts)
my bank's site seems to require Java regardless
backscatter712
(26,355 posts)
Use the second browser for the bank site, only the bank site, and nothing else - that can keep Java under quarantine.
MattBaggins
(7,904 posts)
if one were to be pedantic.
War Horse
(931 posts)
Skidmore
(37,364 posts)
Perhaps a tutorial for the illiterate.