New Java Exploits Detected -- You DID Uninstall Java, Right?

News Posted: Sat, Jan 19 2013 1:04 AM
When Oracle released its Java Update 11 earlier this week, it patched several zero-day exploits that security researchers had previously identified. Nevertheless, a number of firms still recommended uninstalling Java due to a number of remaining bugs. It's taken less than a week for new flaws to surface -- and these are issues that hadn't previously been identified.

Adam Gowdiak, of Security Explorations, noticed that while Update 11 fixed some outstanding issues, it did nothing to repair a flaw in the Java MBeanInstantiator that still allows for the execution of malicious code. Oracle's decision to leave the problem less-than-fixed inspired Gowdiak to go looking for other flaws that the company might have missed. A fresh examination of Java 7 Update 11 has yielded another pair of exploitable flaws that are unrelated to the MBeanInstantiator issue.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11," Gowdiak wrote. "MBeanInstantiator bug (or rather a lack of a fix for it) turned out to be quite inspirational for us. However, instead of relying on this particular bug, we have decided to dig our own issues. As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."


These flaws underscore the problems Oracle is having with Java, but they're scarcely insurmountable. Microsoft has transformed itself from a company whose products had all the security of a sieve to a company that's respected and considered security conscious. At the same time, however, it's worth noting that it took Redmond the better part of a decade to repair its own reputation. If Oracle wants Java to continue to be important to web development, it needs to devote the necessary resources to closing the security holes. If it doesn't, other programs will eventually evolve to fill the void. That might take a while -- Google's own engineers certainly didn't think much of the Java alternatives when it was working on Android -- but ever-present security flaws are an unacceptable risk in enterprise environments. If Oracle can't secure Java, companies will eventually have no choice but to look elsewhere.

There's no word on when these latest flaws will be fixed. As we've said before, the safest way to secure your system from Java bugs is to disable the software and only reactivate it if you actually need to use it. Unless you start seeing prompts warning you that software needs Java to run, you'll probably never miss it.
  • | Post Points: 50

I did installed Java (both 32 and 64 bit) out of my PC after I read this post. Thanks for putting up the post (news about Java). So wait a bit longer until a more stable Java comes out, or find other software (like Java).

  • | Post Points: 20

I tried to edit it. I mean Uninstalled (not Installed).

  • | Post Points: 5
Dave_HH replied on Sat, Jan 19 2013 11:47 AM

Yes, I'm sure they'll react quickly with another patch but better safe than sorry.

Editor In Chief
http://hothardware.com


  • | Post Points: 20
realneil replied on Sat, Jan 19 2013 10:58 PM

I have it disabled on all my boxes. Oracle is turning into the slop-meisters of coding. It's as bad as IE was.

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

  • | Post Points: 5
3vi1 replied on Sun, Jan 20 2013 12:37 AM

This is when, as a Linux user, I appreciate that Java's just not installed by default. There was a time for Java applets... but that day is long and gone, given the relative power of HTML5 and JavaScript.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 5

I have not uninstalled Java, but I disabled it on IE, Firefox, and Chrome.

  • | Post Points: 5