
Sun Jan 13, 2013, 08:02 PM

 

Forget Oracle's Latest Java Patch. Just Kill The Program In Your Browser For Good

After months of inaction and even a warning from the Department of Homeland Security, Oracle has finally released a fix for yet another security vulnerability in its ubiquitous and notoriously buggy Java software. But there’s already been a fix available that’s remained simpler and far more effective: Kick your Java habit altogether.

Despite Oracle’s new patch, which the company posted to its website Sunday–more than four months after it was informed about the bug by Polish security firm Security Explorations–Java watchers in the security industry are recommending that users give up on the endless cycle of the program’s bugs and fixes and instead turn it off in their browsers for good. “Users should simply disable it,” says H.D. Moore, chief security officer at the security firm Rapid7 who has tested numerous Java exploitation techniques over the last year. “The amount of utility it offers is so much smaller than the risk it creates for users. It’s much safer to leave it off.”

-snip-

The bug was just the latest in a series that wracked Oracle for much of 2012. In August a flaw in the software, also reported months earlier by Security Explorations, was exploited by hackers installing malware including the Poison Ivy trojan on target PCs. When Oracle released a patch, Security Explorations quickly found another flaw in the fix that would allow the new security measures to be bypassed. And the company followed that revelation with the discovery of yet another critical bug in the program.

-snip-

Java in many ways goes against all the security trends that have made browsers harder to exploit in recent years. It still requires manual updates, despite several browsers’ moves to automatically download and install new versions of themselves. And despite modern browsers’ attempts to prevent websites from gaining access to a PC beyond a limited “sandbox,” Java can in many cases allow attackers to escape those restrictions, access the full hard disk and make network connections with remote servers. “The attack surface is so big,” Kandek says. “In many ways, you don’t want Java to be able to do all the things that it does anymore.”

More: http://www.forbes.com/sites/andygreenberg/2013/01/13/forget-oracles-latest-java-patch-just-kill-the-program-in-your-browser-for-good/

9 replies, 1398 views

Replies to this discussion thread
9 replies Author Time Post
Forget Oracle's Latest Java Patch. Just Kill The Program In Your Browser For Good (Original post)
UnrepentantLiberal Jan 2013 OP
GeorgeGist Jan 2013 #1
madrchsod Jan 2013 #2
littlemissmartypants Jan 2013 #3
jsr Jan 2013 #4
Turborama Jan 2013 #5
UnrepentantLiberal Jan 2013 #6
TM99 Jan 2013 #7
UnrepentantLiberal Jan 2013 #8
TM99 Jan 2013 #9

Response to UnrepentantLiberal (Original post)

Sun Jan 13, 2013, 08:29 PM

1. What is Java?

Java allows you to play online games, chat with people around the world, calculate your mortgage interest, and view images in 3D, just to name a few. It's also integral to the intranet applications and other e-business solutions that are the foundation of corporate computing.


http://www.java.com/en/download/whatis_java.jsp



Response to UnrepentantLiberal (Original post)

Sun Jan 13, 2013, 09:10 PM

2. got rid of it yesterday



Response to UnrepentantLiberal (Original post)

Mon Jan 14, 2013, 12:02 AM

3. Got fed up with it in September,

don't miss it and see no reason to reinstall it.



Response to UnrepentantLiberal (Original post)

Mon Jan 14, 2013, 01:36 AM

4. It's unnecessary trash on home computers

(not to be confused with JavaScript)



Response to UnrepentantLiberal (Original post)

Mon Jan 14, 2013, 03:00 AM

5. DU becomes unusable on my Blackberry if I disable Java

Don't know how it affects computer users as I haven't been able to afford to replace my broken one for ages and I never turned it off when I did have one.



Response to Turborama (Reply #5)

Mon Jan 14, 2013, 03:12 AM

6. There's no way to turn Java off on my Android.

 

I'm not even sure it's vulnerable to these exploits. I haven't gotten an answer by searching or asking.



Response to UnrepentantLiberal (Reply #6)

Mon Jan 14, 2013, 08:12 AM

7. No, Android is not vulnerable due to this exploit

Google rolls their own version based off of Oracle Java called Dalvik. It is not affected by this vulnerability.

And Java the programming language is different from the Java Run-time Environment used in browsers. And yes, while many do not need or use Java, others will need to keep it in their browser for online banking, games, multimedia, etc. that require the JRE. In that case, get the Java JRE 7 update 11 from Oracle.

Either download it directly or use the Update function within the Java Control Panel. It is easy, quick, and painless. Just be sure not to install the McAfee software that is being pushed with it, and you are good to go.



Response to TM99 (Reply #7)

Mon Jan 14, 2013, 03:28 PM

8. My phone does everything (like banking) already.

 

I can't use JRE on this phone. There are a few videos I can't watch and it doesn't work with HTML5. Other than that it browses as well as any laptop.

Thanks for the info. That's good to know.



Response to UnrepentantLiberal (Reply #8)

Tue Jan 15, 2013, 01:22 AM

9. You are welcome

Most phones don't need the JRE, but laptops and desktops, for specific uses, certainly do.

I do look forward to the day when Flash and the JRE are phased out in favor of HTML5.
