#7   31-08-2012, 13:01
techhelpbb
Registered User
FRC #0011 (MORT - Team 11)
Team Role: Mentor
 
Join Date: Nov 2010
Rookie Year: 1997
Location: New Jersey
Posts: 1,624
Re: PSA for Java devs -- critical security patch released for Java Runtime Environmen

Several products that require Java carry the Java Virtual Machine (JVM) bundled within their installs.

So you remove Java from the browser. You uninstall the JVM you downloaded from Sun/Oracle.

If you've still got an old version of Internet Explorer you might have Microsoft Java. If you're running Linux you might have OpenJDK.

You still may have Java. Sure, now you can't call it from JavaScript (which is not Java, BTW), but you still may have a JVM, and more importantly the update system probably updates neither that JVM hidden in that install directory nor possibly even the one someone put on your computer (some versions require you to acknowledge the updates manually).

Sure, newer technologies like Socket.IO and WebSockets are increasingly closing the gap on some core Java upsides for web-centric applications. However, there are so many existing tools for Java that just having a way (with a ton of work) that someone might eventually be able to achieve the same result may not make good business sense.

Then we have to consider that Java keeps a local cache of previously loaded .JAR files. Further, Java can reach out of its sandbox with privilege escalation (generally this does require you to accept it... not that the messages are really clear to most users).

I can't say not to use Java. If I start doing that I'd have to face the fact that I have more than 100 open technical matters with Microsoft and some of them are unaddressed years later.

If you turn off JavaScript you'd not be able to start Java.

If you did all your web browsing in a disposable environment it wouldn't matter, just assume it's full of trouble and erase it and start all over (I do that all the time).

If you use Firefox a lot and just want granular control over whether or not web pages can get to Java with JavaScript:
https://addons.mozilla.org/en-US/fir...don/quickjava/

* IMPORTANT PLEASE READ BELOW *

As a follow up to this (next day):

First a private patch was created by a small group of people.
That patch was distributed to a limited number of people by request.

Then Oracle broke their normal release schedule and patched this hole.

Now it appears that the patch for the original hole is also compromised, and with limited effort new malware could be written.

Here comes new trouble. At least it has yet to be found in the wild.

I'm advocating backing up to Java 6 with the latest update and disabling Java in the browser (hopefully using a tool to make it easy to turn back on when you trust the code) until this gets fixed the right way. This vector is far too hot a subject right now and even if it hasn't been found in the wild I'm sure it soon will be. Dismantling Java to look for a known exploit is far too easy.

Last edited by techhelpbb : 01-09-2012 at 11:09.
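The point in the post above about JVMs bundled inside other products' install directories, which the normal Java updater never touches, is the kind of thing worth checking mechanically rather than from memory. The POSIX shell script below is an added example, not part of techhelpbb's post or of any tool it links: it walks the directories you name for executables called `java`, runs each one with `-version`, and flags any that fall below a minimum family/update level you choose. It assumes a Unix-like host with `find`, `sed` and `awk`, and parses only the `1.x.y_uu` banner format that Java 6 and 7 print; the threshold in the usage comment is an arbitrary example, not a recommendation from the post.

```shell
#!/bin/sh
# Added example (not from the original post): inventory every java binary on
# a host, including JVMs bundled inside other products' install directories,
# and flag the ones below a minimum update level.

# Parse a `java -version` banner into "<family> <update>", e.g.
#   java version "1.6.0_35"   -> "6 35"
#   java version "1.7.0_07"   -> "7 7"
#   openjdk version "1.6.0"   -> "6 0"
# Prints nothing when the text is not a 1.x-style banner.
parse_java_version() {
  printf '%s\n' "$1" | sed -n '
    s/.*version "1\.\([0-9]*\)\.[0-9]*_\{0,1\}0*\([0-9]*\)".*/\1 \2/p
  ' | awk 'NR==1 { print $1, ($2 == "" ? 0 : $2) }'
}

# Return 0 (true) when the banner is at least family $2 update $3.
#   version_at_least 'java version "1.7.0_07"' 7 7   -> true
#   version_at_least 'java version "1.7.0_06"' 7 7   -> false
version_at_least() {  # banner min_family min_update
  set -- "$(parse_java_version "$1")" "$2" "$3"
  [ -n "$1" ] || return 1          # unparseable banner counts as not OK
  fam=${1%% *}
  upd=${1#* }
  [ "$fam" -gt "$2" ] && return 0
  [ "$fam" -eq "$2" ] && [ "$upd" -ge "$3" ]
}

# Walk the given roots for owner-executable files named java and report each
# one's version against the threshold.  Bundled JVMs usually sit under a
# product's own tree (e.g. <product>/jre/bin/java), which is why the scan
# takes arbitrary roots instead of trusting what is on $PATH.
#   usage: scan_jvms <min_family> <min_update> <root>...
#   e.g.   scan_jvms 7 7 /usr /opt "$HOME"     (example threshold)
scan_jvms() {
  min_fam=$1
  min_upd=$2
  shift 2
  find "$@" -type f -name java -perm -100 2>/dev/null |
  while IFS= read -r bin; do
    banner=$("$bin" -version 2>&1 | head -n 1)
    if version_at_least "$banner" "$min_fam" "$min_upd"; then
      status=ok
    else
      status=OUTDATED
    fi
    printf '%-9s %s  (%s)\n' "$status" "$bin" "$banner"
  done
}

# Run a scan only when invoked with arguments, so the file can also be sourced.
if [ "$#" -ge 3 ]; then
  scan_jvms "$@"
fi
```

Anything reported as OUTDATED (or with an unparseable banner) is a JVM the vendor's own updater is not going to fix for you; it has to be updated or removed through whatever product shipped it. The same inventory is worth doing on Windows for `java.exe` under the program directories, but this script is written for Unix-like hosts only.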