Java Exploit Patched? Not So Fast

Posted by timothy
from the few-beans-short dept.
PCM2 writes "The Register reports that Security Explorations' Adam Gowdiak says there is still an exploitable vulnerability in the Java SE 7 Update 7 that Oracle shipped as an emergency patch yesterday. 'As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.'"

  • Not surprising (Score:5, Interesting)

    by cbhacking (979169) on Friday August 31, 2012 @07:15PM (#41195609)

    They've patched 6 of the 19 [security-e...ations.com] vulns that were reported back in April. Three were patched a couple months back as part of their usual 4-month patch cycle. As far as I know, those were never used in the wild. Three more were patched just recently, in response to rampant in-the-wild use and inclusion in exploit kits, etc.

    Of course, that leaves 13 still unpatched, and while apparently quite a few of them are defense-in-depth (insufficient, on their own, for full compromise), when you've got that many unpatched vulns it is totally unsurprising that somebody can chain a few of them together into a working exploit.

  • Re:WORE (Score:5, Interesting)

    by cbhacking (979169) on Friday August 31, 2012 @09:28PM (#41196481)

    Normally I'd agree with you, but the exact same thing is true of JavaScript and yet very, very few people are calling for a universal end to that. Now, a handful of people (relative to the global computer userbase) use NoScript, but even among NoScript users most realize that it's either too complex or too difficult for most people to use correctly all the time.

    As it happens, I do block plug-ins (especially Flash and Java) by default, permitting them only on a case-by-case basis, except where I can remove them entirely. However, even to my (highly technical; he's been coding since he was in high school) father, that's too much of a hassle. He expects (rightly, if not wisely) that software vendors will keep their software as secure as possible, and respond quickly to any threats. That's the standard to which I'm holding Oracle here, and they're failing to meet it.

  • by someones (2687911) on Saturday September 01, 2012 @08:58AM (#41198961)

    I switched to OpenJDK a while back.
    In its early days it was buggy and crashed all the time, but that time seems a long-forgotten past.

    Is there a reason to favor Oracle's Java over OpenJDK?

  • Re:about:addons (Score:3, Interesting)

    by BlackThorne_DK (688564) on Saturday September 01, 2012 @10:14AM (#41199241)

    Oh well, welcome to my world. In Denmark, not only does the bank require Java. The _state_ requires you to use the same braindead java-infested login (NemID), not only on all banks, but also on every publicly accessible site (Pensions, Healthcare, Unemployment benefits, Student benefits...).
    No matter what I do, and which bank I choose, I need to use NemID, and Java.

    I just disabled Java on my work machine. Now I need to make a virtual machine or something, if I actually want to pay my bills. :-(
