
Oracle Knew of Latest Java 0-Day Security Hole In August

Posted by timothy
from the when-the-living-is-easy dept.
An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."


  • by Billly Gates (198444) on Saturday January 12, 2013 @12:22AM (#42565135) Journal

    Silverlight is at least used for Netflix and is much more secure and updated by MS.

    Java is insanely popular with old IE in the enterprise market. Banks which support Chrome and Firefox for us with consumer banking sometimes only support IE 6 - 8 with Java 5 (no, I did not mistype that) for corporate customers, where security exploits are used in Java so accountants can put OLE Excel spreadsheets inside their browser for the bank to see.

    Apparently these banks have not discovered JavaScript yet, or tools to read Excel docs and reformat them internally. I guess many corps still use Excel 2003 with binary data in their .xls files, unlike .xlsx, which makes reading and parsing harder.

    Anyway, this is who heavily still uses it.

  • by mark_osmd (812581) on Saturday January 12, 2013 @12:29AM (#42565165)
    I was reading that the vulnerability is not in general standalone Java but only in the Java plugin in your browser, that is, you can secure from the issue by disabling the Java plugin in your web browsers but it's not that big of a risk to a standalone Java app. Is that true?
  • by Billly Gates (198444) on Saturday January 12, 2013 @12:32AM (#42565177) Journal

    You can set up IE to use Java internally on intranets only.

    Instructions are here [microsoft.com] and are a must in 2013 for any IT support professional! They can still have their NetMeetings and be secure at the same time. IE has security zones under preferences: one for Internet, another for intranet if you fiddle in the options. Under Internet disable Java scripting (note this is not JavaScript). Under intranet enable Java scripting.

    Instructions for enabling Java for intranet security zones only in group policies are here [grouppolicy.biz].

    After that all your users are safe and they can still run their shit ERP apps and NetMeetings. At least this is a temporary solution until they upgrade their software, as I agree. Internet-wise there is no reason to run it except for a few banks.
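
    The zone-based setup described in the comment above, as an added example that is not part of the original thread or of the linked Microsoft/grouppolicy.biz instructions. It writes the per-user IE zone settings directly instead of going through the Internet Options dialog or Group Policy. The registry layout it relies on is an assumption drawn from general IE documentation rather than from this page: under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones`, subkey `1` is Local intranet and `3` is Internet, and the DWORD `1C00` ("Java permissions") takes `0` for Disable Java and `0x10000` for High safety. Verify those values against the linked instructions for your IE version before rolling this out; Group Policy is the right tool for more than a handful of machines.

```powershell
# Added example (not from the thread): allow the IE Java plugin only in the
# Local intranet zone and turn it off for the Internet zone, then read both back.
# Assumed registry layout (general IE documentation, not from this page):
#   ...\Internet Settings\Zones\1  = Local intranet
#   ...\Internet Settings\Zones\3  = Internet
#   DWORD 1C00 = "Java permissions": 0x0 Disable Java, 0x10000 High safety,
#                0x20000 Medium safety, 0x30000 Low safety
$ZonesRoot        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$JavaPermissions  = '1C00'
$JavaDisabled     = 0x00000
$JavaHighSafety   = 0x10000
$IntranetZone     = 1
$InternetZone     = 3

function Set-ZoneJavaPermission {
    param([int]$Zone, [int]$Value)
    $key = Join-Path $ZonesRoot $Zone
    # -Force overwrites an existing value; the key exists on any box with IE installed.
    New-ItemProperty -Path $key -Name $JavaPermissions -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-ZoneJavaPermission {
    param([int]$Zone)
    $key = Join-Path $ZonesRoot $Zone
    (Get-ItemProperty -Path $key -Name $JavaPermissions -ErrorAction Stop).$JavaPermissions
}

function Test-JavaRestrictedToIntranet {
    # Returns $true only when Internet is fully disabled and intranet is High safety.
    (Get-ZoneJavaPermission -Zone $InternetZone) -eq $JavaDisabled -and
    (Get-ZoneJavaPermission -Zone $IntranetZone) -eq $JavaHighSafety
}

# Apply: Java off on the Internet, allowed (High safety) on the intranet.
Set-ZoneJavaPermission -Zone $InternetZone -Value $JavaDisabled
Set-ZoneJavaPermission -Zone $IntranetZone -Value $JavaHighSafety

# Verify, printing the raw DWORDs so a reviewer can compare with the Internet Options UI.
foreach ($z in $IntranetZone, $InternetZone) {
    'Zone {0}: Java permissions = 0x{1:X}' -f $z, (Get-ZoneJavaPermission -Zone $z)
}
'Java restricted to intranet: {0}' -f (Test-JavaRestrictedToIntranet)
```

    The check function is the part worth keeping around: run it from a login script or a compliance scan so a user who re-enables Java through the dialog shows up, rather than trusting that the setting stuck.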

  • by Anonymous Coward on Saturday January 12, 2013 @12:37AM (#42565203)

    I was reading that the vulnerability is not in general standalone Java but only in the Java plugin in your browser, that is, you can secure from the issue by disabling the Java plugin in your web browsers but it's not that big of a risk to a standalone Java app. Is that true?

    Yep. Instructions are here [microsoft.com] to disable it. Or enable it for corporate folks in a separate secure zone. IE 6 - 9 may be retarded in HTML rendering, but it knows when it is on the net vs. a LAN and loads different security settings.

    If you are just a home user, go under add-ons in Firefox and IE and disable Sun/Oracle and Java. DONE. You are secure at this point. The security exploit is not Java per se but the browser, as it executes by default unsigned with no authentication nor permission! A HUGE security risk. But without access to run it can't do anything.

  • by BradleyUffner (103496) on Saturday January 12, 2013 @01:22AM (#42565379) Homepage

    There's quite a few Android devices running Java. And developers need Java on their PCs to write apps for them.

    Android is NOT running Java. Its applications are written in the Java language, but are not compiled to Java byte-code.

  • by QuietLagoon (813062) on Saturday January 12, 2013 @01:23AM (#42565381)

    While I see you could think they don't understand security, it's far more likely they just don't like Java and wish to kill it.

    That's my second choice. :)

    However, I cannot shake the feeling that Oracle is just not able to respond quickly to security exploits, that a security vulnerability is something they wish would just "go away" instead of Oracle resolving the root cause of said vulnerability.

    In summary, I think Oracle is clueless about security at the client level.

  • by Anonymous Coward on Saturday January 12, 2013 @01:49AM (#42565477)

    The problem is that security costs usability.

    Completely disable the ability of Java to read/write files on the local filesystem and it'd be a lot more secure for example, but then it'd be more useful as well.
    "" direct access to graphics hardware, "" - well pretty much everything. And once you crack the door open a little it's really hard to find and close all the corner cases that open up.

  • by Dolda2000 (759023) on Saturday January 12, 2013 @01:59AM (#42565527) Homepage

    It's mostly a matter of incompetence in the implementation, indeed. The Java vulnerabilities I have followed have always included calling some obscure part of the Java class library which is implemented using native code (mostly for optimization reasons) that happened to be buggy in some way.

    It should be said in this case, however, that the new Java 7 dynamic language support infrastructure, which is one of the things Oracle added since they took Java over. Many of the things Oracle has done to Java lately (and especially as additions in Java 7) have struck me as poorly designed features that just allowed Oracle to check off some feature lists to make Java appear as "feature-complete" as dotnet.

  • by Mathematiker (2759663) on Saturday January 12, 2013 @07:24AM (#42566379)

    An appropriate solution would be to use something like NoScript, which automatically blocks all Java applets (Flash and JavaScript as well), and makes it easy to maintain a whitelist of websites that are allowed to run Java applets/JavaScript/Flash/etc.

  • by buddyglass (925859) on Saturday January 12, 2013 @11:02AM (#42567291)
    Oracle was notified of the vulnerability and attempted to fix it. Their fix was inadequate. So they're just incompetent instead of willfully dismissive of security concerns.
