Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities
msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809; the former was discovered last week being exploited in the wild for Java 6 Update 41 through Java 7 Update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."
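One way to triage a fleet inventory of `java -version` output against the affected range the story states (6u41 through 7u15). This is an added example, not code from the story or from Oracle; the version regex and the result labels are my own, and it only classifies against the range the story names.

```python
import re

# Affected range as stated in the story: Java 6 Update 41 through Java 7 Update 15.
# Represented as (major, update) tuples so they compare lexicographically.
AFFECTED_MIN = (6, 41)
AFFECTED_MAX = (7, 15)

# Matches the legacy "1.<major>.0_<update>" form printed by 'java -version'
# in 2013, e.g. java version "1.7.0_15". The update suffix is optional.
_VERSION_RE = re.compile(r'1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, update) from a 'java -version' style string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def in_exploited_range(version):
    """True if the version falls inside the range the story reports as exploited."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(text):
    """Classify one host's 'java -version' output for patch triage."""
    v = parse_java_version(text)
    if v is None:
        return "unknown"
    if in_exploited_range(v):
        return "vulnerable"
    if v > AFFECTED_MAX:
        return "newer-than-range"
    # Older than 6u41: outside the reported range, but not asserted safe here.
    return "older-than-range"


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    samples = {
        "host-a": 'java version "1.7.0_15"',
        "host-b": 'java version "1.6.0_39"',
        "host-c": "no java installed",
    }
    for host, line in samples.items():
        print(host, assess(line))
```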
Re:Only one program I miss (Score:5, Informative)
Most of the Java vulnerabilities are in the browser plugin. You can always install Java and just disable the browser plugin.
Warning: Oracle installs ask.com toolbar (Score:5, Informative)
Re:even worse than the vulns (Score:5, Informative)
And proclivity for trying to install the Ask.com toolbar.
Currently that is my biggest beef with Java -- after the fact that it seems to be glaringly insecure, and I can't figure out if they broke it, or it was always broken. :-P
Re:Only one program I miss (Score:5, Informative)
Just install the 64-bit Java JRE only. There are no browser plugins in the 64-bit JRE, only the 32-bit JRE, so none of the vulnerabilities released in the past 3 or 4 years will affect you.
As a bonus, since there are no browser addons in the 64-bit JRE, you won't ever see that annoying Ask toolbar garbage from them again.
Re:Last Java 6 public update (Score:4, Informative)
Ever dealt with "enterprise" vendors? With that attitude I bet you haven't.
It's Upload, Not Download (Score:4, Informative)
When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; they already had it, and weren't trying to get it from the victims' computers.
Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.
Re:OpenJDK .. (Score:4, Informative)
So yes, probably.
The security flaw isn't necessarily in the browser plugin per se. Rather it's in the class libraries that are 'sandboxed' when running in a security manager.
Were one to substitute, say, the IcedTea browser plugin, one would still be accessing the same underlying libraries and security manager implementations. I.e., following each security patch to Java, a Red Hat employee is quick to roll out a new IcedTea release with those patches.
How do I disable Java in my browser (Score:3, Informative)
http://www.java.com/en/download/help/disable_browser.xml