msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809, the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."

An anonymous reader writes "Here we go again. A new Java 0-day vulnerability is being exploited in the wild. If you use Java, you can either uninstall/disable the plugin to protect your computer or set your security settings to 'High' and attempt to avoid executing malicious applets. This latest flaw was first discovered by security firm FireEye, which says it has already been used 'to attack multiple customers.' The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed, the latest versions of Oracle's plugin."

sl4shd0rk writes "In 2012, Oracle took Google to court over the use of Java in Android. Judge William Alsup brought the ruling that the structure of APIs could not be copyrighted at all. Emerging from the proceedings, it was learned that Alsup himself had some programming background and wasn't bedazzled by Oracle's thin arguments on the range-checking function. The ruling came, programmers rejoiced and Oracle vowed Appeal. It seems that time is coming now, nearly a year later, as Microsoft, BSA, EMC, Netapp, et al. get behind Oracle to overturn Alsup's ruling citing 'destabilization' of the 'entire software industry.'"

snydeq writes "Apple was recently attacked by hackers who infected the Macintosh computers of some employees, the company said on Tuesday in an unprecedented disclosure that described the widest known cyber attacks against Apple-made computers to date, Reuters reports. 'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday. ... A person briefed on the investigation into the attacks said that hundreds of companies, including defense contractors, had been infected with the same malicious software, or malware. The attacks mark the highest-profile cyber attacks to date on businesses running Mac computers.'"

Trailrunner7 writes "Laptops belonging to several Facebook employees were compromised recently and infected with malware that the company said was installed through the use of a Java zero-day exploit that bypassed the software's sandbox. Facebook claims that no user data was affected by the attack and says that it has been working with law enforcement to investigate the attack, which also affected other unnamed companies. Facebook officials did not identify the specific kind of malware that the attackers installed on the compromised laptops, but said that the employee's machines were infected when they visited a mobile developer Web site that was hosting the Java exploit. When the employees visited the site, the exploit attacked a zero-day vulnerability in Java that was able to bypass the software's sandbox and enable the attackers to install malware. The company said it reported the vulnerability to Oracle, which then patched the Java bug on Feb. 1."

hypnosec writes "Oracle is going to open source JavaFX ports for Android and iOS soon as a part of its efforts to open source the framework. JavaFX, destined to replace Swing GUI library as the default method to develop graphical user interfaces, is a framework used to develop cross-platform rich Internet applications. The ports for iOS and Android are based on an 'unreleased version of JavaSE Embedded for iOS/Android.' Oracle's Richard Bair revealed that the 'first bits and pieces' for JavaFX for iOS should probably be out sometime next week. The rest of the release will be scheduled along with the release of Prism (the next-generation toolkit). Oracle is going to keep javafx-font proprietary, but Bair has said developers are already working toward an open source native replacement of the component through the OpenJFX list."

First time accepted submitter jsmyth writes "MySQL 5.6.10 has been released, marking the General Availability of version 5.6 for production." Here's more on the features of 5.6. Of possible interest to MySQL users, too, is this look at how MySQL spinoff MariaDB (from Monty, one of the three creators of MySQL) is making inroads into the MySQL market, including (as we've mentioned before) as default database system in some Linux distributions.

An anonymous reader writes in with news of the continuing saga of Java patches and exploits. "If you're a Mac user who suddenly can't access websites or run applications that rely on Java, you're not alone. For the second time in a month, Apple has silently blocked the latest version of Java 7 from running on OS X 10.6 Snow Leopard or higher via its XProtect anti-malware tool. Apple hasn't issued any official statements advising users of the change or its reasons, but it's a safe bet that the company has deemed Oracle's most recent update to Java insecure. That's why the company stealthily disabled Java on Macs back on Jan. 10, the same day a Java vulnerability was being exploited in the wild."

theodp writes "Earlier this week, hackers gained access to Twitter's internal systems and stole information, compromising 250,000 Twitter accounts before the breach was stopped. Reporting the incident on the company's official blog, Twitter's manager of network security did not specify the method by which hackers penetrated its system, but mentioned vulnerabilities related to Java in Safari and Firefox, and echoed Homeland Security's advisory that users disable Java in their browsers. Sure, blame everything on Larry Ellison. Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."

darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."

An anonymous reader writes in with news that IBM's Jeopardy winning supercomputer is going back to school"A modified version of the powerful IBM Watson computer system, able to understand natural spoken language and answer complex questions, will be provided to Rensselaer Polytechnic Institute in New York, making it the first university to receive such a system. IBM announced Wednesday that the Watson system is intended to enable upstate New York-based RPI to find new uses for Watson and deepen the systems' cognitive computing capabilities - for example by broadening the volume, types, and sources of data Watson can draw upon to answer questions."

crankyspice writes "Having recently picked up the Erector set I've wanted since I was a kid, I quickly found myself wanting to plunge deeper into makerspace by adding more sophisticated electronics to moving devices (rovers, maybe eventually flying bots). My first instinct was Arduino (maybe because of brand recognition?), but that got me thinking — what's the 'best' platform out there (most flexible)? Arduino with its myriad options (Nano, Mega, Uno, Mini)? PICAXE? BASIC Stamp? Raspberry Pi? (The latter seems like it would easily be the most flexible, but at greater cost in terms of weight and complexity.) I'm a hobbyist programmer, having learned C and C++ in college and recently re-learning Java (took and passed the Oracle Certified Professional exam, FWIW)..."

Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."

theodp writes "There's a funny thing about the estimated $1.7 trillion that American companies say they have indefinitely invested overseas,' reports the WSJ's Kate Linebaugh (reg. or the old Google trick). 'A lot of it is actually sitting right here at home.' And if tech companies like Google and Microsoft want to keep more than three-quarters of the cash owned by their foreign subsidiaries at U.S. banks, held in U.S. dollars or parked in U.S. government and corporate securities, Linebaugh explains, this money is still overseas in the eyes of the IRS and isn't taxed as long as it doesn't flow back to the U.S. parent company. Helping corporations avoid the need to tap their foreign-held cash are low interest rates at home, which have allowed U.S. companies to borrow cheaply. Oracle, for instance, raised $5 billion last year, paying an interest rate roughly two-thirds of a percentage point above the low post-crash Treasury yield, about 2.5% at the time (by contrast, grad students and parents pay 6.8%-7.9% for Federal student loans). Were the funds it manages to keep in the hands of its foreign subsidiaries brought home and subjected to U.S. income tax, Oracle estimated it could owe Uncle Sam about $6.3 billion."

An anonymous reader writes "Red Hat developers are planning to replace MySQL with MariaDB in Fedora 19. For the next Fedora update, the MariaDB fork would replace MySQL and the official MySQL package would be discontinued after some time. The reasoning for this move is the uncertainty about Oracle's support of MySQL as an open-source project and moves to make the database more closed." Update: 01/22 13:47 GMT by T : Note: "Nixing" may be a bit strong; this move has been proposed, but is not yet officially decided.

msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."

tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."

An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."

An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."

An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."