First time accepted submitter JavaBear writes "Oracle have just released the u7 release of their Java 7. From the article: 'In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem. In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet."
    Just this morning Slashdot was calling Oracle the scum of the earth for not caring about security, yet they actually fixed it.
    Which is fair, given that they hadn't really said much about it until this point. It's possible this is actually Oracle policy; it's possible the press made them change or break policy. Everyone had understood their policy to be 'no out-of-cycle patch' and waiting until Oct 26; that's why a bunch of people came up with a hack patch for it, and that's why the press was all over this.

    Some of this might just be Oracle not being used to dealing with end users; maybe they really do out-of-cycle patches for serious exploits etc. and they just did a shitty job of conveying that. It's also possible Larry got exploited while looking at porn and beat up a minion to make him fix it.

    If your company didn't need Java to interact with internal or client/vendor/etc websites, you probably shouldn't have it installed in the first place.
    Firewalls and antivirus scanners are nice, but reducing the attack surface is better.

    2 things:

    As a sysadmin, you need to have a means to both silently install and remove software. The fact that you state you spent half your week testing an emergency uninstall package of Java for multiple platforms indicates you did not have an upgrade path in place. Upgrading Java requires removing the old version *unless* you need to keep an older version for compatibility reasons, *in which case* you simply cannot uninstall Java and say to your management 'Too late' :-) . So Oracle is not the only one messing stuff up in your company's infrastructure, apparently :-) (nothing personal, just business).

    Secondly: if you can just say to your management *after* the patch got out: 'Too late' and get away with it, why oh why were you loading Java on your systems in the first place? This just does not make any sense. Why did you open your company to lines of attack, putting it at risk of disrupting its normal operation? No blame on your side? Wow.

    I feel a strong anti-Java sentiment in your story. It is just software, and software has bugs. Did you feel and do the same when visiting sites with IE provoked the same problems? Or Flash? Or ..., or ... (just fill in the blanks with software listed in ).

    So just curious: when management decides they need to run software xyz and this stuff requires the Oracle JRE, what are you going to tell them? Up yours? :-)

    Get real, grow up and accept that people and businesses make mistakes (yes, you too) and are entitled to correct them, even if it takes a little longer than we all would like.
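The two comments above (reduce the attack surface by not having Java installed where it isn't needed, and have a silent install/remove path ready before an emergency) translate into a small inventory-and-removal job. The script below is an added example and is not code from the thread or from Oracle: it reads the Windows Uninstall registry keys, lists Oracle/Sun Java entries, and, only when run with `-Remove`, uninstalls the MSI-based ones with `msiexec` except for versions on a compatibility allowlist. The registry paths and `msiexec` switches are standard Windows; the display-name/publisher match and the allowlist parameter are assumptions made for this example.

```powershell
# Added example, not from the original thread or from Oracle.
# Inventory installed Oracle/Sun Java runtimes and JDKs from the Uninstall
# registry keys; report by default, remove silently only with -Remove.
param(
    # Versions that must stay for a known internal/vendor app (assumed values
    # supplied by the admin, e.g. '7.0.70'). Everything else is a candidate.
    [string[]]$KeepVersions = @(),
    [switch]$Remove
)

# Both native and WOW6432Node hives, so 32-bit JREs on 64-bit Windows are seen.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$javaEntries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Assumed matching rule: Oracle/Sun publisher and a display name that
        # starts with "Java" (covers "Java 7 Update 7", "Java(TM) 6 Update 33",
        # "Java SE Development Kit ..."). Adjust if your inventory differs.
        if ($p.Publisher -match 'Oracle|Sun Microsystems' -and $p.DisplayName -match '^Java') {
            [pscustomobject]@{
                Name        = $p.DisplayName
                Version     = $p.DisplayVersion
                ProductCode = $_.PSChildName     # GUID for MSI-installed packages
                Uninstall   = $p.UninstallString
            }
        }
    }
}

if (-not $javaEntries) {
    Write-Output "No Oracle/Sun Java entries found in the Uninstall keys."
    return
}

foreach ($j in $javaEntries) {
    if ($KeepVersions -contains $j.Version) {
        Write-Output "KEEP          $($j.Name) ($($j.Version)) - on compatibility allowlist"
        continue
    }
    if (-not $Remove) {
        Write-Output "WOULD REMOVE  $($j.Name) ($($j.Version)) product code $($j.ProductCode)"
        continue
    }
    # Only MSI product codes get the silent msiexec path:
    #   /x = uninstall, /qn = no UI, /norestart = defer reboot so this can run
    #   inside a deployment job; /L*v keeps a verbose log for the ticket.
    if ($j.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
        $log  = Join-Path $env:TEMP ("java-uninstall-" + $j.ProductCode.Trim('{}') + ".log")
        $args = "/x $($j.ProductCode) /qn /norestart /L*v `"$log`""
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
        # 0 = success, 3010 = success but reboot required; anything else is a failure.
        $status = if ($proc.ExitCode -in 0, 3010) { 'REMOVED' } else { 'FAILED' }
        Write-Output "$status       $($j.Name) ($($j.Version)) msiexec exit $($proc.ExitCode), log $log"
    } else {
        Write-Output "SKIP          $($j.Name): not an MSI product code, uninstall string is: $($j.Uninstall)"
    }
}
```

Run it once without `-Remove` from an elevated prompt to see what a deployment job would do, then with `-Remove -KeepVersions '7.0.70'` (or whatever version an internal application genuinely pins) to take out the rest. The same report, run regularly across the fleet, is the evidence for the "did we need Java on this box at all?" question the earlier comment raises.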

    Wouldn't it be great if Microsoft bundled a Bing search toolbar with every .NET update..
    Well. No.
    For the same reason: DieAskToolbarDie.

"We don't care. We don't have to. We're the Phone Company."