Oracle Knew of Latest Java 0-Day Security Hole In August 265
An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."
Re:Time to just remove Java (and Silverlight)? (Score:4, Informative)
Silverlight is at least used for NetFlex and is much more secure and updated by MS.
Java is insanely popular with old IE in the enterprise market. Banks which support Chrome and Firefox for us with consumer banking sometimes only support IE 6 - 8 with Java 5 (no I did not mistype that) for corporate customers where security exploits are used in java so accountants can put ole excel spreadsheets inside their browser for the bank to see.
Apparently these banks have not discovered javascript yet and tools to read excel docs and reformat them internally. I guess many corps still use excel 2003 with binary data in their .xls files unlike .xlsx which make reading and parsing harder.
Anyway, this is who heavily still uses it.
Comment removed (Score:5, Informative)
Re:How to run java on the intranet safely (Score:4, Informative)
You can setup IE to use java internally on intranets only.
Instructions are here [microsoft.com] and is a must in 2013 for any IT support professional! They can still have their netmeetings and be secure at the same time. IE has security zones under preferences. One for Internet, another for intranet if you fiddle in the options. Under Internet disable java scripting, note this is not javascript. Under intranet enable java scripting.
Instructions for enabling java for intranet security zones only in group policies are here [grouppolicy.biz].
After that all your users are safe and they can still run their shit ERP apps and Netmeetings. At least this is a temporary solution until they upgrade their software as I agree. Internet wise there is no reason to run it except for a few banks.
Re:The hole is only relevant to the Java plugin? (Score:4, Informative)
I was reading that the vulnerability is not in general standalone Java but only in the Java plugin in your browser, that is, you can secure from the issue by disabling the Java plugin in your web browsers but it's not that big of a risk to a standalone Java app. Is that true?
Yep. Instructions are here [microsoft.com] to disable it. Or enable it for corporate folks in a seperate secure zone. IE 6 - 9 maybe retarded in HTML rendering, but knows when it is on the net vs a lan and loads different security settings.
If you are just a home user go under addons in Firefox and IE and disable sun/oracle and java. DONE. You are secure at this point. The security exploit is not java per say but the browser as it executes by default unsigned with no authentication nor permission! A HUGE security risk. BUt without access to run it can't do anything.
Re:Time to just remove Java (and Silverlight)? (Score:4, Informative)
There's quiet a few Android devices running Java. And developers need Java on their PCs to write apps for them
Android is NOT running java. It's applications are written in the java language, but are not compiled to java byte-code.
Re:Wrong. They want to kill java. (Score:2, Informative)
While i see you could think they dont understand security its far more likely they just dont like java and wish to kill it.
That's my second choice. :)
.
However, I cannot shake the feeling that Oracle is just not able to respond quickly to security exploits, that a security vulnerability is something they wish would just "go away" instead of Oracle resolving the root cause of said vulnerability.
In summary, I think Oracle is clueless about security at the client level..
Re:What happened to Java? (Score:2, Informative)
The problem is that security cost usability.
Completely disable the ability of Java to read/write files on the local filesystem and it'd be a lot more secure for example, but then it'd be more useful as well.
"" direct access to graphics hardware, "" - well pretty much everything. And once you crack the door open a little it's really hard to find and close all the corner cases that open up.
Re:What happened to Java? (Score:5, Informative)
It's mostly a matter of incompetence in the implementation, indeed. The Java vulnerabilities I have followed have always included calling some obscure part of the Java class library which is implemented using native code (mostly for optimization reasons) that happened to be buggy in some way.
It should be said in this case, however, that the new Java 7 dynamic language support infrastructure, which is one of the things Oracle added since they took Java over. Many of the things Oracle has done to Java lately (and especially as additions in Java 7) have struck me as poorly designed features that just allowed Oracle to check of some feature-lists to make Java appear as "feature-complete" as dotnet.
Re:Be careful what you wish for. (Score:4, Informative)
An appropriate solution would be to use something like noscript, which automatically blocks all java applets (flash and javascript as well), and makes it easy to maintain a whitelist of websites that are allowed to run java applets/javascript/flash/etc.
horribly misleading title (Score:4, Informative)