
Java Installer Flaw Shows Why You Should Clear Your Downloads Folder (csoonline.com) 64

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.
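
Added example (not part of the Slashdot post or Oracle's advisory): a Python check for the cleanup the summary describes. It flags Java installers older than 6u113, 7u97 or 8u73 in a folder, plus any loose DLLs beside them, since an executable started from that folder can pick up a DLL planted there. The filename pattern is an assumption based on Oracle's usual `jre-8u71-windows-x64.exe` style naming.

```python
import re
from pathlib import Path

# First fixed update per Java family, taken from the advisory summary above.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumption: Oracle's usual Windows installer naming, e.g. jre-8u71-windows-x64.exe
# or jdk-7u80-windows-i586.exe. Renamed installers will not match.
INSTALLER_RE = re.compile(r"^(?:jre|jdk)-(\d+)u(\d+)-windows.*\.exe$", re.IGNORECASE)


def classify_installer(name):
    """Return 'stale', 'fixed', 'unlisted', or None if not a recognised installer."""
    m = INSTALLER_RE.match(name)
    if not m:
        return None
    family, update = int(m.group(1)), int(m.group(2))
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "unlisted"  # family not covered by the versions quoted above
    return "stale" if update < fixed else "fixed"


def audit_downloads(folder):
    """List stale Java installers and loose DLLs in one folder (non-recursive)."""
    stale, dlls = [], []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() == ".dll":
            dlls.append(entry.name)
        elif classify_installer(entry.name) == "stale":
            stale.append(entry.name)
    return {"stale_installers": stale, "loose_dlls": dlls}


if __name__ == "__main__":
    downloads = Path.home() / "Downloads"
    if downloads.is_dir():
        report = audit_downloads(downloads)
        for name in report["stale_installers"]:
            print("delete and re-download:", name)
        for name in report["loose_dlls"]:
            print("DLL sitting next to installers, review:", name)
```
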
  • Duplicate (Score:4, Informative)

    by Nicopa ( 87617 ) <nico@lichtmaier.gmail@com> on Monday February 08, 2016 @07:44PM (#51466367)

    Just hours ago: http://it.slashdot.org/story/1... [slashdot.org]

  • by NotInHere ( 3654617 ) on Monday February 08, 2016 @08:09PM (#51466487)

    nuget, apt-get, pacman, whatever. The package manager's installer code was written _once_. No need for reinventing the wheel for every damn installer in the world. No need for fixing the same bugs all over again. Just something that works, and offers updates out of the box without having to spam the user with update notices.

    • Be careful what you wish for. The windows store is a reality and... well it feels like reinventing the wheel one more time could be a good idea there.
      • by Threni ( 635302 )

        Windows has a store? I'll have to fire up my windows vm and take a look. If I can find it; it's been a while. I'm sure I have a windows vm somewhere. You know, for when I really need to use windows for something.

        • Not only do you have to find your VM, you also have to update it to windows 10. And then, you'll have to do your best not to remove this scrap before checking it out.
    • Doesn't really address the problem here.

      In this case the installer is affected by DLL side loading, but it's not like installers are the only time this happens. Most of the examples in the previous link are in running installed executables, like Chrome.

      You're correct about package managers in that they've long had useful package signing, but then once things are installed there's a handful of people on earth that can properly maintain a SELinux configuration (accepting the vendor default doesn't count).

  • Enough already! (Score:5, Informative)

    by b1ng0 ( 7449 ) on Monday February 08, 2016 @08:17PM (#51466519)

    Get rid of this paid itwbennett shill! Two articles in one day all going to the same website. Look at his post history. Every post goes to one of two sites! If this is what whiplash meant by improving Slashdot, there is no hope left for this site.

  • What I learned from this post is that Oracle still does Java security patches for Java 6. I thought that it was End Of Life three years ago!

    • Sure if you buy an expensive RDMS you don't need they will fix their own products

    • You can't download the 6u113 update unless you have a support contract with Oracle. Without one the latest version you can get in Java 6 is 6u45, from 2013, when it officially went end of life.
  • You had me... (Score:5, Insightful)

    by mortonda ( 5175 ) on Monday February 08, 2016 @10:14PM (#51466871)

    at "delete all the Java installers".

  • Hello,

    Not sure if it is still the case (it's been years since I've installed Java) but didn't the runtime installer display a message saying something like three billion devices run Java? I wonder if the reason for not uninstalling old version was to help inflate that count.

    Regards,

    Aryeh Goretsky

  • Why should I go rooting around deleting things when they know what should be deleted in the first place?

    Seriously.

  • The latest JRE updater elevates permissions before it even needs to, so the first inkling you have that something is taking place is the UAC prompt. Only after denying it did I find out that it was from the Java updater... the prompt only said "Java". I don't know about y'all, but my first impulse upon getting a mystery UAC prompt from Java is not to grant permission to rape my PC

  • java-1.8.0-openjdk-1.8.0.71-1.b15.fc23.x86_64 installed fine by dnf/yum, who cares about Oracle?
  • Java Installer Flaw Shows Why You Should Not Install Java

    FTFY.

  • Wait, people let their Downloads directory fill up with stuff? Mine is cleaned at least weekly. I treat it like the os treats /tmp
