Disable Java NOW, users told, as 0-day exploit hits web

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available. The vulnerability is present in the Java Runtime Environment (JRE) version …

COMMENTS

  1. asdf
    wow

    First rule of desktop security is to remove Adobe Flash, Reader and all Java runtimes. As long as those malware portals are on your system if you ever connect to the internet you might as well assume your box is pwned.

    1. andreas koch
      @asdf - Re: wow

      True.

      Unfortunately, you will also lose half the web removing those.

      1. asdf

        Re: @asdf - wow

Well if you use Chrome you get flash sandboxed which is a decent compromise assuming you don't mind Google collecting data. Damned if you do somewhat. As for Java as mentioned virtually no non-corporate desktop will notice it's gone. Java has largely been a fail on the consumer desktop.

        1. eulampios
          apparmor

          Can't you just enable the firefox apparmor profile? Yes for this you need to be running GNU/Linux with AppArmor installed.

        2. Anonymous Coward
          assuming you don't mind Google collecting data.....

Then use Iron instead of Chrome. Can't believe technical people use Chrome over Iron.

      2. Anonymous Coward
        Re: @asdf - wow

        That's not really true any more. You lose a little bit from Flash, but not as much as you'd think. You can use an alternative PDF reader, too. Just keep it up to date (Secunia PSI is useful for some folks in this respect).

        As for Java, since being exposed to twelve year-old minecraft bores on my Mumble server, I have never felt an urge to play it, and thus never missed Java on my desktop machines.

    2. Alan Denman

      Re: wow

2nd rule is to then buy an Apple tablet.

      Take away all of the stuff that does anything outside of the walled garden and you are in the same territory..

      1. Blitterbug
Re: 2nd rule is to then buy an Apple tablet.

        Marvellous trollage, Alan!

    3. Anonymous Coward
      Re: wow

It would be lovely to remove Java, but unfortunately, I'd have to quit my job as a lot of the hardware (and websites) I use require it.

      So nice in theory, useless in practice.

      1. Anonymous Coward
        Re: wow

        Yes, I seem to have it installed to run Navisphere and various other management tools provided by hardware suppliers.

        1. This post has been deleted by its author

      2. asdf
        Re: wow

Thus why I said on consumer desktops/laptops. The corporate world is the main place it found its niche. It's not a bad language necessarily (although managed code in general is a joke imho) but the Snoracle VM implementation has always been sh_t. Java's biggest problem has always been its steward.

    4. yossarianuk
      Re: wow

      You forgot -> remove windows

      1. Blitterbug
        Re: You forgot -> remove windows

        hehe... hehe... hehe... pfft.

        Twat.

    5. JDX Gold badge

      Re: wow

      Not going on the internet is also a wise move. I suggest asdf takes this precaution immediately.

      1. asdf
        Re: wow

        Sounds like another parochial java programmer hoping to make it to retirement before Larry ruins the ecosystem.

    6. Anonymous Coward
      Re: wow

      Very soon, no person in Denmark will be able to interact with a financial institution or the government via the internet without the use of Java. It is already more or less 100% true, but there are a few holes left.

      Here in this little duck pond, JAVA is the ONLY GAME IN TOWN.

      I think we are not the only ones on the planet having this shoved down our throats.

    7. theloon
      Re: wow

      yeah that will make for an interesting experience online....

    8. Shannon Jacobs
      Let's be realistic, eh?

      Or was that just a troll post? People want to do the things that are enabled by your so-called "malware portals".

      I think the first rule of security ought to be that companies have some liability for their security failures. Not so bad as to bankrupt them, but at least a significant fraction coming from somewhere near the top. Since I really doubt that most companies could afford to pay for the damage their security incompetence causes, I think the best compromise would probably be to take a fraction of their after-tax profits to be distributed to their victims, where the fraction would go up or down mostly in response to the trends. In other words, delivering more secure software should have an impact on the bottom line.

      Just to use the most extreme example of the most extreme abuse, I have to point at Microsoft. They have led the way in disavowing ANY financial liability for the SEVERE consequences of their LOW priority on security. Yes, they have improved in recent years, but other companies like Oracle have picked up the torch for security LAST. My own belief is that if Microsoft had paid for all the damage caused by flaws in their software, they would have gone bankrupt long ago, but their lawyers shucked all those costs on the victims.

      Of course the punchline is that most of the victims never even got to choose Microsoft because Microsoft had deliberately destroyed the alternatives and because Microsoft was mostly selling to the computer makers, not the end users. You just use Microsoft because it was already there on your computer--and ditto the bugs and the suffering.

  2. This post has been deleted by its author

  3. Paul Shirley

    WTF? Java stopped being malware?

    It's disturbing that however hard I try to disable Java updates or Java browser plugins they just keep coming back like zombies. Java behaves like malware before malware tries to use it as a malware vector ;(

    1. Oliver Mayes

      Re: WTF? Java stopped being malware?

      Indeed, I distinctly remember disabling JRE in Firefox a few months back when it caused some issues. Just checked and it's been re-enabled, wonder when that happened.

    2. Blitterbug
      Re: they just keep coming back like zombies

      Dude, don't disable it - uninstall it! It only takes, what, two minutes to re-install once the panic is over. tbh I'd not bother re-installing, but that's just me.

    3. leexgx

      Re: WTF? Java stopped being malware?

I use nothing Java (maybe pingtest.net but that's only for the packet loss part, do not really need pingtest.net to tell me my Virgin Media connection is dropping packets), I just uninstalled it myself.

For Chrome users: if you have Click to play ticked, plugins will not load unless you click on them to start them (Java, Flash, PDF files or anything that is not native to Chrome).

  4. HMB

    You can at least make a case for Adobe Flash on a computer, but Java? Only the most annoying websites want you to have Java installed.

    1. Anonymous Coward
      Depends on your definition of annoying

      I have yet to see an online collaboration and conferencing tool which does not use java.

      Microsoft netmeeting, WebEx, etc all are 100% java based.

      On the positive side these are corporate gimmicks and can be whitelisted leaving the rest of the web javaless.

      1. Anonymous Coward
        Re: Depends on your definition of annoying

        Wasn't NetMeeting last used in Windows 95...? You could enable it in XP, but even all those years ago it was deprecated and hidden...

        1. Giles Jones Gold badge

          Re: Depends on your definition of annoying

          I think it's called Live Meeting now. If you go to any Microsoft presentation on the web about new stuff you tend to use it. Plenty of businesses use it too for video conferencing.

          1. Anonymous Coward
            Live Meeting and Java

            There's a "native" Live Meeting client, and a "web-access" client. The native client isn't java based, but you need a) Windows, and b) rights to install an application. The web-access client is java based and works for Mac and Linux clients.

    2. HMB

      Wow

      I really wasn't expecting to upset anyone! You guys are sensitive!

      I haven't installed Java for the web for over 7 years.

      I grant you that in a corporate environment it may well be required and an asset for maybe one or two apps, but in a domestic setting or a business environment where there is an alternative support method I just haven't seen a useful Java app for web. Clunky old IRC clients and Rich Text Editors don't count.

      1. Chris Keeble

        Re: Wow

        Anyone using web based applications such as Jira with screenshot paste capabilities etc. relies on the JRE for those features to work.

        (just to share a real, current example)

    3. Anonymous Coward
      "Most Annoying" - Like the Tax Office?!

NemID - Common login for @everything in Denmark is based on Java, obfuscated Java hidden in Gif-files & other Haxor-security techniques are used too. ... All of your eggs R belong to Our Basket!

    4. JDX Gold badge

      Only the most annoying websites want you to have Java installed.

      And about a zillion web-based games.

    5. Ilgaz

      Real life

      These days, if you have Java, you have it because you absolutely need it.

      1. Matt Bryant Silver badge
        Re: Real life

        Hmmm. I just turned off Javascript on this browser and suddenly El Reg looks a bit different....

        1. Anonymous Coward
          Re: Real life

          Java != Javascript. 1/10, must try harder.

    6. Anonymous Coward
      I agree

      There is no place for Java on my PC and I also really hope that it will just go away one day as a development runtime for desktop OSs. I don't mind it running on mobile devices, but the way it behaves on desktop PCs is just annoying. That's not to mention that it's very slow, and that original idea of providing a truly cross platform solution didn't quite work out. Unfortunately too many universities still have programming classes that teach Java as introductory courses. Does anyone actually develop applets these days? Come on people, it is time to switch to either Flash or Silverlight. You can already take advantage of the microphone and web camera on Google Chrome using just HTML5. We need to keep supporting innovative promising technologies, not a 20 year old workaround.

      1. Ilgaz

        Re: I agree

        Can you point me to the latest silverlight for Linux and Android? Official one, same features and support as win one.

        1. Anonymous Coward
          Re: I agree

I don't think Android can run Java Applets either. Linux? I haven't had a chance to run Silverlight on that OS, but I bet you can still use Flash for pretty much anything applets are capable of. In my recent experience, development of plugin applications is only needed if I have to access hardware (i.e. webcam), which is soon going to be unnecessary with extensive HTML5 support. HTML5 and JavaScript backed by, say, Node.js, are more powerful than you probably think.

  5. Ron 10

    Unfortunately many things require java runtime. Many things. I certainly hope Oracle will see their way clear to temporarily ignore their policy at being against the world, and release a patch asap. You just can't hold the keys to something like java and take a few months to patch an existing exploit.

    1. James 132
      Unfortunately - as I guess you know - they can, and they do.

    2. Anonymous Coward
      Such as?

      What high profile websites require Java to be enabled? When I last reinstalled my laptop I forgot to install Java and it was over a month before I noticed. I have never noticed Java's absence on my iPhone. Never. Not once.

      Flash is going away too. While there are still plenty of videos that require flash on the web, sites that require it for navigation are becoming quite rare, and the videos are less numerous than they used to be. Now that Android can't run flash in the future, that abomination should quickly disappear from the web entirely, at least from any sites that ever hope to attract any mobile users at all.

      It's a good thing cross platform stuff like Java and flash are going away, too, because anything that potentially provides a single attack that works against pretty much everything out there is a disaster waiting to happen. Java code has run in a sandbox since version 1.0, and it still isn't safe even now, so it's quite obvious it never will be. Good riddance.

      Maybe someone will try again in the future, running the cross platform managed code in a VM, since they obviously can't be trusted to program a secure sandbox.

      1. Anonymous Coward
        What high profile websites require Java to be enabled?

All the ones required to do my job. Not high profile, but critical.

      2. Anonymous Coward
        Re: Such as?

        Flash may be going away, but, it is still extensively used, and not just for video or navigation. I've no idea what html5 is capable of, but, can it do what car manufacturers use Flash for? Go to most major manufacturers sites and Flash is there, and is very useful. Choose your model, paint colour, interior trim, wheels, and see a picture of your chosen car, in a 360 degree rotational model.

I have no idea what those sites look like to those poor unfortunate souls who bought inferior devices incapable of running Flash, but, some of them look pretty damn good in all their Flash goodness.

        1. Anonymous Coward
          Re: in all their Flash goodness?

          If I want an all-round view of my new car I turn up at the local motor auction a bit early.

          1. Anonymous Coward
            Re: in all their Flash goodness?

            "If I want an all-round view of my new car I turn up at the local motor auction a bit early."

            Do you find their address using the paper copy of the yellow pages and a road atlas?

            Well, if you don't like using technology...

        2. NightFox

          Re: Such as?

          @AC 08:21

          The Land Rover website used to have a Flash car configurator like you describe, but just the other week they replaced it with a non-Flash version. Same end user experience, but now also works on non-Flash devices. So it shouldn't be an issue for any car manufacturer

      3. Alan_Peery

        Re: "It's a good thing cross platform stuff ..."

        "It's a good thing cross platform stuff like Java and flash are going away, too, because anything that potentially provides a single attack that works against pretty much everything"

How will the picture be better when cross-platform HTML 5 and HTML 5 Video are the standard?

        1. Anonymous Coward
          "how will the picture be better when cross-platform HTML 5 and HTML 5 video are standard"

          The problem with Java and flash is that there is one single company with one single codebase that covers every implementation. If there is a security hole, it affects everyone.

          HTML5 does not suffer from that issue, there are separate codebases for IE, Firefox, Safari and Chrome. An HTML5 bug in Firefox will not affect Chrome. An HTML5 bug in IE will not affect Safari. OK, Chrome also uses Webkit, so depending on what the bug is it might affect both Safari and Chrome, but at least that's not everyone.

          This is important because if there is a bug announced tomorrow that affects every version of Java (rather than fortunately affecting only 1.7.x like this 0-day exploit) and you MUST run Java as some people here have reported they must, you are effectively screwed. If you MUST run HTML5 and there's a nasty 0-day in Firefox, you have the option to safely use IE or Chrome until Firefox is updated.

        2. stuff and nonesense

          Re: "It's a good thing cross platform stuff ..."

          Not true, cross platform is a good idea BUT the machine specific environments, within which the cross platform software runs, need to be secure.

          Developing once for many environments is a huge benefit for developers.

          Sun need to make Java environments safe.

          1. Anonymous Coward
            "Sun need to make Java environments safe"

            THEY CANNOT! Java has been around for how many years, and we still see these types of attacks! It will NEVER be secure, unless they use virtualization technology so that the isolation is enforced by hardware rather than software.

      4. This post has been deleted by its author

      5. Anonymous Coward
        Re: Such as?

        Well, every damn one of the financial apps at the outfit where I'm working requires it. And it's a damn big shop. Takes months to get things changed. In fact, you might say it practically takes an Act of Congress to do so.

      6. MistoRoboto

        Re: Such as?

        That's not entirely accurate. Android will still run Flash, but for it to run Adobe has to certify the hardware it is running on. If Adobe hasn't certified that specific hardware it will just cancel the installation.

  6. Anonymous Coward
    I rolled back to version 1.6 until there's a fix. I got to have my Pogo.com. NoScript for Firefox is handy to have too.

    1. Oliver Mayes

      I'm pretty sure you can still run NoScript with the JRE plugin disabled.

      1. Michael Wojcik Silver badge

        NoScript

        I'm pretty sure you can still run NoScript with the JRE plugin disabled.

        I suspect the OP's point was that NoScript will block applets from non-whitelisted sites unless you tell it to allow them, so you can restrict the JRE plugin to sites you trust. That mitigates the risk of Java-in-the-browser, though it certainly doesn't eliminate it.

        Personally, I find Java useful in some domains (I use it for much of my Natural Language Processing research, for example), but I rarely want to run it in the browser. So NoScript's whitelisting is a good solution for me.

  7. This post has been deleted by a moderator

  8. Dave 62
    another one?

    Java always has and always will be vulnerable. I have no use for it at home but WebEX etc. at work necessitate it, I use FF for normal browsing, sans-Java and use the exploder only for apps I know are clean.. and in this context, 'apps' is actually pretty much correct as Java apps have always been 'apps' right? Not like this trendy "every program is an app"

    I'd put money on the IT department at work doing sweet fa about this.

    Pint because the weekend can't come too soon.

    1. Anonymous Coward
      Re: another one?

      "Pint because the weekend can't come too soon."

      A sad comment for a Tuesday morning. : (((

    2. Anonymous Coward
      Re: another one?

      "I'd put money on the IT department at work doing sweet fa about this."

      The circuit of fail:

      The main reason an IT department is needed is because there is an IT department - i.e.: 80% of the problems are internally created; the rest are produced by Larry Ellison, CISCO or God (in that order) over which we have no influence, time & circumstance will cure those.

  9. Kobus Botes
    IcedTea?

    Would IcedTea also be vulnerable?

    1. Anonymous Coward
      Re: IcedTea?

      If it's based on OpenJDK - which I'm pretty sure it is, then no. It appears to be a regression specific to Oracle's distribution of 1.7

  10. Peter Johnstone
    Not so easy

    Not so easy to disable java if you're a java developer!

    1. scrubber
      Re: Not so easy

      Don't know - our offshore team seem to get by coding java using only notepad...

      1. despairing citizen
        Re: Not so easy

        For "off shore development team" read "root access malware portal".

I have yet to see an offshore op that has revised its audit and change control to reflect the additional risk exposures to insider threats.

        1. Anonymous Coward
          Re: Not so easy

Who cares? The thing what bringeth the bonus is the cost reduction from "off shoring" ... for the savvy IT manager with an eye on the Game, not the Ball, a decent attack is an opportunity to secure additional resources and headcount, the raw material for another round of cost-cutting and personal pay increase ;-)

    2. MrXavia
      Re: Not so easy

      Disable Java plugins in the browser! and then only run your apps locally... Sorted...

  11. Fuzz

    roll back

    As long as you don't need 1.7 you can roll back to the latest version of 1.6

    1.6 is still supported and receiving security patches on the same 4 month schedule.

  12. Rubber chicken

    Have not run Java @ home for years now

    Not found a single instance when it's been needed for home apps. Work another story unfortunately.

Unfortunately flash is still required for most "educational" websites.

  13. John Smith 19 Gold badge
    Cross platform IE *non* Windows specific is exactly the spirit of the Web.

But it looks like Java is one of those languages that is not "too simple to have a bug in" but "too complex to find a bug simply".

    <sigh>

  14. Cox & Ball

    All very well harping on about "disable Java!!!11" but it's heavily used on corp desktops where web app access is secured via smart card. In those situations you can't simply disable it or your whole business falls over.

  15. Pascal Monett Silver badge

    Once again, thank you NoScript

    Frankly, I'm beginning to think that Firefox and noScript should become mandatory by law.

    If that ever did happen though, then this almost-perfect shield would become the hard target for all the miscreants and issues would be found.

    So let the rabble continue with IE and zero protection. I'll just glide by, blissfully oblivious to the carnage until an article like this wakes me up to the fact that there are still people who don't know how to surf securely.

    <disclaimer>this post concerns private use of Internet only - I am very well aware that professionals have a different set of problems, mainly that of not being able to choose their work platform</disclaimer>

    1. Anonymous Coward
      Re: Once again, thank you NoScript

You may want to look at a recent article that shows Firefox more vulnerable to certain attacks (Tesco article) than IE.

      add that to the fact it's dog slow to launch...

Me, I use most of them: IE9, FF, Opera, Iron.

      Yet to find one that works 100% of the time, so I use the best for the job.

      1. Piro Silver badge

        Re: Once again, thank you NoScript

        Dog slow to launch? Doesn't everyone + dog have an SSD these days?

    2. Wize

      Re: Once again, thank you NoScript

      Don't you hate the time between someone sitting acting smug thinking they are bullet proof and the time when malware comes out that bypasses their impenetrable security like a hot knife through butter.

    3. RICHTO
      Re: Once again, thank you NoScript

      Erm, but Firefox has had more recent security vulnerabilities than current versions of IE....

    4. JDX Gold badge

      Frankly, I'm beginning to think that Firefox and noScript should become mandatory by law.

Why don't you just use Lynx?

      1. Pascal Monett Silver badge

        I'm not "sitting smug"

        I am aware of threats and I know perfectly well that no platform, anywhere, anytime, is immune against problems.

        I also have a brain and use it every time I click on a link.

        That said, since I have started using Firefox with AdBlock and NoScript all those years ago, I have not once been infected by anything. That is fact, not smug, and if you don't like it I don't care.

        I will continue to use Firefox/NoScript whilst keeping up-to-date about its issues and keeping it up-to-date as well because I trust it and it has never failed my trust yet.

        But that does not mean I will click blindly on any link that I see or get sent to my mail.

        The day IE has NoScript, I might take it for a whirl outside the very small list of URLs I let it see at this time, but until then, my general surfing will be done on Firefox, because it works.

        If using a tool because it works is being smug, then so be it, I'm smug.

        My PC is virus-free too.

        1. Pascal Monett Silver badge

          Then again

          Having re-read my initial post, I have to admit that it does sound a bit smug.

          So be it, guilty as charged.

          But still virus-free.

          1. Anonymous Coward
            Re: Then again

            Good God, he just can't stop, can he?

        2. Anonymous Coward
          Re: I'm not "sitting smug"

          Maybe you should reread your original post. If you can't see the smug in there your ego has blinded you. For that matter, reread your response as well.

  16. Robert Carnegie Silver badge

    Don't visit compromised web sites

    And hope that your favourite web site isn't attacked and compromised, such as through the adverts.

    The linked article mentions news from elsewhere ("VulnDisco") of a zero-day exploit as of 10-Aug-2012, and not sure if it's a different one. The one that they're talking about affects Java 7 (or 1.7) up to and including the latest Update 6, but does not affect Java 6 (or 1.6).

    http://en.wikipedia.org/wiki/Java_version_history says that a Java 6 Update 34 was released on 14-Aug-2012 and that might beat the possible second exploit, too - although this release may have been available to hackers before the general public, too.

    Really the need is to extend your exposed surface only where it is safe AND necessary to do so. That is - only accept plugin content from a limited set of web sites that you want to use. But I only know the Opera web browser's mechanism for doing that, site by site, and you can't just tell everyone to use Opera. Well... you could...

    1. Anonymous Coward
      Re: Don't visit compromised web sites

      Adverts? Websites have those?

  17. yossarianuk

Is OpenJDK also affected?

Is anyone aware if this is a flaw in Sun/Oracle Java or is the OpenJDK 1.7 also affected?

    1. Anonymous Coward
Re: Is OpenJDK also affected?

      According to the Ars article on this, they were only able to demonstrate this vulnerability on Linux by removing OpenJDK and replacing it with Oracle's official 1.7 distro (i.e. a pretty rare config on Linux these days)... so OpenJDK and 1.6 are ok.

      1. Androgynous Cupboard Silver badge

Re: Is OpenJDK also affected?

Not sure about that - we run Oracle's JDK on Linux because the OpenJDK has its own issues, and because most of our clients are running Oracle's or IBM's.

        For example, this one is OpenJDK specific and fatal for certain workflows. http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1013

  18. yossarianuk

    Many Switches require Java also

    A lot of switches in our DC use java to interface with them.

    Also every KVM I have used (keyboard,mouse,video devices - not the amazing Linux virtualisation) also need java...

  19. David Schmidt

    Procrastination pays!

    I haven't updated any java runtime to 1.7... I haven't needed anything new since 1.5 save for patches. Hard work pays off eventually. Procrastination pays off immediately!

  20. vic 4
    Could be some reluctance

Seems like the latest Java update for 1.7 on Windows also wants to uninstall any 1.6 installation installed. I'm guessing this was some bright spark's idea at Oracle to try and get the 1.7 migration going. This is going to really discourage people when a fix is released.

  21. Anonymous Coward
    Problem for 3-D Secure?

    Don't the Verified-by-Visa and Mastercard SecureCode use Java, as do some online banking sites?

    As such, doesn't this create rather a large problem for them?

    1. Def Silver badge
      Re: Problem for 3-D Secure?

      Yep, pretty much all online banking in Norway uses a Java based system as its preferred client ID verification.

      That's the *only* reason I have Java installed anywhere at home. (I'm still on 1.6 too because the Java update system has never worked on Windows 7 - it seems to think I need to change the settings of my non-existent proxy server.)

    2. Anonymous Coward
      Re: Problem for 3-D Secure?

      Fucking hope so! I so hate that bloody crap!

    3. richardcox13

      Re: Problem for 3-D Secure?

      Certainly Verified by Visa does *not* use Java (remember the only link between JavaScript and Java is in their names).

      1. dkjd

        Re: Problem for 3-D Secure?

Norwegian Verified by Visa uses a Java applet and a paper set of one-time codes iirc, so it's nothing to do with JavaScript.

  22. Eguro
    Eeeh

    So this exploit existing, doesn't automatically mean that all Java is suddenly a void of horrid death, right?

I mean - the Java at my bank's webpage isn't all of a sudden a Chinese torture device, right?

Furthermore, so long as plug-ins are only activated when I activate them, then all those ghastly sites I visit on how to bake the perfect sponge-cake won't be able to run evil Java code, right?

    If the answer to all of the above is: "Right!", then I should be fine...

    So is it?

    1. Robert Carnegie Silver badge

      No...?

      Depending on your browser, a plugin is likely to be active on -any- web site that wants to use it - or, if disabled, none.

Opera lets you specify plug-ins, Java, and scripting on or off by site, or, in other browsers, you can disable a plug-in until you need it, probably.

      You also may be able to run your browser as different user names simultaneously, to have access to different user profiles with different session preference settings.

      1. Eguro
        Re: No...?

        Thank you kind sir! (have an upvote)

        I should have of course mentioned my browser - but you figured that out all on your own :)

  23. Tapeador
    Can anyone please advise me ...

    whether Java and Javascript are the same for the purposes of this safety warning?

    And is it really true Flash is just as dangerous and Chrome is the only browser to make it safe by 'sandboxing' it as one of the commenters here wrote?

    Thanks

    1. Test Man
      Re: Can anyone please advise me ...

      No, clearly not. If Javascript was the same as Java, it'd be called Java.

      1. Tapeador
        Thumb Up

        Re: Can anyone please advise me ...

        I am not sure your logic takes account of the fact we truncate many of our words, but I thank you for answering my question.

    2. sleepy

      Re: Can anyone please advise me ...

      Chrome is not the only browser to sandbox Flash/plugins. Safari and Internet Explorer also sandbox. But a sandbox won't necessarily save your system from a vulnerability.

    3. Michael Wojcik Silver badge

      Re: Can anyone please advise me ...

      whether Java and Javascript are the same for the purposes of this safety warning

      They're not the same for any purposes.

      They're both OO languages that adopt much of their syntax from the C family, and they're both usually executed in an intermediate form and JIT-compiled, but the similarities end there.

      Java is a language that originated at Sun and was originally intended for use in embedded applications (which is indeed where most of it is to be found); but Sun implemented an early graphical web browser (HotJava) that included a JRE and popularized the idea of executing downloaded Java applets in the browser. Netscape picked up the idea and eventually all the major browsers included Java runtimes. Java applets lost the popularity contest, though, first to Flash and then to "Javascript".

      "Javascript" is two things. First it was the new name of the browser scripting language Livescript, which was renamed to jump on the Java-in-the-browser bandwagon, thereby sowing much confusion. Now it is the name of Mozilla's implementation of the browser scripting language ECMAscript, which is the current descendant of Livescript. Many people use "Javascript" to refer, incorrectly, to all ECMAscript implementations.

      ECMAscript and Java are substantially different languages, and their implementations share nothing, except where people have implemented an ECMAscript interpreter in Java (sigh) and a JVM in ECMAscript (double sigh).

      This particular vulnerability appears to be the result of a too-clever-by-half change to the Java class loader in Java 7, with insecure use of reflection in the Java runtime classes, which lets an attacker obtain privileged references to private members of restricted classes. Recent discussion on Bugtraq points specifically to parts of the Abstract Windowing Toolkit, and there's some suggestion that this is in effect the reintroduction of a vulnerability originally fixed by Sun back in 2005. That, to my mind, supports the contention made by several respondents here that the Java runtime has grown far too complex.

  24. Test Man
    Go

    Java

    Got a new 64-bit Windows 7 laptop last week. Haven't installed Java on it, and I reckon I probably never will - I can't think of any website or app that I used recently that needed Java.

  25. sleepy

    Funny

    Funny how Steve Jobs / Apple were called evil control freaks for keeping everything but HTML5/Javascript off the iPhone. Two years ago Google took out full page ads to boast its openness in supporting buggy proprietary Flash on Android. "We love Apple, but what we don't love is anybody taking away your freedom . . .".

    And now everyone's quietly doing the same as Apple, practically every mobile browser is built on Apple's Webkit, and HTML5/Javascript is standard and more or less universal. Remember the days of Internet-Explorer-only web sites, and only-works-properly-on-Windows Flash?

    Frankly, thank goodness for Apple (and Google before they switched objectives to world domination).

  26. sleepy

    And by the way

    Java is disabled by default on MacOS and is automatically re-disabled if unused for a period of time.

  27. digismith
    FAIL

    I COULD disable java but then

    99 percent of my job would be undoable

    and the majority of the web would be unusable

    Every e-commerce site uses it

    the Register itself uses it for log in log out

    Just about every site you go to for social networking

    1. Brewster's Angle Grinder Silver badge
      Facepalm

      Re: I COULD disable java but then

      I can absolutely assure you I don't have Java installed on my machine. But I was still able to log in and downvote you.

    2. Terry Cloth
      Boffin

      Don't sweat the Javascript

      You may need to refer to Test Man's comment above. To completely clarify: Pretty much the only things Java and Javascript have in common is that they're a) programming languages which start with b) the same four letters. Maybe half the web wants you to run Javascript, which is not the language in question here. Java is used much less, and unless it's part of your office environment or your bank's site, you can get along quite well without it, thank you.

  28. Anonymous Coward
    Anonymous Coward

    Write once, run anywhere

    Unfortunately that applies to viruses too :)

    1. Vic

      Re: Write once, run anywhere

      > Unfortunately that applies to viruses too

      ITYM "only applies to viruses".

      The Java mantra has turned into "Write Once, Debug Everywhere" :-(

      Vic.

  29. Tikimon
    Meh

    From the sanctity of your little worlds ye proclaim...

    Amazing how many smug comments from those with clearly limited perspective. Just because you don't know about or have to deal with it does not mean it's not a real, valid problem for others. I expected more imagination from Reg readers!

    "I can't see any need for java / I never use java and don't miss it" - you obviously don't have to support a business that is forced to use sites or services that require java. It's not so easy to simply banish a mission-critical process.

    "Java is disabled by default on Apples" - okay, Apples are crippled by default, woo. A car that won't move is inherently safe from accidents, but a pretty poor transport. Saint Jobs didn't banish Flash to protect you, but to make MO' MONEY. Don't confuse his intent.

    On the glum side, anything that reaches popular use is going to become a hack target. Given the complexity of software, everything will probably be somehow hackable. Every massive hacker opening began as a Wonderful Feature. Installing software from a web page, running programs from an e-mail, these and others were signposts to a glowing future of friendly computers. When someone invented doors, his neighbor invented burglary...

    1. Vic

      Re: From the sanctity of your little worlds ye proclaim...

      > you obviously don't have to support a business that is forced to use sites or services that require java

      I do - but there aren't many such businesses. Most sites[1] with Java applets have alternative methods of getting at the data as well, even if they're not quite as slick.

      The biggest Java installations I deal with are servers - and they're invariably hidden behind an Apache reverse proxy, and are unlikely to be downloading stuff from the web in the first place.

      Vic.

      [1] I'm excluding games sites, since farting around with Java games doesn't really come under my definition of "business use".

  30. Bradley Hardleigh-Hadderchance
    Windows

    Just re-enabled Java on a friend's machine

    Apparently the only thing they wanted it for was for an on-line Chess game.

    I warned them. But would they listen? I also had to re-enable NotScripts and Ghostery because they were 'messing up the way the machine is supposed to work'.

    It's all good, because now I get to say "I did tell you so" next time they call me up to fix their computer.

    These are people that point-blank REFUSE TO LEARN HOW TO JUST QUICKLY DISABLE/ENABLE A PLUGIN.

    Sorry for the shouting, nearly got hot under the collar there. ;-)

    I understand how NotScripts cripples half the web, but for deity's sake at least use it on the half you can. Same with Java. In fact. I personally have it turned off ALL THE TIME and only re-enable maybe once a month on my web travels.

    It's funny, coz when I was first learning JAVA, ooh, over 10 years ago now it would have been, people were saying: This thing is going to be a MASSIVE security risk. Same thing with Active-X. Few had the foresight to see the monster that FLASH would become though. I remember playing with the thing when it was called Future-Splash, and telling people this is the future of the web. Did anyone listen? No. They just said: There is nice dear.

    Oh well, I was right about one or two things, but am probably one of the few failed programmers on this site.

    Still, no great loss, apart from the few successful JAVA and whatnot programmers that work for Deutsche Bank and earned £60K a year, most I know are treading water. Still, what is £60K a year anyway.

    Alright it's more than my dole, but you know... That was a couple of years ago now, maybe things have changed.........

    </rant over>

    <new rant begins>

    I'm just waiting by my phone - it is inches away from my leg - no obstructions. I shall answer with: "Yes it is I."

    "Who speaks? Really? Never!"

    My insouciance shall be invisible. Though I bear no great malice, sometimes a quick "I told you so", is worth oh so much more than the £20 I will get for fixing their machine. Bring it on. I shall wait for that sweet-spot moment when the cash hits the claw, then look them in the eye, with an almost undetectable sideways glance - the way a Lion might eye up a Zebra in the Serengeti for example - then, in a James Bond manner, ever so coolly say, TOLD YOU SO, TOLD YOU SO! ARGH ARGH ARGH, TOLD YOU SO!, jumping up and down for good effect and also flapping my arms wildly in the air like a poor earth bound bird that hasn't flown for hundreds of thousands of years, but still tries anyway, just out of pure instinct. Think Emu, think Dodo - no that's not right. Anyway. You get the picture.

    Of course at this point I shall be off for the treatment I so rightly deserve. All because some bastard wrote a JAVA exploit. And some other bastard refused to learn how to use the on/off switch under 'preferences'.

    Still. These are the good days... Wait until things really get out of control....

  31. Bucky 2
    Pint

    Already Disabled?

    I disabled Java in Firefox long ago, since whenever I hit a page with a Java applet, my browser pauses for a good 30-45 seconds, and then typically just crashes entirely.

    I remember trying to report it, and ending up with a lot of finger pointing (bad applet design, bad sandboxing, whatever), but no substantial remedies from my standpoint.

    Luckily, it was never a Thing for me to have it off.

    [Beer, because it helps me have it off]

  32. ~mico
    Trollface

    Java? Vulnerability? Online? But java doesn't work online unless clicked upon.

    Don't people know about NoScript?

  33. nuked
    Trollface

    Wait...

    ...Java is vulnerable?!

    Run for the hills.

  34. Joe Montana
    Pint

    OpenJDK

    Is there a patch for OpenJDK yet? Could you just use that instead?

    1. Not That Andrew

      Re: OpenJDK

      Apparently not affected, so you're ok on Linux. But the Windows version of OpenJDK is outdated and has other security problems.

      1. Anonymous Coward
        Anonymous Coward

        Re: OpenJDK

        I'm no Java expert so did a little digging and I'm not so sure OpenJDK is ok... See statement from Redhat in their bugzilla.

        https://bugzilla.redhat.com/show_bug.cgi?id=852051#c9

        Most people will have that installed on a linux box but then it doesn't appear as an available browser plugin. So in theory all ok from a drive by exploit point of view....

  35. Anonymous Coward
    Anonymous Coward

    >2012

    >still using Java

    ISHYGDDT.

  36. Anonymous Coward
    Anonymous Coward

    Simple solution

    For the most heinous crime of information terrorism by writing of viruses.. DEATH!

    Death by giant hornet enema, and put the execution video on Youtube with a soundtrack of "Toxic" as a deterrent for any idiots who think it is funny to destroy other people's hard work, memories and data.

    AC/DC although as a close second the electric chair would be acceptable punishment.

  37. Ilgaz

    US CERT agreed, disable applets

    I just had this url in my inbox and I don't remember anything written in this tone for a long time from them.

    http://www.kb.cert.org/vuls/id/636312

    Does it mean USA government will feel compelled to disable Java on their terminals too?

    Does any person remotely connected with Oracle know what it means to have such an alert from an institution like that? Not, it seems; nobody has heard of an out-of-band emergency patch yet.

    1. Ilgaz

      No word from oracle yet

      Sorry but I noticed an unbelievable thing. If you check

      http://www.kb.cert.org/vuls/id/MORO-8XKL37

      You will see even US CERT wasn't contacted in time of writing.

      While on it, if you are a Windows user, have broadband and have no mission-critical apps written in Java, the easiest way to disable applets seems to be removing/uninstalling Java altogether. Using registry modification seems absurd to me.

      1. Michael Wojcik Silver badge

        Re: No word from oracle yet

        Sorry but I noticed an unbelievable thing.

        You seem to have a pretty liberal definition of "unbelievable". I didn't have any difficulty believing it.

        If you check

        http://www.kb.cert.org/vuls/id/MORO-8XKL37

        You will see even US CERT wasn't contacted in time of writing.

        Discussed on Bugtraq and Full-Disclosure yesterday. Not all researchers feel obliged to inform CERT.

  38. number-g
    Stop

    Good thing none of my computers are on the internet anymore.

    Really; when I do manage to get online these days, all I hear about takes another week of being online to understand, until I realise that it refers to things that only have any meaning on the internet.

    "AMIRITE?"

    And yes, I am aware of the nature of the site to which I am posting.

    But still.

    Get out while you can. Any industry that can make you suddenly twitch at the womb while you reassess . . .

    forgot what i was saying while i went to check the spelling of assess.

    doesn't matter.

  39. Anonymous Coward
    Anonymous Coward

    "All operating systems, browsers vulnerable"

    All operating systems?

    Including the ones that say they don't need a virus checker because they are bullet proof?

    Yes?

    Good.

  40. Paul Hovnanian Silver badge
    Boffin

    Java plugin disabled ...

    ... on my system's browsers. I've rarely had a complaint from any website.

    JavaScript is up for all but a few bad actors.

    Java (the JRE and JDK, version 1.6) is up on my system. I've got gobs of stand-alone (non-browser) applications to run. But it sounds like this is a vulnerability of Java running under the plugin rather than standalone. Correct me if I'm wrong.

    At any rate, I can live with v1.6 until the patch comes out.

  41. Alan Firminger

    Does this put Bonusprint out of business?

    Bonusprint depend on Java for their upload. Can someone tell me why?

  42. Henry Wertz 1 Gold badge
    Thumb Up

    Other choices...

    First, I must admit, I have not been to much that uses Java. But, I do have java installed. I'm not worried about malware though. Why?

    1) Linux uses an executable bit. It's Windows where you (well, "they") can download an .exe and just run it. Also my copy of Firefox does run under AppArmor so potential malware would be contained.

    2) *I'm not using Oracle's JVM*. Due to Oracle's licensing, Ubuntu dropped Sun/Oracle Java even as an option a while back. I thought I was screwed, because Eclipse says it requires Sun/Oracle Java and is incompatible with OpenJDK. Not so! It may have used to be true, but I've been running Eclipse on OpenJDK (with IcedTea6 browser plugin), and have coded, debugged, and published a signed Android app onto the market. No sweat at all.

    So, if you are using Java, I would try OpenJDK and see if it works. What can I say? At least if people find OpenJDK holes they are not on an every-4-months release schedule! 8-)

  43. Paul Anderson
    Alert

    Does This Exploit Have a Name ?

    Does this exploit have a name? Symantec's reference to Java.Awetook may be it, I'm not sure. Anybody know?

    1. Michael Wojcik Silver badge

      Re: Does This Exploit Have a Name ?

      It probably has many names; there's no central authority for naming exploits, you know.

      Security Explorations, who have been talking about it on Bugtraq and Full-Disclosure, and are one of the groups to discover the issue, have been calling it SE-2012-01.

      See http://www.security-explorations.com/en/SE-2012-01.html.
