"Write Once, Exploit Everywhere..."
LOL!
And that's the reason I read the Reg!
A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April. Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in …
Java 7 is available for the Mac from Oracle, not as a developer preview but as a normal release, since Java 7u4.
It is just not provided by Apple or via Software Update, so unless you had a specific reason to download and install it, you will stay on Java 6. Macs should thus be safe for almost all users.
Java is the gift that just keeps giving.. "Inb4" the humourless and misguided souls who will write long boring screeds about how home users should have java enabled in their browsers, based on a website that they saw ten years ago.
Maybe if I were Danish, it'd still be on my win7 machine, but restricted to certain sites, but otherwise, no thanks.
(People with god-awful corporate intranet things that need it and so forth are another matter, but I assume they make work pony up for the machine and manage it for them- so not their problem).
You can block the java plug-in (and other things) in firefox by using the noscript plugin then enable it on a temporary page-by-page or site-by-site basis if you really have to have java. You can even allow it on whitelisted sites if you feel brave.
Not that it is that important for me ... I just checked my setup and discovered that as well as being blocked my java is at 1.6 anyway. Ho hum.
Oracle has been the major force which made me seriously consider ditching Java. I already replaced MySQL with Postgres on all (2) office servers (internet servers running customer websites obviously can't be migrated "just like that") and I want to have as little to do with Oracle as possible.
And here we are... I recently 'upgraded' to version 7 to get to know it better. Put differently: even though I keep both JDK SE6 and SE7 on my Win7 PC, I recently changed the path so that SE7 would come first, even though the SE6 JDK is favoured on my command line (even on Windows with NetBeans available I like to play on the command line too from time to time, backed up by Metapad).
Although I am using NoScript, I'm seriously considering 'switching' back to SE6 as the primary JDK and ignoring SE7 for quite some time to come.
IMO Oracle, as always, does an excellent job in ruining the whole thing.
In Windows 7 (it's a work machine) I have tried Control Panel > Java > Updates > "automatically check for updates", but it ignores you. Revisiting the Updates tab shows the automatic updates as enabled, again. OK, they don't install, but every time I reconnect the machine, Java is there.
Doesn't this seriously nix the entire concept of a sandbox? I know they're supposed to work, but this lot are the first and foremost, and it's never worked, and never will.
CERT is now pointing to "This issue is addressed in Java 7 Update 7."
http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html
Tra-la...
"Java 7 Update 07 is ready to install. Installing Java 7 Update 07 will uninstall the latest Java 6 from your system."
Strangely, I didn't have a Java 7 installed at all previously. Troglodyte that I am, by installing the update, aren't I regressing more?
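Several posts above turn on which Java line a machine actually has (Java 6 left in place, or Java 7 before the Update 7 fix CERT points to). The following POSIX shell function, an added example and not something from the thread or from Oracle, classifies the first banner line of `java -version` against that fix level. The sample banner strings are constructed for illustration; the `--check` switch and the `java_status` name are this example's own.

```shell
#!/bin/sh
# Classify a `java -version` banner line against the Java 7 Update 7 fix
# discussed in the thread. Prints one of: affected, patched, java6, java5, unknown.
# Sample banner lines used in the tests are constructed, not taken from any machine.

java_status() {
    # $1 is the first line printed by `java -version`, e.g.  java version "1.7.0_06"
    ver=$(printf '%s\n' "$1" | sed -n 's/.*"\([0-9][0-9.]*\)\(_[0-9]*\)\{0,1\}".*/\1\2/p')
    [ -n "$ver" ] || { echo unknown; return 1; }

    # Legacy numbering: 1.<major>.0_<update>; the second dotted field is the major.
    major=$(printf '%s\n' "$ver" | cut -d. -f2)
    # Update number with leading zeros stripped ("_07" -> "7"); no suffix means 0.
    update=$(printf '%s\n' "$ver" | sed -n 's/.*_0*\([0-9]*\)$/\1/p')
    update=${update:-0}

    case "$major" in
        7)
            # CERT: "This issue is addressed in Java 7 Update 7."
            if [ "$update" -ge 7 ]; then echo patched; else echo affected; fi
            ;;
        6|5)
            # Not the Java 7 line the thread concerns; report the line found.
            echo "java$major"
            ;;
        *)
            echo unknown
            return 1
            ;;
    esac
}

# Usage on a live machine:  sh thisfile.sh --check
if [ "${1-}" = "--check" ]; then
    if command -v java >/dev/null 2>&1; then
        java_status "$(java -version 2>&1 | head -n 1)"
    else
        echo "no java on PATH"
    fi
fi
```

The banner is read from stderr, which is where `java -version` writes it, so the `2>&1` is deliberate. Note that this only inspects whatever `java` is first on PATH; a browser plug-in may load a different runtime, which is exactly the situation the Windows updater post above describes.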
Sean Sullivan, a security adviser
who has never heard of reducing the attack surface, applying the principle of least privilege, or other basic concepts in security theory
at F-Secure, commented: "... There being no latest patch against this, the only solution is to totally disable Java."
Yes, there's no middle ground between "patch it" and "disable it entirely". Oh, except perhaps "don't let attackers run it automatically" - say with Firefox and NoScript, as has been mentioned approximately one million times in the forums here, and is no doubt well known to any "security adviser" worth his salt.
Really, why does the Reg feel the need to publish people like this? You couldn't find a comment from someone who was at least minimally competent?
Even if Sullivan were correct, his comment doesn't add anything to the article anyway. People who are capable of understanding updating and disabling Java are capable of figuring out that those are two of the ways the problem might be addressed. The Reg already publishes plenty of Java-bashing. Let's try to keep it to just the mildly interesting stuff, shall we?