Credit where credit is due...
... I suppose. Nice to see them break the schedule.
In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits. "Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible," Eric …
They seem to understand the degree of vulnerability finally.
A US government-backed organisation, CERT, could not get a word from them just 24 hours ago and (I suppose) had to suggest removing Java functionality from desktop browsers. Instructions (thanks to win) were way complex, so a lot of people ended up removing Java for good.
If they are serious, they should hire a real win developer who will code a real installer. Ask any win admin: they are using MSI in the most basic and stupid way possible, ignoring the built-in win scheduler that can even automate security updates (for all users, not just admin) and ignoring patching possibilities.
Apple actually works with such people and does all of the above with their "software update" on win.
> Why would Java 6 count as secure just because it doesn't have a single zero day vulnerability?
Why do people assume that every piece of legacy software you use will work with the latest version?
I'm not the OP but various tools I have to use require Java 6, so like the OP I want to know whether this will remove Java 6 and thus break those legacy tools or leave it intact. I do not believe that Java 6 is more secure, in fact I believe Java 6 is probably more insecure, but since I must use it for a couple of tools, I do.
At the blog, we read:
"Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0. This score assumes that the affected users have administrative privileges, as is typical in Windows XP. Vulnerability CVE-2012-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments..."
Doesn't this mean that the remote exploit would only sometimes be effective?
I need Java for applications, but I don't need it for browsing the web and therefore, for security, disable it in my browsers. However, Oracle has other ideas and enables Java in your browser again (at least with Firefox and Internet Explorer) when you do an update, without asking for permission. When it comes to security, it can be hard to tell the good guys from the bad guys sometimes.
A while back, Mozilla put in some defences against this kind of abuse, at least with ordinary add-ons, but they clearly did not go far enough. We need the ability to remove all add-ons and plug-ins without having to edit the registry etc, and Mozilla should entirely prevent the activation of add-ons and plug-ins without explicit permission.
Usually the Java updates announce themselves, but so far this one hasn't. Sometimes I have triggered it manually by using the plugin updates from my browser (usually Firefox). So far neither of those update paths seems to be working, and I don't trust the Oracle website enough for a more manual approach...
When I run the update check for the plugins, it shows three Java-related plugins. However, there is no option to update any of them. Instead, the only option it is currently offering is to disable them. If I do that, I suspect my computer will be at least partially crippled, even more than it currently is (partly by my security software).
Should I wait for the update to appear? Should I disable? If I disable, will that also disable the update when it does appear?
In conclusion, I always hated Oracle, and now I hate them more and with better reason. If I knew that a website or company was using Oracle products, I would count that as a strong reason to avoid that website or to avoid doing ANY business with that company.
Way to go, Oracle. How's that purchase of Sun working out for you? It's certainly screwing with the rest of us.
Pardon me, how else do you interpret "Java is not the new Cobol"?
Nobody writes new Java applets for websites as JavaScript can do the same now without the obvious disadvantages. And that "Java is not the new Cobol" statement probably held off quite a few new deployments in the server/backend area where Java was considered a replacement for aging Cobol code.
One feature of Enterprise Edition Java web servers is multiple contexts. This is where multiple applications can run on a single server and JVM process but in complete isolation. The advantage of this is greatly increased memory efficiency and simplified management. The disadvantage is increased complexity and the need for a Java Security Manager. From what I've read in the exploit sample code, servers running multiple contexts are vulnerable. Specifically, the big Enterprise Edition servers that big companies pay Oracle support for. A JSP file should be able to execute code outside of its context the same way an applet would. Distributed/cloud computing servers that execute sandboxed tasks from JAR files may be at risk as well.
Actually, we're counting ourselves lucky to have been advanced to Java 6 in the last couple of months. For the whole three years I've been working here, one of the most critical financial apps was dependent on an unsupported version of Java 5. With the Sun site gone, I can no longer find the web link, but I think Sun had stopped supporting the specific version about 6 months before I started work.
Same AC as the previous "sucks to be" AC.
Biting the hand that feeds IT © 1998–2022