Author Topic: Java Update on Tuesday (Read 13162 times)

Tinman57 · « **on:** January 13, 2013, 05:42 PM »

Oracle says Java update coming Tuesday

01.13.2013 6:36 AM

The company says it will release a patch that will fix 86 vulnerabilities in Java 7.

http://www.pcworld.c...-coming-tuesday.html

f0dder · « **Reply #1 on:** January 13, 2013, 06:42 PM »

The company says it will release a patch that will fix 86 vulnerabilities in Java 7.
-Tinman57 (January 13, 2013, 05:42 PM)

...86?

That's gotta be like a whopping 0.1%!

kyrathaba · « **Reply #2 on:** January 13, 2013, 07:22 PM »

That's gotta be like a whopping 0.1%!

paulobrabo · « **Reply #3 on:** January 14, 2013, 02:48 AM »

Java 7 update 11 with security fixes available since yesterday evening:

http://java.com/en/download/manual.jsp

"Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in the version of Java 7 for Web browsers...

"HD Moore, chief security officer with Rapid7... said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.

“The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” Moore said."

http://dawn.com/2013...rts-say-bugs-remain/

Anyone feeling brave

Renegade · « **Reply #4 on:** January 14, 2013, 07:26 AM »

Meh. Updated. No issues so far.

As for having Java on a desktop machine... sigh... Do you really think I'd have it if I didn't REALLY REALLY NEED it?

Java will be with as for a VERY long time. Get used to it.

Oh, what was that language that so many Android programs are written in?

f0dder · « **Reply #5 on:** January 14, 2013, 07:28 AM »

Oh, what was that language that so many Android programs are written in?
-Renegade (January 14, 2013, 07:26 AM)

Well, the language is Java, but the base libraries are different and Dalvik is different from the Java VM... so I'd be more than a little surprised if a Java exploit would work on Android

Renegade · « **Reply #6 on:** January 14, 2013, 07:33 AM »

Oh, what was that language that so many Android programs are written in?
-Renegade (January 14, 2013, 07:26 AM)
Well, the language is Java, but the base libraries are different and Dalvik is different from the Java VM... so I'd be more than a little surprised if a Java exploit would work on Android
-f0dder (January 14, 2013, 07:28 AM)

Good point. I didn't mean to point to vulnerabilities, but only to the longevity of Java.

FWIW - Mobile and desktop OSes are fundamentally different in a number of ways when you look at them from a programming perspective. Mobile OSes limit the ability of the programmer to cause damage or to be malicious. Not that it's impossible, but simply more difficult. If you look at bada for example, you have almost complete, 100% encapsulation, making any vulnerability (if any turned up) trivial to fix with zero impact on the API.

f0dder · « **Reply #7 on:** January 14, 2013, 08:21 AM »

Good point. I didn't mean to point to vulnerabilities, but only to the longevity of Java.
-Renegade (January 14, 2013, 07:33 AM)

Oh yeah, it's not going away anytime soon.

Most people (except all use Danes, and people who play MineCraft) won't really see (or at least won't really need) Java on the desktop - but it's driving quite a lot of web infrastructure, and then there's the whole mobile thing... I predict Android will be with us for a few years to come

Tinman57 · « **Reply #8 on:** January 15, 2013, 07:48 PM »

[ I noticed this when I installed the latest version. Fortunately I read all of the install windows instead of just clicking away to get things installed....]

Why does crapware still exist? Follow the Silicon Valley money trail

Oracle this week released an update for its widely used Java software, fixing a zero-day vulnerability that was being actively exploited to install malware via drive-by downloads.

But before you begin patting Oracle on the back for its quick response, note two things about that update:

•It might not actually fix the underlying security issues.
•Along with the must-install security update, Oracle continues to include crapware.

Yes, adding insult to injury, Oracle is actually making money and cheapening your web browsing experience by automatically installing the Ask toolbar, which in turn tries to change your default search engine and home page.

I have no idea how much money Ask pays and Oracle collects off this seamy, sleazy practice. I can only assume it's enough to justify selling out Java users.

http://www.zdnet.com...ney-trail-7000009830

f0dder · « **Reply #9 on:** January 16, 2013, 02:09 AM »

They've been bundling the Ask toolbar for a while, btw, it's not introduced with the security fix.

But yeah, it's whOracle - #2 on my list of really evil software companies, where crApple still reigns supreme.

mwb1100 · « **Reply #10 on:** January 16, 2013, 02:29 AM »

My understanding is that if you install the Java runtime (JRE) with the optional toolbar, any (or maybe just some) JRE automatic updates will include a pre-checked option to include the toolbar in the update - even if you turned off the toolbar option on the initial install. So you have to remember to deselect that thing each time.

But, if you go to the developer oriented download site:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

and choose the JRE download there, you'll get a version that doesn't package the toolbar at all.

tomos · « **Reply #11 on:** January 16, 2013, 04:07 AM »

thanks for that tip mwb!

My understanding is that if you install the Java runtime (JRE) with the optional toolbar, any (or maybe just some) JRE automatic updates will include a pre-checked option to include the toolbar in the update - even if you turned off the toolbar option on the initial install. So you have to remember to deselect that thing each time.
-mwb1100 (January 16, 2013, 02:29 AM)

-
AFAIK I havent installed the ASK toolbar (but I may have done - and done a quick system restore after). Anyways, just to say the ASK option is always ticked here by default.

Tinman57 · « **Reply #12 on:** January 17, 2013, 07:20 PM »

But, if you go to the developer oriented download site:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
and choose the JRE download there, you'll get a version that doesn't package the toolbar at all.
-mwb1100 (January 16, 2013, 02:29 AM)

I downloaded my offline version directly from Oracle's site at http://www.java.com/.../download/manual.jsp[/url] , why would that be any different from the technetwork page?

That's really strange! WTF?

x16wda · « **Reply #13 on:** January 17, 2013, 07:32 PM »

why would that be any different from the technetwork page?
-Tinman57 (January 17, 2013, 07:20 PM)

Because the more dev-oriented types probably wouldn't want the dratted thing, and it's generally poor practice to tick off your developers?

Of course, Joe User apparently doesn't mind toolbars... (have we had a poll asking the most toolbars you've had to clean off someone's pc?)

Tinman57 · « **Reply #14 on:** January 17, 2013, 07:45 PM »

why would that be any different from the technetwork page?
-Tinman57 (January 17, 2013, 07:20 PM)

Because the more dev-oriented types probably wouldn't want the dratted thing, and it's generally poor practice to tick off your developers?

Of course, Joe User apparently doesn't mind toolbars... (have we had a poll asking the most toolbars you've had to clean off someone's pc?)

-x16wda (January 17, 2013, 07:32 PM)

And then it finally clicked, this is the Developers Kit, which is the one that I, and most ordinary folks don't want or need.

Renegade · « **Reply #15 on:** January 17, 2013, 08:15 PM »

But yeah, it's whOracle - #2 on my list of really evil software companies, where crApple still reigns supreme.
-f0dder (January 16, 2013, 02:09 AM)

WHahahaha!

Very subtle. Almost CRied laughing!

Who is #3?

why would that be any different from the technetwork page?
-Tinman57 (January 17, 2013, 07:20 PM)

Because the more dev-oriented types probably wouldn't want the dratted thing, and it's generally poor practice to tick off your developers?

Of course, Joe User apparently doesn't mind toolbars... (have we had a poll asking the most toolbars you've had to clean off someone's pc?)

-x16wda (January 17, 2013, 07:32 PM)

Excellent observation.

xtabber · « **Reply #16 on:** January 18, 2013, 08:53 AM »

The exploits in question only affect JDK 7, not JDK 6, which is much more secure, to say nothing of more stable. Although Oracle is threatening to stop upgrades for jre6 in the near future, there is no reason that I can see for the vast majority of users to "upgrade" to jre7.

Also, these exploits only affect in-browser user, so there is no reason to dump any software that is written in Java and runs on your local system, rather than in a browser.

mwb1100 · « **Reply #17 on:** January 18, 2013, 09:43 AM »

And then it finally clicked, this is the Developers Kit, which is the one that I, and most ordinary folks don't want or need.
-Tinman57 (January 17, 2013, 07:45 PM)

On the 'developer download' page there are download buttons for various things like the JDK, which is the developer kit, JavaFX (I don't know what this is - examples?), and other things.

You'll want the JRE download, which is just the Java runtime.

f0dder · « **Reply #18 on:** January 18, 2013, 10:28 AM »

WHahahaha! Very subtle. Almost CRied laughing!
Who is #3?
-Renegade (January 17, 2013, 08:15 PM)

At the moment (well, for a pretty long time), Microsoft. The list is based on a mix of evilness, douchebaggery, (wrong) public opinion, and market influence.

The exploits in question only affect JDK 7, not JDK 6, which is much more secure, to say nothing of more stable.
-xtabber (January 18, 2013, 08:53 AM)

Ah yes, there were never any exploits for Java 6?

If you have the Java browser plugin, no matter which version, you shouldn't feel safe. End of story.

Also, these exploits only affect in-browser user, so there is no reason to dump any software that is written in Java and runs on your local system, rather than in a browser.
-xtabber (January 18, 2013, 08:53 AM)

True - no reason to dump Eclipse or Minecraft, you just need to get rid of the browser plugin

. Sure, there's very likely other security holes in the JRE, but if an attacker has reached the level where he's going to compromise non-browser JRE, you've got more serious security issues.

Tinman57 · « **Reply #19 on:** January 18, 2013, 06:52 PM »

And then......

Latest Java Update Broken; Two New Sandbox Bypass Flaws Found
Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

http://threatpost.co...s-flaws-found-011813

TaoPhoenix · « **Reply #20 on:** January 18, 2013, 07:45 PM »

WHahahaha! Very subtle. Almost Cried laughing!
Who is #3?
-Renegade (January 17, 2013, 08:15 PM)
At the moment (well, for a pretty long time), Microsoft. The list is based on a mix of evilness, douchebaggery, ...
-f0dder (January 18, 2013, 10:28 AM)

For a few years there Microsoft managed the most brilliant combination of Evilness and Incompetence, such that you could not quite figure out which was which, which made rational responses INCREDIBLY difficult! It almost calls for one of those Yin-Yang graphics with Evilness on the Yang/Aggressive side and Incompetence on the Yin/Pitiful side.

Anyone wanna help?

Renegade · « **Reply #21 on:** January 26, 2013, 10:16 PM »

Sigh... Java 7 makes me very not happy.

Had to uninstall and go back to Java 6... Checking shortly to see if it solves problems...

rgdot · « **Reply #22 on:** March 18, 2013, 01:22 PM »

Sad and funny at the same time

http://java-0day.com/

Screenshot - 18_03_2013 , 2_20_35 PM.png