Author Topic: Java Update on Tuesday  (Read 11818 times)

Tinman57

Java Update on Tuesday
« on: January 13, 2013, 05:42 PM »
Oracle says Java update coming Tuesday

01.13.2013 6:36 AM

The company says it will release a patch that will fix 86 vulnerabilities in Java 7.

http://www.pcworld.c...-coming-tuesday.html

f0dder

Re: Java Update on Tuesday
« Reply #1 on: January 13, 2013, 06:42 PM »
The company says it will release a patch that will fix 86 vulnerabilities in Java 7.
...86? :'( :'( :'(

That's gotta be like a whopping 0.1%!
- carpe noctem

kyrathaba

Re: Java Update on Tuesday
« Reply #2 on: January 13, 2013, 07:22 PM »
That's gotta be like a whopping 0.1%!

 :P

paulobrabo

Java 7 update 11 with security fixes available since yesterday evening:

http://java.com/en/download/manual.jsp

"Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in the version of Java 7 for Web browsers...

"HD Moore, chief security officer with Rapid7... said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.

“The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” Moore said."

http://dawn.com/2013...rts-say-bugs-remain/

Anyone feeling brave  :-[
English will never be my first language, it doesn't meter how hard I try.
« Last Edit: January 14, 2013, 03:00 AM by paulobrabo, Reason: Added links and snarky quotes »

Renegade

Re: Java Update on Tuesday
« Reply #4 on: January 14, 2013, 07:26 AM »
Meh. Updated. No issues so far.

As for having Java on a desktop machine... sigh... Do you really think I'd have it if I didn't REALLY REALLY NEED it? ;)

Java will be with us for a VERY long time. Get used to it.

Oh, what was that language that so many Android programs are written in? ;)

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

f0dder

Re: Java Update on Tuesday
« Reply #5 on: January 14, 2013, 07:28 AM »
Oh, what was that language that so many Android programs are written in? ;)
Well, the language is Java, but the base libraries are different and Dalvik is different from the Java VM... so I'd be more than a little surprised if a Java exploit would work on Android :)
- carpe noctem

Renegade

Re: Java Update on Tuesday
« Reply #6 on: January 14, 2013, 07:33 AM »
Oh, what was that language that so many Android programs are written in? ;)
Well, the language is Java, but the base libraries are different and Dalvik is different from the Java VM... so I'd be more than a little surprised if a Java exploit would work on Android :)

Good point. I didn't mean to point to vulnerabilities, but only to the longevity of Java.

FWIW - Mobile and desktop OSes are fundamentally different in a number of ways when you look at them from a programming perspective. Mobile OSes limit the ability of the programmer to cause damage or to be malicious. Not that it's impossible, but simply more difficult. If you look at bada for example, you have almost complete, 100% encapsulation, making any vulnerability (if any turned up) trivial to fix with zero impact on the API.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

f0dder

Re: Java Update on Tuesday
« Reply #7 on: January 14, 2013, 08:21 AM »
Good point. I didn't mean to point to vulnerabilities, but only to the longevity of Java.
Oh yeah, it's not going away anytime soon.

Most people (except all us Danes, and people who play MineCraft) won't really see (or at least won't really need) Java on the desktop - but it's driving quite a lot of web infrastructure, and then there's the whole mobile thing... I predict Android will be with us for a few years to come :)
- carpe noctem

Tinman57

Java Installing Crapware
« Reply #8 on: January 15, 2013, 07:48 PM »
[ I noticed this when I installed the latest version.  Fortunately I read all of the install windows instead of just clicking away to get things installed....]

Why does crapware still exist? Follow the Silicon Valley money trail

Oracle this week released an update for its widely used Java software, fixing a zero-day vulnerability that was being actively exploited to install malware via drive-by downloads.

But before you begin patting Oracle on the back for its quick response, note two things about that update:

• It might not actually fix the underlying security issues.
• Along with the must-install security update, Oracle continues to include crapware.

Yes, adding insult to injury, Oracle is actually making money and cheapening your web browsing experience by automatically installing the Ask toolbar, which in turn tries to change your default search engine and home page.

I have no idea how much money Ask pays and Oracle collects off this seamy, sleazy practice. I can only assume it's enough to justify selling out Java users.

http://www.zdnet.com...ney-trail-7000009830

f0dder

Re: Java Update on Tuesday
« Reply #9 on: January 16, 2013, 02:09 AM »
They've been bundling the Ask toolbar for a while, btw, it's not introduced with the security fix.

But yeah, it's whOracle - #2 on my list of really evil software companies, where crApple still reigns supreme.

- carpe noctem

mwb1100

Re: Java Update on Tuesday
« Reply #10 on: January 16, 2013, 02:29 AM »
My understanding is that if you install the Java runtime (JRE) with the optional toolbar, any (or maybe just some) JRE automatic updates will include a pre-checked option to include the toolbar in the update - even if you turned off the toolbar option on the initial install. So you have to remember to deselect that thing each time.

But, if you go to the developer oriented download site:

    http://www.oracle.com/technetwork/java/javase/downloads/index.html

and choose the JRE download there, you'll get a version that doesn't package the toolbar at all.

tomos

Re: Java Update on Tuesday
« Reply #11 on: January 16, 2013, 04:07 AM »
thanks for that tip mwb!

My understanding is that if you install the Java runtime (JRE) with the optional toolbar, any (or maybe just some) JRE automatic updates will include a pre-checked option to include the toolbar in the update - even if you turned off the toolbar option on the initial install. So you have to remember to deselect that thing each time.
AFAIK I haven't installed the ASK toolbar (but I may have done - and done a quick system restore after). Anyways, just to say the ASK option is always ticked here by default.
Tom

Tinman57

Re: Java Update on Tuesday
« Reply #12 on: January 17, 2013, 07:20 PM »
But, if you go to the developer oriented download site:
    http://www.oracle.com/technetwork/java/javase/downloads/index.html
and choose the JRE download there, you'll get a version that doesn't package the toolbar at all.
  I downloaded my offline version directly from Oracle's site at http://www.java.com/.../download/manual.jsp , why would that be any different from the technetwork page?   :tellme:  That's really strange! WTF?

x16wda

Re: Java Update on Tuesday
« Reply #13 on: January 17, 2013, 07:32 PM »
why would that be any different from the technetwork page?

Because the more dev-oriented types probably wouldn't want the dratted thing, and it's generally poor practice to tick off your developers?

Of course, Joe User apparently doesn't mind toolbars... (have we had a poll asking the most toolbars you've had to clean off someone's pc?)
vi vi vi - editor of the beast

Tinman57

Re: Java Update on Tuesday
« Reply #14 on: January 17, 2013, 07:45 PM »
why would that be any different from the technetwork page?

Because the more dev-oriented types probably wouldn't want the dratted thing, and it's generally poor practice to tick off your developers?

Of course, Joe User apparently doesn't mind toolbars... (have we had a poll asking the most toolbars you've had to clean off someone's pc?)

  And then it finally clicked, this is the Developers Kit, which is the one that I, and most ordinary folks don't want or need.   ::)

Renegade

Re: Java Update on Tuesday
« Reply #15 on: January 17, 2013, 08:15 PM »
But yeah, it's whOracle - #2 on my list of really evil software companies, where crApple still reigns supreme.

WHahahaha! ;) Very subtle. Almost CRied laughing! :D

Who is #3?

why would that be any different from the technetwork page?

Because the more dev-oriented types probably wouldn't want the dratted thing, and it's generally poor practice to tick off your developers?

Of course, Joe User apparently doesn't mind toolbars... (have we had a poll asking the most toolbars you've had to clean off someone's pc?)


Excellent observation.  :up:
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

xtabber

Re: Java Update on Tuesday
« Reply #16 on: January 18, 2013, 08:53 AM »
The exploits in question only affect JDK 7, not JDK 6, which is much more secure, to say nothing of more stable.  Although Oracle is threatening to stop upgrades for jre6 in the near future, there is no reason that I can see for the vast majority of users to "upgrade" to jre7.

Also, these exploits only affect in-browser use, so there is no reason to dump any software that is written in Java and runs on your local system, rather than in a browser.

mwb1100

Re: Java Update on Tuesday
« Reply #17 on: January 18, 2013, 09:43 AM »
And then it finally clicked, this is the Developers Kit, which is the one that I, and most ordinary folks don't want or need.

On the 'developer download'  page there are download buttons for various things like the JDK, which is the developer kit, JavaFX (I don't know what this is - examples?), and other things.

You'll want the JRE download, which is just the Java runtime.

f0dder

Re: Java Update on Tuesday
« Reply #18 on: January 18, 2013, 10:28 AM »
WHahahaha! ;) Very subtle. Almost CRied laughing! :D
Who is #3?
At the moment (well, for a pretty long time), Microsoft. The list is based on a mix of evilness, douchebaggery, (wrong) public opinion, and market influence.

The exploits in question only affect JDK 7, not JDK 6, which is much more secure, to say nothing of more stable.
Ah yes, there were never any exploits for Java 6?

If you have the Java browser plugin, no matter which version, you shouldn't feel safe. End of story.

Also, these exploits only affect in-browser use, so there is no reason to dump any software that is written in Java and runs on your local system, rather than in a browser.
True - no reason to dump Eclipse or Minecraft, you just need to get rid of the browser plugin :). Sure, there's very likely other security holes in the JRE, but if an attacker has reached the level where he's going to compromise non-browser JRE, you've got more serious security issues.
- carpe noctem

Tinman57

Latest Java Update Broken.....AGAIN
« Reply #19 on: January 18, 2013, 06:52 PM »
  And then......

Latest Java Update Broken; Two New Sandbox Bypass Flaws Found
Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

http://threatpost.co...s-flaws-found-011813

TaoPhoenix

Re: Java Update on Tuesday
« Reply #20 on: January 18, 2013, 07:45 PM »
WHahahaha! ;) Very subtle. Almost Cried laughing! :D
Who is #3?
At the moment (well, for a pretty long time), Microsoft. The list is based on a mix of evilness, douchebaggery, ...

For a few years there Microsoft managed the most brilliant combination of Evilness and Incompetence, such that you could not quite figure out which was which, which made rational responses INCREDIBLY difficult! It almost calls for one of those Yin-Yang graphics with Evilness on the Yang/Aggressive side and Incompetence on the Yin/Pitiful side.

Anyone wanna help?  8)


Renegade

Re: Java Update on Tuesday
« Reply #21 on: January 26, 2013, 10:16 PM »
Sigh... Java 7 makes me very not happy. :(

Had to uninstall and go back to Java 6... Checking shortly to see if it solves problems... :(
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

rgdot

Re: Java Update on Tuesday
« Reply #22 on: March 18, 2013, 01:22 PM »
Sad and funny at the same time

http://java-0day.com/
