Oh no, yet another Java vulnerability discovered

Martin Brinkmann
Sep 26, 2012
Security

Some time ago I made the decision to ditch Java completely on my system. I had to find a few replacement apps, for instance for the popular file hosting downloader JDownloader or the RSS feed reader RSSOwl, but other than that, I did not really miss Java once I kicked it off the hard drive.

Recent news about Java vulnerabilities has strengthened my belief that this was a good decision after all. Over at Betanews I expressed the belief that most users do not need Java anymore, even though many still have the software installed on their system.

Reports about a new Java vulnerability began to spread on the Internet when the Polish firm Security Explorations disclosed the vulnerability on Seclists.

We've recently discovered yet another security vulnerability affecting all latest versions of Oracle Java SE software. The impact of this issue is critical - we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.

What makes this special is that it affects fully updated Java 5, 6 and 7 installations. The security researchers were able to successfully exploit the vulnerability on a fully patched Windows 7 test system. All recent web browsers, including Firefox, Internet Explorer and Google Chrome, were exploited successfully. The researchers note that all operating systems running Java are affected by the vulnerability, not only Windows.

Oracle has been notified about the vulnerability, but it may take days or even weeks before an update becomes available. If you have Java installed on your system right now, it is recommended that you either uninstall it completely if you do not rely on desktop or web applications that depend on it, disable it for the time being, or at least use other mitigating measures such as NoScript for Firefox or click-to-play to stop plugins from running automatically.

Windows users can consider using a portable version of Java on their system, which does not need to be installed and therefore won't install plugins into web browsers.


Comments

  1. sgr said on September 27, 2012 at 12:54 pm

    Hi everybody,
    could anyone tell me how dangerous all that mess with Java might be for a person who sticks to running his/her machine as a standard/limited user?

    Best Regards

  2. Darren McLaughlin said on September 27, 2012 at 12:24 am

    Java has always been such a weird item to install. It’s always been a bit of a pain. Of course the security leaves a lot to be desired. I guess the time to consider getting rid of it completely is here. Who needs the hassle? Thanks for the informative post.

  3. kalmly said on September 26, 2012 at 3:00 pm

    I have Java disabled on both of my browsers, but didn’t uninstall it because of two installed can’t-do-without apps that are irreplaceable. I don’t use web applications, and I am online less and less. Am I relatively safe?

  4. Yoav said on September 26, 2012 at 2:35 pm

    Ok. Thanks, Martin.

  5. Yoav said on September 26, 2012 at 12:24 pm

    How do I know what applications are using Java on my system, so I can decide if I can get rid of it?

    1. Martin Brinkmann said on September 26, 2012 at 12:46 pm

      I’d remove Java and see if any application fails to start up. I do not think there is a program that lists all the Java dependent programs on your system.

  6. Peter (NL) said on September 26, 2012 at 10:58 am

    Martin, how do you get the above-mentioned Java information ‘graphic’?
    (see the picture in your article)

    I haven’t seen that detailed info on my screen when checking the appropriate Java version.

    1. Martin Brinkmann said on September 26, 2012 at 11:41 am

      I think it was on this page: http://www.java.com/en/download/testjava.jsp

  7. Damirora said on September 26, 2012 at 10:50 am

    I’d like to know what’s the best lightweight replacement for JDownloader. Anything that can auto-download my lists would be acceptable, and especially if I don’t have to enter any silly captcha.
    I’ve been trying different RSS readers, but nothing feels as good as Feed Reader 3, and RSS Owl. What do you currently use Martin?

    1. Martin Brinkmann said on September 26, 2012 at 11:48 am

      I’m using GreatNews, a basic feed reader fully sufficient for what I need it for.

      https://www.ghacks.net/2012/03/28/two-rss-reader-alternatives-for-windows/

      1. anony said on September 26, 2012 at 12:37 pm

        That seems to use the IE shell; try Opera and its really competent feed reader.

  8. Peter said on September 26, 2012 at 10:33 am

    Which app did you find to replace JDownloader and did it include the ability to renew your IP address from within the app? Thanks.

    1. Martin Brinkmann said on September 26, 2012 at 10:47 am

      Peter, I have replaced it with MiPony. I’m not really downloading that much from file hosting sites. I just checked, and it seems not to have that functionality.

      1. Peter said on September 29, 2012 at 9:38 am

        Thanks, Martin, I’ll check that out later.
