Oh no, yet another Java vulnerability discovered

Some time ago I made the decision to ditch Java completely on my system. I had to find a few replacement apps, for instance for the popular file hosting downloader JDownloader or the RSS feed reader RSSOwl, but other than that, I did not really miss Java once I kicked it off the hard drive.

Recent news about Java vulnerabilities has strengthened my belief that this was a good decision after all. Over at Betanews I expressed the belief that most users do not need Java anymore, even though a lot of them have the software installed on their system.

Reports about a new Java vulnerability began to spread on the Internet when the Polish firm Security Explorations disclosed the vulnerability on Seclists.

We've recently discovered yet another security vulnerability affecting all latest versions of Oracle Java SE software. The impact of this issue is critical - we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.

What makes this special is that it affects fully updated Java 5, 6 and 7 installations. The security researchers were able to successfully exploit the vulnerability on a fully patched Windows 7 test system. All recent web browsers, including Firefox, Internet Explorer and Google Chrome, were exploited successfully. The researchers note that all operating systems running Java are affected by the vulnerability, not only Windows.

[Image: test Java version]

Oracle has been notified about the vulnerability, but it may take days or even weeks before an update becomes available. If Java is installed on your system right now, it is recommended to either uninstall it completely if you do not rely on desktop or web applications that depend on Java, disable it for the time being, or at least use other mitigating measures such as NoScript for Firefox or click-to-play to block plugins from running automatically.


Windows users can consider using Java Portable on their system, which does not need to be installed and therefore won't install plugins into web browsers.






Responses to Oh no, yet another Java vulnerability discovered

  1. Peter September 26, 2012 at 10:33 am #

    Which app did you find to replace JDownloader and did it include the ability to renew your IP address from within the app? Thanks.

    • Martin Brinkmann September 26, 2012 at 10:47 am #

      Peter, I have replaced it with MiPony. I'm not really downloading that much from file hosting sites, just checked and it seems not to have that functionality.

      • Peter September 29, 2012 at 9:38 am #

        Thanks, Martin, I'll check that out later.

  2. Damirora September 26, 2012 at 10:50 am #

    I'd like to know what's the best lightweight replacement for JDownloader. Anything that can auto-download my lists would be acceptable, and especially if I don't have to enter any silly captcha.
    I've been trying different RSS readers, but nothing feels as good as Feed Reader 3, and RSS Owl. What do you currently use Martin?

  3. Peter (NL) September 26, 2012 at 10:58 am #

    Martin, how do you get the above-mentioned Java information 'graphic'?
    (see picture in your article)

    I haven't seen that detailed info on my screen when checking the appropriate Java version.

  4. Yoav September 26, 2012 at 12:24 pm #

    How do I know what applications are using Java on my system, so I can decide if I can get rid of it?

    • Martin Brinkmann September 26, 2012 at 12:46 pm #

      I'd remove Java and see if any application fails to start up. I do not think there is a program that lists all the Java dependent programs on your system.
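One way to inventory likely Java-dependent software before removing the runtime, added here as an example that is not from the article or the comments (it assumes a POSIX shell with find and grep; the file types and the regular expression are heuristics, so treat hits as candidates to check rather than a complete list):

```shell
#!/bin/sh
# Added example: list signs of Java-dependent software under a directory tree,
# so you can judge what would break before uninstalling Java.
# Output, one finding per line:
#   jar:<path>      - a Java archive (the application itself is Java code)
#   launcher:<path> - a script/.desktop/.bat/.cmd file whose command runs java or javaw
# The file types and the regex are assumptions; extend them for your system.

find_java_dependents() {
    root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    # Java archives.
    find "$root" -type f \( -name '*.jar' -o -name '*.war' \) -print | sed 's/^/jar:/'
    # Launchers: text files (grep -I skips binaries) that invoke java/javaw as a
    # command word: at line start, or after whitespace, '=', '/' or '\'.
    find "$root" -type f \( -name '*.sh' -o -name '*.desktop' -o -name '*.bat' -o -name '*.cmd' \) -print \
    | while IFS= read -r f; do
        if grep -IqE '(^|[[:space:]=/\\])javaw?(\.exe)?([[:space:]]|$)' "$f"; then
            echo "launcher:$f"
        fi
      done
}

java_version() {
    # Prints the first line of `java -version` (assumption: java is on PATH),
    # or "none" when no runtime is found. Note that java writes this to stderr.
    if command -v java >/dev/null 2>&1; then
        java -version 2>&1 | head -n 1
    else
        echo "none"
    fi
}

# Usage: find_java_dependents /opt ; java_version
```

Run it against the directories where your applications live (for example /opt, /usr/local or your home directory) and check each reported launcher by hand.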

  5. Yoav September 26, 2012 at 2:35 pm #

    Ok. Thanks, Martin.

  6. kalmly September 26, 2012 at 3:00 pm #

    I have Java disabled on both of my browsers, but didn't uninstall it because of two installed can't-do-without apps that are irreplaceable. I don't use web applications, and I am online less and less. Am I relatively safe?

  7. Darren McLaughlin September 27, 2012 at 12:24 am #

    Java has always been such a weird item to install. It's always been a bit of the pain. Of course the security leaves a lot to be desired. I guess the time to consider getting rid of it completely is here. Who needs the hassle? Thanks for the informative post.

  8. sgr September 27, 2012 at 12:54 pm #

    Hi everybody,
    could anyone tell me how dangerous all that mess with JAVA might be for a person who sticks to running his/her machine as a standard/limited user??

    Best Regards
