Oh no, yet another Java vulnerability discovered
Some time ago I made the decision to ditch Java completely on my system. I had to find a few replacement apps, for instance for the popular file hosting downloader JDownloader or the RSS feed reader RSSOwl, but other than that, I did not really miss Java once I kicked it off the hard drive.
Recent news about Java vulnerabilities has strengthened my belief that this was a good decision after all. Over at Betanews I expressed the belief that most users do not need Java anymore, even though a lot have installed the software on their system.
Reports about a new Java vulnerability began to spread on the Internet when the Polish firm Security Explorations disclosed the vulnerability on Seclists.
We've recently discovered yet another security vulnerability affecting all latest versions of Oracle Java SE software. The impact of this issue is critical - we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.
What makes this special is that it affects fully updated Java 5, 6 and 7 installations. The security researchers were able to successfully exploit the vulnerability on a fully patched Windows 7 test system. All recent web browsers, including Firefox, Internet Explorer and Google Chrome, were exploited successfully. The researchers note that all operating systems running Java are affected by the vulnerability, not only Windows.
Oracle has been notified about the vulnerability, but it may take days or even weeks before an update becomes available. If you have Java installed on your system right now, it is recommended to uninstall it completely if you do not rely on desktop or web applications that depend on Java, to disable it for the time being, or at least to use other mitigating factors such as NoScript for Firefox or click to play to block plugins from being run automatically.
Windows users can consider using Java portable on their system, which does not need to be installed and therefore won't install plugins into web browsers.
Hi everybody,
Could anyone tell me how dangerous all that mess with JAVA might be for a person who sticks to running his/her machine as a standard/limited user?
Best Regards
Java has always been such a weird item to install. It’s always been a bit of a pain. Of course the security leaves a lot to be desired. I guess the time to consider getting rid of it completely is here. Who needs the hassle? Thanks for the informative post.
I have Java disabled on both of my browsers, but didn’t uninstall it because of two installed can’t-do-without apps that are irreplaceable. I don’t use web applications, and I am online less and less. Am I relatively safe?
Ok. Thanks, Martin.
How do I know what applications are using Java on my system, so I can decide if I can get rid of it?
I’d remove Java and see if any application fails to start up. I do not think there is a program that lists all the Java dependent programs on your system.
Martin, how do you get the above-mentioned Java information ‘graphic’?
(see picture in your article)
I haven’t seen that detailed info on my screen when checking the appropriate Java version.
I think it was on this page: http://www.java.com/en/download/testjava.jsp
I’d like to know what’s the best lightweight replacement for JDownloader. Anything that can auto-download my lists would be acceptable, and especially if I don’t have to enter any silly captcha.
I’ve been trying different RSS readers, but nothing feels as good as Feed Reader 3, and RSS Owl. What do you currently use Martin?
I’m using GreatNews, a basic feed reader fully sufficient for what I need it for.
https://www.ghacks.net/2012/03/28/two-rss-reader-alternatives-for-windows/
That seems to use the IE shell; try Opera and its really competent feed reader.
Which app did you find to replace JDownloader and did it include the ability to renew your IP address from within the app? Thanks.
Peter, I have replaced it with MiPony. I’m not really downloading that much from file hosting sites, just checked and it seems not to have that functionality.
Thanks, Martin, I’ll check that out later.