0 day Java exploit
Fried Kickin
Forgive me if it's already been mentioned here...
It may be an idea to disable Java plugins for the moment.
http://www.theregister.co.uk/2013/01/10/java_0day/
Comments
I have the browser plugin disabled on every browser anyway as it serves no purpose IMO other than as a malware vector.
I'd uninstall it completely if I didn't need it for PS3 Media Server.
I think we are still a fair way off being able to completely ditch Flash though.
Every story I've read only references 7.10, but who knows.
Kaspersky have known about and have been blocking this for some time, it seems. http://www.securelist.com/en/blog/208194070/Java_0day_Mass_Exploit_Distribution
This is dramatically different from the panic quote in The Register: "the only way to protect yourself is by disabling Java." - which I do not believe. They really ought not to rely on just one source!
I suspect that other commercial internet security firms will have been blocking it too, so for many people with automatic updating, there isn't much to worry about or do other than taking the usual sensible precautions.
How many exploits for my browser are currently in the wild?
See: "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop."
Maybe Oracle should disable the plugin by default and just use browsers to launch external Java apps. However, Scandinavian banks use Java for online banking, so I guess they are not best pleased at the moment.
There's loads of other zero day malware out there, not just with Java 7.
http://www.oracle.com/technetwork/java/javase/documentation/autoupdate-1667051.html#11
Java 6 will also reach end of life next month, with the final security update expected to be 39. Update 38 is the current patch level for Java 6.
The retirement of Java 6 was originally scheduled for July 2012, then was postponed twice.
"Security Essentials failed largely due to poor protection against 0-day real-world attacks, "
http://www.neowin.net/news/microsoft-security-essentials-fails-av-test-certification-again
http://betanews.com/2013/01/17/security-essentials-fails-av-test-certified-stamp-of-approval-and-microsoft-says-it-does-not-matter
Myself, I've always thought zero day AV protection of high importance.
Hence Java 6 updates going updates 39-41-43-45 and recent Java 7 updates going updates 9-10-11-13-15-17-21 (not sure what happened to 19). This has not always been the case, but has been since late 2012.
You can go into the advanced settings in Java control panel and disable the warning but still stay protected.
Apart from Pogo I have no need for Java.
It was seen as fast to write and fast enough to run too.
The move to block Java, Flash and dare I say it WebGL tells us that a fast open web is unwelcome.
The corporate vision is apps so the web as a lower class citizen suits.
Oracle website: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
Sophos "Naked Security" write-up: http://nakedsecurity.sophos.com/2013/06/15/get-ready-oracle-to-fix-40-holes-in-java-on-tuesday-18-june-2013/
The patch is only for Java 7. Java 6 and its predecessors are now at end of life and will not be patched.