
Apple and Mozilla Block Vulnerable Java Plug-ins

Soulskill posted about a year ago | from the no-dogs-allowed dept.


hypnosec writes "Following news that a Java 0-day has been rolled into exploit kits, without any patch to fix the vulnerability, Mozilla and Apple have blocked the latest versions of Java on Firefox and Mac OS X respectively. Mozilla has taken steps to protect its user base from the yet-unpatched vulnerability. Mozilla has added to its Firefox add-on block-list: Java 7 Update 10, Java 7 Update 9, Java 6 Update 38 and Java 6 Update 37. Similar steps have also been taken by Apple; it has updated its anti-malware system to only allow version 1.7.10.19 or higher, thereby automatically blocking the vulnerable version, 1.7.10.18." Here are some ways to disable Java, if you're not sure how.


88 comments

LOL (-1, Troll)

Anonymous Coward | about a year ago | (#42561835)

Java is the new ActiveX. Woohoooooo!

Can we please kill this shitty platform already?

Re:LOL (-1)

Anonymous Coward | about a year ago | (#42562045)

How about we just kill the idea of "Enhanced functionality" on the web altogether? Flash games and endless demos of Koch snowflakes aren't worth dealing with this crap.

Re:LOL (2)

Culture20 (968837) | about a year ago | (#42563497)

Because the replacement option is to have users downloading snowflake.exe and running it, possibly with admin creds. Users will have their snowflakes (unless they're a built in aero toy, then the users will want bonzi buddy for 00's nostalgia).

and to unblock? (2, Interesting)

X0563511 (793323) | about a year ago | (#42561861)

... and if I need to unblock it, because I need to support shit that runs in these versions?

Re:and to unblock? (-1)

Anonymous Coward | about a year ago | (#42561905)

Then you manually reactivate it. Wow, so hard to figure out...

Re:and to unblock? (5, Informative)

Desler (1608317) | about a year ago | (#42561949)

From Mozilla:

There is no patch currently available for this issue from Oracle. To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.

The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.

With OS X it's blacklisted. But then again everyone is recommending to uninstall these versions anyway. If you have critical software depending on vulnerable versions you should beat the developers over the head to fix it.

Re:and to unblock? (1)

Anonymous Coward | about a year ago | (#42562693)

you should beat the developers over the head to fix it

Not only that, but the software should not depend on the third and fourth part of the version to function correctly to begin with. Those are supposed to be performance updates and bug fixes; not feature additions. So the fix should not be "now it will work with 1.7.10.19", it should be "now it will work with 1.7.x.y". Keep beating them until they get it right.

Re:and to unblock? (1)

Anonymous Coward | about a year ago | (#42562751)

you should beat the developers over the head to fix it

Not only that, but the software should not depend on the third and fourth part of the version to function correctly to begin with. Those are supposed to be performance updates and bug fixes; not feature additions. So the fix should not be "now it will work with 1.7.10.19", it should be "now it will work with 1.7.x.y". Keep beating them until they get it right.

Could you please make Oracle aware of that? When software vendors do get it right and allow multiple versions of Java, each Java release breaks their apps anyway. For example going from 1.6_11 to 1.6_15 (or something like that) caused an app to display logon credentials text boxes with blue text on a blue background. You could not see if you typed anything. Every version we've updated to has broken some of our enterprise apps - either due to the hard coding of versions or the removal or changing of features. You can't win with this garbage of a runtime. Oracle certainly doesn't get that they are not supposed to change the feature set within a version...

Re:and to unblock? (2)

JonySuede (1908576) | about a year ago | (#42563165)

You must have a drunken monkey as coder; our internal Swing applications are tested to work on any Java version from 1.6 to 1.8, no glitch even on 1.8 early access. They also work on the IBM version but the L&F is crap. Our external Swing apps however, mostly the ones from Oracle, break for no apparent reason other than to charge for a maintenance contract.

Re:and to unblock? (0)

Anonymous Coward | about a year ago | (#42562737)

Beat them over the head with money that management may be short off?

Re:and to unblock? (3, Insightful)

X0563511 (793323) | about a year ago | (#42562789)

If you have critical software depending on vulnerable versions you should beat the developers over the head to fix it.

I would love to do that, but I'd get fired for it.

Re:and to unblock? (0)

LordLimecat (1103839) | about a year ago | (#42563759)

But then again everyone is recommending to uninstall these versions anyway.

For values where $theseversions >= JRE 0.1, of course.

Re:and to unblock? (0)

BasilBrush (643681) | about a year ago | (#42561953)

Tell whoever is still running those versions that they are no longer supported.

Re:and to unblock? (1)

Anonymous Coward | about a year ago | (#42562021)

Java 7U10 & 6U38 (the ones being blocked) are the latest versions.

Re:and to unblock? (0)

Desler (1608317) | about a year ago | (#42562037)

And since they have critical security vulnerabilities they should no longer be supported.

Re:and to unblock? (1)

gbjbaanb (229885) | about a year ago | (#42562863)

tell you what, I'll unblock it for you... oh wait, you're not running it anymore as it's disabled... damn! I'll have to find a different vector to "assist" you with your computers.

Re:and to unblock? (2)

khaybrak (777640) | about a year ago | (#42563697)

Agreed. I have a vendor site that requires a certificate install that is browser specific. I use Firefox so that is where the certificate is installed. To access their secure website, and run an IBM 3270 emulation app via my web browser, the JVM needs to be running. There isn't an option or page displayed where I can "Click to Play" or activate. The app simply sees that the JVM isn't running within the browser. I have subscribers attempting to get prescriptions but waiting for my override that I can only do through the vendor's secure web site. I appreciate your concern for the general populace via your blocking methodology but you need to provide a way to unblock for specific sites that can be done prior to visiting the site. So, who will be first? Oracle with a patch or Mozilla with better flexibility for those of us who understand the risk but still need to do actual work?

Re:and to unblock? (1)

Nyder (754090) | about a year ago | (#42564173)

... and if I need to unblock it, because I need to support shit that runs in these versions?

I ran into this problem, tried to enable it in Firefox, no luck. I had to use Internet Explorer to get around the block.

No, I did NOT feel safe.

Block Java by default (-1)

Anonymous Coward | about a year ago | (#42561871)

Why after all these years is Java not just blocked by default? Seriously, it should be difficult to install Java on a browser. Especially if you don't check "allow Java Apps" during the initial install, it should be impossible to install Java plugins later. Even then Java apps should be only allowed from whitelisted websites.

Re:Block Java by default (2)

sribe (304414) | about a year ago | (#42561931)

Why after all these years is Java not just blocked by default?

Well, on OS X it is. What Apple just did is turn it back off for everyone who had turned it on ;-)

Re:Block Java by default (1)

Sigma 7 (266129) | about a year ago | (#42561983)

Or you could do the obvious route, and block all plugins by default and let you launch known/obvious plugins manually.

Browsers already had enough security holes (including alert loops, semi-forced downloads, and javascript) - there's no reason why you should risk less secure plugins as some auto-executer.

Re:Block Java by default (1)

Anonymous Coward | about a year ago | (#42562005)

All plugins should be disabled by default, you should click to run anything embedded in a web page, with an option to whitelist certain sites / plugins. Who in modern times doesn't have this option enabled?

No need to scaremonger about Java, any plugin is a potential security risk.

really (0)

Anonymous Coward | about a year ago | (#42561879)

people still use java in the browser? this is a good excuse as any to disable it and "forget" to re-enable it i guess.

Re:really (1)

sribe (304414) | about a year ago | (#42561943)

people still use java in the browser?

Clearly, you do not work in the medical industry, where this shit is cutting edge, because it's cross-platform and a real upgrade from building entire applications as ActiveX in the browser. Sigh...

Re:really (0)

Anonymous Coward | about a year ago | (#42562303)

Yes, really.
Since the standalone frontend of SciFinder (which worked perfectly under Wine) was discontinued, I have to use the web frontend with a Java structure drawing plugin :(

Java in Chrome on Windows (0, Offtopic)

Anonymous Coward | about a year ago | (#42561933)

Last week, I was using a Java app in Chrome on Windows 7 and Windows died. I could not even get Windows 7 to reinstall. However, I downloaded Debian on another computer and burned a CD. Then I put the CD in the machine with broken Windows, deleted all partitions, re-formatted the hard drive, and installed Linux. Linux installed fine. The Firefox browser (whatever name they go by) worked just fine with Java. Yet, it was old in the Debian repository. Would like a newer Java, but Oracle no longer allows redistribution of Java with Linux. OpenJDK just does not cut it! I think Sun is shooting themselves in the foot by not allowing normal Java to be redistributed with Linux anymore.

Since I was able to re-format my hard drive and install Linux successfully, I then was successful re-installing Windows 7.

In short, I had to format my hard drive using Linux so I could reinstall Windows 7. Just so I could use Java in browser on Windows 7 again. At least the re-install of Windows had the latest Chrome and Java 7.

Re:Java in Chrome on Windows (0)

Anonymous Coward | about a year ago | (#42562721)

Why was this modded down?

I believe my computer died because I was using a java applet and it or something compromised my computer so bad that Windows would not start back up. Nor could I re-install Windows. Yet, I used Linux to format my hard drive so I could get the Window install disk to re-install Windows. This happened last week to me. Then today I see there was a vulnerability in java.

Re:Java in Chrome on Windows (1)

Anonymous Coward | about a year ago | (#42563105)

Why was this modded down?

Because you're the type of clueless user that has just enough of a clue to screw yourself.

Oracle Trashing Java? (4, Interesting)

Art Challenor (2621733) | about a year ago | (#42561973)

Sun was either more dedicated or just better at maintaining Java. There were problems, of course, under Sun, but the anti-Java sentiment based on vulnerabilities seems to be mostly post-Oracle (and somewhat justified).

Re:Oracle Trashing Java? (1)

Desler (1608317) | about a year ago | (#42562023)

Not really true. If you look at Secunia the number of vulnerabilities is really not that different between the Sun years and Oracle's.

Re:Oracle Trashing Java? (1)

Art Challenor (2621733) | about a year ago | (#42564987)

True or not, I have the perception that there have been more very serious vulnerabilities and (two?) zero-days under Oracle. I remember very few major holes and no zero-days with Sun. Perception is just about everything here. Java should be an impossible attack vector, but the opinion is currently that it's so insecure you should disable it.

Re:Oracle Trashing Java? (1)

thetoadwarrior (1268702) | about a year ago | (#42566431)

Perception isn't necessarily the truth and nothing will change that perception if you're biased against Oracle.

Re:Oracle Trashing Java? (1)

Art Challenor (2621733) | about a year ago | (#42567997)

The point I'm making is that people now perceive Java as being insecure, to the point where there is advice coming from many quarters to uninstall it. This could have happened under Sun, but didn't, although we'll never know what would have happened if Oracle hadn't acquired them.

It has happened with Oracle at the helm. And it seems that they may have known about this vulnerability for some months and not fixed it.

At the very least, if they care about Java, they need to put some serious resources into fixing the problem(s) and damage control.

Re:Oracle Trashing Java? (1)

Anonymous Coward | about a year ago | (#42562047)

There were problems, of course, under Sun, but

I have seen something else under the sun: the race is not to the swift nor the battle to the strong, nor does food come to the wise nor wealth to the brilliant nor favor to the learned; but time and chance happen to them all.

Re:Oracle Trashing Java? (1)

steelfood (895457) | about a year ago | (#42563149)

More than likely, a core group of competent decision-making employees related to Java left Sun when they got bought out. It's like all the adults leaving, resulting in the teenagers taking charge of the kids.

Re:Oracle Trashing Java? (2)

muddysteel (1404041) | about a year ago | (#42563225)

I think it's more a matter of the knowledge on how to use Java as an attack vector (and the inclusion into Java exploits into easy-to-use-kits) causing the anti-Java sentiment, not who owns Java.

And some of that sentiment is misplaced: These exploits are largely a client-side problem (e.g., browsers running Java applets or downloaded Java apps) brought on by the servers dishing the Java up not being properly secured and/or managed.

Java's a great language in terms of what it's brought to the forefront of application development - both in terms of standardizing what a language can offer (I still loathe the days of having to decide if I would roll my own containers or memory manager in 'C' vs. picking and paying for someone's 3rd party libraries) as well as the OO aspects it forces you to consider.

Re:Oracle Trashing Java? (0)

Anonymous Coward | about a year ago | (#42563633)

I think it's more a matter of the knowledge on how to use Java as an attack vector (and the inclusion into Java exploits into easy-to-use-kits) causing the anti-Java sentiment, not who owns Java.

The problem with this exploit is that it should have been more or less obvious. Java applets are sandboxed by both the bytecode verifier and a lockdown on security sensitive APIs - the bytecode verifier ensures that a program can only access public fields/methods and the lockdown (SecurityManager) ensures that the accessible methods cannot be misused; as an example, the reflection API will fail to access private fields in applet mode.

Now enter Java 7 and invokedynamic, a new way for dynamic languages to get a nice speed up by avoiding the reflection API and getting direct JVM support. Remember that lockdown on the reflection API I mentioned? Not extended for this feature; it has its own set of context oriented visibility rules. It seems that while these rules mostly make sense nobody ever bothered to verify that they could coexist with the existing code. (Someone posted the decompiled code with comments on reddit in /r/java).

IIRC there was also some critical flaw in early versions of Java 1.6. As it looks ORACLE prefers quantity over quality by following the popular "release early, release often" strategy. Current strategy to classify modern software:

* XX.0 early alpha - do not touch with a barge pole
* > XX.3 beta - worst bugs found, but still has bite
* > XX.5 production ready - or at least unlikely to get any better

adjust version numbers to fit the versioning scheme and past experiences with the software package in question.

Re:Oracle Trashing Java? (1)

Anonymous Coward | about a year ago | (#42563239)

What makes you think Oracle is just screwing up Java.

Get this thread about how an update to Solaris 11 broke iSCSI targets:

iSCSI Broken after 11.1 Update [oracle.com].

Geez, you think they cut out all regression testing?

And, of course, the final word:

Moderator Action:
With apologies to the original poster, but this thread has gotten hijacked too often to continue.
Your original question may not have been completely answered but the discussion has wandered far from that inquiry.

Thread locked.

How DARE they actually discuss the bug, possible workarounds, when it'll be fixed, etc.

Re:Oracle Trashing Java? (1)

marcosdumay (620877) | about a year ago | (#42563983)

That's just great, I get a DNS error from Oracle when I click on that link.

(But I can resolve all the host names involved... Seems like Oracle lost an internal server.)

Class action to focus Oracles mind (-1)

Anonymous Coward | about a year ago | (#42561987)

It's quite obvious that Oracle and Adobe are the most incompetent software companies there are; their updaters suck, Oracle is cat & mouse with toolbars and leaving old vulnerable versions while installing more software (JavaFX? wtf) and Adobe couldn't patch their way out of a paper bag.

Perhaps people should club together and just sue the bastards, maybe that will focus their update and patching strategy. I didn't ask for any of it, but Dell/HP/Samsung/Toshiba thought it was good of them to install it on millions of home users, so who do I sue?

Re:Class action to focus Oracles mind (1)

muddysteel (1404041) | about a year ago | (#42563251)

Reads like a person who doesn't have to deal with managing patches and out-of-cycle fixes, with one public application let alone many, with just one customer let alone millions.

Hypocritical (4, Interesting)

phizi0n (1237812) | about a year ago | (#42561993)

While Java applets are very rare and not of much use to me personally (I mostly see it used for irc clients and bad web games), it seems a bit of an overstep to disable it completely for everyone due to a 0-day vulnerability. How is anyone supposed to ever use it if web browsers start disabling it for every 0-day vulnerability that pops up. It's not like Firefox and Safari don't also have 0-day vulnerabilities but you don't see them completely shutting themselves down nor do they roll out fixes the same day, so it seems a bit hypocritical. IMO there should be a small grace period of 1-2 weeks where the browser warns people of the known unpatched vulnerability but allows users to choose to load it anyways if they trust the site (yes, most people will just say yes to get past it) to at least give the plugin authors a chance to fix it before it gets completely disabled.

Re:Hypocritical (4, Interesting)

VGPowerlord (621254) | about a year ago | (#42562135)

I really wish I could disable it at work, but we both have an (externally developed) Java applet in our main product and use WebEx to audio-conference and screen-share with the contractors who produce said Java applet.

At home, I occasionally do Java development, but I just install the 64-bit JDK, which doesn't include the plugin for 32-bit web browsers like Chrome and Firefox. Problem solved there!

Re:Hypocritical (1)

Desler (1608317) | about a year ago | (#42562157)

Mozilla does allow you to load it. It's called "Click To Play". Apple's reaction is more extreme but most parties agree it's a bad idea to have those versions installed at all.

Re:Hypocritical (3, Informative)

amicusNYCL (1538833) | about a year ago | (#42562773)

While Java applets are very rare

Let's keep that in mind for the rest of this discussion. Java is in no way, shape, or form a necessity for the vast majority of users. It is, however, a huge risk.

How is anyone supposed to ever use it if web browsers start disabling it for every 0-day vulnerability that pops up.

First, Java has been available for web use since 1994. It's nearly 20 years old. It's not like it hasn't had a chance to take hold. There are plenty of reasons people choose not to use it. It's been an option for several projects I've been involved in, and we've never chosen it. Second, that "every 0-day vulnerability" part.. well, that's part of the problem with it. It has a lot of vulnerabilities, and a lot of them take a while to get fixed. So to answer your question, if browsers keep rightfully disabling a vulnerable POS software then people will not use it. Hopefully it will just go away.

It's not like Firefox and Safari don't also have 0-day vulnerabilities

Actually, it sort of is like that. Mozilla is pretty good about fixing bugs. If you don't believe me, here's [mozilla.org] their list of vulnerabilities. Go ahead and find the section on that page which lists the unfixed vulnerabilities. Here [secunia.com] is the vulnerability page for Firefox 18 on Secunia. Take a look at the stats on the right side to see how many vulnerabilities it is currently affected by, as well as the percentage of unpatched. Here [secunia.com] is the same Secunia page for Java JRE 1.7, go ahead and compare that to Firefox 18.

IMO there should be a small grace period of 1-2 weeks

Java has had a grace period of 19 years. Under Oracle, it's been around 6 years. This shit keeps happening. There is a pattern here. There is a reason why Java is the #1 infection vector for Windows machines [net-security.org]. The browsers are just trying to protect their users. Blocking the #1 infection vector is a pretty decent way to do that. If they also blocked the Acrobat plugin then that would be another step in the right direction.

US CERT has the right idea:

Due to the number and severity of this and prior Java vulnerabilities , it is recommended that Java be disabled temporarily in web browsers as described in the "Solution" section of the US-CERT Alert and in the Oracle Technical Note "Setting the Security Level of the Java Client."

(emphasis mine)

Re:Hypocritical (0)

Anonymous Coward | about a year ago | (#42564939)

Best response ever.

Re:Hypocritical (0)

Anonymous Coward | about a year ago | (#42565191)

I can see your antagonistic passion for Java is strong enough that it makes you unable to distinguish between Java as a language, as a platform, and the Java browser plug-in (JNLP technology which was brought out in Java 6 update 10, which is not 19 years old). This issue is specific to the browser plug-in and it is due to a separate Security Manager in the com.sun.SunToolkit used by the JRE plug-in for browsers, ONLY. So Java as a platform used in other areas and in desktop is just fine. It is ironic that you bring up all this "sky is falling due to Java" talk and your numbers are wrong: Java has been around since 1996 (seems you are confusing it with the first browser that was out in 1994). Next, JNLP has been around since 2008, barely 4 years, and Sun was purchased by Oracle in 2010, just 2 years ago.

If you failed with Java (and could be that you chose the wrong tool for your job) and with all your incorrect numbers, I hardly find you qualified to rant about Java not being anything after your 19 wrong years of life. There are tons and tons of applications that use Java everyday and it works awesome. Heck, look back at your article and its statistics: IE, yes, Microsoft's own software written in C++ is the number one infestor of Windows, not JRE.

Re:Hypocritical (1)

amicusNYCL (1538833) | about a year ago | (#42574837)

This issue is specific to the browser plug-in and it is due to a separate Security Manager in the com.sun.SunToolkit used by the JRE plug-in for browsers, ONLY.

I hear the same thing every time any serious Java vulnerability is discovered. "But, it's not the whole thing, it's just this one part that causes ransomware to get installed and all of your files get encrypted and you have to pay some sleazy asshole to get them decrypted! It's just this one little obscure part that does that!" That's great, and I hope you take solace in the fact that, as far as you know, there aren't massive security vulnerabilities also present in the JRE or anywhere else. However, if you follow the link about Java being the #1 infection vector, you'll see the list of vulnerabilities includes the JRE, deployment toolkit, and browser plugins. Those are vulnerabilities that are (or were) actively being exploited specifically to install malware. You can whine about which of the Java components are at fault all you want, but at the end of the day it's still a fact in reality that most infections happen because of Java.

JNLP has been around since 2008, barely 4 years

That's good, it only takes them 4 years to come up with a piece of software that shovels malware onto your machine. Well done.

So Java as a platform used in other areas and in desktop is just fine.

That's going a little far. It may not be as easy to exploit if you don't have the browser plugins and deployment toolkit installed, but that doesn't mean it's "just fine".

Heck, look back at your article and its statistics: IE, yes, Microsoft's own software written in C++ is the number one infestor of Windows, not JRE.

How can you misread that? Attacking IE itself is only responsible for 10% of the infections seen. Java is at 37%. Acrobat is at 32%. That means if you remove Java and Acrobat, you're no longer vulnerable to 69% of the infections that report saw. If you don't use IE in addition, you're not vulnerable to 79%. The other three major causes are Flash player, Windows help files, and Quicktime. Flash is the only thing on that list I'm unwilling to go completely without right now, mostly because of online media. So, no, Java is still #1! Go Java!

If you failed with Java

I didn't fail with Java, Java failed me.

Oh look, this same [slashdot.org] conversation [slashdot.org] happened [slashdot.org] last year too. Well, at least it was the fault of one minor component and not the whole stinking thing.

See you in 6 months when we have this conversation again. You can point out which obscure part of Java is responsible for the newest exploits then.

JAVA = Just A Virus Apploader (1)

Deathlizard (115856) | about a year ago | (#42564151)

Blocking the plugin is the best thing that they can do. It will force Oracle to fix it sooner and keeps its users protected. I wish IE and Chrome would jump on that bandwagon as well.

Frankly, in the consumer space, unless you know what a Creeper or Enderman is, chances are you don't need Java. Ever. Just about every virus I see these days comes in from Java. These virus kits barely bother with Flash or Reader anymore since Adobe changed their update policy, even if the user has an older copy of Adobe plugins, and especially if Java's on the machine. Couple it with an update system that for all intents and purposes is worthless and you've got a Virus Writer's Dream Apploader.

Simply put, The faster people understand that the only major Industry programming Java Internet Applets is Exploit Kit Developers that want to Hose your Computer, the Better.

Why this zero-day? Why Java? (3, Interesting)

guanxi (216397) | about a year ago | (#42562105)

There are many zero-day exploits out there for many applications (and operating systems, etc.). Why does this one deserve special treatment?

It's the second time that I remember Mozilla doing it with Java.

Re:Why this zero-day? Why Java? (-1)

Anonymous Coward | about a year ago | (#42562195)

Because Java sucks. Bloated download, high memory footprint with its runtime, updates break functionality.

Good ideas, piece of shit implementations by Sun even before Oracle.

Re:Why this zero-day? Why Java? (5, Insightful)

thsths (31372) | about a year ago | (#42562267)

> Why does this one deserve special treatment?

Because it is
* wide spread, both in terms of users and in terms of malicious sites
* serious: remote exploit with none but the initial user interaction
* arrogant of Oracle not to respond
* avoidable, because nearly nobody needs Java anyway

Oracle really dropped the ball here, and they deserve to be kicked.

Re:Why this zero-day? Why Java? (1)

guanxi (216397) | about a year ago | (#42563191)

nearly nobody needs Java anyway

Java may be unpopular on Slashdot, but that's not a reason to handle it differently

Oracle really dropped the ball here, and they deserve to be kicked.

But it's end users who rely on Java (and there are still many) who are getting kicked. I know a business whose remote access uses Java; now some of their users are going to be cut off.

arrogant of Oracle

It's arrogant of Mozilla and Apple to dictate to people what they need, want, and are allowed to use on their own computers.

Re:Why this zero-day? Why Java? (0)

Anonymous Coward | about a year ago | (#42566003)

It's arrogant of Mozilla and Apple to dictate to people what they need, want, and are allowed to use on their own computers.

They didn't, they just set a sensible default given the circumstances including the previous history.

Re:Why this zero-day? Why Java? (-1)

Anonymous Coward | about a year ago | (#42562523)

There are many zero-day exploits out there for many applications (and operating systems, etc.). Why does this one deserve special treatment?

Because java is a steaming pile of shit.

And java has always been a steaming pile of shit.

Re:Why this zero-day? Why Java? (1)

BZ (40346) | about a year ago | (#42565657)

Most applications are not automatically launched when you visit random websites.

In fact, that's the change Mozilla made: they turned on click to play for Java so that it is no longer launched automatically when you visit a site with a java plug-in.

What Comments? (-1)

Anonymous Coward | about a year ago | (#42562111)

I clicked "Read the 22 Comments" for this article and there's nothing here. Is Slashdot getting so old that it's having counting problems? The slider says 0 Full, 0 Abbreviated, and 0 Hidden... Where's the 22 comments?

Re:What Comments? (0)

Anonymous Coward | about a year ago | (#42562137)

After two refreshes they showed up. Sorry, it was probably my college's overextended and slow wireless network. (I still dislike Web 2.0 sites anyway).

Re:What Comments? (0)

Anonymous Coward | about a year ago | (#42562165)

I saw that too. F5, bro.

Am I understanding this correctly? (0)

Anonymous Coward | about a year ago | (#42562117)

Sounds like OS X has a patched/non-affected version of Java, while Windows and Linux don't?

My Java was still disabled from the last Java (0)

scorp1us (235526) | about a year ago | (#42562143)

I can't say I've missed it. Now if we could do the same thing with flash...

Chrome - "Click to Play" (5, Informative)

adisakp (705706) | about a year ago | (#42562173)

Chrome has a "Click to Play" mode that won't run any plug-ins on a page without user intervention but it's fairly easy (one click) to run the plug-in on content you want to see.

In Chrome select "Settings" from options menu or navigate to "chrome://chrome/settings/"

Click Link "Show advanced Settings"

Click button "Content settings..." under Privacy

Look Under "Plug-ins"

Select the option "Click to play" which will prevent plug-ins from running on a page unless you manually click on a bar which allows them to run.

Re:Chrome - "Click to Play" (2)

adisakp (705706) | about a year ago | (#42562199)

This blocks Java, Quicktime, Flash, etc. You can say Good-Bye to most of the Internet's annoying adverts when you enable "Click to Play".

Re:Chrome - "Click to Play" (1)

robmv (855035) | about a year ago | (#42562513)

For Firefox you can go to about:config and enable "plugins.click_to_play"; there is no preference UI for it yet.

What changed? (1)

140Mandak262Jamuna (970587) | about a year ago | (#42562273)

What changed in these updates? What "new and exciting" feature did Oracle decide Java must have and push out? Will there be a notification when the hole is fixed by Oracle? Will we be nagged till then with "Your browser does not support Java. Download Java from..."?

Re:What changed? (4, Informative)

140Mandak262Jamuna (970587) | about a year ago | (#42562301)

http://www.kb.cert.org/vuls/id/625617 [cert.org] says:

Description: The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException". By leveraging a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving the Reflection API and the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier are affected. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.

So Oracle patched the Mac version but not Windows? (0)

Anonymous Coward | about a year ago | (#42562509)

It says Java 7u10 (latest version for Windows) is vulnerable, but 1.7.10.19 for Mac is not vulnerable?

Le Sigh (0)

Anonymous Coward | about a year ago | (#42562639)

This should be loads of fun with my online classes using applets.

and the biggest joke is (2)

gbjbaanb (229885) | about a year ago | (#42562967)

I have the java 7u10 plugin installed, and it's now disabled (ok, good). So I check the latest version from Oracle so I can install the fixed, safe version.... which is Java 7u10.

ho hum.

Mozilla: Why break stuff instead of fixing it? (5, Interesting)

OMG (669971) | about a year ago | (#42563053)

Why is no one recommending to raise the security level for Java applets from "medium" to "high" or "very high"?

Since Update 10 there is this new control that could be employed exactly right now:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html [oracle.com]

Re:Mozilla: Why break stuff instead of fixing it? (0)

Anonymous Coward | about a year ago | (#42563967)

They are.

Needs whitelisting (3, Insightful)

Dwedit (232252) | about a year ago | (#42564135)

I think this kind of mass disabling should be combined with a list of known "Good" java applets, possibly matched by URL or file hash.
The list doesn't necessarily have to come from some authority from the internet, it could possibly be provided by a company's IT department to run the specific Java applets they need to use.
So when people hit the "good" java applets, their Java plugin isn't disabled, and it runs the applet just like normal.
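The allowlist idea above, worked through as an added example (not code from the post, from Mozilla or from Oracle): a fail-closed check that lets an applet run only if its URL or the SHA-256 of its jar appears in a policy an IT department ships. The policy format and the sample entries are constructed for this illustration.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Constructed example policy: trusted by exact https URL or by jar hash.
# A real deployment would load this from a file the IT department controls.
TRUSTED_JAR = b"constructed trusted applet bytes"   # stands in for a real jar
POLICY = {
    "urls": {"https://intranet.example.com/apps/timesheet.jar"},
    "sha256": {hashlib.sha256(TRUSTED_JAR).hexdigest()},
}


def normalize_url(url: str) -> str:
    """Canonical form for matching: lowercase host, no query or fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def applet_allowed(url: str, jar_bytes: bytes, policy: dict = POLICY) -> bool:
    """Return True only when the applet matches an allowlist entry.

    Default is deny: an applet that matches nothing is left blocked, which is
    the mass-disabled state the post proposes the whitelist should sit on top of.
    """
    canon = normalize_url(url)
    # URL matches count only over https; a plain-http origin can be rewritten in transit,
    # so an attacker-controlled network could serve any jar under a trusted name.
    if canon.startswith("https://") and canon in policy["urls"]:
        return True
    # A hash match identifies the exact jar regardless of where it was fetched from,
    # so a local copy or a mirror of a known-good applet still runs.
    return hashlib.sha256(jar_bytes).hexdigest() in policy["sha256"]
```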

Opera ALREADY does this (1st & best)... apk (-1)

Anonymous Coward | about a year ago | (#42564159)

By setting "by site preferences" - you can make a GLOBAL policy, for ALL sites, of NO:

---

1.) Plugins (plus ONLY ON DEMAND too here)
2.) IFrames/Frames
3.) Scripting
4.) Cookies
5.) Tracking

etc./et al...

---

* I set this as my "GLOBAL POLICY" for ALL SITES, & surf faster because of it, as well as SAFER, bigtime because those things are massively exploited & have been for ages!

(Plus - For SPEED? Well - I think many'd be amazed how much faster you go by not using javascript alone, especially IF you don't REALLY need it, and on most sites? You really don't!)

Then, as needed, IF needed @ all (for say, ecommerce or banking type sites or online tests etc./et al)?

Then - I set up an "exception site" which allows all of those, or only some etc.!

And, "there you go" it does the job & has for ages in Opera - see subject-line above, says it all!

APK

P.S.=> This is & HAS BEEN "natively built-in" to Opera, since I don't even KNOW when (& I've been using it since version 3.0 in 32-bit + in 64-bit since it was in beta)...

... apk

Re:Opera ALREADY does this (1st & best)... apk (-1)

Anonymous Coward | about a year ago | (#42565137)

This story isn't about host files. I think you got lost.

Re:Opera ALREADY does this (1st & best)... apk (-1)

Anonymous Coward | about a year ago | (#42566609)

He didn't post anything about hosts files. Learn to read, moron.

To scumbags downmodding my post - a challenge (0)

Anonymous Coward | about a year ago | (#42573799)

Disprove my points here -> http://apple.slashdot.org/comments.pl?sid=3376499&cid=42564159 [slashdot.org]

* GO FOR IT, & good luck (you'll NEED it).

(It's a PROVEN "layered-security"/"defense-in-depth" measure OPERA has implemented since nearly day 1... other browsers don't natively!)

APK

P.S.=> Lastly, if/when the "best you've got" is unjustifiable downmods (lacking computer technical VALID critique & disproval of my points posted)?

You only prove my point, & running from a FAIR CHALLENGE only does it moreso...

... apk

Re:To scumbags downmodding my post - a challenge (0)

Anonymous Coward | about a year ago | (#42577321)

APK asked you a question which you ran away from, STUPID TROLL!

Re:To scumbags downmodding my post - a challenge (0)

Anonymous Coward | about a year ago | (#42590913)

You just replied to APK, you stupid shithead. Oh, we see. You're a stupid troll playing games again.

How can it affect Apple? (0)

Anonymous Coward | about a year ago | (#42565881)

Apple says that OS-X is so powerful, it's immune from Viruses! Won't OS-X protect me? How can this possibly affect Apple? Are you guys Windows zealots who hate Apple?

What a joke (0)

Anonymous Coward | about a year ago | (#42565917)

All the more reason not to upgrade ANYTHING after 2008.

Funniest thing after I disabled Javascript I got this message from Slashdot:

"There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead."

Nice try bitches.

I need the java plugin on OS X, still waiting for Linux (0)

Anonymous Coward | about a year ago | (#42566319)

I need the java plugin in OS X (I manually disable it when unneeded), though I'm still waiting for Linux to catch up
or I would be back on Linux on my laptop. Not sure if the exploit is as serious or works on Linux.

I'm still waiting for Linux (my OS of choice since 1997) to support my 2009 Macbook Pro's hardware properly,
or I'd be running on there .. hopefully dodging the java bullet ..

Ah, first obsolescence (1)

fa2k (881632) | about a year ago | (#42566425)

So applets will never work again for most people, and the services that require them will be gradually (slowly) phased out. Maybe a narcissistic comment, but my first game was an applet. Now it will never be playable again without great effort. It's kind of sad that with all the computing power we have today, we can't just automatically load old software and have it work.
