Hasta La Gadget!

It’s far from the first time that computer users have been warned to disable Java, but this latest security issue has risen to some high levels at a particularly rapid pace. After first being reported by security researchers on Thursday, the United States Computer Emergency Readiness Team (or US-CERT, a part of the Homeland Security department) stepped in with a warning of its own on Friday, which bluntly suggested that all computer users should disable Java in their web browsers (for its part, Oracle says that a fix is coming “shortly”). The flaw itself is a vulnerability in the Java Security Manager, which an attacker could exploit to run code on a user’s computer.

Not content to wait for a fix, some companies have already taken steps to block possible exploits. That includes Apple, which has added recent versions of Java to its blacklist covering all OS X users, and Mozilla, which has enabled its “Click To Play” functionality in Firefox for all recent versions of Java across all platforms (it was previously only enabled by default for older versions of Java). Apple’s move follows an earlier decision to remove the Java plug-in from browsers in OS X 10.7 and up last fall. You can find the full alert issued by US-CERT and additional details on the vulnerability at the links below.

Filed under: Internet, Software

Comments

Via: The Verge

Source: US-CERT, Mozilla

Yesterday, the Department of Homeland Security issued a warning regarding Java, advising users to disable it in their web browsers. Following this was a Critical Patch Update Pre-Release Announcement from Oracle, which suggests that users temporarily disable it because of security issues. Says the advisement, Java leaves the computer open to attack.

The warning was posted by the Department of Homeland Security’s Emergency Readiness Team, which issued Vulnerability Note VU#625617 to address the issue. Says the advisory, “Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers as described in the “Solution” section of the US-CERT Alert and in the Oracle Technical Note ‘Setting the Security Level of the Java Client.’”

Using the vulnerability in Java, individuals with malicious intent can exploit the weakness to infect the machine. Ready-made exploit kits are available for sale online that take advantage of the issue, making it a fairly simple task for anyone to perform. With the kits, randsomeware can be placed on machines and identities can be stolen, among other things.

Oracle has stated that it will release a patch for the issue on January 15 that will fix 86 security vulnerabilities. The company is requesting that users update Java as soon as the possible after the patch is released. In response to the advisory from the Department of Homeland Security, Mozilla announced that newer Java plug-ins on Firefox are now blocked from auto-loading unless the user manually authorizes it.

[via Mercury News]

Users advised to disable Java due to security weakness is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

In an attempt to distance itself still further from Java, Apple released a Mac update Wednesday which removes Java plugins from any web browser running on OS X. More »

Apple has recently released a Mac update for OS X Lion and Mountain Lion that removes its Java plugin from all OS X browsers. If you install the update, you’ll find a region labeled “Missing plug-in” in place of a Java applet; of course, Apple can’t stop you from clicking on it to download a Java plug-in directly from Oracle. The Cupertino-based company had previously halted pre-installing Java in OS X partially due to the exploitable factors of the platform, so this update signifies further distancing from Larry Ellison’s pride and joy.

Filed under: Internet, Apple

Apple says no Java for you, removes plugin from browsers on OS X 10.7 and up originally appeared on Engadget on Thu, 18 Oct 2012 19:34:00 EDT. Please see our terms for use of feeds.

Permalink Ars Technica  |  Apple Support  | Email this | Comments

Oracle has recently been at the receiving end of criticism when a zero-day exploit was discovered in Java, an exploit which we were told had been brought to Oracle’s notice months ago. Oracle broke its quarterly schedule to ship out a patch for the exploit once the web became abuzz with it. However, that doesn’t mark the end of Oracle’s Java woes.

A security firm has revealed a new vulnerability in Java which affects multiple versions of Java and even the latest patch from Oracle doesn’t do anything to fix it. The flaw is related to the way Java handles data types, leaving a gaping vulnerability which allows for a complete bypass of Java sandbox. (more…)

By Ubergizmo. Related articles: Jury rules that Google violated copyright laws in Oracle trial, Android contains code copied from Java?,