Latest Java Update Broken

HardOCP News

Why can't these guys seem to get anything right?

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,” Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list. Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities.
 
That explains why my Firefox is still spazzing out about me using the latest version. After I updated earlier in the week it shut up, but it was at it again today.
 
I uninstalled Java from my PC... but Javascript is still running on my browsers, IE and FF. I am told JS and Java are not the same.
 
So this guy's only job is to play around with Java all day? And you would think they would test a fix before putting it out, or was the "researcher" holding back info just to keep his name out there?
 
Eh, no... You have it all confused. This is after the last vulnerability was found & supposedly patched by Oracle. Now we have security researchers finding more flaws after the last update was supposed to eliminate the original flaw. Oracle has more issues fixing Java than Sun did...
 
What ever happened to making sure you test all input and write code so it doesn't mess up if you try to overflow a buffer?

People need to learn how to program and test code.
 
Heh, I can't go a week without it. At home or at work. Java is necessary for a lot of people.
 
Don't a lot of websites not work without java?

I personally don't visit any that require it. Most video and game sites use Flash which is equally bad from a security standpoint. I don't have either installed on my machine but I do have a VM with both.
 
GoToMeeting / GoToWebinar is working fast and furious on versions that will not require Java, so after that we will be good where I work, except for 1 person who needs Java because of SaaS.
 
If you work in or on the Java team, you should be embarrassed at this point and never show your face or let people know that you do. You disgust me.
 
As I said in the post here announcing this exploit, someone should sticky this. :D We need one thread announcing a new exploit, one thread announcing the updated version release and one thread to announce that the updated version failed.

An easy three stop shop for the latest in Java news!
 
I went ahead and uninstalled java day before yesterday. Everything seems to be just fine. Seems this "broken update" is of no consequence. I guess from now on, I make sure it's not installed on any further os installs.

I really never knew all that much about java. I've got html, javascript, batch, css, and a few others....just never learned java.
 
I've installed my own Java update to all my systems and now I'll never need another. It's simple, just remove Java entirely. It's full of win, as they say.
 
I can't function without this crap due to some corporate sites that require it to get anything done. Java is about as secure as IE6. I uninstalled it for all users that don't require it. I've received whining but too bad for now.
 
I'd have to say every Java update is broken; if it was not, it would not require another update the next day. Though Adobe is just as bad, if not worse. :D
 
Why don't we organise a worldwide "Uninstall Java Week"

Promote it on all the social sites etc. and get as many people to uninstall it as possible. Also highlight to companies that insist on using it to make the plan to switch ASAP.

Would be interesting to see the malware infection traffic stats afterwards.
 
Java is relatively easy to go without for home users, but enterprise software and even newer network appliances still require it unless you want to go without a GUI. Until they can get away from it, the world is stuck with Java.
 
I know I couldn't go more than a day or two without it... what a pain in the butt.
 
Can't we just ditch java for something more secure?

Some people can... Others don't have that luxury. For Example: our local University requires the instructors of Online Courses have Java Installed. NO ifs, ands, or buts! Seriously ALL Online curriculum requires Java period. Which is part of what makes this whole scenario so pathetic.
 
Heck I think my institution has implemented Blackboard so it cries about not having Java.
 
Many of my enterprise management tools at work require Java. Getting rid of it means I can't manage the SAN or firewall. So that's a no go.

At home, it's required for the protein databank, so I need it there.

It's just necessary for many people.
 
Exactly. Since Cisco seems to be so enamoured with Java I don't have a choice but to use it. At least HP seems to be getting away from it with their switch GUIs.
 
By now you'd think they would have installed a way to default it off and then show an 'If you trust this website, enable Java for this webpage only?' prompt.
 
ORACLE?? YOU HAVE SOME 'SPLAINING TO DO!!!!


WHAAAAAAA!!!

Here is the thing: NOTHING will happen.

Oracle has a long and disgraceful record of security failures which have impacted huge numbers of enterprises, but they're still used all over the place because the people making the purchasing decisions aren't the ones who have to support their crap.

It wouldn't be so bad if they weren't so cocky despite their repeated failures. Way back in 2001 when they were even worse, Ellison had the fricking nerve to call their database unhackable. Even after dozens of additional zero-day attacks they're still insecure and still cocky despite it.
 
Really sucks since as of mid-last year the company I work for switched over to a new ERP system that relies heavily on JAVA.
 