Yet another Java flaw allows “complete” bypass of security sandbox

[abarbarian]

http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/

 

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years worth of Java software.

 

Gowdiak and his team have found a total of 50 Java flaws. While this latest one apparently isn’t being exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability.

 

We asked Oracle for comment this afternoon and have not heard back yet.

 

[V.T. Eric Layton]

Time to fix it, I guess. Huh?

[Guest LilBambi]

Oracle really needs to get rolling on being proactive on this type of thing instead of reactive.

 

There are way too many commercial programs and other programs too that use Java to throw it away because of repeated vulnerabilities like this.

[Corrine]

I haven't missed having Java on my computer. I removed it well over two years ago and have yet run into a program or website that needed it.

[ross549]

I need java for LogMeIn, but that's about it.

 

Adam

[Guest LilBambi]

There are quite a few programs out there similar to LogMeIn that use Java too including GoToAssist/Citrix.

 

Plus the military could do better than requiring users to run an older version for a site the user has no control over.

 

Additional information regarding accessing myInvoice: Java 7 does not currently work with Oracle Forms and Reports, so a high version of Java 6 is required ...

 

I am not going to post the link but that's not good at all.

[V.T. Eric Layton]

I need java every morning... sometimes, in the afternoon, too.

[zlim]

Unfortunately OpenOffice needs Java; not surprising when you know they are both Oracle products.

LibreOffice needs it too but they are going to do away with Java in the next version. Currently only the database part, I think requires it.

Edited September 29, 2012 by zlim

[ross549]

That is excellent.... because Java made it slow as molasses flowing uphill in January.

[Guest LilBambi]

I am sure LibreOffice also uses it and I definitely use that.

 

It is an excellent thing that LibreOffice is moving away from Java. But there are still many things that need it.

 

I bet there are still many medical programs that are using an ANCIENT version of Java too.

[mac]

NWS radar is one that I use regularly that runs on Java.

[Guest LilBambi]

Yes, they used to use java for that, but didn't they move to Flash? Pretty sure they did.

 

Which I thought was so silly when they first did that because Flash isn't much better.

[mac]

Yes, they used to use java for that, but didn't they move to Flash? Pretty sure they did.

 

Which I thought was so silly when they first did that because Flash isn't much better.

 

Whoops, you're correct. They switched to Flash. My bad.

[Corrine]

At least Adobe updates Flash Player faster than Oracle addresses Java issues.

[zlim]

Flash is also a lot easier to turn off and on when you need to use it briefly. Too bad there is not a site by site java turn on tool. :'(

I haven't gone to the site I use that requires java.

[zlim]

Only temmu could come up with an answer like that!

[Guest LilBambi]

So true!