The original report from FireEye indicates that initial attacks exploiting this weakness, emanating from a Chinese web server, have been targeted and not widespread. However, subsequent information from security sources suggests that the exploit code is now public and is being folded into more widely available attack tools such as Metasploit and exploit kits like BlackHole (the exploit pack most commonly used by criminals).
What you should know:
- The flaw affects all versions of Oracle’s Java 7 (version 1.7) on all supported platforms. Java 6 and earlier remain unaffected.
- Unless Oracle departs from its normal update release policy, the next patch is not scheduled until the middle of October.
- All major browsers are affected. Initial reports indicating that the exploit code would not work against Google Chrome have now been debunked with the news that there is a Metasploit module under development which is successful against the Chrome browser.
What you should do:
- To find out if Java is installed on your system and identify which version, go to java.com and click on the “Do I have Java” link.
- Immediately disable the Java plug-in in your browser(s). Guides pertaining to each browser can be accessed via this advisory.
- If you absolutely must have Java for certain sites, use a secondary browser for those sites only, with the plug-in enabled.
- The ultimate solution would be to uninstall Java altogether.
Credit where credit is due:
You heard it first on DCT – Our fearless leader (yes Dave) published an article back in November last year … You should junk your Java! … which explains the ultimate (and permanent) solution in detail. Dave’s article was not only very sound advice but, as it turns out, also somewhat prophetic.
I don’t like Java – unless it’s in a coffee cup 🙂
Agreed! I stopped installing it several years ago - not due to security concerns (at the time), but because I never found a need for it. Still haven’t!
My daughter indicates a couple websites she visits require it, so it’s disabled and used on demand. I would just as soon see it gone, but you can’t tell a 14 year old anything - apparently they already know everything!
I uninstalled Java when I first heard about the problem... a week or so ago? Anyway, nothing has changed... in other words, I don’t miss it and no need for it has come up. So what was the point of Java in the first place lo those many years ago?
A wise decision IMHO!
Oracle released updates for both Java 7 and Java 6 several days after this article was published. Obviously, the widespread [bad] publicity motivated Oracle to act outside its normal update regimen.
Now news is rife that the update issued to fix the flaw includes yet another new/different vulnerability… it appears that it will now be necessary for Oracle to issue a patch to patch the flaw in the patch which was issued to patch the flaw. 🙂
And on it goes!
Maybe they should change their name to Orifice D:
LOL – Cracked me up!
If I ditch Java won’t I lose all the functionality that Java applets offer? i.e., what is the downside to ditching Java?