Java taking heat...

[Darren Dirt]

...public opinion turning cold and bitter...
http://www.telegraph.co.uk/technology/news/9803426/Web-users-must-disable-Java.html

http://news.google.com/nwshp?q=Java+vulnerability

details: http://www.zdnet.com/homeland-security-warns-java-still-poses-risks-after-security-fix-7000009785/


"How to disable Java in your web browser" , http://www.java.com/en/download/help/disable_browser.xml (fortunately(?) I am only running Java 6, not 7)



related:
http://www.zdnet.com/if-you-need-java-use-this-one-instead-7000010157/
http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

[Mr. Analog]

People are dumb, there has been Java hate since the very first plugins started lumbering their way into browsers. Then the confusion between Java and JavaScript... don't even get me started. It has a reputation way before any security crap.

HOWEVER that said, there are some serious security issues with the JVM that, while known, have only recently been exploited through browser plugins. This falls directly on the shoulders of Oracle who have not kept a tidy house.

I find the most amusing quotes from the articles so far, stuff like "they should just take a muligan and rewrite Java"

Suuuuuuuuuuure, and while we're at it we'll pave the roads with rubber and put concrete tires on all cars.

[Thorin]

I wonder how this will affect Minecraft playing hours...

[Darren Dirt]

HOWEVER that said, there are some serious security issues with the JVM that, while known, have only recently been exploited through browser plugins.

The bolded/underlined above is the key fact here -- countless idiots will disable Java, not just as a plugin in the web browser, but ENTIRELY on their PCs ... and then get angry at Windows or whatever when their non-web stuff suddenly doesn't work quite right. ...months later.

[Mr. Analog]

I wonder how this will affect Minecraft playing hours...

For gamers that use the browser client, if they have disabled the Java plug in they will be outta luck

[Tom]

HOWEVER that said, there are some serious security issues with the JVM that, while known, have only recently been exploited through browser plugins.

The bolded/underlined above is the key fact here -- countless idiots will disable Java, not just as a plugin in the web browser, but ENTIRELY on their PCs ... and then get angry at Windows or whatever when their non-web stuff suddenly doesn't work quite right. ...months later.

The vulnerabilities are in java. Not just the plugin. So its not entirely a bad idea to disable java entirely. All it takes is using it along with another vulnerability to get full system access.

[Mr. Analog]

While true, the weak point where remote code can be executed has been demonstrated through a plugin on software you're already running (your browser).

If you've downloaded and run a malicious piece of software it wouldn't matter if it was in the JVM or not, it's already on your system running as you.

[Tom]

While true, the weak point where remote code can be executed has been demonstrated through a plugin on software you're already running (your browser).

If you've downloaded and run a malicious piece of software it wouldn't matter if it was in the JVM or not, it's already on your system running as you.

Or like in some cases, they get in through js or flash vulnerabilities, then execute some java to get even greater permissions.

[Mr. Analog]

Not sure about which js exploit you mean, there are a few out there that can grant remote execution to anything, Flash is still a plugin though.

[Tom]

Not sure about which js exploit you mean, there are a few out there that can grant remote execution to anything, Flash is still a plugin though.

It really doesn't matter which exploit. So long as it lets you execute code you can then get admin permissions via other exploits on the system, including via java.

[Mr. Analog]

Which is the statement I made earlier about plugins