TechSpot

Researcher uncovers new Java exploit, 1 billion Macs and PCs at risk

By Shawn Knight
Sep 26, 2012
Post New Reply
  1. Security researcher Adam Gowdiak has uncovered a new zero-day vulnerability in Oracle's Java software. The bug is said to be present in currently-supported versions including Java 5, Java 6 and Java 7 and has the potential to allow attackers to...

    Read more
  2. andrewdoyle88

    andrewdoyle88 TS Rookie Posts: 19   +8

    My Java is acting up in chrome, says its blocked because its out of date but once updated it does the same thing.
  3. Time to uninstall java....never liked it anyways.
  4. bexwhitt

    bexwhitt TS Enthusiast Posts: 157   +22

    When I fix a pc these days I usually uninstall java
  5. Camikazi

    Camikazi TS Enthusiast Posts: 342   +56

    I haven't found a program that I use that needs Java, so I have had no problems since I uninstalled it a while ago.
  6. pmkrefeld

    pmkrefeld TS Member Posts: 44

    I just loled about people having no idea what they are doing and I do not mean Oracle xD
  7. Alexmx

    Alexmx TS Member Posts: 23

    sadly, here in my work we use a java based platform...=/
  8. ramonsterns

    ramonsterns TS Enthusiast Posts: 752   +12

    If it's not one thing it's another, I'm tired of Java putting out their crap like this. Uninstalled.
  9. Adam Gowdiak has uncovered a potential bug in Java.

    He isn’t aware of any active attacks that exploit this particular vulnerability

    So he,

    Spent a week testing a proof-of-concept before revealing it to Oracle yesterday.

    The software company has since confirmed it will be patched in a future security update.

    What does Gowdiak do?

    before hackers can discover it on their own. Gowdiak decided to go public with his findings :confused:
  10. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,159   +174

    Has he actually publicly disclosed the vulnerability attack vector? Or just it's existence?
  11. treetops

    treetops TS Evangelist Posts: 1,666   +58

    Java has always seemed to have security problems how about they let you click a check box only install month old updates.
     
  12. Wagan8r

    Wagan8r TS Guru Posts: 592   +45

    I love how nobody commenting even knows what Java is, yet are all too eager to jump on the Java bashing bandwagon.
  13. Camikazi

    Camikazi TS Enthusiast Posts: 342   +56

    Seems to me they know what Java is and most are right that Java has been full of holes and bugs for a long time, rivaling Flash in that regard. Now unless you have some info on why you think people commenting don't know what Java is I will assume you are confusing it with JavaScript and are really the one in error.
  14. spydercanopus

    spydercanopus TS Guru Posts: 802   +87

    I've been getting 'invalid security certificate' warnings when java checks for updates for the last month or so.
  15. Per Hansson

    Per Hansson TS Server Guru Posts: 1,930   +123 Staff Member

    There exists other unpatched holes in Java and has for a couple of weeks now.
    They are already part of the Blackhole exploit kit so it's out there and being actively exploited.
    I'd advise to either disable Java in all your browsers (Easier on some than others)
    Or just uninstalling Java
  16. cliffordcooley

    cliffordcooley TechSpot Paladin Posts: 5,976   +1,487

    Can someone correct me if I'm mistaken?

    I've always assumed Java was the base code which allows Java-script to run. And even if Java was uninstalled the browser is still capable of the most basic elements of Java.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    I am not a programmer and will never fully understand how applications are coded or how updates are implemented. I am forced to trust others to do programming that I require for my applications. I think I can speak for over half the worlds population and say they don't either. I know I don't keep up with the latest and greatest updates, which might leave my machine at risk the greatest amount of time. It's not that I don't want my PC updated to be the most secure, I just don't spend time checking for updates. Even when an update is presented, I may even ignore them because there are so many applications that want to update regularly.

    I know I might stir up a stink with this comment.
    Maybe applications with potential for security holes should disable themselves or at least the code with the security issue, if there has been an update for over 30 days. Since I'm already dependent on programmers that offer the application, I see no reason why I shouldn't be required to keep the application updated if I plan to continue using it. I would be more apt to stay updated, if what I'm trying to do requires an update before processing. I think this would hold true for more people than just myself.

    Out of all the PC's being compromised, the only way to decrease these numbers is to decrease the potential for these PC's to be compromised.

    I will leave with a final thought.
    Out of all the PC's contributing to bot-nets without the users knowledge, I wonder if some of them could have been protected by applications automatically disabling outdated code.
  17. Wagan8r

    Wagan8r TS Guru Posts: 592   +45

    Yeah, no. Java and JavaScript are two entirely unrelated technologies. Do you really want me to go through each comment and point out how each one only signifies having heard of Java before?

    No software is free from bugs. Something that is installed on a ridiculous amount of devices is going to be hit harder than those which are not, and vulnerabilities WILL be found no matter what the product is. Ever since Oracle bought out Sun, Java has been put on the back burner, so I blame Oracle for not fixing things, and not some fundamental problem with Java.

    No, Java and JavaScript have nothing in common. JavaScript is a scripting language that is used in a lot of webpages to execute conditional/algorithmic logic as HTML can only represent a page's layout.

    Java is a collection of technologies, but is foremost a programming language. However, Java is also designed to be able to run on any platform (Windows, Linux, OSX, AIX, Solaris, etc.) without any code modifications spawning the "write once, run anywhere" (WORA) mantra. To do this however, there has to be a layer between the code that a programmer writes and the OS. This layer transforms the standard Java operations into understandable commands for the particular OS, and is therefore called the Java Virtual Machine (JVM). The JVM must be present on a computer for Java code to execute, so that is why you need to install the Java Runtime Environment (JRE) also known as "installing Java". Now, what might be confusing you in regard to JavaScript is that with Java, you can also embed little Java programs WITHIN a webpage. These programs are called applets (tiny apps). The image used in this article is a screenshot of an applet loading on a webpage. If Java is uninstalled, applets will no longer work within your browser, but JavaScript will still execute because it is not part of the Java platform.
    TJGeezer and cliffordcooley like this.
  18. 3DCGMODELER

    3DCGMODELER TS Enthusiast Posts: 307   +18

    If you disconnect you computer from the internet, the problem will be solved..
    ta da..

    easy fix ya think..
  19. jobeard

    jobeard TS Ambassador Posts: 13,407   +314

    Well said :) Wagan8r knows.

    Great - - life is easy for you. Personally I have a PGP tool that runs on a JRE layer. As it is well written,
    it does not rely upon the commonly installed instance like the browser does. In fact, it is still a Java 5.x JRE (Wagan8r: watch'm carp on that stmt.) installed within the application install area. Runs great, is secure and is reliable. Java is cool when it is handled correctly
  20. spydercanopus

    spydercanopus TS Guru Posts: 802   +87

    You guys have obviously not played MINECRAFT! Requires JRE on server and client. Sweet, sweet Java
  21. TJGeezer

    TJGeezer TS Enthusiast Posts: 385   +10

    @Wagan8r - Thanks for the clearest explanation I've seen, not only of the difference between Java and Java Script, but how Java works and the function of the JRE.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.