Sophos Cloud Optix
A security research team that has alerted Oracle to a series of security flaws in Java in the past, says that it has uncovered new zero-day vulnerabilities in the software.
According to Polish firm update posted by Security Explorations, it has sent proof-of-concept code to Oracle’s security team – so they can investigate the issue.
The concern is that the flaws could be exploited to completely bypass Java’s security sandbox and infect computers in a similar fashion to the attacks which recently troubled the likes of Facebook, Apple and Microsoft.
In those cases, cybercriminals hacked legitimate websites and planted code which exploited Java vulnerabilities when developers visited using web browsers that had a vulnerable version of the Java plugin.
Softpedia reports Security Explorations CEO Adam Gowdiak as saying:
"Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way... Without going into further details, everything indicates that the ball is in Oracle's court. Again."
So, many computer users find themselves in what is becoming a disturbingly familiar situation – looking to see when Oracle will confirm that the flaws exist, and then waiting for the inevitable security update for Java.
Here’s the best piece of advice we can give you right now:
If you don’t need Java enabled in your browser, here’s how to turn it off now
Many people who have Java enabled in their browser simply do not need it (By the way, don’t mix up Java with JavaScript – they’re different things), so the best solution for many folks is to rip Java out of their browser entirely.
If you don’t need Java, why put yourself at risk?
Dirty cup of coffee image from Shutterstock.
Well java must be almost completely killed as a product by now with all this advice to turn it off in your browser! If people don’t use it it will die.
not likely.
Too many programs use Java and wont run without it.
Case in point is the wife's work. Need java (extremely old java 1.1) to log into the companies site to do just about everything.
Your comment might be true if the only way to run Java were as a browser applet plugin. But it's not. There are applications that require Java without any need for a web browser. People who use browsers are not the only people who use Java.
There’s nothing wrong with Java as an application language, with applications acquired from trusted sources, any more than there is with C++ or COBOL for that matter. It’s the applets running in browsers that are the problem.
And there’s no reason the rules for applets can’t be changed to make them safe at the expense of full Java functionality.
Java's not dead, but all the hysteria sure is exciting for someone who writes the same sort of code but rebranded it as dot something or other. Don't write bad code, don't be a drooling maroon and run around being a complete idiot either.
Java exploits in the browser have been used to infiltrate multiple companies. Say what you will about it being no different than other technologies, but it doesn’t change the fact that it IS a major vector for hackers to infiltrate companies.
And to be clear, it is more than just a browser problem. There is working code to exploit RMI services.
I've been following your posts on Java. A person I casually help with software stuff needed me to logon to his computer using GoToMyPC. That required me to install Java. -Is this the focal point of the warnings? If so, GoToMyPC needs an alternate method.
I completely agree..if you don’t need java,why put yourself at risk?
But I am really concern about Java,when will this end?I don’t think it will end..Oracle must take this seriously
IT WOULD BE NICE IF YOU WOULD POST A LIST OF THINGS THAT WE DO NEED JAVA FOR, AND DON'T NEED IT FOR. THAT WAY WE CAN BETTER CHOOSE TO DISABLE OR CONTINUE USING THE PROGRAM. THANKS.