Java update ‘doesn’t prevent silent exploits at all’ (ZDNet)

Ben Woods at ZDNet (1/28/13) points out that despite the supposed ‘fix’, machines running Java are still “open to further attacks”.

An update for Java Standard Edition 7 (SE7) – which was supposed to fix a high-profile critical vulnerability that left machines susceptible to remote exploits – has failed to solve all the issues with the software, leaving the door open to further attacks.

The zero-day vulnerability, uncovered in January, was widely reported to have been exploited in the wild, leading Homeland Security in the US to recommend disabling Java altogether. Following the bad press, Oracle quickly rolled out a fix for the issue in the form of Java SE7 Update 11.

However, Adam Gowdiak, a researcher from Security Explorations, said on the Full Disclosure mailing list on Sunday that there is another vulnerability in Java that allows remote execution of malicious code – that is, the running of unsigned Java content in a web page. 1/28/13

Java Update is Full of ‘Crapware’

Ed Bott points out that the recent “must install” Java update was bundled with crapware and examines why foistware still exists.

Oracle this week released an update for its widely used Java software, fixing a zero-day vulnerability that was being actively exploited to install malware via drive-by downloads.

But before you begin patting Oracle on the back for its quick response, note two things about that update:

  • It might not actually fix the underlying security issues.
  • Along with the must-install security update, Oracle continues to include crapware.

Yes, adding insult to injury, Oracle is actually making money and cheapening your web browsing experience by automatically installing the Ask toolbar, which in turn tries to change your default search engine and home page.

I’m ready to move Oracle’s Java to the top of my Foistware Hall of Shame, alongside Adobe, for crap like this.

Why does crapware still exist? Follow the Silicon Valley money trail
Ed Bott | 1/13/2013

    24 thoughts on “Java update ‘doesn’t prevent silent exploits at all’ (ZDNet)”

    1. It’s all very well saying uninstall Java etc, but if you want to trade with eBay or buy from Amazon you have no choice. Also many local authorities use Oracle based systems (especially for payments) and you can’t bypass Java even if you wanted to.

    2. Haven't most browsers disabled Java? I've been using Firefox for years with no problems. I would think other browsers would too. One reason I stopped using I/E 10 yrs ago & tell all my friends not to use I/E. Check your browser's plug-ins to see if Java's disabled to be safe.

    3. I understand them mentioning the “Ask Toolbar”, but if you’re actually reading when you do the updates, they’ve been doing that for a while. So have other programs and you check off the extra stuff you don’t want.

    4. Denise Touchstone

      Just untick the box for the Ask Toolbar when you install the Java Update. Problem solved. Unfortunately this is a common occurrence with many programs. Look carefully when installing and untick those add ons.

    5. Java has always had security holes. And the Ask toolbar is just a toolbar. No different than the Bing bar, and all the others that software manufacturers condone for installs.

    6. crapware, malware, foistware, screwware, hideware, slyware, slipittoyouware or whatever you want to call it, what kind of a world are we living in? If we let all the tool bars from Sun, Adobe, Microsoft, Ask, AVG, Norton and others who all want to be on top and in control, there is no room left to browse.
      We have gone from buyer beware to buyer be screwed.

      1. @Leandra Lynne: Linux appears to be the best route. Ubuntu can be installed alongside WIN 7 via the WIN install tool which enables easy uninstall if you don’t like it. Time to give it a try, I’d say. Mike

          1. @Dave H:
            It depends on the software. Getting Microsoft software on Ubuntu can be difficult, although you can run some of it through WINE (Windows emulator). A lot of other commercial software has Linux versions.

    7. Why, with Java so plagued with problems, can’t another company come up with a program to replace Java altogether??

    8. I print a lot of shipping labels on PayPal. The Mozilla workaround does not work as it disables the print icon. Makes it kind of hard to print those labels. I am using an old PC running XP service pack 1 and Internet Explorer to make up and print the labels. Go figure.

    9. Rommuel Sam Bulda Mamuric

      Does this include JavaScript or just the Java? If so I'll say "Oh shit now it can exploit browsers" 🙂

    10. The reason I got PC Pitstop was to get rid of a popup I get on most emails or web sites.
      It states “this site has a coupon” and I cannot get rid of it. Another message that comes up with it is “an error has occurred on the script of this page”. It is very annoying and I was hoping PC Pitstop would help me get rid of it. Any suggestions would be appreciated. Thanks
