"Stop using Java in the browser", warns Homeland Security.


synkr0nized
01-12-2013, 03:18 PM
EDIT/Point to Note: This has nothing to do with Javascript!

A security flaw (http://www.usatoday.com/story/tech/2013/01/11/homeland-security-disable-java-security-vulnerability/1828011/) in Java that allows for (http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/) execution of malicious code has prompted calls to disable Java (http://www.slashgear.com/users-advised-to-disable-java-due-to-security-weakness-11265030/) in any/all web browsers.

edit -- In case the articles may give the wrong impression, this doesn't mean simply running Java applets breaks your machine. While it's true that security-minded organizations and professionals haven't been happy with the idea of a run-time environment given all that freedom in a browser, typically the idea is that it is run in a sort of "sandbox" setting. Malicious code, however, is able to escalate the privileges allowed due to this weakness, potentially gaining root/admin access in the worst case. But that's kind of typical for malicious code that users download and run.

Java is cross-platform, mind you, so the flaw applies regardless of your computer's operating system.

Of course you can disable it easily in your browsers (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/).
Especially with the latest version (http://www.java.com/en/download/help/disable_browser.xml).


Note that this is not the end of Java, nor does it mean you should stop all interactions with Java. I rarely if ever do much on the web with Java applets, but I have worked with Tomcat and Java code on projects before. That kind of thing, of course, is fine -- it's not like writing a program or interface, etc. on your own development machine or in a company setting is going to somehow suddenly introduce malicious code. The vulnerability more or less originates where most of them do -- at the download, acceptance, and execution of malicious code by the user.

As always, don't open attachments/emails you don't recognize or trust, don't follow download links you cannot verify, don't run into "bad" websites, and only run applets, scripts, and the like on sites you feel are trustworthy.


All that said, Oracle is reported to be pushing a fix for this. It (Java updates for security) may become something to keep on top of more regularly, but Java is probably here to stay for a while. You may just not want to run it in your browsers anymore.


As I mentioned, I very rarely come across applets in pages that I frequent or have a need for them, so I have Java disabled in browsers on my machines.

synkr0nized
01-15-2013, 04:57 PM
So far, Oracle has released a minor update (http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html) that changes the default security setting from Medium to High.

In effect, this forces a user to manually click to allow/run an applet.

It doesn't really address the issue if a user still chooses to run an applet with malicious code. Arguably it's just adding an additional step between a user and getting owned by Java.

So I'd still recommend disabling it unless you are really keen on Java applets.
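
The two settings discussed in this thread (disabling the browser plugin, and the security slider that Oracle moved from Medium to High in the 7u11 alert linked above) both live in the per-user Java `deployment.properties` file. The following shell script is an added example, not code from either poster or from Oracle: it reads that file and reports whether a machine is still exposed to silent applet execution. Assumptions: the property names `deployment.webjava.enabled` and `deployment.security.level` are the documented Java 7 keys for those two settings, the file path is supplied by the caller (it varies by OS and user), and the sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Audit a Java deployment.properties file for browser-plugin exposure.
# Assumptions (example code, not from the original thread):
#   deployment.webjava.enabled  - "false" turns Java off in all browsers (7u10+)
#   deployment.security.level   - the security slider: LOW, MEDIUM, HIGH, VERY_HIGH
# The sample file written by demo() is constructed for this example.

# Print the value of KEY from a deployment.properties file; empty if unset.
# Tolerates spaces around '=' and CRLF line endings; the last assignment wins.
# Usage: prop_value FILE KEY
prop_value() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; sub(/\r$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { print v }' "$1"
}

# Classify a profile. Prints exactly one word:
#   disabled    - plugin off (deployment.webjava.enabled=false); applets cannot run
#   prompting   - plugin on, slider HIGH/VERY_HIGH: user must click to run an applet
#                 (the post-7u11 default, and still "one click from owned")
#   exposed     - plugin on, slider LOW/MEDIUM: unsigned applets run without a prompt
#   jre-default - plugin on, no slider value in the file: whatever the installed
#                 JRE ships with (Medium before 7u11, High from 7u11 on)
# Usage: java_browser_status FILE
java_browser_status() {
    file="$1"
    enabled=$(prop_value "$file" deployment.webjava.enabled)
    level=$(prop_value "$file" deployment.security.level)

    # Java treats a missing webjava key as "enabled", so only an explicit
    # false counts as disabled.
    if [ "$enabled" = "false" ]; then
        echo disabled
        return 0
    fi

    case "$level" in
        HIGH|VERY_HIGH) echo prompting ;;
        LOW|MEDIUM)     echo exposed ;;
        "")             echo jre-default ;;
        *)              echo exposed ;;   # unrecognised value: assume the worst
    esac
}

# Constructed sample: a profile from before the 7u11 update, plugin on,
# slider at the old Medium default.
sample_properties() {
    printf '%s\n' \
        '#deployment.properties' \
        'deployment.security.level=MEDIUM' \
        'deployment.webjava.enabled=true'
}

# Write the sample to a temp file and classify it (prints "exposed").
demo() {
    tmp=$(mktemp)
    sample_properties > "$tmp"
    java_browser_status "$tmp"
    rm -f "$tmp"
}

# Run against a real file when a path is given, otherwise run the demo:
#   sh java_audit.sh ~/.java/deployment/deployment.properties
if [ -n "${1:-}" ]; then
    java_browser_status "$1"
else
    demo
fi
```

Anything other than `disabled` means an applet from a malicious page can still reach the JVM; `prompting` only adds the extra click the second post describes.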

rpgdemon
01-15-2013, 05:46 PM
I'm reading it.