altivo: Geekish ham radio pony (geek)
[personal profile] altivo
I'm fed up with the distorted and incomplete reports from the media, including many sources that ought to know better and provide all the details.

The big terrible dangerous flaw in Java that they are reporting was introduced in version 7, release 10 to be exact. It involves a totally new function call, and poses a risk only for Java run from the web using the Java plug-in (or possibly Java programs downloaded that require version 7).

Version 7 of the Java plug-in is not present on most PCs yet. Most of us, and especially those who are not running Windows 8, probably have version 6. Scripts designed to take advantage of the flawed function do not work with version 6.

So... Disable or uninstall Java if you wish, but don't buy the pile of BS the media is trying to dump on you. It's true that Java security seems to have declined since Oracle took over, but Java 7 is not installed on "850 million PCs" as the press keeps trying to claim. In fact, I doubt that any version of Java is installed on that many machines. A quick check of about a dozen PCs running XP that I could easily reach at work and at home found version 6 with releases ranging from 24 to 30. No version 7, even on two machines with Windows 7.

The actual US-CERT alert is here. If you read it carefully, you will note near the bottom that it explicitly says that downgrading from Java 7 to Java 6 removes the vulnerability.

I believe in most cases you can find out your Java version by entering the following at a command prompt:

java -version


Note that the version appears with a "1." in front of it, so Java 6 is actually version 1.6.0_xx and Java 7 is actually version 1.7.x_xx. If you have 7, you should definitely do something about it.

Of course, caution is always in order when dealing with unfamiliar web sites or untrusted sources.

Date: 2013-01-14 08:24 pm (UTC)
From: [identity profile] songdogmi.livejournal.com
My partner just reported that his WinXP desktop had Java 7, which surprised me. He easily rolled it back to 6.x. My thought early on was that disabling Java wasn't terribly practical, either, if you wanted websites to work properly.

I'm not inclined to disagree with you about the Department of Homeland Security in general.

Page generated Sep. 22nd, 2017 07:58 am