altivo: Geekish ham radio pony (geek)
[personal profile] altivo
I'm fed up with the distorted and incomplete reports from the media, including many sources that ought to know better and provide all the details.

The big terrible dangerous flaw in Java that they are reporting was introduced in version 7, release 10 to be exact. It involves a totally new function call, and poses a risk only for Java run from the web using the Java plug-in (or possibly Java programs downloaded that require version 7.)

Version 7 of the Java plug-in is not present on most PCs yet. Most of us, and especially those who are not running Windows 8, probably have version 6. Scripts designed to take advantage of the flawed function do not work with version 6.

So... Disable or uninstall Java if you wish, but don't buy the pile of BS the media is trying to dump on you. It's true that Java security seems to have declined since Oracle took over, but Java 7 is not installed on "850 million PCs" as the press keeps trying to claim. In fact, I doubt that any version of Java is installed on that many machines. A quick check of about a dozen PCs running XP that I could easily reach at work and at home found version 6 with releases ranging from 24 to 30. No version 7, even on two machines with Windows 7.

The actual US-CERT alert is here. If you read it carefully, you will note near the bottom that it explicitly says that downgrading from Java 7 to Java 6 removes the vulnerability.

I believe in most cases you can find out your Java version by entering the following at a command prompt:

java -version

Note that the version appears with a "1." in front of it, so Java 6 is actually version 1.6.0_xx and Java 7 is actually version 1.7.x_xx. If you have 7, you should definitely do something about it.

Of course, caution is always in order when dealing with unfamiliar web sites or untrusted sources.

Date: 2013-01-14 06:46 pm (UTC)
ext_238564: (Default)
From: [identity profile]
Thanks for this. I was mildly concerned last week, but not enough concerned to take any action. It appears that's just as well -- although I guess I will need to check my home laptop, which runs Win7. But not the desktop (WinXP) and I followed your direction to check my Mac (which is 1.6-something -- I just got an upgrade from the Mac sysadmin that I'll have to apply today, but I'm sure it's not dangerous).

Can't really trust most media to get technical details like version numbers right, can ya? Sigh.

Date: 2013-01-14 08:24 pm (UTC)
ext_238564: (Default)
From: [identity profile]
My partner just reported that his WinXP desktop had Java 7, which surprised me. He easily rolled it back to 6.x. My thought early on was that disabling Java wasn't terribly practical, either, if you wanted websites to work properly.

I'm not inclined to disagree with you about the Department of Homeland Security in general.

Date: 2013-01-14 11:37 pm (UTC)
ext_415373: (Default)
From: [identity profile]
For the last year or two I've automatically uninstalled Java on any computer I work on. A few times now I've dealt with virus infected machines where it had an old version of Java. Usually it came from an OpenOffice install from before the LibreOffice split.

Now that Microsoft and Adobe have been getting more on the ball, it does fall on Oracle to stop being the biggest source of exploits.

I don't have a problem with the press Java is getting. While most may not be running 7, many are running unpatched old versions. Action is still required.

Date: 2013-01-15 07:59 pm (UTC)
avon_deer: (Default)
From: [personal profile] avon_deer
I think my place of work is still running v3. :D

August 2017


Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated Oct. 22nd, 2017 11:36 am
Powered by Dreamwidth Studios