Java-Schmava!
Jan. 14th, 2013 10:34 am
I'm fed up with the distorted and incomplete reports from the media, including many sources that ought to know better and provide all the details.
The big terrible dangerous flaw in Java that they are reporting was introduced in version 7, release 10 to be exact. It involves a totally new function call, and poses a risk only for Java run from the web using the Java plug-in (or possibly downloaded Java programs that require version 7).
Version 7 of the Java plug-in is not present on most PCs yet. Most of us, and especially those who are not running Windows 8, probably have version 6. Scripts designed to take advantage of the flawed function do not work with version 6.
So... Disable or uninstall Java if you wish, but don't buy the pile of BS the media is trying to dump on you. It's true that Java security seems to have declined since Oracle took over, but Java 7 is not installed on "850 million PCs" as the press keeps trying to claim. In fact, I doubt that any version of Java is installed on that many machines. A quick check of about a dozen PCs running XP that I could easily reach at work and at home found version 6 with releases ranging from 24 to 30. No version 7, even on two machines with Windows 7.
The actual US-CERT alert is here. If you read it carefully, you will note near the bottom that it explicitly says that downgrading from Java 7 to Java 6 removes the vulnerability.
I believe in most cases you can find out your Java version by entering the following at a command prompt:
java -version
Note that the version appears with a "1." in front of it, so Java 6 is actually version 1.6.0_xx and Java 7 is actually version 1.7.x_xx. If you have 7, you should definitely do something about it.
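A small POSIX shell check, added here as an example and not part of the original post, that parses the banner `java -version` prints and flags Java 7 the way the post advises. It assumes a Linux or Mac style shell (not the Windows command prompt); the sample banners are constructed, and the real command is only run if a `java` binary is on PATH.

```shell
#!/bin/sh
# Pull the quoted version string (e.g. 1.7.0_10) out of the first banner line.
# Matches both 'java version "..."' and 'openjdk version "..."'.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Major release: the "7" in 1.7.0_10 (older "1.x" numbering) or the "9" in 9.0.1.
java_major() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | cut -d. -f1 ;;
    esac
}

# Update number: the "10" in 1.7.0_10, or 0 when the string has none.
java_update() {
    case "$1" in
        *_*) printf '%s\n' "${1##*_}" ;;
        *)   echo 0 ;;
    esac
}

# Exit 0 when the installed release is the one the post says to act on (Java 7),
# 1 when it is not, 2 when no version banner could be found. Prints a verdict.
needs_action() {
    v=$(java_version_string "$1")
    [ -n "$v" ] || { echo "no Java version banner found"; return 2; }
    major=$(java_major "$v")
    update=$(java_update "$v")
    if [ "$major" -ge 7 ]; then
        echo "Java $major update $update ($v): this is the Java 7 the post says to act on"
        return 0
    fi
    echo "Java $major update $update ($v): not the release the post describes"
    return 1
}

# Constructed sample banners (not captured from a real machine).
SAMPLE_JAVA7='java version "1.7.0_10"
Java(TM) SE Runtime Environment (build 1.7.0_10-b18)'
SAMPLE_JAVA6='java version "1.6.0_30"
Java(TM) SE Runtime Environment (build 1.6.0_30-b12)'

# Real check: java -version writes its banner to stderr, hence the 2>&1.
if command -v java >/dev/null 2>&1; then
    needs_action "$(java -version 2>&1)" || :
fi
```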
Of course, caution is always in order when dealing with unfamiliar web sites or untrusted sources.
no subject
Date: 2013-01-14 06:46 pm (UTC)
Can't really trust most media to get technical details like version numbers right, can ya? Sigh.
no subject
Date: 2013-01-14 07:41 pm (UTC)
I think the craziness is partly inspired by the fact that Homeland Security issued a warning to that effect: "disable all Java." They didn't even mention that it was just the web browser plug-in that is at issue. Now frankly, I consider Homeland Security to be so utterly incompetent that I'm not about to take their advice about anything, and that's why I investigated this more thoroughly.
no subject
Date: 2013-01-14 08:24 pm (UTC)
I'm not inclined to disagree with you about the Department of Homeland Security in general.
no subject
Date: 2013-01-14 09:01 pm (UTC)
It is apparently true that Java 6, any release, does not contain the function that has caused all this brouhaha. If I understand the CERT bulletins correctly, this is in part due to the fact that Java runs in its own memory allotment under release 7, where it ran inside the browser's memory in earlier releases. The result is that security limits imposed by the browser become no longer applicable, and that opens a whole can of wiggly worms that Oracle apparently did not take into account. I laughed this morning at one headline that claims it will take two years to truly remove this flaw. No, it takes only long enough to remove Java 7 and put Java 6 back on, as you mentioned.
My Linux releases use Iced Tea or OpenJDK for Java, and none have pushed me past version 6 release 26.
no subject
Date: 2013-01-14 11:37 pm (UTC)
Now that Microsoft and Adobe have been getting more on the ball, it does fall on Oracle to stop being the biggest source of exploits.
I don't have a problem with the press Java is getting. While most may not be running 7, many are running unpatched old versions. Action is still required.
no subject
Date: 2013-01-15 02:31 am (UTC)
It's like when there's a food contamination scare. If it involves a particular brand or goods from a particular processor, we don't hear "Stop eating all peanut butter until further notice." Instead they give us the most accurate details available. In this case, they've done just the opposite.