Oracle's Java security head says the company will 'fix Java,' communicate better

JMH (Emeritus, Contributor)
Oracle's head of Java security is promising the vendor will "fix" issues with the widely used programming language, as well as improve its outreach efforts to community members, following a spate of high-profile vulnerabilities.

"The plan for Java security is really simple," said Java security lead Milton Smith during a conference call this week with Java user group leaders. "It's to get Java fixed up, number one, and then number two, to communicate our efforts widely. We really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy. We have to fix Java."

Oracle's Java security head says the company will 'fix Java,' communicate better | Application Development - InfoWorld
 
Not holding my breath. Fortunately, I don't use or need Java on my computer. If you don't, it is past time to uninstall it!

New bug makes moot Java's latest anti-exploit defenses, claims researcher - Computerworld

"What we found ... is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings," Gowdiak wrote in a message posted Sunday to the Bugtraq mailing list.

In an email reply to questions Sunday, Gowdiak said there was a single vulnerability that makes the bypass possible. "It could be used to successfully launch unsigned Java code on a target system regardless of the security level set by the user in Java Control Panel. [The] 'High' or 'Very High' security [setting] does not matter here, the code will still run," he said.

After discovering the vulnerability and creating a proof-of-concept exploit that worked on Java 7 Update 11 -- the version released two weeks ago -- running on Windows 7, Gowdiak reported the bug to Oracle.
 
New bug neutralizes latest Java security updates

Researcher finds vulnerability that allows attackers to bypass the plug-in's new protection against silent exploits

Java's new security settings, designed to block drive-by browser attacks, can be bypassed by hackers, a researcher announced Sunday.

The news came in the aftermath of several embarrassing zero-day vulnerabilities, and a recent commitment by the head of Java security that his team would fix bugs in the software.

New bug neutralizes latest Java security updates | Security - InfoWorld
 
'Silent but deadly' Java security update breaks legacy apps - dev

An application developer reports that the latest Java 7 update "silently" deletes Java 6, breaking applications in the process.

Java 7 update 11 was released two weeks ago to deal with an unpatched vulnerability which had gone mainstream with its incorporation into cybercrook toolkits such as the Blackhole Exploit Kit in the days beforehand. Attacks were restricted to systems running Java browser add-ons.

But Oracle's response appears to have caused some collateral damage.

JNBridge, which provides Java and .NET interoperability tools, reports that customers of software providers who use its technology came a cropper in cases where users had applied the latest Java update (Java 7u11). The software developer blogged about the issue here.

'Silent but deadly' Java security update breaks legacy apps - dev | The Register
 
Another Java update! Oracle brings Patch Tuesday forward to close in-the-wild hole...

I'll keep this one short, but I feel I ought to tell you.

"Yet another Java update! Get it while it's hot."

In calmer times, this update would have appeared on 19 February 2013.

Oracle's Critical Patch Updates for Java normally come out on the Tuesday closest to the 17th day in every fourth month. (Yes, I find that a little Byzantine, too.)

But Oracle brought its February 2013 Java patch forward, noting the "active exploitation 'in the wild' of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers":

Another Java update! Oracle brings Patch Tuesday forward to close in-the-wild hole... | Naked Security