Yet another zero-day exploit :rolleyes:
Read all about it here:
http://www.theregister.co.uk/2012/08...block_exploit/
Thanks for the heads up. I've disabled Java and haven't found any sites I regularly go to that actually need it. I thought a couple of the financial/stock market chart and speed test pages I use did but it seems that they use Flash now.
I have just disabled Java on Firefox, but how can I disable it in IE 8?
I tried to disable Java in Control Panel and in IE8 Properties. No joy.
I just had to uninstall it.
By the way, there is a new version, Version 7 Update 6. Will it have the same vulnerability?
Now, how are we going to find out when it is safe to install Java again?
(BTW: The forum is quite slow again)
Not very soon it seems.
http://blogs.computerworld.com/malwa...-oracle-itbwcw
Quote:
There are some zero-day vulnerabilities in Java that are already being exploited. However, these aren't new bugs: Oracle (NASDAQ:ORCL) has known about them since early April, and doesn't plan to fix them until October.
Thanks for your answer, Train.
Thanks for your heads up Nick. I just simply deleted Java. It is (or has been) easy to install in the past.
Thanks for your links SpywareDr, they are very useful.
There is now an update from Java, version 7.0.70.
http://java.com/en/download/manual.jsp
I uninstalled the old and installed 7.0.70 and ran the test from ZScaler. It said I was still vulnerable.
However, a day or so ago, before installing the new update, I had disabled the Java(tm) Plug-in SSV Helper and Java(tm) Plug-in 2 SSV Helper BHOs, and when I ran ZScaler it said I was still vulnerable.
So I wonder how meaningful the ZScaler test is.
Oracle says version 7.0.70 is not vulnerable to the zero-day exploits, and testers agree.
http://www.computerworld.com/s/artic...rchers_confirm
I do not know why there is a small difference in version number, comparing the installed version in my Control Panel (7.0.70) versus Oracle's nomenclature "The full version string for this update release is 1.7.0_07-b10".
Only hours after Oracle released its latest Java 7 update to address active exploits, security researchers found yet another vulnerability that can be exploited to run arbitrary code on systems that have the runtime installed.
http://reviews.cnet.com/8301-13727_7...t-java-update/
My understanding is versions 1.7.0_00-000 through 1.7.0_06-FFF are vulnerable to the 0-day exploit.
And, according to this Zscaler page, the latest version, "1.7.0_07-000", (aka: "Version 7 Update 7", "7u7", "7.0.70", "Java SE 7 Update 07", "Java 7 Update 7"), is not vulnerable.
Here's a screenshot:
http://www.SpywareDrGuide.com/Virtua...zscaler_03.gif
I do not know (yet) if 7u7 is vulnerable to some other "currently in the wild" vulnerability.
The ZScaler test now says my installation of Java 7.0.07 (1.7.0_07) is not vulnerable.
I do not know where the http://reviews.cnet.com/8301-13727_7...t-java-update/ leaves things. It says the data so far is only a Proof of Concept and is not so concerned.
If you don't need Java then you might consider simply uninstalling it. If you do though, but you're still not comfortable with any version 7 of Java, the well-tested "Version 6 Update 35" is still available for download.
Personally, I stopped using Java at least 5 years ago, and I've never missed it at all. In the unlikely event that I find I ever do need it for something I'll install it in a virtual machine. At least that way it will be sandboxed.
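The version spellings compared in the thread above (Control Panel "7.0.70", the full string "1.7.0_07-b10", "7u7", "Version 7 Update 7") can be normalised to one (major, update) pair and checked against the 7u0 through 7u6 range one poster reports as affected. This is an added example, not code from any poster, Oracle or Zscaler; the function names are hypothetical, and reading the Control Panel number as update times ten is an assumption.

```python
import re

# Range the thread reports as affected: Java 7 update 0 through update 6.
VULN_MAJOR, VULN_MAX_UPDATE = 7, 6

def normalize(version):
    """Return (major, update) for the Java version spellings quoted in the thread."""
    v = version.strip()
    # Full version string, e.g. "1.7.0_07-b10"; the build suffix is ignored.
    m = re.fullmatch(r"1\.(\d+)\.0(?:_(\d+))?(?:-\w+)?", v)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    # Short form, e.g. "7u7".
    m = re.fullmatch(r"(\d+)u(\d+)", v, re.I)
    if m:
        return int(m.group(1)), int(m.group(2))
    # Product name, e.g. "Version 7 Update 7" or "Java SE 7 Update 07".
    m = re.fullmatch(r"(?:Java(?: SE)?|Version) (\d+)(?: Update (\d+))?", v, re.I)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    # Control Panel form, e.g. "7.0.70" (assumption: last field = update * 10).
    m = re.fullmatch(r"(\d+)\.0\.(\d+)", v)
    if m and int(m.group(2)) % 10 == 0:
        return int(m.group(1)), int(m.group(2)) // 10
    # Anything else is rejected rather than guessed at.
    raise ValueError(f"unrecognised Java version string: {version!r}")

def in_reported_range(version):
    """True if the version falls in the range the thread reports as affected."""
    major, update = normalize(version)
    return major == VULN_MAJOR and update <= VULN_MAX_UPDATE

if __name__ == "__main__":
    # Constructed sample inputs, using spellings that appear in the thread.
    samples = ["1.7.0_06-FFF", "Version 7 Update 6", "7.0.70",
               "1.7.0_07-b10", "7u7", "Version 6 Update 35", "7.0.07"]
    for s in samples:
        try:
            print(f"{s:22} -> {normalize(s)} in reported range: {in_reported_range(s)}")
        except ValueError as err:
            print(f"{s:22} -> {err}")
```

A result of False only means the version is outside the range quoted in the thread; it says nothing about other vulnerabilities in that release.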