Java update ‘doesn’t prevent silent exploits at all’
Ben Woods at ZDNet (1/28/13) points out that despite the supposed ‘fix’, machines running Java are still “open to further attacks”.
An update for Java Standard Edition 7 (SE7) – which was supposed to fix a high-profile critical vulnerability that left machines susceptible to remote exploits – has failed to solve all the issues with the software, leaving the door open to further attacks.
The zero-day vulnerability, uncovered in January, was widely reported to have been exploited in the wild, leading Homeland Security in the US to recommend disabling Java altogether. Following the bad press, Oracle quickly rolled out a fix for the issue in the form of Java SE7 Update 11.
However, Adam Gowdiak, a researcher from Security Explorations, said on the Full Disclosure mailing list on Sunday that there is another vulnerability in Java that allows remote execution of malicious code – that is, the running of unsigned Java content in a web page.
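The two articles above make a practical point: a host that has taken the 7u11 update is not necessarily safe, and the browser plugin, not the JRE version, is the attack surface for drive-by exploits. The script below is an added example written for this page, not code from ZDNet, Oracle or Security Explorations. It parses the version banner that `java -version` prints (the "1.7.0_11" form of Java SE 7 Update 11 is assumed to follow Oracle's major.minor.micro_update layout), compares it with 7u11, and folds in whether the browser plugin is enabled; the `plugin_enabled` flag is supplied by the caller, since detecting it differs per browser. The sample banners are constructed, not captured from a real machine.

```python
import re
import subprocess

# Patched release named in the article: Java SE 7 Update 11, runtime string "1.7.0_11".
# Tuple layout (major, minor, micro, update) assumes Oracle's "1.7.0_11" version format.
MIN_PATCHED = (1, 7, 0, 11)

# Matches the quoted version in the first banner line, e.g. "1.7.0_11"; update is optional.
_VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str):
    """Return (major, minor, micro, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def assess(banner: str, plugin_enabled: bool) -> str:
    """Classify a host's exposure to the drive-by Java exploits described above.

    The plugin state dominates the verdict: even a host at or above 7u11 is
    only 'reduced risk' if the plugin is off, because 7u11 is not a complete fix.
    """
    version = parse_java_version(banner)
    if version is None:
        return "unknown: could not parse Java version"
    if version < MIN_PATCHED:
        state = "unpatched (older than 7u11)"
    else:
        state = "at or above 7u11, but not known to be fully fixed"
    if plugin_enabled:
        return f"exposed: {state}; browser plugin enabled, disable it"
    return f"reduced risk: {state}; browser plugin disabled"


def local_java_banner() -> str:
    """Run `java -version` on this machine; returns '' if Java is absent or hangs."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return out.stderr + out.stdout  # the JDK prints the banner on stderr


# Constructed sample banners (not captured from a real host).
SAMPLE_OLD = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)'
SAMPLE_NEW = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)'

if __name__ == "__main__":
    for banner in (SAMPLE_OLD, SAMPLE_NEW, local_java_banner()):
        print(assess(banner, plugin_enabled=True))
```

Tuple comparison gives the ordering for free: `(1, 7, 0, 10) < (1, 7, 0, 11)`, and a banner without an `_update` suffix parses as update 0, so a bare 7.0 install is correctly flagged as unpatched.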
Java Update is Full of ‘Crapware’
Ed Bott points out that the recent “must install” Java update was bundled with crapware and examines why foistware still exists.
Oracle this week released an update for its widely used Java software, fixing a zero-day vulnerability that was being actively exploited to install malware via drive-by downloads.
But before you begin patting Oracle on the back for its quick response, note two things about that update:
1. It might not actually fix the underlying security issues.
2. Along with the must-install security update, Oracle continues to include crapware.
Yes, adding insult to injury, Oracle is actually making money and cheapening your web browsing experience by automatically installing the Ask toolbar, which in turn tries to change your default search engine and home page.
I’m ready to move Oracle’s Java to the top of my Foistware Hall of Shame, alongside Adobe, for crap like this.
Why does crapware still exist? Follow the Silicon Valley money trail
—Ed Bott | zdnet.com 1/13/2013