More Java Drama… Just Disable It Already (and Anon releases something)

Oracle’s released Java 7 Update 13, plugging 50 (!) security holes in one go. This comes three days after Apple remote-disabled Java on all OS X 10.6+ equipped machines due to security issues.

Yes, you should patch, just in case. But first — Firefox users, go up to Tools | Add-Ons | (whatever has the Lego block icon). If you see “Java,” click Disable. If you still have questions: http://www.zdnet.com/how-to-disable-java-in-your-browser-on-windows-mac-7000009732/

Anonymous also posted login data of a bunch of bank executives (http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executive-credentials-7000010740/). Oddly enough, no “too big to fail” banks are on the list.

http://www.infoworld.com/t/application-security/apple-ticks-mac-users-silent-shutdown-of-java-7-212028?source=footer
http://www.zdnet.com/forget-the-super-bowl-critical-java-patch-released-update-now-7000010732/

“Oracle has issued an update to its latest Java software that plugs more than 50 security vulnerabilities, including one particularly nasty flaw that was being actively exploited in the wild.

Amid a serious security flaw in the latest version of Java 7, where even the U.S. Department of Homeland Security has warned users to disable the plug-in, here’s how you do it.

The latest patch, Java 7 Update 13—critical updates are issued in consecutive odd numbers—was due to be released on February 19, but was pushed forward by two weeks.

In an advisory, Oracle said, “it felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers.”

The enterprise software giant said that 44 of the vulnerabilities patched in the latest ‘Update 13’ only affect Java in Web browsers on desktops, along with one vulnerability that affected the client deployment installation process. Also patched are three vulnerabilities that apply to client and server deployments, while the remaining two vulnerabilities only affected server deployments of the Java Secure Socket Extension (JSSE).

Oracle has also switched the security settings to “high” in the Java settings by default, which now requires users to expressly permit the execution of unsigned Java applets. This means users accessing malicious Web sites will be notified before a Java applet is run.”
