Standard User Zadeks
(experienced) Fri 01-Feb-13 21:24:35

Java 7 Update 13 now available


 
Oracle just released the February 2013 Critical Patch Update for Java SE. The original Critical Patch Update for Java SE was scheduled on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.

In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers). In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets. In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops). Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.


https://blogs.oracle.com/security/entry/february_201...

Update now!
Standard User Apprentice
(knowledge is power) Fri 01-Feb-13 23:08:46
Re: Java 7 Update 13 now available
[re: Zadeks]
 
Wonder how long before this version gets vulnerable?

Alastair

omadasafisho
Standard User Oldjim
(fountain of knowledge) Sat 02-Feb-13 10:21:50
Re: Java 7 Update 13 now available
[re: Zadeks]
 
I uninstalled Java when the problem arose and I haven't found any reason for installing it again - if sites insist on using Java - tough



Standard User Chrysalis
(eat-sleep-adslguide) Sat 02-Feb-13 10:56:37
Re: Java 7 Update 13 now available
[re: Oldjim]
 
I would if I had an option but I have work apps requiring it as well as a few custom apps I use which are Java-based. Also Glasnost uses it as well for its tests. What I still find crazy is the installer still doesn't remove old versions.

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20

Edited by Chrysalis (Sat 02-Feb-13 10:57:03)

Standard User XRaySpeX
(eat-sleep-adslguide) Sat 02-Feb-13 14:26:55
Re: Java 7 Update 13 now available
[re: Chrysalis]
 
In reply to a post by Chrysalis:
What I still find crazy is the installer still doesn't remove old versions.
Yes, it does! I've just installed it and every file is dated today.

Years ago it used to keep old versions, but not for a long time has it done so.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 02-Feb-13 14:55:51
Re: Java 7 Update 13 now available
[re: Zadeks]
 
Just installed Java 7u13. Keeps asking "Do you want to run this app?" even tho' I ticked "Don't show this again for this app", on XP, for e.g. TBB Speedtest.

Noticed this before with Java 7u11 on Vista but not on XP. Was puzzled by it.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Standard User David_W
(experienced) Sat 02-Feb-13 15:32:15
Re: Java 7 Update 13 now available
[re: XRaySpeX]
 
From Java 7 Update 11 onwards, Oracle have changed the default Java security level from Medium to High. This causes a prompt for each applet, with an option to whitelist the site. The idea is that you cannot unwittingly run an app.

If you want to return to the old Medium setting, go into Control Panel, find Java, then lower the slider on the Security tab to Medium.
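
As an added example (not part of David_W's post and not Oracle's code): a minimal audit of the setting described above, which reports whether a machine's Java security level has been lowered below the High default. It assumes the Control Panel slider is persisted as the `deployment.security.level` key in the per-user `deployment.properties` file; the sample file contents and function names are constructed for illustration.

```python
# Added example: audit the Java security level from deployment.properties text.
LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]   # ascending strictness
DEFAULT_LEVEL = "HIGH"   # default from Java 7 Update 11 onwards, per the post above
KEY = "deployment.security.level"   # assumed storage key for the slider


def parse_properties(text):
    """Parse the simple key=value / key:value subset of Java .properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue   # blank line or comment
        key, value, i = line, "", 0
        while i < len(line):
            if line[i] == "\\":
                i += 2   # skip an escaped character such as "\:"
                continue
            if line[i] in "=:":
                key, value = line[:i], line[i + 1:]
                break
            i += 1
        props[key.strip()] = value.strip()   # a later duplicate key wins
    return props


def audit_security_level(text):
    """Return the effective level and whether it sits below the default."""
    raw = parse_properties(text).get(KEY)
    level = (raw or DEFAULT_LEVEL).upper()
    if level in LEVELS:
        below = LEVELS.index(level) < LEVELS.index(DEFAULT_LEVEL)
    else:
        below = None   # unrecognised value: report it, do not guess
    return {"level": level, "explicit": raw is not None, "below_default": below}


# Constructed sample: a profile where the slider was lowered to Medium.
SAMPLE_LOWERED = """#deployment.properties
#Sat Feb 02 15:30:00 GMT 2013
deployment.version=7.0
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
deployment.security.level=MEDIUM
"""
# Constructed sample: slider never touched, so the key is absent.
SAMPLE_DEFAULT = "#deployment.properties\ndeployment.version=7.0\n"

if __name__ == "__main__":
    print(audit_security_level(SAMPLE_LOWERED))
    print(audit_security_level(SAMPLE_DEFAULT))
```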

Standard User XRaySpeX
(eat-sleep-adslguide) Sat 02-Feb-13 15:44:34
Re: Java 7 Update 13 now available
[re: David_W]
 
But why doesn't it obey "Don't ask me again?"? It's a pointless ineffectual Q.

How do you whitelist a site? I see nowt for this.

EDIT: Going Medium defeats object of security update.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC

Edited by XRaySpeX (Sat 02-Feb-13 15:45:56)

Standard User lenaspell
(committed) Sat 02-Feb-13 16:05:13
Re: Java 7 Update 13 now available
[re: XRaySpeX]
 
In reply to a post by XRaySpeX:
Just installed Java 7u13. Keeps asking "Do you want to run this app?" even tho' I ticked "Don't show this again for this app", on XP, for e.g. TBB Speedtest.

Noticed this before with Java 7u11 on Vista but not on XP. Was puzzled by it.


Same here. I wonder whether that is connected to me not being able to get beyond the quick download section on the TBB test at which point it freezes? Exactly at the 5% point every time.

Len

Zen Fibre Active. Router Netgear N300 WNR2000.
Windows 7 Pro 64bit and iMac 9.1 running Lion and a MacBook Pro running Mountain Lion :)
Standard User David_W
(experienced) Sat 02-Feb-13 16:28:15
Re: Java 7 Update 13 now available
[re: XRaySpeX]
 
In reply to a post by XRaySpeX:
But why doesn't it obey "Don't ask me again?"? It's a pointless ineffectual Q.

How do you whitelist a site? I see nowt for this.
The "Do not show this again for this app" option should whitelist the site. If it doesn't work, that seems about right for Oracle's pathetic QA.

In reply to a post by XRaySpeX:
EDIT: Going Medium defeats object of security update.
That's not true. The higher default security level in Java 7 Update 11 was because Oracle hadn't fully fixed the underlying security issue, also because they felt the overall Java threat environment justified opt-in protection.

In Java 7 Update 13, the security issue in question has, I believe, been fully fixed. If so (the verdict is awaited from the original reporter - he was fairly quick to shoot down Java 7 Update 11), you are fully protected from this issue even if you reset the level to Medium. You do, however, lose the ability to intercept unwanted apps before they run, which may protect you against as yet unknown security issues in Java. If you use something like NoScript in Firefox, where you have to opt in to all forms of active content, this extra protection is arguably unnecessary.


The bigger issue is that Oracle has to get to grips with the exploit potential of Java. Adobe PDF plugins and Flash Player were the historic favourite targets of malware, but Adobe has now sandboxed these plugins to give them restricted privileges (not on Windows XP - the sandboxing code relies on features only found in Vista and up), has given them auto-updating facilities and has become much more responsive to reported security issues. This makes the Adobe plugins much harder to exploit than previously.

Oracle, meanwhile, has not kept up. Java itself is not sandboxed, and its internal sandboxing facilities appear as leaky as a colander considering the number of privilege elevation exploits that have been found. There is no auto-updater and the manual updater is clunky. It's no surprise that the bad guys are increasingly targeting Java.

It seems likely that the response of many people will be to uninstall Java. For now, I'm keeping it on my machines, but none of us use it very much.
