Press "Enter" to skip to content

Posts tagged as “java”

Five, Count ‘Em, Five New Security Holes In Java

Those who thought it was safe to re-up Java on their browsers will need to go back and turn it off again.

If you listen to us, after you do you’ll never turn it back on. Browser side Java has been made pretty much obsolete by newer technologies, which means you don’t need it, especially since it’s proving to be about as easy to keep secure as ActiveX, sandbox or no. Here at FOSS Force, we haven’t had it enabled on our browsers for years, with no noticeable problems when we surf the web.

You may remember that back on January 10th it was announced that Java had a security vulnerability that was already being exploited in the wild. This security hole was serious enough to prompt the U.S. Department of Homeland Security to suggest that browser side Java be turned-off on all computers.

Java: Where Oracle, Twitter and Black Hats Meet


Back on January 24th, Oracle was sitting on their hands after issuing incomplete patches to not handle security issues in Java, issues bad enough to evoke dire warnings from the U.S. Department of Homeland Security. I opined on that day that Ellison’s hired help needed to get off their duffs and come up with a good fix quick, even if Java has turned-out to be a puppy Larry Ellison no longer wants to keep. Evidently, somebody in Deadwood City felt the same way, as Oracle pushed a patch this past Friday addressing 50 security holes in the beleaguered programming language.

Wait a minutes, did I just write that the patch addressed 50 security holes? I’ve got a five pound block of Swiss cheese in the fridge that has fewer holes than that. I think if I was Larry Ellison I would be ashamed to admit I’d allowed that many security vulnerabilities to accrue unfixed while any project was under my care. I think I’d fix ten a day or something in five separate patches and try to make it look like I had my security eagles working overtime finding new holes ahead of the bad guys.

Christine HallChristine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Will Oracle Wake Up & Smell the Java?

Does Oracle not know their own code?

I’m talking about Java. You know, the write-once-run-anywhere platform that seems to be severely broken from a security viewpoint, rendering it more than useless when used inside a browser.

Oracle, the company that’s owned Java since purchasing Sun Microsystems in 2010, seems to be clueless. Back in October the company pushed out a patch to fix some security holes that were already being exploited. There were complaints at the time that they were being secretive, saying little to nothing publicly about the problem, acting as if they were sweeping dust under a rug. Indeed, two months earlier, in August, the founder and CEO of the Polish security firm Security Explorations, Adam Gowdiak, told PCWorld that Oracle had known about the security problem for months:

Christine HallChristine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Java Still Isn’t Safe – Possible New Vulnerability

I was just guessing on Monday when I said that the Java security patch pushed by Oracle on Sunday was “too little too late.” This appears to have been a lucky good guess on my part, as word is out now that the Java browser plugin still isn’t safe.

At least that’s what Brian Krebs is reporting on his blog Krebs On Security. Evidently there’s a black hat on a hacker forum who’s offering-up info to two buyers on a new vulnerability in the latest and greatest version of Java (that would be version 7, update 11) for the sum of $5,000 each.

Christine HallChristine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Oracle’s Quick Java Patch–Too Little Too Late?

On Sunday, Oracle pushed an “unscheduled” patch to fix a security hole in Java that had prompted the U.S. Department of Homeland Security to take the unprecedented step of advising all Internet users to disable browser-side Java. The hole was already being exploited in the wild when white hats brought it to the public’s attention last week, mainly being used to install “ransomware.”

Despite Oracle’s assurances that it’s safe for surfers to go back in the water, security experts remain uncertain about the safety of Java. On Information Week, writer Mathew J. Schwartz quotes at least one security expert who gives the security patch a thumbs up:

Christine HallChristine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Java Security Vulnerability – How To Disable Java In Linux Browsers

When the Homeland Security folks get into the mix and urge all computer users to disable Java in their browsers, you know it’s serious. Indeed, the exploit announced yesterday seems to affect all operating systems, including Linux, and it’s already being exploited. According to Trend Micro the flaw is already being used by blackhat toolkits mainly to distribute ransomware. In a blog posted yesterday, the company advises all users to disable or uninstall Java:

To prevent this exploit, and subsequently the related payload, we recommend users to consider if they need Java in their systems. If it is needed, users must use the security feature to disable Java content via the Java Control Panel, that shipped in the latest version of Java 7. The said feature disables Java content in webpages. If Java content is not needed, users may opt to uninstall Java as it can pose certain security risk.

Christine HallChristine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Ellison & the GPL Part I

You would think a firm that fancies itself a Linux development company would have some respect for the GPL. With most companies, you’d be right. But not with Oracle. It becomes more obvious with each passing day that Larry Ellison has absolutely no respect for the GPL. The FOSS community would do well to consider Ellison to be the proverbial wolf in sheep’s clothing and act accordingly – for “FOSS-friendly” Oracle might pose more of a threat than Microsoft ever did.

Ellison seems to be making the GPL his play toy, shamelessly looking for holes in the license to exploit to his own advantage. Several years back, to show his displeasure at Red Hat for potentially moving into his territory when they acquired JBoss, he boldly announced the release of Unbreakable Linux, which was really Red Hat Enterprise Linux (RHEL) rebranded as an Oracle product (which he was perfectly free to do under the terms of the GPL).

Christine HallChristine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Latest FOSS News: