Java is still vulnerable to 0-day despite its update.

This week there has been a lot of talk about Java. It started with version 7 update 10, which was said to be very vulnerable. It was so vulnerable and critical that many recommended uninstalling Java completely from their computers.

0-day: A zero-day attack (or 0-day attack) is an attack against an application or system that aims to execute malicious code by exploiting vulnerabilities that are, in general, unknown to the public and to the manufacturer of the product. This means that they have not yet been fixed. This type of exploit generally circulates among the ranks of potential attackers until it is finally posted on public forums. A zero-day attack is considered one of the most dangerous instruments of computer warfare.

The vulnerability was quite serious, since it allowed software to be executed and installed on the system without the user knowing. This allowed information to be stolen and practically anything else to be done.

In the last few days the "geniuses" at Oracle have released a new version, Java 7 update 11, with a supposed patch for the 0-day.

But many claim that the vulnerability still persists, or rather, that it has not been fully patched. According to experts, it could take Oracle up to 2 years to fully fix this vulnerability.

Oracle suggests going to the Java control panel and raising the security level from medium to high, which will make it more difficult to execute malicious code without our consent. But beware: "It will make it more difficult."
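The control panel setting mentioned above is stored in the per-user `deployment.properties` file, so it can be checked without opening the GUI. The following is an added example, not part of the original post: it assumes the Linux per-user path `~/.java/deployment/deployment.properties`, the `deployment.security.level` key from Oracle's deployment configuration, and plain `key=value` lines; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the Java security level stored in deployment.properties.

# Print the value of one key from a .properties file (last assignment wins).
# Assumes plain key=value lines, without ":" separators or line continuations.
prop_get() {
    # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }              # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            sub(/[ \t]+$/, "", k)
            sub(/^[ \t]+/, "", v)
            sub(/[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Report the configured level: OK:<level>, WEAK:<level>, UNSET or NOFILE.
# UNSET means the JRE's built-in default applies, which depends on the update.
audit_java_level() {
    file="${1:-$HOME/.java/deployment/deployment.properties}"
    [ -r "$file" ] || { echo "NOFILE"; return 2; }
    level=$(prop_get "$file" deployment.security.level | tr '[:lower:]' '[:upper:]')
    case "$level" in
        HIGH|VERY_HIGH) echo "OK:$level";   return 0 ;;
        "")             echo "UNSET";       return 1 ;;
        *)              echo "WEAK:$level"; return 1 ;;
    esac
}
```

Run `audit_java_level` with no argument to check the current user's file, or pass a path to check another profile.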

I personally say that Java's time is over. Ever since I have been reading blogs, Java has always been shown to be very vulnerable, and the truth is I never notice whether I have Java installed or not. I mean, I don't notice the difference. I personally uninstalled it a long time ago and my life remains the same. Safer, of course 😀

I would recommend that if you are ordinary, everyday desktop users, you don't install Java. We have enough with Flash.



  1.   Blaire pascal said

    I don't know why I get a small smile when I read this. Maybe it's me ;D

    1.    KZKG ^ Gaara said

      We are already two lol

  2.   diazepam said

    Not even openjdk?

  3.   msx said

    If you do homebanking or use complex sites it is very likely that you need to have Java installed to use them - Java RTE, not OpenJDK where most of these sites do not work.

  4.   Rayonant said

    If msx is right, also in my case for example it is necessary to enter the system of grades and registration of courses of my university. By the way, do not take it the wrong way, but could you put the sources that claim that the vulnerability still continues after the update? I am interested in learning more since the use of java is a necessary evil.

  5.   dwarf said

    I have always been the biggest detractor of Java in these parts. The truth is that these types of critical vulnerabilities always appear in this language and that is one of the many reasons why I decline the use of such a poor quality product.

    Come on, it doesn't take long for one to get back to me answering that Java is this, Android is the other ... to shit Java.

    1.    msx said

      A small correction: what is insecure is not the language (which with its classes and camel case is horrible, yes) but the virtual machine where Java is compiled on the fly.

      1.    dwarf said

        Obviously my mistake for not specifying it, sometimes I tend to generalize it a lot.

        But I don't like everything that has to do with Java.

        1.    Ivan Barra said

          Including the horrible, slow, archaic and painful dalvik engine that android uses.

          1.    m said

            Ugh, it's good to find people with an opinion and without fear of saying things as they are.

            Fortunately, the future is promising with the large number of alternatives that are in their final stage of maturation :D :D

  6.   giskard said

    It's time to replace all of Java with Python ... I think. As the author said, the time of Java is over.

    1.    VaryHeavy said

      Totally agree.

    2.    merlin the debianite said

      On that I do agree, Python does not even need to be compiled, but how do I download without jdownloader? Tucan does not work for me and ratfat even worse. Who recommends a multi-protocol download program where depositfile links work?

      1.    msx said

        plowshare

  7.   Ricardo said

    Hopefully my boss doesn't read this .. if I'm not going to sell handicrafts in the square… hehehe

  8.   charlie brown said

    Okay with the news; anyway, on the sites where I have read about this Java vulnerability, they only warn Windows and OS X users, I have not seen any mention of GNU/Linux. In any case, as with all things, the degree of danger that it represents will depend on our browsing and safety habits. On the other hand, I am not very clear about disabling and/or uninstalling Java completely, since it is not only used by browsers; if you look closely, the LibreOffice and OpenOffice suites install and use it by default, so I am not sure how effective the "uninstall" will be. If someone has a more precise idea of the matter, I would appreciate them explaining it in detail.

    1.    Mario said

      Linux IS vulnerable:

      http://erratasec.blogspot.mx/2012/08/new-java-0day.html
      http://www.securityowned.com/noticias-seguridad/exploit-0-day-java-7-10/

      And although you reduce the risk by not visiting pages of dubious security, the infection can be caused by the simple fact of visiting a compromised page (your school's website, a commercial store, etc.).

      Although Linux is more secure, do not feed the myth that it is untouchable.

      1.    msx said

        It is not like this.

        GNU / Linux is safe, the insecure is Java.
        Windows is insecure with or without Java.

        If you leave an SSH server open on port 22 with root access and without a password, they will logically enter as Pancho at home.

        There is no feed FUD.

        1.    msx said

          And I add: the problem with Java is the low-level requirements of the virtual machine, in this new light it is evident that:

          The virtual machine needs low-level access to the system to function, which in itself is a design error and an attack vector since the system (GNU / Linux in this case) has no way of acting or defending itself since it literally hands over the keys to Java.

          Logically, if the virtual machine asks for unrestricted access to the system to function, this will be the weakest point of the system itself and the general security of the system will be marked by the security of the applications that need to run in kernel space or privileged user space.

          Document yourself, read, understand and - please - don't spread FUD.

          1.    dwarf said

            As far as I remember or understand there is no way that any application can access such a low level of action in the Kernel.

            I've read it but right now I don't remember where and the truth is that I don't know enough to start arguing about it ... I'm not so irresponsible, but I wanted to comment on it anyway.

    2.    jlbaena said

      I have libreoffice and I have not installed java.

    3.    Juan Carlos said

      In the case of Windows, it affects XP and 7. Windows 8 and Explorer 10 without problems. On the Linux PC I already disabled it in the browsers, just in case.

      1.    @Jlcmux said

        Well, if you use Sun Java on Linux, that takes a while to update. Especially if you use Distros like Debian. Then usually the manual .deb is compiled or installed. Therefore they do not update themselves.

      2.    asd said

        just disable plugins, no need to uninstall

        1.    @Jlcmux said

          What is the point of having a plugin installed and disabling it?

          1.    Juan Carlos said

            That when the problem is fixed you enable it, I imagine it will be updated with the patch.

          2.    asd said

            that when they solve the problem and release a new version you enable them again, it is the same as Juan Carlos says except for the patches, since no matter how much they remove them it seems that the problem persists

  9.   Alf said

    @ Charlie-Brown
    Libreoffice installs openjdk, it does not install java, on that side there is no problem, now as msx says, yes

    1.    Blaire pascal said

      Yupiiii, we are sure.

  10.   rainbow_fly said

    How about openjdk?

    I am a minecrafter .. I am not willing to give up so easily 😛

  11.   aleexfrost said

    Let's see, clarify one thing for me: does this error affect openjdk? Because from what I know most of Linux uses openjdk, and from what I read it is an Oracle Java bug or error.