Java 7 security exploit in the wild: edit - now patched

TonyE
3StarLounger
Posts: 361
Joined: 24 Jan 2010, 14:24
Location: Buckinghamshire, England

Java 7 security exploit in the wild: edit - now patched

Post by TonyE »

It has been reported in the last couple of days that there is a zero-day exploit for Java 7 that could allow execution of arbitrary code. The zero-day exploit is only reported to affect Java 7, so until Java 7 is patched a workaround is to uninstall Java 7 and install Java 6 instead.

http://secunia.com/advisories/50133/
http://www.theregister.co.uk/2012/08/27 ... k_exploit/
http://www.deependresearch.org/2012/08/ ... ation.html

Java 6 update 34 can be downloaded from http://www.oracle.com/technetwork/java/ ... 37595.html

If you install Java 6, you may want to consider turning off automatic updates as well; for details on how to do that, see http://kb.mozillazine.org/Java#On_Windows

Java 6 is being supported until November 2012, but hopefully Java 7 will have been patched by then...
Last edited by TonyE on 30 Aug 2012, 18:31, edited 1 time in total.
Tony

HansV
Administrator
Posts: 78631
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Java 7 security exploit in the wild

Post by HansV »

Thanks, Tony!
Best wishes,
Hans

aekyall
4StarLounger
Posts: 536
Joined: 05 Feb 2010, 23:23
Location: Whitehaven Cumbria UK

Re: Java 7 security exploit in the wild

Post by aekyall »

Thank you! Have uninstalled JRE 7.5 and installed JRE 6.34 as suggested, and also turned off automatic updates. I note, however, that all the referred websites indicate that it is not advisable to 'regress' to earlier (pre 7) versions as this could lead to other vulnerabilities that JRE 7 'fixed'. Is this a case of 'damned if you do, damned if you don't'? I'm assuming that reverting to JRE6.34 is the lesser of two evils :scratch: ?
Regards,
Keith

HansV
Administrator
Posts: 78631
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Java 7 security exploit in the wild

Post by HansV »

For the moment, yes, reverting is the lesser of two evils. Hopefully the vulnerabilities in JRE 7 will be patched soon.
Best wishes,
Hans

RonH
SilverLounger
Posts: 2062
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Java 7 security exploit in the wild

Post by RonH »

Thanks for this info.
I have both Java 6 & 7 latest versions on pc and have been leaving Java 6 'off' in the Java Control Panel. I have now 'swapped' these and Java 7 is off. Is this a satisfactory method of control until 7 is fixed?
Ron
CYa Ron
W11 pc, Android toys.
The only reason we have the 4th dimension of Time is so that everything does not happen at once.

HansV
Administrator
Posts: 78631
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Java 7 security exploit in the wild

Post by HansV »

That should be OK.
Best wishes,
Hans

RonH
SilverLounger
Posts: 2062
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Java 7 security exploit in the wild

Post by RonH »

Thanks Hans ... just for now I have deselected both versions in the Java Control Panel.
Under the Java/Security tab I have found these three listings of 'Trusted Sites'. I don't really know what these mean but I can't recall 'agreeing' these ... do you think I should Remove them just for now?
CYa Ron

TonyE
3StarLounger
Posts: 361
Joined: 24 Jan 2010, 14:24
Location: Buckinghamshire, England

Re: Java 7 security exploit in the wild

Post by TonyE »

Oracle have released Java 7 Update 7 to fix the security issues.

http://www.kb.cert.org/vuls/id/636312

Java 7 Update 7 available from http://www.oracle.com/technetwork/java/ ... 36441.html or http://www.java.com/
They have also released Java 6 update 35 - http://www.oracle.com/technetwork/java/ ... 36473.html
Tony

HansV
Administrator
Posts: 78631
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Java 7 security exploit in the wild: edit - now patched

Post by HansV »

Thanks, again, Tony.
Best wishes,
Hans

HansV
Administrator
Posts: 78631
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Java 7 security exploit in the wild

Post by HansV »

RonH wrote: Under the Java/Security tab I have found these three listings of 'Trusted Sites'.
Hi Ron,

I wouldn't remove those - Secunia PSI and your online banking would simply redownload these digital certificates next time you use them.
Best wishes,
Hans

RonH
SilverLounger
Posts: 2062
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Java 7 security exploit in the wild: edit - now patched

Post by RonH »

Java 7/7 installed on my Windows 7, thanks. I note that when I uninstall any Java from Control Panel/Programs and install the latest Update, previous versions (Updates 5 & 6) still remain in the Sun/Java Control Panel (LocalLow/Sun/Java folder). Is this correct?

Can I delete any Java programmes in Control Panel/Programs AND completely delete the entire Sun/Java folder that is in LocalLow and then do a complete reinstall to clean up all files and start afresh?

HELP PLEASE. I have just installed this Update 7 on our other Vista pc and it shows in the Control Panel ... but it's not working. I have searched for the Java Control Panel to turn on Java (it was still turned off from yesterday when I did the 7/7 Update) but I can't locate it even in the Vista Control Panel. How can I locate and turn Java on? Also this pc in LocalLow/Java folder shows Updates 4/5 and 7 but no Update 6 ... this was never installed. As with the Windows 7 pc, only Update 7 shows in Control Panel/Programs.
CYa Ron

HansV
Administrator
Posts: 78631
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Java 7 security exploit in the wild: edit - now patched

Post by HansV »

1) Yes, after uninstalling Java, you can safely remove any remaining folders/files.
2) I'd try uninstalling/reinstalling on the PC where Java doesn't work.
Best wishes,
Hans

RonH
SilverLounger
Posts: 2062
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Java 7 security exploit in the wild: edit - now patched

Post by RonH »

Thanks Hans ... sorted on both PCs. Reinstalling also got rid of past files, e.g. Update 5, 6 etc., so now just Update 7 appears in the LocalLow/Java.
What would I do without you :cheers:
CYa Ron

HansV
Administrator
Posts: 78631
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Java 7 security exploit in the wild: edit - now patched

Post by HansV »

But how about your online banking? Does that work with the new version?
Best wishes,
Hans

RonH
SilverLounger
Posts: 2062
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Java 7 security exploit in the wild: edit - now patched

Post by RonH »

HansV wrote: But how about your online banking? Does that work with the new version?
Yes Hans ... funny though that at Update 6 it stopped working again. I contacted bank, saw that their web page was 'off line' this morning (ahha I thought!) and after I had reinstalled Java again I went back to the bank and web page/login all OK :clapping:
Makes one think yet again ... why do they insist on using Java? Another bank I use does not need Java for netbanking.
CYa Ron

RonH
SilverLounger
Posts: 2062
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Java 7 security exploit in the wild: edit - now patched

Post by RonH »

Running Internet Explorer? ... this may be of interest.
http://www.kb.cert.org/vuls/id/636312
CYa Ron

HansV
Administrator
Posts: 78631
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Java 7 security exploit in the wild: edit - now patched

Post by HansV »

That's the same web page TonyE pointed to yesterday, higher up in this thread. It mentions in passing that "This issue is addressed in Java 7 Update 7".
Best wishes,
Hans

Jim Cone
StarLounger
Posts: 78
Joined: 18 Feb 2010, 01:44

Re: Java 7 security exploit in the wild: edit - now patched

Post by Jim Cone »

And now the patch needs a patch...
http://www.pcworld.com/article/261788/r ... #tk.hp_new

I've had Java removed (uninstalled) for a couple of months - can't tell the difference.

HansV
Administrator
Posts: 78631
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Java 7 security exploit in the wild: edit - now patched

Post by HansV »

Thanks, Jim - at least this new one is not out in the wild yet...
Best wishes,
Hans

aekyall
4StarLounger
Posts: 536
Joined: 05 Feb 2010, 23:23
Location: Whitehaven Cumbria UK

Re: Java 7 security exploit in the wild: edit - now patched

Post by aekyall »

Having (yet again!) uninstalled JRE 7.7 and re-installed JRE 6.34 (seems the safest thing to do for the time being), I'm now being 'pestered' by requests to download JRE 7.7, even though I've unticked the 'check for updates automatically' and have also ticked the 'never auto download' (see screenshots). I note that when I go back into the Java Control Panel the 'check for updates automatically' box has somehow been re-ticked. I'd rather not go with JRE 7.7 until things settle down a bit (unless someone here recommends otherwise). So, is there any way that I can stop the Java requests to download JRE 7.7 please?
Regards,
Keith