• Disable Java plugins to avoid new zero-day attack


    The Register and others are reporting a new zero-day exploit that targets Java Runtime 1.7. Recommended actions include disabling all browser based Java plugins. Dropping back to JRE 1.6 is not recommended as that may open other vulnerabilities.

    Link to original Malware Intelligence article.

    Link to The Register article.

    Link to Sophos article

    /Disclaimer: I have no way to verify the provenance or significance of the reports.

    • #1347244

      Unless someone has specific needs for Java (an app that needs it or a special website) many are now uninstalling Java altogether. I did and have had no adverse effects.

    • #1347246

      You’re right Ted, removing Java altogether will protect the user, however many websites will not function as the designer intended. Will the user notice if the website doesn’t function correctly? Possibly not, because modern browsers should fail graciously.

      There are quite a few programs (albeit some of them are fairly specialised) that require Java to run. I guess the biggest headline app that requires Java is Open/Libre Office, but there are many others. I have several productivity apps that require Java and although I might be able to find alternatives, they may be a lot more expensive and require testing.

      For me, Java is a necessary evil. However, Ted’s advice is valid. If you do not need Java, take an image backup and remove it. If things break, you can always revert to the image.

    • #1347250

      Many websites Tinto? Surely just a few … I’ve not had Java installed for months and I can only think of 3 or so that I’ve visited since that require Java, 1 of them has a Flash alternative anyway.

      OOO etc. only require Java to run the wizards from what I recall, the office suites work fine without it.

      • #1348286

        Many websites Tinto? Surely just a few … I’ve not had Java installed for months and I can only think of 3 or so that I’ve visited since that require Java, 1 of them has a Flash alternative anyway.

        OOO etc. only require Java to run the wizards from what I recall, the office suites work fine without it.

        Not if you have Access databases which need to be used and updated in OOO and then saved back to Access for use on a computer where the office suite is an older version of MS Office. I had this issue until I no longer needed the data on my old Windows 98, Office 95 desktop computer anymore. Just one example, and there are others, including the SMath Module, where OOO is still very JRE dependent. They need to change this!

        I’d also like to point out that OOO has had in the past such a lag in implementing new JRE updates, that one or more older JRE versions actually had to remain installed for OOO to work properly, until OOO itself received an update, often after months of delays. And there are other examples of needing one or more older JRE versions on a computer. The same thing can happen with Flash Player.

        As noted before, Java, JDK, JRE and Java SE are all different programs, serving different purposes and with different vulnerabilities (although they share a lot in common). And Javascript, contrary to what the Geek at Best Buy said, has nothing whatsoever to do with Oracle’s Java or the Java Programming Language. In fact, Sun once tried to sue to stop the confusion between the Javascript scripting language and the Java Programming Language. Removing JRE or any other Java installation does not affect websites which run Javascript.

        -- rc primak

        • #1348343

          In fact, Sun once tried to sue to stop the confusion between the Javascript scripting language and the Java Programming Language.

          Javascript has been a registered trademark of Sun/Oracle since 1995: USPTO Mark JAVASCRIPT

          It has been used under license by Netscape/Mozilla since that time: Javascript Trademark

          Bruce

          • #1348444

            Javascript has been a registered trademark of Sun/Oracle since 1995: USPTO Mark JAVASCRIPT

            It has been used under license by Netscape/Mozilla since that time: Javascript Trademark

            Bruce

            Your Patent Link (#1) is a dead link. It does not display information on any patent. And there is a subtle but important spelling difference between Javascript and the Oracle-patented JavaScript. That difference is critical to those patents.

            Once again, you have taken a shortcut and skipped the history of what you were posting about. You have a habit of doing this in your posts.

            Wikipedia says that the Patent used by Oracle is as follows:

            Today, “JavaScript” is a trademark of Oracle Corporation.[22] It is used under license for technology invented and implemented by Netscape Communications and current entities such as the Mozilla Foundation.[23]

            The wikipedia article then posts a history of Javascript which does not mention an Oracle JavaScript patent (Birth at Netscape section of the article). In fact, this Section confirms the different origins of Javascript and Java. The Oracle patents came along after Javascript first appeared.

            This History of Javascript clearly describes what really happened. Javascript originally had nothing whatsoever to do with Java when Netscape was developing javascript in the early 1990’s. Under threat of a lawsuit, Netscape handed Javascript over to an international standards group. Sun and Oracle had never owned Javascript nor its trademark at that time (prior to 1995).

            The importance of this scripting language was too great to leave its future development in the hands of the competing browser developers and so in 1996 Javascript was handed over to an international standards body called ECMA who then became responsible for the subsequent development of the language. As a result of this the language was officially renamed ECMAScript or ECMA-262 but most people still refer to it as Javascript.

            Oracle’s trademarks and its implementations within the Java Programming Language (the trademarks and patents you refer to) have no bearing on Javascript’s independent existence as a Web Standard. The Javascript Web Standard is not patented nor trademarked by Oracle to this day.

            Javascript has nothing to do with the Java Programming Language, as I stated originally. But the confusion (including yours) lingers on.

            -- rc primak

            • #1348460

              Your Patent Link (#1) is a dead link. It does not display information on any patent.

              It’s not dead and it gives full information dating back to the first filing in 1995 by Sun of a trademark for JAVASCRIPT.

              And there is a subtle but important spelling difference between Javascript and the Oracle-patented JavaScript. That difference is critical to those patents.

              It’s a trademark, not a patent. Case of letters not significant in trademarks. Try selling an OS called windows with a lower case w.

              Once again, you have taken a shortcut and skipped the history of what you were posting about. You have a habit of doing this in your posts.

              No shortcut. I checked history. You’re the one always posting unverified “facts”.

              The Oracle patents came along after Javascript first appeared.

              No, Sun owned that name from the beginning.

              This History of Javascript clearly describes what really happened. Javascript originally had nothing whatsoever to do with Java when Netscape was developing javascript in the early 1990’s. Under threat of a lawsuit, Netscape handed Javascript over to an international standards group. Sun and Oracle had never owned Javascript nor its trademark at that time (prior to 1995).

              Javascript didn’t exist in the early 1990s. That’s what your link actually SAYS.

              Who says the handing over to an international standards group was under threat of a lawsuit? Just you?

              Sun trademarked the name on Dec. 01, 1995 and Netscape’s scripting language was renamed JavaScript on December 4, 1995.

              You can read the joint press release here: Netscape and Sun announce JavaScript

              Oracle’s trademarks and its implementations within the Java Programming Language (the trademarks and patents you refer to) have no bearing on Javascript’s independent existence as a Web Standard. The Javascript Web Standard is not patented nor trademarked by Oracle to this day.

              There is no “Javascript Web Standard”. That would be ECMAscript.

              I’m not sure you really grasp trademarks, but Oracle own the rights to the name Javascript; as Sun did when the name was invented in 1995.

              So, who exactly did Sun try to sue for using the name Javascript because it was too close to Java?

              Javascript has nothing to do with the Java Programming Language, as I stated originally. But the confusion (including yours) lingers on.

              You were a week late there. I’d already pointed that out in post #12.

              Bruce

    • #1347260

      Many online games use Java. Several of the word games the wife and I play regularly use it. I expect that Java will have an update shortly if it hasn’t already. If you have up to date Virus protection and keep Java updated, I don’t think there’s a major danger. This may be overhyped similar to the “uninstall all you gadgets” warning. But to each his own. All my clients have Java enabled and I haven’t run across a Java infection yet.

      Jerry

      • #1347269

        I took a quick look at Install/Remove Programs in Control Panel and didn’t see anything identified as Java. Is it a program that someone would have to choose to install themselves, not automatically included on a PC? Or is there another name I should look for in the Control Panel? Thanks.

        • #1347271

          I took a quick look at Install/Remove Programs in Control Panel and didn’t see anything identified as Java. Is it a program that someone would have to choose to install themselves, not automatically included on a PC? Or is there another name I should look for in the Control Panel? Thanks.

          Yes, in most circumstances, you’d need to install it yourself.

        • #1348292

          I took a quick look at Install/Remove Programs in Control Panel and didn’t see anything identified as Java. Is it a program that someone would have to choose to install themselves, not automatically included on a PC? Or is there another name I should look for in the Control Panel? Thanks.

          If it isn’t showing in your Programs List, it isn’t installed.

          -- rc primak

    • #1347272

      No, it’s not normally included. If it’s not under J you probably haven’t got it: How do I uninstall Java on my Windows computer?

      Bruce

      • #1347351

        Java(TM) is easy to spot-at least in Vista-no need to go to Change/Uninstall-just open Control Panel & if Java(TM) is installed you’ll see the ‘steaming’ coffee cup with JAVA under the logo. And yes it could have been included by the OEM along with many other ‘crapware’ programs. I uninstalled it about 4/5 years ago & haven’t looked back. I don’t know if the program is still available or not, it was an open source not connected with, at the time, Sun Java. There were at the time 2 developers whose names I don’t recall.
        The name of the program was(is) JavaRa. I suppose Google or whatever search engine you prefer could find it.

        Good luck & I hope this helps.

        • #1347388

          The Windows 7 laptop that one of my clients gifted me with is currently at Best Buy, having all the programs loaded by the Geek Squad (hope I don’t regret that). Anyway, I just got a call and they said that an older accounting program that I’ve used for many years needed to have Java installed in order for it to run. It would be more convenient to be able to use my old accounting software, since my needs are modest because my accounting is very simple and there would be no learning curve or expense of going to another program. However, I decided NOT to have them install Java.

          The tech at Geek Squad told me two things, and I wonder if either was correct:

          (1) He said there is no way to install Java and disable it (only enabling it when I want to use the accounting program offline).

          (2) He said that Hotmail and Yahoo both need Java to access email accounts. I don’t see how that could be true, since I don’t have Java on this computer and I can access Hotmail (haven’t tried Yahoo) just fine.

          He also said as long as I have my security software (Webroot SecureAnywhere) on the computer, I didn’t have to worry about Java being exploited. I definitely don’t believe that. I’ve seen plenty of people who are very careful and keep their security software up-to-date but still end up with some kind of infection.

          • #1347449

            The tech at Geek Squad told me two things, and I wonder if either was correct:

            I think both were really incorrect.

            (1) He said there is no way to install Java and disable it (only enabling it when I want to use the accounting program offline).

            It’s possible to disable Java use from a browser but leave it installed for use by a trusted program.

            The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) just issued instructions on how to do that (due to this Java 1.7 issue):

            US-CERT Vulnerability Note VU#636312

            (2) He said that Hotmail and Yahoo both need Java to access email accounts. I don’t see how that could be true, since I don’t have Java on this computer and I can access Hotmail (haven’t tried Yahoo) just fine.

            Most webmail sites require Javascript to be enabled (“Active Scripting” in Internet Explorer), but that is different from Java (applets, often animations or games).

            Dropping back to JRE 1.6 is not recommended as that may open other vulnerabilities.

            Despite The Register’s general comment about not downgrading to earlier versions, US-CERT do recommend that as a viable alternative and they provide a link at the bottom of US-CERT Vulnerability Note VU#636312 to download Java 1.6.34.

            Bruce

        • #1348294

          Java(TM) is easy to spot-at least in Vista-no need to go to Change/Uninstall-just open Control Panel & if Java(TM) is installed you’ll see the ‘steaming’ coffee cup with JAVA under the logo. And yes it could have been included by the OEM along with many other ‘crapware’ programs. I uninstalled it about 4/5 years ago & haven’t looked back. I don’t know if the program is still available or not, it was an open source not connected with, at the time, Sun Java. There were at the time 2 developers whose names I don’t recall.
          The name of the program was(is) JavaRa. I suppose Google or whatever search engine you prefer could find it.

          Good luck & I hope this helps.

          I have had Java JRE installed on three Operating Systems, and never once had a permanent Java Logo showing anywhere, unless the Updater was set to act as a Windows Startup (which I choose not to allow).

          -- rc primak

          • #1348321

            I have had Java JRE installed on three Operating Systems, and never once had a permanent Java Logo showing anywhere, unless the Updater was set to act as a Windows Startup (which I choose not to allow).

            You just referred someone to Java Control Panel. That’s what was being referenced here too (“… just open Control Panel …”)

            Bruce

            • #1348442

              You just referred someone to Java Control Panel. That’s what was being referenced here too (“… just open Control Panel …”)

              Bruce

              The Java Control Panel by default is not shown on the Windows Desktop nor in the Tray Area. That is what was being referenced here. I made a special shortcut for Java CPL on my Windows XP laptop. I have other ways to access it if need be in Windows 7 and 8, but none is built-in from the Java installer. As long as I don’t activate Java Automatic Updates, that is. That Startup Item is a real resource hog during Windows launching.

              -- rc primak

            • #1348461

              The Java Control Panel by default is not shown on the Windows Desktop nor in the Tray Area. That is what was being referenced here.

              No, the Control Panel was being referenced here. As indicated by “… just open Control Panel …” in the post you quoted.

              Bruce

    • #1347390

      Well I access Hotmail and Outlook.com from both the website and WLM 2012 without Java installed, so that’s not correct.

    • #1347458

      An update to Java 7.7 is now available to fix this vulnerability: Java SE Runtime Environment 7 Downloads

      (As just announced in an amended US-CERT Vulnerability Note VU#636312)

      Bruce

      • #1347486

        Thanks, Medico and Bruce, for your replies. You confirmed my suspicions. When I asked him if he meant Javascript when he was speaking about Hotmail and Yahoo mail, he curtly replied, “No, I mean Java.”

        I told him not to install it and I would try to find another accounting program that would work without Java. If I am unable to find something that will work for me, I may consider installing my old accounting program and then installing Java, but disabling it from doing anything other than run with my accounting program.

        I certainly do appreciate the robust support at this site; it’s my go-to site when I’m not sure how to do something (which happens often).

    • #1347489

      This is really discouraging for me. I’m a retired, widowed senior living alone, and I know all about exercising the brain. [heh, about the only exercise I get]

      So I belong to several user groups and news sites to play many games of Sudoku and crossword puzzles. I believe they all require Java.

      Sooo…hmmm…what to do now

      • #1347521

        This is really discouraging for me. I’m a retired, widowed senior living alone, and I know all about exercising the brain. [heh, about the only exercise I get]

        So I belong to several user groups and news sites to play many games of Sudoku and crossword puzzles. I believe they all require Java.

        Sooo…hmmm…what to do now

        Update to 1.7.7 at the link in post 13; problem solved.

        Bruce

        • #1347547

          Update to 1.7.7 at the link in post 13; problem solved.

          Bruce

          Did that. Many thanks

          • #1348067

            One of the primary software tools I use is Lacerte tax software by Intuit, and they recently re-wrote the code to use Java. I supposed that means I have to leave it installed so I can do my work – but that is different than disabling it for use by a browser isn’t it?

            Scott

            • #1348070

              One of the primary software tools I use is Lacerte tax software by Intuit, and they recently re-wrote the code to use Java. I supposed that means I have to leave it installed so I can do my work – but that is different than disabling it for use by a browser isn’t it?

              Scott

              Yes, you can disable the browser extensions while keeping Java installed, allowing the software that needs Java to keep functioning properly.

            • #1348293

              One of the primary software tools I use is Lacerte tax software by Intuit, and they recently re-wrote the code to use Java. I supposed that means I have to leave it installed so I can do my work – but that is different than disabling it for use by a browser isn’t it?

              Scott

              Yes, you can disable the browser extensions while keeping Java installed, allowing the software that needs Java to keep functioning properly.

              To clarify, open Java Control Panel. Go to the Tab for Advanced features. Uncheck the browser plugin items for any browser where you have Java installed. This still allows full Java access to other programs while protecting you when you’re using the browsers.

              -- rc primak

      • #1348582

        I’m using VISTA Home Professional SP 2. When I try to update or uninstall JAVA I get the following message, “The Windows Installer could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.”

        Any ideas on how to correct the problem?

        Thanks.

        • #1348587

          I’m using VISTA Home Professional SP 2. When I try to update or uninstall JAVA I get the following message, “The Windows Installer could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.”

          Any ideas on how to correct the problem?

          Try installing this first: Windows Installer 4.5 is available

          Bruce

          • #1349181

            Thanks Bruce,

            I used the link and downloaded Installer 4.5 but did not have any luck. Each time I try I get a message, “The update does not apply to your system.” Any other ideas?

            Thanks again

      • #1350321

        Hi Loungers,

        New threat, read here.

    • #1347496

      Some tips to minimize the Java fiasco:
      1. In Windows 7, IE has both 32 bit and 64 bit versions. A separate Java is required for both of these.
      Decide on either one browser bit version to use for your Java needs, but avoid using both.
      Which Java download should I choose for my 64-bit Windows operating system?
      2. Keep your Java up to date by configuring your Java to notify you when an update is available.
      3. Do not allow several versions of java to coexist on your machine, completely uninstall all prior versions prior to installing new ones.
      4. Clear your Java’s cache on a regular basis; How do I clear the Java cache? Become familiar with the Java Control Panel.

    • #1347497

      Thanks, CLiNT, but I have no idea which is 32 or 64. Fire Fox v15 installed the Java.
      I have
      Java Deployment Toolkit 7.0.60.24; 10.6.2.24; NPRunTime Script for Library Java
      and
      Java (TM) platform SE7 U6; 10.6.2.24 for Mozilla browser.

    • #1347524

      If you don’t have any applications or web sites that use Java, there’s really no reason to have java installed. But if like me and robertpri you have web sites that use java, there’s really no reason to obsess about vulnerabilities. Sure you can get infected. But the same thing applies to Windows itself. As long as you keep one antivirus up to date and keep java itself updated, you will be fine. I’ve used java for many years and have never had an infection from it.

      Jerry

    • #1348102

      The zero day exploit was fixed in Java release 6 u35/7 u7 which was released last week.
      http://www.computerworld.com/s/article/9230786/Oracle_s_emergency_Java_patch_blocks_zero_day_exploits_researchers_confirm
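Added example (not part of the original thread and not any poster's or vendor's code): the thread writes the same Java releases in several notations (`1.7.0_06`, `SE7 U6`, `6 u35/7 u7`, `1.6.34`), so this sketch normalises them, checks each against the 6u35 / 7u7 baseline named in the post above, and flags hosts where several versions coexist, as the earlier tips list advises against. The function names and the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class JavaVersion(NamedTuple):
    family: int  # 6 for Java 6, 7 for Java 7
    update: int  # update number; 0 for the initial release


# Baseline from the thread: this zero-day was fixed in 6u35 / 7u7.
# Later updates fix further issues, so treat this as a minimum only.
FIXED_BASELINE = {6: 35, 7: 7}

# Notations seen in the thread and in `java -version` output,
# most specific first.
_PATTERNS = [
    # 1.7.0_06, 1.6.0_34-b04, 1.7.0.9
    re.compile(r"\b1\.(?P<family>\d+)\.0[._](?P<update>\d+)"),
    # 7u7, 6 u35, "SE7 U6", "7 Update 7", "7 release 7"
    re.compile(
        r"(?<![\d.])(?P<family>\d+)\s*(?:update|release|u)\s*(?P<update>\d+)",
        re.IGNORECASE,
    ),
    # shorthand used by posters: 1.6.34, 1.7.7 (also plain 1.7.0)
    re.compile(r"\b1\.(?P<family>\d+)\.(?P<update>\d+)\b"),
]


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Return (family, update) for the first recognised notation, else None."""
    for pattern in _PATTERNS:
        match = pattern.search(text)
        if match:
            return JavaVersion(int(match.group("family")),
                               int(match.group("update")))
    return None


def has_zero_day_fix(version: JavaVersion) -> Optional[bool]:
    """True/False against the baseline; None if the family is not listed."""
    minimum = FIXED_BASELINE.get(version.family)
    if minimum is None:
        return None
    return version.update >= minimum


def audit_host(installed: List[str]) -> Dict[str, List[str]]:
    """Classify the installed-program strings collected from one machine."""
    report: Dict[str, List[str]] = {
        "below_baseline": [], "unknown_family": [],
        "unparsed": [], "coexisting": [],
    }
    seen = set()
    for entry in installed:
        version = parse_java_version(entry)
        if version is None:
            report["unparsed"].append(entry)
            continue
        seen.add(version)
        fixed = has_zero_day_fix(version)
        if fixed is None:
            report["unknown_family"].append(entry)
        elif not fixed:
            report["below_baseline"].append(entry)
    # 32-bit and 64-bit installs of the same update count as one version;
    # only genuinely different versions are reported as coexisting.
    if len(seen) > 1:
        report["coexisting"] = [f"{v.family}u{v.update}" for v in sorted(seen)]
    return report


if __name__ == "__main__":
    # Constructed inventory, as it might be copied from a programs list.
    sample = [
        "Java(TM) 6 Update 34",
        'java version "1.7.0_06"',
        "Java 7 Update 6 (64-bit)",
    ]
    for key, values in audit_host(sample).items():
        print(f"{key}: {values}")
```
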

      • #1348157

        Not to discount threats, be they zero or many days, but if you use an application requiring Java, chill out.
        Threats come up every and each day. I suppose we all could turn off our computers, or unplug the cable modem.
        No reason to panic and take drastic measures.
        Keep your security software up-to-date.
        Keep everything up-to-date. Secunia is a good tool.

        As far as the recommendation earlier of not using both the 32 and the 64 bit versions; if you use Java (or have it installed) on Win7 I’d install both versions of Java. A pain to keep updated, but how can you make sure that only one of the browsers (32 or 64) is ever used?

        • #1348177

          Not to discount threats, be they zero or many days, but if you use an application requiring Java, chill out.
          Threats come up every and each day. I suppose we all could turn off our computers, or unplug the cable modem.
          No reason to panic and take drastic measures.
          Keep your security software up-to-date.
          Keep everything up-to-date. Secunia is a good tool.

          Agreed.

          As far as the recommendation earlier of not using both the 32 and the 64 bit versions; if you use Java (or have it installed) on Win7 I’d install both versions of Java. A pain to keep updated, but how can you make sure that only one of the browsers (32 or 64) is ever used?

          Unless someone has gone to extreme lengths to use IE 64-bit as the default browser, then IE 32-bit will always be used unless IE 64-bit is specifically started from a special shortcut.

          So it would be quite easy to install only 64-bit Java and invoke that version of the browser when Java was actually needed. (Not so easy the other way round with normal defaults.)

          (With IE10 on Windows 8 I think you could make the same distinction by using 64-bit mode with Java only for trusted sites.)

          Bruce

          • #1348287

            Agreed.

            Unless someone has gone to extreme lengths to use IE 64-bit as the default browser, then IE 32-bit will always be used unless IE 64-bit is specifically started from a special shortcut.

            So it would be quite easy to install only 64-bit Java and invoke that version of the browser when Java was actually needed. (Not so easy the other way round with normal defaults.)

            (With IE10 on Windows 8 I think you could make the same distinction by using 64-bit mode with Java only for trusted sites.)

            Bruce

            In many cases, only the 64-bit JRE is needed. Many 32-bit JRE dependent Apps and websites will run just fine with only JRE 64-bit installed.

            While for pure Java programs it doesn’t matter which JRE is installed, some programs use external libraries which may require 32bit or 64bit JRE. (AndrejaKo, Dec 26 ’10 at 13:29)

            http://superuser.com/questions/225532/running-java-32bit-and-64bit-on-same-computer

            But there may be some JRE dependencies which do use external Libraries, and these will need 32-bit JRE if they are written for that version.

            -- rc primak

      • #1348289

        The zero day exploit was fixed in Java release 6 u35/7 u7 which was released last week.
        http://www.computerworld.com/s/article/9230786/Oracle_s_emergency_Java_patch_blocks_zero_day_exploits_researchers_confirm

        According to AskWoody.com, “Within hours of Update 7 being posted, the same security researchers announced that the new version had a similar security hole.” So take your pick — either believe the latest claims or not, and act accordingly.

        This was in reference to JRE 7, Update 7, which is the most up to date version, both 32-bit and 64-bit, of JRE.

        -- rc primak

    • #1348291

      The elephant in the room for Java is Oracle. The lion’s share of Oracle apps run under Java. I’ve worked for several businesses where Oracle is the core of their inventory, order entry and project management systems. For them, Java is a “big deal”. And since Oracle bought out Sun just to have control over Java, I can’t believe they waited this long to plug these holes.

    • #1348443

      I’ve left the Java automatic updater in most of the PCs I service and have never noted it to be a resource hog. It doesn’t affect boot time in any noticeable difference. Most of my clients would never update Java on their own without it.

      Jerry

      • #1348446

        I’ve left the Java automatic updater in most of the PCs I service and have never noted it to be a resource hog. It doesn’t affect boot time in any noticeable difference. Most of my clients would never update Java on their own without it.

        Jerry

        There are two components which are running automatically on my laptops if Java Automatic Updates is enabled. One is the Java Quick-Launcher, the actual resource hog here. The other is the updater itself, which seems not to want to run if Java Quick Launcher is not enabled. The Quick Launcher is a Startup Item, and Java Automatic Updates does run itself to check for updates at many Windows logins. These two components frequently or always slow down my Windows log-ins, if either is enabled with the updates default setting — to check every day or every week.

        In any event, I disabled both on all my computers, as the updater seems never to have the critical security updates until a week or two after they are issued by Oracle. I always end up having to download the Java Security Updates I keep reading about online manually if I want them in a timely fashion.

        Yes, manual updating is a pain and involves a big download and a slow installer, but automatic updates also run the installer, and if you’re working on anything important at the time, this can be a drag on your work speed. At least on my laptops. The security advantage of having timely critical updates is to me worth the extra effort. Maybe not in a large-scale deployment environment, but I only update three Windows OSes.

        Your mileage may vary.

        -- rc primak

    • #1348447

      I have Java updater enabled in my startup and I don’t see any reference to Java Quick Launcher either in startup or running processes. Perhaps that was true in the past, but I see no evidence of it now. As I said, it has no measurable impact on startup times or runtimes as far as I can see. The javaupdate scheduler process it spawns takes up 800k of memory. There’s nothing wrong with killing it and doing your updates manually if you want to keep your PC cleaner but I don’t believe you save much and as I stated before very few of my clients would manually update.

      Jerry

    • #1348477

      @BruceR, Post#40. Learn how to read English. I stand by everything I said, including the Dead Link.

      -- rc primak

      • #1348506

        @BruceR, Post#40. Learn how to read English. I stand by everything I said, including the Dead Link.

        Including the bit of history you invented? Oh well.

        Bruce

    • #1348500

      For the average user, the likely places they use Java are with most of the HP Printer/AIO software, and Facebook games. So removing Java is not practical for them. So though about 90% of the viral infections I clean up (about 4 per week) appear to have entered their machine through Java exploits (regardless of their security programs), I tell them to make sure they respond to every prompt to update Java. Currently that release is 7 release 7 or 6 release 35 (which appears to be the better choice if they play online games). So far, no one who has kept their Java up to date has needed to call me back for another cleaning – probably near 200 households. Of course, there are just a few that still don’t…

    • #1348514

      Bob, the patent link is not dead. Works fine for me.

      Jerry

    • #1349182

      Strange, it said for all versions of Vista. EDIT; Actually, it only said Vista and SP1, not SP2.

      Try this, which is specifically for your error message “The Windows Installer Service could not be accessed.”:

      Diagnose and fix program installing and uninstalling problems automatically

      Bruce

    • #1349743

      Hi Loungers,

      I just found this:-

      Read more here.

    • #1349756

      People sometimes confuse Java with JavaScript. These are totally different. Virtually every web page in existence uses JavaScript. This is not the problem child. Java is.

    • #1349845

      There’s a patch coming out this week with Windows Update.

    • #1350335

      Unless you have an app installed that requires Java, it is just too insecure to take the chance. I have uninstalled it and say good riddance.

    • #1350342

      Hi Ted, As there are some sites I use that require Java, it is still on my pc’s but disabled in FF, I very very rarely use IE.

      • #1352509

        I’ve been following this thread and as a result have disabled but not yet uninstalled Java on my Windows 7 PC and laptop.

        Today I was asked to install “jucheck.exe”, a Java update.

        Question:
        Should I install it?

        Thanks for any input on this.

        Linda

        • #1352514

          I’ve been following this thread and as a result have disabled but not yet uninstalled Java on my Windows 7 PC and laptop.

          Today I was asked to install “jucheck.exe”, a Java update.

          Question:
          Should I install it?

          Thanks for any input on this.

          Linda

          Java was just updated four days ago to patch vulnerabilities; so it’s safe again, for a while, if you really need it: Java Runtime Environment 1.7.0.9

          Bruce

    • #1352513

      I personally would hold off until and unless you re-enable Java. This is the Java Update Checker. This is the portion of Java, I believe, that when installed, installs itself in the Start Up folder and starts with Windows. Even when I had Java, I would not allow the Update Checker to run. FileHippo.com checks this for you.

    • #1352670

      At least one known Java vulnerability is still unpatched

      Gowdiak said that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java. According to the researcher, Oracle told him that the October CPU was already in its final testing phase when he reported the vulnerability. Therefore, this vulnerability and another, less critical hole will be closed at the next scheduled Java patch day on 19 February 2013.

      http://www.h-online.com/security/news/item/Stormy-October-patch-day-for-Oracle-1731176.html
