# A Warning not to run Java in your Web browser



## lotuseclat79 (Sep 12, 2003)

Java bug exposes users to serious code-execution risk.

*Researchers disclose because Oracle won't*

Note: Links internal to the above article lead to workarounds to the problem.

Advice: Turn off Java in your Web browser.

Related: Serious Java Bug Exposes Users To Code Execution.

*This might be a tough one to solve as it's not a typical buffer overflow or programming bug per se but more of a flaw in the way the Java Virtual Machine functions. Sun don't consider this vulnerability to be critical, which could be a mistake on their part as that means it won't be patched until the next patch in the cycle is released - which should be around July.*

-- Tom


----------



## Mumbodog (Oct 3, 2007)

Also here

http://forums.techguy.org/general-security/915892-serious-new-java-flaw-affects.html



----------



## lunarlander (Sep 22, 2007)

I don't see a lot of web sites using Java, so I don't have that installed. But a lot of universities teach Java, so I think the student population is at risk.


----------



## SIR****TMG (Aug 12, 2003)

Good Read


----------



## antimoth (Aug 8, 2009)

I removed Java, thought I didn't need it, but found my GPS support software runs on it. I got out, but they pulled me back. 

Maybe this is overblown and false security. If you remove Java from your PC and your lifestyle involves visits to suspect websites, you are still vulnerable to the existing tried and true Javascript (not the same as Java) and Active-X exploits. Even if your lifestyle is pure as new snow, hundreds of thousands of legit sites contain links to suspect sites. 

I am not sure about Internet Explorer, but Firefox with a script blocker will prevent Javascript exploits as well as the new Java exploit (so far). And any script blocker is worthless if you go to a site and tell it to allow scripts.


----------



## lotuseclat79 (Sep 12, 2003)

antimoth said:


> I removed Java, thought I didn't need it, but found my GPS support software runs on it. I got out, but they pulled me back.
> 
> Maybe this is overblown and false security. If you remove Java from your PC and your lifestyle involves visits to suspect websites, you are still vulnerable to the existing tried and true Javascript (not the same as Java) and Active-X exploits. Even if your lifestyle is pure as new snow, hundreds of thousands of legit sites contain links to suspect sites.
> 
> I am not sure about Internet Explorer, but Firefox with a script blocker will prevent Javascript exploits as well as the new Java exploit (so far). And any script blocker is worthless if you go to a site and tell it to allow scripts.


Hi antimoth,

Yes, simply turn off Java in Firefox, and run Firefox with NoScript to provide against cross-scripting JavaScript attacks. Only use IE for Update Tuesdays for Windows platforms; otherwise, use Firefox.

-- Tom


----------



## Mumbodog (Oct 3, 2007)

In the wild now

http://threatpost.com/en_us/blogs/java-zero-day-attacks-wild-041410



----------

