Even with two new versions in two months, Oracle are failing to secure Java. Unless you have a compelling requirement for Java in your browser, turn those browser plug-ins off today.
http://www.theregister.co.uk/2013/01/15 ... _browsers/
http://www.infoworld.com/t/web-browsers ... ers-210882
http://www.telegraph.co.uk/technology/n ... -Java.html
I only use Java in a browser for the Web Admin of GPWiki. That's getting binned in favour of more SHH command line-fu.

_________________
10 PRINT "Bad Monkey ";
20 GOTO 10

Keep spreading the word!

_________________
What most people don't understand is what I like to explain as a thing that I understand.

Looks like JRE1.7u11 has been broken after less than a week.
http://www.infoworld.com/d/security/res ... -11-211150
I haven't even finished testing my roll out of the u11 patch and it's already compromised.

_________________
10 PRINT "Bad Monkey ";
20 GOTO 10

Well, lets not overreact, just go back to java 1.6, there is no reason at all for running java 1.7 and 1.6 is not affected by the security issues.

I wonder why this java thing makes such big waves, while everyone still uses adobe flash and adobe reader which have such security issues all the time and were actively used by hackers to do real bad stuff that affected the whole internets security, like hacking certificate authorities by sending them 'funny must see flash videos'.

BTW: There are 2 big security things that i just can recommend for everyone:

A) When just browsing the web, i use lynx over a ssh connection, for reading mail, mutt over ssh... If you'll do this too, you already have eliminated most of the security issues (unfortunately there are sites, like forums ;-) , that aren't really fun to use with lynx, or elinks, or w3m)

B) Use QuickJava and if you need flash flashblock extensions if you run firefox, that way you can leave stuff that is known for security issues - like java, flash, silverlight - off until you really need it

_________________
My projects: Gamvas Web - html5 canvas game framework| sge2d - C/C++ 2D SDL game framework

I've been packaging and deploying Adobe patches too. Reader and Flash have both had two updates in the last month or so. Thing is, they roll out without too much drama. Java on the other hand is a complete pain.

Interesting comment about 1.6. At work we base our updates on guidance from a range of CERTs and 1.6 has been a no-no for a good while. While it isn't vulnerable to the sandbox exploit, it has had plenty of other issues and goes out of support next month. We have apps that depend on specific older versions and it's a big risk to support those.

I guess the biggest thing for me is that 99% of the malware our protection system has caught recently has been Java based. Quite a bit of has been 0-day stuff and all of it has been delivered in a drive-by manner from compromised sites. I'm looking at whitelisting the sites that NEED the browser plugin. So far the list is quite short.

_________________
10 PRINT "Bad Monkey ";
20 GOTO 10

What was before does not matter, at the moment, if you need java, 1.6 is the best choice. Working as a security specialist for - i think the biggest, but at least one of the biggest - technology companies in Germany, i can not really confirm your 99% java based malware, but i guess thats a matter of what customers you deal with. Anyway, flash is and was the bigger security issue out there, and i think it will remain to be, until it's gone, which is hopefully soon.

Nobody ever made such a fuzz about flash security holes, maybe just because there so plenty. Its like with, lets say terrorist attacks, on 9/11 it was big news and the whole world made week long special reports, nowadays every day people get bombed away in Bagdad or so, nobody cares anymore, i think this is the same case here with java vs flash ;-)

_________________
My projects: Gamvas Web - html5 canvas game framework| sge2d - C/C++ 2D SDL game framework

Opinions up for grabs: Oracle is lame and Java is lame. Oh yeah and PHP, SQL, Javascript, Adobe, the W3C, Google, Microsoft, Apple... Who else? I let my scourge of pie be known!

_________________
What most people don't understand is what I like to explain as a thing that I understand.

I agree, Flash is a problem too. However, you can turn off Flash in most work places and the will be little or no effect, apart from people's break time surfing.

A large part of our work is defence contracts, the systems are heavily locked down and the security requirements are often dictated to us. On the other hand, we also have some education contracts where regular malware infection and downtime are seen as the norm due to the nature of the end user.

My point is, the browser plug-in simply isn't required for most people's day-to-day work. Some internal systems need older 1.6 plugins (and IE6 ) and the sales guys use WebEx, but they can be white listed. I don't see a need to allow the wider Internet to have the plugin enabled.

_________________
10 PRINT "Bad Monkey ";
20 GOTO 10

in your totally unrelated list of companies, programming languages, technologies, standards and gremiums, you definately forgot linux

_________________
My projects: Gamvas Web - html5 canvas game framework| sge2d - C/C++ 2D SDL game framework

And Nintendo, they suck too.

_________________
10 PRINT "Bad Monkey ";
20 GOTO 10

I agree with both of you, but you've got to give Linux a small thumbs up for being free software (as GNU defines it). Unfortunately, GNU thinks they define what free software means, and so again, they're yet another who suck!

Poor UDI. Killed off as a young creature by a man who I would rather find eating pizzas than exceptional standards. Richard Stallman, someday you will pay with proprietary-ness! Site of the crime: http://gnu.org/philosophy/udi.html

There's talk of doors and locks at the end... Yep. That's not free. You totalitarian bastard!!!! WTF!?

_________________
What most people don't understand is what I like to explain as a thing that I understand.

Best answer: Everything sucks. Get used to it, Buttercup.

_________________
What most people don't understand about "enlightenment" is that it is not an end-goal; but where you find yourself just before taking a new "first step."

I nominate that as the best answer.
Oh, and I see that you also indentify me as a buttercup. My deliciousness is never underestimated.

-Pie Man

_________________
What most people don't understand is what I like to explain as a thing that I understand.