Way OT even for the campfire, but I thought I should pass this Reuters piece along. CYA.

http://business.financialpost.com/2013/0...-java-software/

The U.S. Department of Homeland Security urged computer users to disable Oracle Corp’s Java software, amplifying security experts’ prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.

Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.

“We are currently unaware of a practical solution to this problem,” the Department of Homeland Security’s Computer Emergency Readiness Team said in a posting on its website late on Thursday.

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the agency said. “To defend against this and future Java vulnerabilities, disable Java in Web browsers.”

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents.

Thanks for the heads up Doug.

I disabled the Java plug in both Chrome and Firefox this morning. I don't use Internet Explorer.

Doesn't this also impair a large fraction of the websites?

That was my first thought too. The problem appears to be with Java, not JavaScript. From what I gather these are two very different things, but the similar names are creating a lot of confusion out there.

FWIW, when I checked last night, only two of my PCs had Java installed. The rest, including Windows and Linux boxes, never had it and I haven't had had any problems using websites.

Anyway I'm just the messenger, not a programmer, so please don't consider this to be an expert opinion.

A lot of websites still use Java on the server-side, but not necessarily piped down to your browser. A security flaw like this really impacts corporations more than most regular web surfers realize if it needs to be disabled/removed. Mobile devices use Java, maybe your big screen TV even. It's found in a lot of technology, but this warning only applies to computers connected to the web.

You may find that certain features of your favorite website may not work for a while until a patch is distributed or they come up with a workaround.

Java was Sun's love child but ever since Oracle bought out Sun, Java's been kind of a step-child that doesn't fit in with the rest of the Oracle family so it doesn't get the attention it deserves.

This isn't the first major security flaw discovered recently with Java. ALL software has flaws so it's mostly the effort put into responding to and also proactively looking for flaws that sets the bar on security. Remember how Microsoft products were the butt of jokes not that long ago for the number of high profile security flaws that kept surfacing? Well, Microsoft invested a lot of money and attention to the matter and now how often do you hear about major MS security flaws with their IIS webserver, Internet Explorer, etc?

That explains it. I was thinking of Java Script.

For security, I run Linux (therefore, I obviously don't use IE either). But even with this, I don't allow Java in a web browser (certainly not - never have), but neither do I allow JavaScript or Flash. When I run into friends who ask for computer help and they are unaware enough to be allowing ActiveX, I advise them to disable that. I haven't messed with many Windows computers lately, so I really don't know much about Windows and IE anymore. I abandoned that long ago because of all the security flaws, and just never looked back. Windows could have improved since then, but I really don't care anymore.

I do have a few websites whitelisted and they are allowed to use JavaScript (ETS being one of those), and other specific websites are allowed to run Flash. Very few however. Cookies are disallowed for most sites, I enable that on a site-per-site basis. For example, ETS can set permanent cookies, and when I'm actively buying a product off a website I usually enable cookies (temporarily) for "session only" since most online purchases won't work without that. Ads are blocked as well. The main reason is not because I don't want to support advertisers (although I admit I DO hate intrusive ads!), but because allowing all that stuff into your computer is just another road to potential disaster, as well as a bandwidth hog.

You don't want websites running software on your computer. I may be old-school and hard-assed about this, but my computers don't get compromised.

I have gone through the house and uninstalled Java on all our computers. It won't be reinstalled. I would urge you all to do the same.

I've been playing with the Java & JavaScript settings in Firefox (version 18.0). I lost some functionality when I disabled Firefox's JavaScript (pulldown Tools/Options/Content) but lost nothing when I disabled the runtime environment settings in Java.

So as has been suggested, I removed Java using Windows "Add or Remove Programs" in the control panel. As far as I can tell nothing has been lost.

Thanks to all for the suggestion.

The fix is in the works. Oracle says that they will be releasing the fix on Tuesday. http://www.pcworld.com/article/2025171/oracle-says-java-update-coming-tuesday.html

I wouldn't be any more apprehensive about the Java issue than problems with any other software. MS has smaller fixes every Tuesday and the occassional major fix that is just as exploitive as this Java issue. Obviously, Homeland Security has a zero tolerance for this type of problem, your personal computer is much less at risk.

BTW, this flaw is in the JDK7 (Java Development Kit) version of the software and it "does not affect Java applications directly installed and running on servers, desktops, laptops and other devices," the company said. If you aren't a software developer, you won't have this installed on your computer and this won't be an issue for you.