No surprise: latest Java still not secure

It looks like Java is currently the target of choice for malware authors, which must be a relief for Microsoft, since Windows was the target of choice for years. That means Java’s developer (Oracle/Sun) is in for a rough ride: the rate at which new Java vulnerabilities are found, and exploits developed for them, is going to increase. The only thing that will reverse the trend is a big push by Oracle/Sun to make the core of Java a lot more secure. Until that happens, you’re going to keep hearing the same advice: don’t enable Java in your web browser unless you need it, limit in-browser Java to the sites and applications that require it, and remove Java completely if you really don’t need it at all.

Windows 8 Pro Upgrade price will quintuple at end of January 2013

If you’re going to buy Windows 8, you should do it soon. The promotional price of $40 for Windows 8 Pro Upgrade will end on January 31, 2012. After that, the price will be $200. I had hoped Microsoft would keep the price for Windows 8 low; $200 is excessive, especially if Microsoft really wants people to upgrade. Most people hesitate before spending $200 on anything, but $40 is a no-brainer, and even if you end up going back to Windows 7, at that price you won’t feel like you’ve been cheated. The accountants at Microsoft clearly haven’t yet learned that lowering software prices solves a lot of problems, including piracy.

Implications of Windows 8 Start menu software downloads

Over at The Verge, Tom Warren has an interesting post about Pokki, a Windows Start menu replacement for Windows XP, 7 and 8.

Apparently, the Windows 8 version of Pokki has been downloaded over 1.5 million times since its introduction in October 2012. That would seem to imply that there is a strong demand for a Start menu in Windows 8, which Microsoft consistently denies. Similar surges in downloads of Windows 8 Start menu software like Stardock’s Start8 and Classic Shell reinforce the notion that a significant portion of Windows 8 users are not happy with the lack of a Start menu.

Java Update (hopefully) fixes recent 0-day vulnerability

A new update for Java (Version 7, Update 11) was released today. This update is supposed to fix the serious 0-day vulnerability discovered last week. Anyone using Java 7 in a web browser should install this update immediately. Given the recent track record of Oracle/Sun (Java’s developer), it remains to be seen whether this update actually fixes the vulnerability. I will wait for Adam Gowdiak to weigh in before I’m certain one way or the other.

Update 2013Jan17: An interesting post over at NetworkWorld reviews what’s being said about the state of Java’s vulnerability.

Latest Java still vulnerable, new exploits in the wild

A new vulnerability in all the most recent versions of Java is already being exploited in the wild. It’s being called a critical zero-day bug, meaning that the vulnerability can be exploited right now, before the developers have had a chance to fix it, and that it allows for serious security breaches.

The Ars Technica article linked above points out that several hacking toolkits have already been updated to include exploits specific to this vulnerability.

Our advice on using Java remains the same: if you require Java to be enabled in your web browser, use the available security features to prevent Java from running in any context where it isn’t actually necessary. If you only require Java outside of a web browser, disable Java in your web browser. If you don’t need Java at all, disable it or remove it completely.

For additional details, see the CERT post. Mozilla has a helpful post about protecting users from this vulnerability.

Update 2013Jan12: Adam Gowdiak has weighed in on this issue. According to Mr. Gowdiak, this new vulnerability is the result of a previous vulnerability being improperly fixed by an earlier patch.

And now, an apology: somehow I missed the release of Java Version 7 Update 10, which apparently became available on December 12, 2012. That version addressed a variety of vulnerabilities and other bugs, and enhanced security in general with new features like the ability to prevent any Java application from running in a web browser.
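As an added illustration (not from the original post) of the Java 7 Update 10 feature just mentioned: the same "disable Java in the browser" switch that the Java Control Panel exposes is stored as a key in Java's deployment.properties file. The file's location is platform-specific and is assumed rather than stated here; the `.locked` suffix is the deployment.properties convention for stopping a per-user file from overriding the system-level value.

```properties
# Added example: system-level deployment.properties (file location is platform-specific; assumed, not from the post).
# Keep Java installed for desktop applications but stop the browser plugin from loading any applet at all.
deployment.webjava.enabled=false
# Lock the key so a user-level deployment.properties cannot switch the plugin back on.
deployment.webjava.enabled.locked

# If the plugin must stay enabled for one site that needs it, raise the security level instead
# (VERY_HIGH is one of the levels introduced with 7u10) and lock that as well:
# deployment.security.level=VERY_HIGH
# deployment.security.level.locked
```

After restarting the browser, the Java plugin should no longer appear in its list of installed plugins; if it still does, the file was not read from the location the JRE expects.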
