ClassCreator.com | Blockbuster sites, amazing reunions


Java Fixed

Forums: General Discussion
Created on: 01/14/13 11:29 PM Views: 1313 Replies: 3
Monday, January 14, 2013 at 11:29 PM

Read details HERE

Oracle released an out-of-band patch Sunday to fix two zero-day vulnerabilities in Java that are being actively exploited by attackers.

A security alert from Oracle said that the patched vulnerabilities include CVE-2013-0422 (Oracle Java 7 Security Manager Bypass Vulnerability) as well as "another vulnerability affecting Java running in Web browsers." The Java update also changes the default security level for browser-based Java applets and applications from "medium" to "high," which means that any unsigned Java Web apps won't run without a user's approval. Oracle said the change is meant "to prevent silent exploitation."

Tuesday, January 15, 2013 at 12:01 AM - Response #1

I sent the same info you shared with us to my (ex) brother-in-law. His position is as a senior systems analyst and I trust his recommendations. Due to his reply, I simply deleted Java on both my systems. As he noted in his email:

"Over the past couple of years Java has become responsible for many serious security flaws.

The problem is that it is difficult, even for me, to determine if the Java plug-in is really needed. (Oh, Java and JavaScript are completely different things and have nothing in common except the word Java in their names.)

Each browser has a different method to disable the Java plug-in. The easiest and most foolproof method to disable Java is to uninstall it. There are some websites that use Java, but not too many. After you uninstall it, if a web site doesn't work, or gives you a message that Java is needed, then you may need to re-install Java. To install it, always go to www.java.com rather than use a link or an installation process from a website. www.java.com is the official web site for Java.

I hate to be vague, but this is not an easy issue to deal with."

I share the above part of his email for admins who might be at a loss regarding this topic. Again, I uninstalled it, which makes me more comfortable. If needed, I will reinstall it. It is that simple, to me.

Have a great week!

Tuesday, January 15, 2013 at 12:28 AM - Response #2

It's easy to disable Java in a browser and turn it back on when required.

Either way, one has to recall how to turn it back on. Turning the option on is for sure a 1000 times faster.

I'll post the link here that I posted in the original topic - instructions for how to disable JAVA per browser.

The part that is forgotten is that a user has to VISIT a site that has code that is exploiting the flaw. The ONLY way to be safe from any exploits (that includes FLASH too) is to have a computer dedicated to web browsing and nothing else. IOW, there's nothing on it you care about.

It's better to be educated on how and why this works since one may get an unjustified feeling of security just because Java is disabled (or deleted).

Most users are exposed to many serious possible system crashes by just not running a UPS. Yet they do not run a UPS. Have you ever wondered what would happen if you lost power while Windows is updating? (hint: it keeps saying not to turn off your computer.)

Short answer - it's not a pretty sight.

Edited 01/15/13 12:31 AM
Tuesday, January 15, 2013 at 9:59 PM - Response #3

Threads on this topic are concerning some of our admins planning to attend the webinar tomorrow evening.

If you are attending the webinar, run the test on your computer. Should you need Java, it is up to you to decide to install it or miss the webinar. Personally, I chose to download and reinstall Java. I am NOT missing the webinar, are you?
