Java Update

I seem to recall that there was a bogus Java update floating around recently - I've been prompted by what appears to be a legit Java update request but I'm not sure - the file is jucheck.exe - does anyone know if this is a legit Java update file?

Yes it is, and there was just a security update for Java released.

From a security standpoint, you are better off removing Java entirely from your computer.  It is one of the principal tools that hackers use to get entry to your computer.

 

Sun/Oracle has a long and disappointing history of severe security failures.

 

----------

 

www.informationweek.com

 

Zero Day Java Vulnerability Allows McRat Trojan Infections

Mathew J. Schwartz

March 1, 2013    <----

 

A newly discovered zero-day vulnerability in the most recent versions of Java 6 and Java 7 is being actively exploited by attackers to install malicious software on vulnerable PCs.

 

"We detected a brand new Java zero-day vulnerability that was used to attack multiple customers," FireEye security researchers Darien Kindlund and Yichong Lin said in a blog posted Thursday. "Specifically, we observed successful exploitation against browsers that have Java v1.6 update 41 and Java v1.7 update 15 installed," they said, referring to the two _most recently_ released versions of Java 6 and Java 7.

 

The discovery of the new bug makes for the THIRD Java zero-day vulnerability to have been reported to Oracle THIS WEEK.

 

----------

 

I removed it from all our computers a couple of months ago, during the then-latest Java crisis, which seems to occur with increasing regularity.

 

It's a risk that few computer users need to take.

 

There was only one website that I frequent that needed Java -- a weather website that showed a time sequence "video" of the moving weather pattern.  I said screw it and now just look at the snapshots.  It's not worth it.

 

----------

 

www.nbcnews.com

 

Homeland Security Still Says No to Java

Suzanne Choney

 

The Department of Homeland Security says despite some fixes to Java, it continues to recommend users disable the program in their Web browsers, because it remains vulnerable to attacks that could result in identity theft and other cyber crimes.

 

The Computer Emergency Readiness Team, part of the DHS, first took the unusual step last week of issuing an alert, warning users to disable Java, saying the program could be manipulated by criminals to trick users into visiting malicious websites that could infect their computers with malware, or allow criminals to steal personal financial data on users' PCs.

 

Oracle, maker of Java, said on its security blog Sunday that it updated Java 7 for Web browsers, fixing two vulnerabilities. The company also switched Java's security settings to "high" by default, which should make it more difficult for malware to run without the user knowing it.

 

** Even so, security experts have since warned that _several critical security flaws remain_. **

 

"All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk," said the Computer Emergency Readiness Team on its website:

 

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers _until adequate updates are available_."

 

---------

 

Which will be _never_, since the hackers are smarter than Adobe's developers.