From: "Lew" <[email protected]>
|
| Java is a programming language. Javascript is a different programming
| language, despite the similarity of names.
|
| There is a vulnerability in the interaction between Java and Javascript within
| a browser that Sun patched in version 1.4.2_06 and later. It is not present in
| version 1.5+. If you aren't even using Java there is no risk from it. If you
| run Java but not Javascript there is no risk from it. The vulnerability only
| occurs when running mini-programs in Java called "applets" in combination with
| certain malicious Javascript scripts in the browser.
|
| There are other Java exploits that require a Trojan (short for "Trojan
| horse"), a program that has already loaded itself onto your computer, to have
| replaced legitimate Java with a malicious version.
|
| You do not need Java unless you want to run Java programs such as applets. If
| you do not run these programs, Java is not an issue. If you run neither Java
| nor Javascript the particular exploit won't bite you.
|
| It is not a bad thing to replace Java 1.4 with Java 1.5 as the other poster
| suggested. Meanwhile I doubt you have anything to fear. You should be much
| more concerned with conventional viruses, Trojans and other malicious software
| ("malware") that does not use Java. Good antivirus, anti-spyware, firewall
| and similar software is your protection.
|
| Avoid panicking just because one person sounds a "sky is falling" alert.
|
| I recommend that you confirm what I told you with your own research. ("Google
| is your friend.") I am not a security expert and I only know what I've been
| able to research so far.
|
| - Lew
Not totally accurate. You said "...It is not present in version 1.5+." V5 update 5 and
below have the vulnerability. The problem exists even if you have a vulnerable version and
a non-vulnerable version as the Exploit code will seek and find the vulnerable version of
Sun Java.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
and
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
I'll repeat, the vulnerability is actively being exploited. Most well known is the Vundo
Trojan/Virtumonde Adware. Since the Vundo has recently morphed (again!) one can visit a web
site, be infected and the anti virus software may not even catch the Exploit nor the
subsequent infection. This certainly warrants more attention to the OP's other post about
"Webfldrs XP".
I also find it interesting that while the OP did NOT know anything about Java, she decided
to cross-post this to comp.lang.java.programmer. This is a vulnerability/security issue,
not a programming issue.