Thursday, June 16, 2005

I can't figure out how to make this simple 

To start with, click the Edit/Preferences or Tools/Internet Options menu in your web browser, go through the options until you find something related to "Java" (not JavaScript), and turn it off. You probably don't need it, and if you do need it, you need to fix a security problem before you use it again.

Java is a computer language. Web sites sometimes use it to run small programs on your machine. In theory this is safe because the Java system allows for confining a program to a small set of activities so the program can't install spyware, erase files, or generally vandalize your machine.

Every now and then someone finds a way for a Java program to sneak around those limits. Once that's possible, a web site could take over your machine as soon as you visit, by downloading a hostile Java program to you. Java's supposed to be safe, so your browser probably runs it without asking you first.

Now things really start to suck.

There are two different flavors of Java in wide use. One's from Microsoft, one's from Sun. The recently discovered Java bug only affects Java installations from Sun. You might have either one.

Nobody's automatic updates will help. Microsoft had a bitter legal battle with Sun over Java and I don't expect them to help you upgrade a competing product. Browser makers might conceivably help but right now none of them mention the problem on their home pages. You're going to have to install the update yourself.

So how do you tell whether you're affected? This is where it starts to suck like one of those truck-mounted vacuum cleaners that cleans ductwork. Brace yourself:
If you then you should be safe.

You could also try WatchGuard's instructions for identifying your Java version. If you're comfortable at a command prompt, Sun suggests typing "java -fullversion", which gives you version information just like "java -version" does but gives you less of it. Here things start to suck like the inside of a tornado because Sun has at least two version numbering systems for Java. If you get one or more numbers back, look at the number that begins with "1.4" or maybe "1.3". The version you want to have is 1.4.2_08 but may also be called "J2SE 5.0 Update 2". If you don't get any response typing the command "java", you may be safe.
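If you'd rather not compare the numbers by eye, here is a small shell function that does it. It is an added example, not part of the original post or anything from Sun. It uses the two version names given above and assumes that "J2SE 5.0 Update 2" shows up in this output as 1.5.0_02; the function name and the sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Thresholds are the ones the post
# names: 1.4.2_08, which it says may also be called "J2SE 5.0 Update 2".
# Assumption: 5.0 Update 2 reports itself as 1.5.0_02.

# classify_java_version LINE  ->  prints: current | outdated | unknown
classify_java_version() {
    # Extract the quoted version, e.g. 1.4.2_05 from: java full version "1.4.2_05-b04"
    ver=$(printf '%s\n' "$1" | sed -n 's/.*"\([0-9][0-9._]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    base=${ver%%_*}                        # 1.4.2
    case $ver in
        *_*) upd=${ver#*_} ;;              # update number after "_", e.g. 05
        *)   upd=0 ;;                      # no "_" means no update release
    esac
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; micro=${3:-0}

    # Refuse anything that is not plain digits rather than guess.
    case "$major$minor$micro$upd" in
        *[!0-9]*|'') echo unknown; return 0 ;;
    esac
    upd=$(printf '%s' "$upd" | sed 's/^0*//'); upd=${upd:-0}   # 08 -> 8

    case "$major.$minor" in
        1.4) if [ "$micro" -lt 2 ] || { [ "$micro" -eq 2 ] && [ "$upd" -lt 8 ]; }
             then echo outdated; else echo current; fi ;;
        1.5) if [ "$micro" -eq 0 ] && [ "$upd" -lt 2 ]
             then echo outdated; else echo current; fi ;;
        *)   echo unknown ;;               # the post names no target for other lines
    esac
}

# Constructed sample lines in the format `java -fullversion` prints.
for line in 'java full version "1.4.2_05-b04"' \
            'java full version "1.4.2_08-b03"' \
            'java full version "1.5.0_01-b08"' \
            'java full version "1.3.1_15-b01"'; do
    printf '%-40s %s\n' "$line" "$(classify_java_version "$line")"
done
# Live use (java prints its version text on stderr, hence the 2>&1):
#   classify_java_version "$(java -fullversion 2>&1)"
```

"unknown" covers both a missing java command and a release line, such as 1.3, for which no target version is named here.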

Head hurting yet?

By the way, this affects every operating system, not just Windows. Linux users are at risk too.

Sun recommends downloading this version of Java to fix the problem. Security firm Secunia suggests you could also get another version from Sun. I don't know which you should prefer.

Angry? I think you're entitled to be. This is a case of the industry installing a vulnerable technology without a clear way to alert users to hazards or to provide updates.

Scared? Well, the Internet is worth quite a bit of risk. I'll quote another Star Trek character, the superbeing called Q:
"If you can't take a little bloody nose, maybe you should crawl back under your bed. The universe isn't safe, it's wondrous, with wonders to satisfy appetites both subtle and gross, but it's not for the timid."
