Sunday, January 13, 2013
The U.S. Computer Emergency Readiness Team (US-CERT) recently issued an advisory bulletin regarding a serious security flaw in the Oracle Java Runtime Environment (JRE). I've read news articles about it in several places (here is one), and the comments sections universally show rampant confusion (and the inevitable flaming of the confused). A few key points:
- It's a browser issue. The CERT bulletin recommends "... that Java be disabled temporarily in web browsers ..." (emphasis added) and provides a link to instructions from Oracle on how to do so. (Better instructions, IMHO, are here, courtesy of a link in the ZDNet article.) They are not recommending that Java be uninstalled. Uninstalling Java is liable to cause various programs (such as the OpenOffice and LibreOffice suites) to become inoperable. You just need to disable the Java browser plugin, either globally through the Java control panel or locally in each browser's plugin control page.
- It may well be limited to Oracle Java. I have no idea whether the flaw exists in the OpenJDK runtime environment and the IcedTea plugin. My feeling is that very few websites require a Java browser plugin, so I'm inclined to disable IcedTea on my system just to be safe.
- Help is coming. According to an article today on the PCWorld website, Oracle has a fix coming within a matter of days. So keep an eye out for notification of a Java update, and install it when it becomes available.