Apparently, someone has recently discovered a security vulnerability in the Java plug-in. (Oracle says they'll issue a fix soon.) This has caused some concern about using Java here at Pocket-Monkey, and in fact, the Firefox web browser has stopped running Java temporarily, giving a big scary error message instead. (This is Mozilla being massively unhelpful in an attempt to be helpful. But you can click through to run it anyway.)
The message people seem to be hearing (and indeed, people like Mozilla are actually saying) is: "Don't use Java."
The message should be: "Don't use Java on sites you don't know and trust."
There's a huge distinction between those two messages.
So: Be sure to tell your browser not to run Java (aka "the Java plug-in") on any site you haven't specifically approved. Any good browser should do that by default, but sadly not all do. I use Chrome, which by default doesn't run Java unless I tell it it's okay. (It remembers what sites I've approved in the past, and only runs Java on those sites and not others.) I recommend checking what your browser is set up to do. If you're in doubt, well, Chrome is free and it's a truly excellent browser (even though I don't like how it pushes you to "sign in" to Google -- you don't have to, just tell that message to go away).
If you're not sure how to tell your browser not to run Java on sites unless you've approved them, and if you can't find it in your settings, then you're probably best off uninstalling Java until/unless you can get help from someone who can sort out the settings for you. You can still play your games here.
(As an aside: "Java" and "JavaScript" are completely different things. We're talking about Java here, not JavaScript.)
Let me explain how this stuff works.
The pieces are:
Your web browser
The Java plug-in from Oracle Corporation
A Java applet
When a web page contains a Java applet, the browser can either run the Java plug-in and tell the plug-in to run the applet, or not. If it doesn't, there's no way for the applet to do anything malicious. It can only do something malicious if the browser tells the plug-in to run the applet.
Applets shouldn't be able to do anything malicious anyway, because the Java environment is set up to run applets in a "sandbox" where they can't do things like access your files and such. But someone appears to have found a flaw in the sandbox, which means that if someone malicious creates an applet and the browser runs it, there could be trouble.
Obviously, the Pocket-Monkey applet doesn't do anything malicious. :-)
To play your games here on Pocket-Monkey, you can:
1. Use a browser like Chrome that lets you control which sites you allow it to run the Java plug-in on. That way, you can use the plug-in just on sites you trust, and not use it on random sites you don't trust.
2. If you're using Firefox and seeing the message "This plug-in has security vulnerabilities. Click here to activate the Java(TM) Platform SE 7 U Plugin.", you can just click it, on sites you trust only, to continue to the game.
Thanks for the info. Isn't it safe to assume, though, that Java's been alerted to the issue and is scrambling to come up with a fix that will soon be publicly available? Or is this a kind of problem that isn't easily fixed?
Yes, very safe to assume that Oracle are "on it." :-) How quickly they can release an update will depend (at least partially) on the nature of the vulnerability.
If it gives you the option to go ahead anyway, then yes, on sites you trust that's perfectly fine.
-- T.J. :-)
Re: Java Plug-In Security Vulnerability
Message #22809 Replies: 1
posted by rooknut (Thomas Kraus) on 01/13 at 12:16
Thanks T.J. for the well written explanation. I wrote to you, via support e-mail and said that I have to quit playing on this site because of security issues with Java. You told me I could still play without Java by using your non-Java format. Now I want to retract my playing resignation because it works perfectly well without Java. Thanks again for making it possible to play without Java. Now I have to get back to my games. Take care. Thom (rooknut)
PART of the family of exploits- Just to give readers an idea of what they might be affected with. (I have removed all Java from my computer for now, until they clear this up.)
Exploit:Java/CVE-2012-1723 is a family of malicious Java applets that attempt to exploit a vulnerability (CVE-2012-1723) in the Java Runtime Environment (JRE) in order to download and install files of an attacker’s choice onto your computer.
If you visit a website containing the malicious code while using a vulnerable version of Java, Exploit:Java/CVE-2012-1723 is loaded. It then attempts to download and execute files from a remote host/URL; the files that are downloaded and executed could include additional malware.
The following versions of Java are vulnerable to this exploit:
JDK and JRE 7 Update 4 and earlier Java SE
JDK and JRE 6 Update 32 and earlier Java SE
JDK and JRE 5.0 Update 35 and earlier Java SE
SDK and JRE 1.4.2_37 and earlier Java SE
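An added example, not part of the original post: a small checker that takes the first line of `java -version` output and compares it against the four version ceilings quoted above for CVE-2012-1723. The host names and sample outputs are constructed, and the function names are this example's own.

```python
import re

# Last affected (micro, update) per 1.x family, taken from the list quoted above.
LAST_AFFECTED = {
    7: (0, 4),    # JDK and JRE 7 Update 4 and earlier
    6: (0, 32),   # JDK and JRE 6 Update 32 and earlier
    5: (0, 35),   # JDK and JRE 5.0 Update 35 and earlier
    4: (2, 37),   # SDK and JRE 1.4.2_37 and earlier
}

# Matches legacy "1.<family>.<micro>[_<update>]" strings such as 1.6.0_32-b05.
# The lookbehind keeps "11.0.2" from being misread as "1.0.2".
VERSION_RE = re.compile(r'(?<![\d.])1\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(text):
    """Return (family, micro, update) or None if no 1.x version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    family, micro, update = m.groups()
    return int(family), int(micro), int(update or 0)  # "1.7.0" means update 0

def classify(text):
    """Classify one `java -version` line against the quoted list only."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"
    family, micro, update = parsed
    limit = LAST_AFFECTED.get(family)
    if limit is None:
        return "not-listed"          # family absent from the quoted list
    # "newer-than-listed" says nothing about other, later vulnerabilities.
    return "affected" if (micro, update) <= limit else "newer-than-listed"

def affected_hosts(inventory):
    """Return the sorted host names whose reported version is in the list."""
    return sorted(h for h, out in inventory.items() if classify(out) == "affected")

# Constructed inventory: host name -> first line of `java -version`.
SAMPLE_INVENTORY = {
    "desk-01": 'java version "1.7.0_04"',
    "desk-02": 'java version "1.7.0_05"',
    "desk-03": 'java version "1.6.0_32-b05"',
    "desk-04": 'java version "1.4.1_07"',
    "desk-05": 'java version "1.8.0_25"',
    "desk-06": 'openjdk version "11.0.2"',
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host])
```

A result of "newer-than-listed" or "not-listed" only means the version is outside this one list; it is not a statement that the installation is free of other flaws.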
Re: Adding some info- after three scans, and same results-
Message #22804 Replies: 0
posted by Blondepickle (Blondepickle) on 01/13 at 07:20
Thank you for such thorough info! Appreciate it. PS I hate Java and allll the resources it uses but then I use it often but only on trusted sites. Playing today was no issue at all, just clicked and continued each move-game.
Thanks again!
you CAN enable Java in Firefox on sites you trust
Message #22806 Replies: 1
posted by petr.pavel (Petr 'PePa' Pavel) on 01/13 at 09:25
I just found out that there is a way to permanently enable Java (or any other plugin) on sites that you trust.
The trick is to click a red icon in your address bar. It's very easy to miss so no wonder nobody noticed before.
Full instructions with screenshots on Mozilla's Knowledge Base: http://mzl.la/VYiQ64
Re: you CAN enable Java in Firefox on sites you trust
US government advises computer users to disable Java software
Published January 12, 2013
Associated Press (AP)
WASHINGTON – The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.
The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.
Experts believe hackers have found a flaw in Java's coding that creates an opening for criminal activity and other high-tech mischief.
Java is a widely used technical language that allows computer programmers to write a wide variety of Internet applications and other software programs that can run on just about any computer's operating system.
Oracle Corp. bought Java as part of a $7.3 billion acquisition of the software's creator, Sun Microsystems, in 2010.
Oracle, which is based in Redwood Shores, Calif., had no immediate comment late Friday.
Java has just come out with version 11, and it will tell you that the site you are on is requesting to use Java and ask whether or not you trust the site.