Fellow Fumbblers,
apparently there is a SERIOUS security problem with the current Java7 plugin. This may allow Malware to be installed on your computer simply by visiting the wrong website!
I only have a link to a German site right now, but you can probably google for more information easily:
http://www.heise.de/security/meldung/Gefaehrliche-Luecke-in-aktueller-Java-Version-1780850.html.
If anyone has a better link in English, please post below; admin edit:
English Warning
You should deactivate the Java plugin in your browser and wait for a fix (sadly, you cannot play FFB any longer that way), switch back to Java 6 (which seems to be safe at the moment), or keep a separate browser installation with Java enabled for FFB playing only.
Take care,
Kalimar
Additional comments by Christer
This vulnerability has now been added to a number of commonly used exploit kits (yes, stuff like that exists). This means that the code is out in the wild and it's likely that exploits will start showing up on compromised websites pretty quickly.
Now, there are a few things to remember here:
1. FFB does NOT require you to have the Java plugin enabled in your browser. You should make an effort to disable applet support in your browser of choice. Usually, it's a "plugin" or "extension" to your browser with the term Java in its name.
2. Java Web Start applications (the technology that allows you to start FFB through the browser) are likely to also be vulnerable. The difference, however, is that Java Web Start applications do not start automatically on accessing a website. Instead, you are asked whether you trust the developer enough to execute the program. You should never run anything that you didn't explicitly ask for, so make a point of actually reading the popups that appear and make an informed decision.
3. As always, do not click on links that people (even your friends) send you. It's very possible that their accounts have been compromised by something and the link sent to you is the exploit that was used. Basically, if you haven't confirmed that they are sending you something through a safe channel (through a phone call for example), simply don't click on anything.
4. As a generic policy do not, ever, install anything that you didn't go look for yourself. If you didn't ask for it, you probably don't need it.
The bottom line here is that yes, this vulnerability is pretty severe and it's currently actively being used. However, if you are being careful, you can still keep using whichever Java version you want. Java 6 does seem to be more secure than Java 7 at this point though, so it won't hurt you to go back. You still want to turn off the Java plugins in your browsers though and use a different browser for the places where you *do* need it (some banks require Java for example).
The sad part is that there is a very high probability that there are lots of vulnerabilities of this kind in different plugins and systems you use daily. The best thing you can do to reduce the probability of getting hit is to be aware of this fact and try to behave in a secure manner.
For a quick test of whether your browser has applets enabled, I've made a quick Applet test page. Quite simply, there will be a message in the applet portion of the page if you have them enabled. If not, you'll have a box with some form of icon in it, and your browser will ask you to install a plugin for it (don't let it!).
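As an added example that is not part of Christer's post or the FUMBBL site: a small JavaScript check that reports what a browser advertises about Java applet support, reading only the standard navigator.javaEnabled(), navigator.plugins and navigator.mimeTypes properties. It never loads an applet, so it complements the test page above rather than replacing it. The sample navigator objects at the bottom are constructed (not captured from real browsers) so the logic also runs under Node; in a real page you would call checkJavaApplets(window.navigator).

```javascript
// Added example, not code from the original post or from FUMBBL.
// Reports whether a browser advertises Java applet support, using the
// standard navigator.javaEnabled(), navigator.plugins and navigator.mimeTypes.
// In a page: const report = checkJavaApplets(window.navigator);

// MIME types historically registered by the Java browser plugin.
const JAVA_MIME_TYPES = ["application/x-java-applet", "application/x-java-vm"];

// PluginArray / MimeTypeArray are array-like but not always iterable,
// so walk them by index instead of relying on Array.from.
function toArray(arrayLike) {
  const out = [];
  if (!arrayLike || typeof arrayLike.length !== "number") return out;
  for (let i = 0; i < arrayLike.length; i++) out.push(arrayLike[i]);
  return out;
}

function checkJavaApplets(nav) {
  const report = {
    javaEnabled: false,   // what navigator.javaEnabled() claims
    javaPlugins: [],      // plugin names containing "Java"
    javaMimeTypes: [],    // registered applet MIME types
    appletsLikely: false, // overall verdict
  };
  if (!nav) return report;

  if (typeof nav.javaEnabled === "function") {
    try {
      report.javaEnabled = nav.javaEnabled() === true;
    } catch (err) {
      // A throwing javaEnabled() is treated as "disabled".
    }
  }

  report.javaPlugins = toArray(nav.plugins)
    .map((p) => (p && p.name) || "")
    .filter((name) => /java/i.test(name));

  report.javaMimeTypes = toArray(nav.mimeTypes)
    .map((m) => (m && m.type) || "")
    .filter((type) => JAVA_MIME_TYPES.includes(type));

  report.appletsLikely =
    report.javaEnabled || report.javaPlugins.length > 0 || report.javaMimeTypes.length > 0;
  return report;
}

// Human-readable summary, in the spirit of the test page's message.
function describeReport(report) {
  if (!report.appletsLikely) {
    return "No Java applet support advertised; applets should not run here.";
  }
  const bits = [];
  if (report.javaEnabled) bits.push("javaEnabled() is true");
  if (report.javaPlugins.length) bits.push("plugin: " + report.javaPlugins.join(", "));
  if (report.javaMimeTypes.length) bits.push("MIME: " + report.javaMimeTypes.join(", "));
  return "Java applets can probably run here (" + bits.join("; ") + "). Disable the plugin.";
}

// Constructed sample navigator objects (not captured from real browsers)
// so the check can be exercised outside a browser.
const SAMPLE_NAV_WITH_JAVA = {
  javaEnabled: () => true,
  plugins: [{ name: "Java(TM) Platform SE 7 U6" }],
  mimeTypes: [{ type: "application/x-java-applet" }],
};
const SAMPLE_NAV_WITHOUT_JAVA = {
  javaEnabled: () => false,
  plugins: [{ name: "Shockwave Flash" }],
  mimeTypes: [{ type: "application/x-shockwave-flash" }],
};

if (typeof window === "undefined") {
  console.log(describeReport(checkJavaApplets(SAMPLE_NAV_WITH_JAVA)));
  console.log(describeReport(checkJavaApplets(SAMPLE_NAV_WITHOUT_JAVA)));
} else {
  console.log(describeReport(checkJavaApplets(window.navigator)));
}
```

Note that a browser with no NPAPI plugins at all will report nothing here even if Java is installed on the system, which is the state you want; the check answers "does this browser advertise applets?", not "is Java installed?".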