Java: Disable your browser plug-in and update for safety.

Blane Doyle
Miko-Class Veteran
Posts: 809
Joined: Mon Dec 21, 2009 10:00 am
Organization: Autumn Eclectic
Location: Mountains
Contact:


#1 Post by Blane Doyle »

EDIT: SECURITY FIX UPDATE AVAILABLE.
http://news.cnet.com/8301-1009_3-575637 ... erability/
You can also simply download it from the main site.

Java screwed up.

Short version: As Ren'Py kinda needs Java for some people, uninstalling it may be a bit extreme so disable it in your browsers. All of them. Now. SERIOUSLY.

Long version: Java screwed up and now it has a massive security flaw. Just typing Java into Google will pull up the full story, but basically? The GOVERNMENT is telling users to disable or uninstall Java. Like right now. Not only on PCs but on Macs too.

Why?

Hackers know about this flaw and they are having a field day extravaganza.

Now if you have an older version of Java (why tho?) you might be safe. But just to be on the safe side, either go directly into Java or your browser settings and just disable it right now for your computer's safety.

I've disallowed temp internet files directly through my Java and I disabled the plug-in through Chrome (chrome://plugins). Just in case.
'Cause I am paranoid.

https://krebsonsecurity.com/how-to-unpl ... e-browser/
You might want to follow these instructions. Just to be careful.
Last edited by Blane Doyle on Sun Jan 13, 2013 9:58 pm, edited 1 time in total.

Blue Lemma
Forum Founder
Posts: 2005
Joined: Sat Jan 25, 2003 2:32 pm
Completed: ToL, Shoujo Attack!, Lemma Ten
Projects: [RETIRED FROM FORUM ADMINISTRATION - CONTACT PYTOM WITH ISSUES]
Contact:

Re: Java: Disable it. Just do it. Now.

#2 Post by Blue Lemma »

I just went ahead and uninstalled it on one of my computers. It was always bugging me to update and then failing to update anyway. Very annoying.

Of course, I forgot I was using jEdit... ^_^; So now I'm using Editra or whatever that new thing Ren'Py is hooked up to now is.
“Among those who dislike oppression are many who like to oppress.”
- Napoleon Bonaparte


I've retired from forum administration. I do not add people to the "adult" group, deactivate accounts, nor any other administrative task. Please direct admin/mod issues to PyTom or the other mods : )


Re: Java: Disable it. Just do it. Now.

#3 Post by Blane Doyle »

I am leaving mine installed (I don't have the NEWEST update, but I am up to date to this point and afraid to try now), but only because disabling it in your browser will apparently make most of the danger diminish.

I also turned my (previously disabled) ad blocker onto max and disabled JavaScript for anything but YouTube for now because... paranoid. Again. (I know JavaScript is not the same as Java the program, paranoia does not use logic.)

Hijiri
Eileen-Class Veteran
Posts: 1519
Joined: Sun Mar 25, 2012 6:35 pm
Completed: Death Rule:lost code Overdrive Edition, Where the White Doves Rest-Tsumihanseishi
Projects: Death Rule: Killing System
Organization: MESI Games
IRC Nick: Hizi
Tumblr: mesigames
Skype: kurotezuka
itch: hijiri
Location: Los Angeles
Contact:

Re: Java: Disable it. Just do it. Now.

#4 Post by Hijiri »

On the downside, you're now running a crippled browser. Sad to say, much of the internet is dependent on Java, from the looks of things.
"Perfection goal that always changes. Can pursue, cannot obtain."


Re: Java: Disable it. Just do it. Now.

#5 Post by Blue Lemma »

@Hijiri: If I'm not mistaken, most of the uses of Java are on the server side, not client side. I remember when Java first came out and there was all that hype about Java OSes and applets running in browsers. Those didn't really pan out, though.

Does anyone know of anything major you'd reach by browser that relies on Java (not JavaScript)?

Re: Java: Disable it. Just do it. Now.

#6 Post by Blane Doyle »

Yeah, I may have overreacted. JavaScript itself apparently has nothing to do with this. That's back on (mostly because, you know, I actually need to access Google Reader and other stuff).

Java the Program itself is what has been hit, and most stuff (that I use and know of) on the net doesn't need it (except weather websites apparently, and porn sites of course. I know there are games that require Java but I doubt they'll get hit that hard, and there are also some chat clients that require it). Nothing I normally use requires it, it seems. I can literally go about my life without Java for a while until they fix this.

Basically, if you disable it in your browser and check a site that needs it (for example, the official Java test page) and it says you need it? You're safe. At least, the probably 15 articles I have read say you are.

Reikun
Miko-Class Veteran
Posts: 565
Joined: Tue Dec 20, 2011 9:57 pm
Completed: Mnemonic Devices, Ciikos Bridge, Helena's Flowers, The Madness
Projects: Fox in the Hollyhocks
Organization: skyharborr
itch: skyharborr
Contact:

Re: Java: Disable it. Just do it. Now.

#7 Post by Reikun »

You can read the US Government warning on the issue here: http://www.us-cert.gov/cas/techalerts/TA13-010A.html
US-CERT wrote: By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.
This seems to be the main method of "attack" according to the source. I know next to nothing about the actual code behind Java so I'm not sure if someone would be able to hack your system from existing java applets/applications. Better safe than sorry I guess?

And don't forget to back up your games!

fastest way to contact me: DM @skyharborr on twitter

Sapphi
Eileen-Class Veteran
Posts: 1685
Joined: Fri Jun 05, 2009 3:31 am
Completed: Boku no Taisetsu na Yumeko
Projects: Twelve, PAW ★ PRINTS
Organization: Kitsch-soft
Location: Illinois, USA
Contact:

Re: Java: Disable it. Just do it. Now.

#8 Post by Sapphi »

Blane Doyle wrote: Now if you have an older version of Java (why tho?) you might be safe.
I don't know why I still have Java 6... I think it's because every time that annoying thing pops up like "Update me, update me!" I'm like "Grahh, you're annoying, close now!" Anyway, I disabled it, just to be safe. Thanks for the heads-up!
"It is [the writer's] privilege to help man endure by lifting his heart,
by reminding him of the courage and honor and hope and pride
and compassion and pity and sacrifice which have been the glory of his past."
— William Faulkner

PyTom
Ren'Py Creator
Posts: 16096
Joined: Mon Feb 02, 2004 10:58 am
Completed: Moonlight Walks
Projects: Ren'Py
IRC Nick: renpytom
Github: renpytom
itch: renpytom
Location: Kings Park, NY
Contact:

Re: Java: Disable it. Just do it. Now.

#9 Post by PyTom »

The risk of something like this is why I've been trying to get people on Editra. Too late.

(Everyone, disable java applets.)
Supporting creators since 2004
(When was the last time you backed up your game?)
"Do good work." - Virgil Ivan "Gus" Grissom
Software > Drama • https://www.patreon.com/renpytom

Lishy
Miko-Class Veteran
Posts: 555
Joined: Mon Oct 18, 2010 9:14 pm
Contact:

Re: Java: Disable it. Just do it. Now.

#10 Post by Lishy »

Luckily I do not use Java.

This might be answering my own question too, but if I do not see anything Java related as an extension or plugin for Firefox, I'm safe. Correct?

I once installed Java to use jEdit but after jEdit STILL didn't work after installing Java, I uninstalled it. That said, I am safe since the installer EXE is the only trace of Java I can visibly find on my computer, yes?

mugenjohncel
Hentai Poofter
Posts: 2121
Joined: Sat Feb 04, 2006 11:13 pm
Organization: Studio Mugenjohncel
Location: Philippines
Contact:

Re: Java: Disable it. Just do it. Now.

#11 Post by mugenjohncel »

PyTom wrote:this is why I've been trying to get people on Editra
But... but... I can't get Editra or any of the text editors to work on Ren'Py 6.14

I'm practically stuck on 6.13 (and will be for a very long time) and heavily dependent on JEdit to get anything done because it's the only thing that works on my Ren'py machine...

Guess I'll just work on a computer that is not connected to the internet... :(

"POOF" (Disappears)


Re: Java: Disable it. Just do it. Now.

#12 Post by PyTom »

You can also just turn off java applets.
CERT wrote: Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

If you are unable to update to Java 7 Update 10 please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.

Re: Java: Disable it. Just do it. Now.

#13 Post by Blue Lemma »

@mugen: I had errors with Editra from Ren'Py at first too. I just tried it a couple more times and it suddenly worked :p

I liked jEdit, though... It's ironic because one of the whole selling points of Java originally was that it was supposed to be more secure!

LVUER
King of Lolies
Posts: 4538
Joined: Mon Nov 26, 2007 9:57 pm
Completed: R.S.P
Location: Bandung, West Java, Indonesia
Contact:

Re: Java: Disable it. Just do it. Now.

#14 Post by LVUER »

Well, fortunately I almost never update things unless it's absolutely necessary (my Java is version 6.0) and always disable it since there was a warning about Java security holes even before this.
"Double the princesses, quadruple the fun!" - Haken Browning (SRW-OG Endless Frontier)

DeviantArt Account
MoeToMecha Blog (under construction)
Lolicondria Blog (under construction) <- NSFW


Re: Java: Disable it. Just do it. Now.

#15 Post by Blane Doyle »

@PyTom That seems to be the way to go about it, PyTom. Everything I can find seems to say that it is only when used online that it becomes dangerous. Using Java for things offline, or when your net is disconnected, should (in theory) prove no issue.

Disabling it in the program itself is a more surefire way of preventing this, but if you only use one browser (like me) just disabling it in the browser itself should work. But I know other people might use Chrome, FF, and IE simultaneously so that's a good thing to note here.

If you have 7.10, PLEASE follow the instructions PyTom posted.

@Mugen I hope you don't have to resort to that...
I'd miss your Twitter updates too much! D8
(But no, seriously, I REALLY hope you don't have to go that far and that you can work on your games, this has to be exceedingly annoying for anyone who relies on Java here... I prefer jEdit actually, but only because I used it for so long.)
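
Added example, not part of any post in this thread: the browser-side check described in post #6 (does a page still see a Java plug-in?), combined with the two CERT options quoted in post #12. The function names are hypothetical, and the sample plug-in names and MIME strings are constructed.

```javascript
// Added example (not from the thread): does this browser expose the Java plug-in?
// Pass the browser's `navigator`; any navigator-like object works for testing.
const JAVA_MIME = /^application\/x-java-(applet|vm|bean)\b/i;
const JPI_VERSION = /jpi-version=1\.(\d+)\.\d+(?:_(\d+))?/i;

function javaPluginExposure(nav) {
  const mimeTypes = Array.from(nav.mimeTypes || [])
    .map((m) => m.type)
    .filter((t) => JAVA_MIME.test(t));
  const plugins = Array.from(nav.plugins || [])
    .map((p) => p.name)
    .filter((n) => /\bjava\b/i.test(n)); // "JavaScript" does not match
  // Newest advertised plug-in version: 1.7.0_10 -> { major: 7, update: 10 }.
  let newest = null;
  for (const t of mimeTypes) {
    const m = JPI_VERSION.exec(t);
    if (!m) continue;
    const v = { major: Number(m[1]), update: Number(m[2] || 0) };
    if (!newest || v.major > newest.major ||
        (v.major === newest.major && v.update > newest.update)) newest = v;
  }
  const javaEnabled = typeof nav.javaEnabled === "function" && nav.javaEnabled();
  const exposed = javaEnabled || mimeTypes.length > 0 || plugins.length > 0;
  return { exposed, javaEnabled, plugins, newest };
}

// Pick between the two options in the CERT text quoted in post #12:
// the Java Control Panel switch needs Java 7 Update 10 or later.
function mitigation(report) {
  if (!report.exposed) return "not-exposed";
  const v = report.newest;
  const hasPanelSwitch = v !== null && (v.major > 7 || (v.major === 7 && v.update >= 10));
  return hasPanelSwitch ? "java-control-panel" : "per-browser";
}

// Constructed sample profiles, not captured from real browsers.
const enabledProfile = {
  javaEnabled: () => true,
  plugins: [{ name: "Java(TM) Platform SE 7 U10" }, { name: "Shockwave Flash" }],
  mimeTypes: [{ type: "application/x-java-applet;jpi-version=1.7.0_10" },
              { type: "application/x-shockwave-flash" }],
};
const disabledProfile = { javaEnabled: () => false, plugins: [], mimeTypes: [] };

console.log(mitigation(javaPluginExposure(enabledProfile)));
console.log(mitigation(javaPluginExposure(disabledProfile)));
```

A "not-exposed" result covers only the browser profile it ran in; each installed browser needs its own check.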
