Some of you may have heard that there is a serious security problem with Java 7 (the default version). Luckily most patent attorneys are still running Java 6 in order to interact with the USPTO’s PAIR and EFS-Web servers. According to reports, Java 6 does not suffer from the problem?

5 thoughts on “

  1. 3

    I’ll also plug iEFS (http://iefsapp.com), with which I am inextricably and financially affiliated. iEFS maintains its own secure, compatible version of Java so that incidents like this don’t affect your access to PAIR and EFS-Web.

    Also, a correction to my earlier comment: Justice.gov was not defaced, only sent offline. The Java vulnerability cannot be exploited by such an attack. However, the DOJ site has been defaced in the past: link to articles.latimes.com

  2. 2

    You’re correct that the vulnerability does not affect Java 6, according to US-CERT: link to us-cert.gov

    But there may be more patent practitioners running Java 7 than you think. Carl Oppedahl has established that, contrary to USPTO warnings, PAIR and EFS-Web are compatible with Java 7 in practice; only E-Patent Reference is inoperable. I believe his firm had upgraded when the vulnerability was published.

    If you’re running Java 7 and need Private PAIR, you have two options.

    1. You can disable Java applets in your browser. (If you use Firefox, this has already been done for you.) You may then selectively re-enable applets on uspto.gov sites: link to support.mozilla.org.

      This is theoretically safe because one expects USPTO never to host a malicious applet that exploits the vulnerability. Of course, bets are off if uspto.gov is ever compromised the way justice.gov was today: http://www.huffingtonpost.com/2013/01/14/anonymous-hacks-mit_n_2472728.html.

    2. You can uninstall Java 7 and install Java 6. Downloading the Java 6 installer from Oracle (link to java.com) is an involved process; you may rather download the installer that Oppedahl hosts: http://www.oppedahl.com/temp/jre-6u26-windows-i586.exe
  3. 1

    Adam Gowdiak, a researcher with Poland’s Security Explorations who has discovered several bugs in the software over the past year, told Reuters that the update leaves unfixed several other, notable security issues.

    “We don’t dare to tell users that it’s safe to enable Java again,” Gowdiak told Reuters. Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology, the site reported.

    But no liability for the distributor of the flawed software, right?

Comments are closed.