Non Aviation Forum
Experts Warn To Disable Java Over Security Threat
User currently offlinevarigb707 From , joined Dec 1969, posts, RR:
Posted (1 year 8 months 1 week 6 days 1 hour ago) and read 2906 times:

The U.S. Department of Homeland Security urged computer users to disable Oracle Corp’s Java software, amplifying security experts’ prior warnings to the hundreds of millions of consumers and businesses that use it to surf the Web.

Hackers have figured out a way to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.

http://i45.tinypic.com/256xy6o.jpg

[Edited 2013-01-11 12:45:40]

[Edited 2013-01-11 12:48:39]

User currently offlineMaverick623 From United States of America, joined Nov 2006, 5648 posts, RR: 6
Reply 1, posted (1 year 8 months 1 week 6 days 1 hour ago) and read 2887 times:

Java has always been extremely vulnerable to exploitation... I don't see anything new here that hasn't been said for the last 10 years.


"PHX is Phoenix, PDX is the other city" -777Way
User currently offlinecasinterest From United States of America, joined Feb 2005, 4626 posts, RR: 2
Reply 2, posted (1 year 8 months 1 week 6 days 1 hour ago) and read 2871 times:

Based on what I have read this is basically one of those issues we all have known about for a while.
Don't click on the links from suspect sites.

Either way, I would expect Sun is working on this one.
Department of Homeland Stupidity apparently has no clue what Java is or does for so many websites and interactions. Shut it down sounds cute, but it's kind of like telling everyone to kill the power to the house because you might stick a fork in the electrical socket.



Older than I just was ,and younger than I will soo be.
User currently offlinedragon-wings From United States of America, joined Apr 2001, 3986 posts, RR: 0
Reply 3, posted (1 year 8 months 1 week 6 days ago) and read 2851 times:

I just got an automatic update for Java to address the security issues right after I turned on my computer today.


Don't give up don't ever give up - Jim Valvano
User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 4, posted (1 year 8 months 1 week 6 days ago) and read 2834 times:

Quoting casinterest (Reply 2):
Either way, I would expect Sun is working on this one.

It's Oracle now.

Quoting casinterest (Reply 2):
Department of Homeland Stupidity apparently has no clue what Java is or does for so many websites and interactions. Shut it down sounds cute, but it's kind of like telling everyone to kill the power to the house because you might stick a fork in the electrical socket.

Are you really extra certain you know so much better than your so reviled Homeland Security department?   

Java is indeed used in many server backends, driving what web sites and other services serve back to you, but that is most likely not the issue here. This kind of issue deals with browser-based Java applets, which is a fundamentally different thing, namely Java code being served to your browser so it will actually run it locally on your own machine, not Java running on the server that's answering normal page requests.

So client users should indeed keep the Java plugin in their browsers disabled, ideally at all times unless they are really extra certain that they really, really need Java applets in their browser and they really, really know about the current threat level that entails. Which effectively means practically everybody should throw out Java from their browsers and leave it disabled for good. There is hardly anything on the web that actually still has Java applets, and those sites are generally obsolete and irrelevant anyway.

Which has nothing whatsoever to do with JavaScript which is entirely unrelated to Java (but which can have its own bugs and security issues, in that case usually specific to certain browsers).

Server-based infrastructure is generally not affected by applet security issues since it works completely differently, so 99+% of where Java is actually still needed will not have much of a problem here.

By the way: Apple has automatically blocked the Java browser plugin already on the Mac, until there is a new version that resolves the issue for those users who actually need Java applets (see above).

Quoting dragon-wings (Reply 3):
I just got an automatic update for Java to address the security issues right after I turned on my computer today.

What version is it now, exactly?

[Edited 2013-01-11 14:40:38]

User currently offlinedragon-wings From United States of America, joined Apr 2001, 3986 posts, RR: 0
Reply 5, posted (1 year 8 months 1 week 5 days 23 hours ago) and read 2801 times:

Quoting Klaus (Reply 4):
What version is it now, exactly?

For mine it says 1.6.0_37



Don't give up don't ever give up - Jim Valvano
User currently offlineBraniff747SP From United States of America, joined Oct 2008, 2986 posts, RR: 1
Reply 6, posted (1 year 8 months 1 week 5 days 21 hours ago) and read 2764 times:

Apple has already disabled Java 7 remotely on all Macs.


The 747 will always be the TRUE queen of the skies!
User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 7, posted (1 year 8 months 1 week 5 days 20 hours ago) and read 2744 times:

Quoting dragon-wings (Reply 5):
For mine it says 1.6.0_37

No, that is not a fixed version – it is still vulnerable!

Your machine may just now accidentally have pulled down a routine update, getting the still-vulnerable version, however:
http://www.oracle.com/technetwork/ja.../javase/7u10-relnotes-1880995.html

There is no fixed version yet as far as I can tell, so please immediately disable the browser Java plugin if you have not done that already!

If the plugin had still been active, your machine may already have been infected by now. Keep your anti-malware programs up to date through the coming weeks at the very least – even if there can't be any guarantee.


User currently offlineMir From United States of America, joined Jan 2004, 21637 posts, RR: 55
Reply 8, posted (1 year 8 months 1 week 5 days 20 hours ago) and read 2740 times:

Quoting Klaus (Reply 4):
There is hardly anything on the web that actually still has Java applets, and those sites are generally obsolete and irrelevant anyway.
http://www.aviationweather.gov/adds/airmets/java/

I use it on a regular basis, and various other Java tools on that site (and they all still work, thankfully).

Quoting Braniff747SP (Reply 6):
Apple has already disabled Java 7 remotely on all Macs.

The fact that they can do that sort of thing is rather unsettling.

-Mir



7 billion, one nation, imagination...it's a beautiful day
User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 9, posted (1 year 8 months 1 week 5 days 19 hours ago) and read 2731 times:

Quoting Mir (Reply 8):
I use it on a regular basis, and various other Java tools on that site (and they all still work, thankfully).

If you have the plugin enabled, you're at a high risk of having your machine infected.

Java has always been a high-risk entry point for browser attacks, and right now the risk is extremely elevated to the point of recklessness.

Quoting Mir (Reply 8):
The fact that they can do that sort of thing is rather unsettling.

I'd have liked an explicit notification about this particular change, but I am extremely glad they're on top of it. It is part of the Software Update and protection mechanism.

I almost always had the plugin disabled with one specific exception. Exactly yesterday I had such an exceptional need for it. I was aware of the generally problematic nature so I took extensive precautions before temporarily enabling the plugin, but it was apparently blocked already. That is where I would have liked a notification instead of launching into debugging mode, which I ultimately gave up and chose an alternate solution for my problem.

Which now obviates my one residual use for Java, most likely for good, so I'll just leave Java uninstalled completely from now on. That's been it.

[Edited 2013-01-11 18:32:07]

User currently offlineBraniff747SP From United States of America, joined Oct 2008, 2986 posts, RR: 1
Reply 10, posted (1 year 8 months 1 week 5 days 18 hours ago) and read 2701 times:

Quoting Mir (Reply 8):
The fact that they can do that sort of thing is rather unsettling.
Quoting Klaus (Reply 9):

I'd have liked an explicit notification about this particular change, but I am extremely glad they're on top of it. It is part of the Software Update and protection mechanism.

Well, they don't exactly disable anything, nor does it use software update.

http://www.macrumors.com/2013/01/11/...ddress-widespread-security-threat/

Quoting MacRumors:

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

Basically, Apple's built-in malware checks against a list which Apple controls; it seems that Apple has updated the list, similar in the way Google would update Chrome's web browser security.



The 747 will always be the TRUE queen of the skies!
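The MacRumors passage quoted above describes a minimum-version gate: the installed plugin is compared against a required version and refused to load if it is older. The following is an added illustration of that kind of check, written for this thread and not Apple's code; the blocklist structure, its key names and the bundle name are constructed stand-ins. It also shows why Reply 7's 1.6.0_37 does not pass, and why an update number higher than the minimum (7u11, the fix mentioned later in the thread) does, regardless of build number.

```python
"""Minimum-version gate for a browser plugin, modelled on the XProtect
check described in the quoted MacRumors passage.  Added illustration,
not Apple's code: the blocklist below is a constructed stand-in and its
key names are assumptions."""
import re
from typing import Dict, Tuple

# Constructed sample: a "block anything below this version" rule for the
# Java plugin.  Bundle name and key name are assumptions for the demo.
SAMPLE_BLOCKLIST: Dict[str, Dict[str, str]] = {
    "JavaAppletPlugin.plugin": {"MinimumPlugInBundleVersion": "1.7.0_10-b19"},
}

# major.minor.patch, optional _update, optional -bBUILD (e.g. 1.7.0_10-b18)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '1.7.0_10-b18' into (1, 7, 0, 10, 18) so versions compare
    numerically rather than as strings.  Missing update/build fields
    count as 0, so '1.6.0_37' becomes (1, 6, 0, 37, 0).  Raises
    ValueError on junk; callers should treat that as 'cannot prove safe'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def plugin_blocked(bundle_id: str, installed: str,
                   blocklist: Dict[str, Dict[str, str]] = SAMPLE_BLOCKLIST) -> bool:
    """True when the installed plugin is older than the required minimum.
    A bundle with no rule is not blocked; a version string that cannot be
    parsed is blocked (fail closed)."""
    rule = blocklist.get(bundle_id)
    if rule is None:
        return False
    minimum = parse_java_version(rule["MinimumPlugInBundleVersion"])
    try:
        have = parse_java_version(installed)
    except ValueError:
        return True
    return have < minimum


if __name__ == "__main__":
    for v in ("1.7.0_10-b18", "1.6.0_37", "1.7.0_11", "not-a-version"):
        state = "blocked" if plugin_blocked("JavaAppletPlugin.plugin", v) else "allowed"
        print(f"{v:14s} -> {state}")
```

The tuple comparison is what makes the gate work: 1.7.0_10-b18 fails only on the build number, while 1.6.0_37 fails on the minor version, and 1.7.0_11 passes because the update number already exceeds the minimum. Parsing failures are deliberately treated as blocked, since an unparseable version string is exactly the kind of input a gate should not wave through.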
User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 11, posted (1 year 8 months 1 week 5 days 17 hours ago) and read 2687 times:

Quoting Braniff747SP (Reply 10):
Well, they don't exactly disable anything,

Yes, they do. The plugin has been blocked by this and will not be loaded by Safari any more.

Which is a pretty good point for reconsidering whether to keep Java installed at all any more.

CAUTION: Firefox on the Mac appears to still run Java Applets even so, bypassing the automatic protection and likely exposing the machine to this vulnerability after all. Java must apparently be disabled separately in Firefox like this:
http://support.mozilla.org/en-US/kb/...20to%20turn%20off%20Java%20applets

Quoting Braniff747SP (Reply 10):
nor does it use software update.

Which I have not claimed:

Quoting Klaus (Reply 9):
It is part of the Software Update and protection mechanism.

Software Update is a part of this complex, since it provides and updates the basis on which the protection mechanism operates (and it itself has been rolled into the App Store mechanism in Mountain Lion).


User currently offlineBraniff747SP From United States of America, joined Oct 2008, 2986 posts, RR: 1
Reply 12, posted (1 year 8 months 1 week 5 days 16 hours ago) and read 2682 times:

Quoting Klaus (Reply 11):
Yes, they do. The plugin has been blocked by this and will not be loaded by Safari any more.

They block it from running, which is not exactly the same. I do see your point.

Quoting Klaus (Reply 11):

Which I have not claimed:

Never said you did. What I meant was that Apple has not actually added or deleted anything from the computer, something which could anger some (and rightly so). They are merely stopping an action from happening on their web browser; not much different than Norton stopping X applet from running.

Quoting Klaus (Reply 11):
Which is a pretty good point for reconsidering whether to keep Java installed at all any more.

Java is still useful in some instances, and it is not going away anytime soon. I'll still place my faith in Apple (and Oracle) updating their software proactively as they have in the past.



The 747 will always be the TRUE queen of the skies!
User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 13, posted (1 year 8 months 1 week 5 days 16 hours ago) and read 2678 times:

Quoting Braniff747SP (Reply 12):
Never said you did. What I meant was that Apple has not actually added or deleted anything from the computer, something which could anger some (and rightly so). They are merely stopping an action from happening on their web browser; not much different than Norton stopping X applet from running.

The lacking notification does still suck as it is now, however. That sure needs some improvement.

Quoting Braniff747SP (Reply 12):
Java is still useful in some instances, and it is not going away anytime soon.

In the browser it's on its last legs and it is about to go away. Except for a few stragglers it's already dead.

Which is one reason why on the Mac the plugin now automatically deactivates itself after a while of not actively being used and requires an explicit re-activation by the user to run again, which is a good choice, since most people don't even know it's on even though they never need it.

Quoting Braniff747SP (Reply 12):
I'll still place my faith in Apple (and Oracle) updating their software proactively as they have in the past.

Actually, Apple has bounced almost the entire responsibility for Java back to Oracle at this point. There is no Apple-supplied Java any more.

Mac OS X does not install Java any more at all. You now have to explicitly get and install it if you really want to use it.

Apple is only keeping an eye on it, yanking the plug on it in cases like this one if it is actually installed.

Apple had been criticized for sluggish updates of their own Java distribution in earlier times and with some justification. The new policy gets rid of almost the entire problem for pretty much everybody.

Especially for the majority of users who never need Java anyway, who will now not be bothered with it at all any more.

As I've said above, Java running on servers responding to incoming regular web page requests is a completely separate issue and usually is not affected by browser-based security issues. In that niche Java will likely continue to exist.

But in the browser it has long been more trouble than it's worth and should be replaced completely. Sites which still require it put their own users in jeopardy.


User currently offlinemoo From Falkland Islands, joined May 2007, 3948 posts, RR: 4
Reply 14, posted (1 year 8 months 1 week 5 days 11 hours ago) and read 2637 times:

Quoting casinterest (Reply 2):
Either way, I would expect Sun is working on this one.

Aside from...

Quoting Klaus (Reply 4):
It's Oracle now.

Oracle knew about this vulnerability as far back as August 2012, but hasn't done anything about it, so don't keep your hopes too high.

Java really is a cluster flick these days - at one point, it was the huge poster child for many open source advocates but it's just become totally unmanaged and a pile of smelly stuff.


User currently offlinedragon-wings From United States of America, joined Apr 2001, 3986 posts, RR: 0
Reply 15, posted (1 year 8 months 1 week 4 days 22 hours ago) and read 2548 times:

Since I had an older version of Java installed on my computer I just uninstalled it a few minutes ago from my computer. I did download the newest Java version, but I think I will wait a little bit before I install it. If I wait maybe there will be an updated version that addresses the security risk.


Don't give up don't ever give up - Jim Valvano
User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 16, posted (1 year 8 months 1 week 4 days 21 hours ago) and read 2544 times:

Quoting dragon-wings (Reply 15):
Since I had an older version of Java installed on my computer I just uninstalled it a few minutes ago from my computer. I did download the newest Java version, but I think I will wait a little bit before I install it. If I wait maybe there will be an updated version that addresses the security risk.

Just throw it away. It is still the vulnerable version.

A fixed version is not available yet, but exploits of the current vulnerability are already active in the wild.


User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 17, posted (1 year 8 months 1 week 3 days 20 hours ago) and read 2461 times:

Looks like Oracle has provided an update which is supposed to fix the most recent vulnerability:
Version 7 Update 11
http://java.com/en/download/index.jsp

Oracle Ships Critical Security Update for Java

If you still have an older version active, it is most likely advisable to upgrade now if you still intend to keep using Java in the browser.

I would still advise substantial caution:

• If you do not explicitly and seriously need Java applets in the browser, better keep the Java browser plugin disabled in all browsers and keep Java uninstalled completely unless you do still need it for locally installed Java applications (for which the browser plugin is not needed, however).

• If you really need it for specific tasks in the browser, it may still be a good idea to be cautious: It would still enhance security if you normally kept the browser plugin disabled and only before accessing that Java-requiring site you closed all tabs and windows, enabled the plugin, performed the access and disabled the Java plugin again before accessing other sites.

• Keeping the Java browser plugin active all the time will keep you exposed to any further vulnerabilities Java might still have or develop later on, so this should be avoided even if this new version can be hoped to be free of any such holes, but I wouldn't bet on it.

• Downloading and running java applications from dubious sources locally outside of the browser can still be a security risk just as with native applications – the browser plugin vulnerability just allowed criminals to perform an unnoticed "drive by" injection of malware through the browser without you doing anything, but programs you invite in yourself still have free rein and should still be treated with great caution, be they native code, Java, Flash or in other languages (such as executable scripts).

• If you still need Java applets, you might also install Java on an OS in a virtual machine which does not contain any exploitable data of yours and which you use for nothing else. That at least puts up another line of defense which is not trivial to break through for invasive malware. Keeping such a VM up to date and as free of vulnerabilities as possible is still a good idea. VMs such as VMware also have the option to make a "snapshot" of the VM in a pristine state to which you can always reset it after using it, so that any infection would also be reset if one should have occurred.

I personally have just scrapped my last use of Java and I'll most likely keep it disabled from now on.

Whatever you do, be cautious, apply common sense and use safely!

[Edited 2013-01-13 18:06:32]

User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 18, posted (1 year 8 months 3 days 16 hours ago) and read 2271 times:

Unfortunately, Oracle's "fix" appears to be more like a preliminary band-aid which leaves some attack vectors open:
Oracle's Java patch leaves a loophole

So remain extremely careful, uninstall Java or at least the Java browser plugin from your browsers if you can, or if you decide to leave it in there, at least disable execution of all unsigned applets.

Also, criminals are using this situation to attack users via bogus "Java updates" which are in fact trojans loaded with malware. So be extremely cautious about where you get such updates from (the original updates are to be downloaded directly from Oracle).

[Edited 2013-01-20 21:58:10]

User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 19, posted (1 year 7 months 3 weeks 4 days 5 hours ago) and read 2044 times:

The loophole that's still open is in fact exploitable. The warnings above unfortunately need to be reiterated.

http://seclists.org/fulldisclosure/2013/Jan/241


User currently offlineElite From Hong Kong, joined Jun 2006, 2803 posts, RR: 10
Reply 20, posted (1 year 7 months 3 weeks 4 days 4 hours ago) and read 2038 times:

Quoting Klaus (Reply 19):

What's taking so long for this to be patched?


User currently offlinemoo From Falkland Islands, joined May 2007, 3948 posts, RR: 4
Reply 21, posted (1 year 7 months 3 weeks 4 days 1 hour ago) and read 2017 times:

Elite, the issue is rooted in the fact that the Java VM security model is not a layered one, it's a called one - in other words, when a developer implements a JVM feature they have to do the security checks there and then, rather than there being an overarching security model which sits between the feature and the core method they are calling. All too often the developer is either not handling the security call correctly, or omitting it altogether.

Just one of Java's deep bedded issues...
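The distinction moo draws above (a "called" check that each feature must remember to perform, versus a layer that sits between every feature and the privileged core operation) is easy to see in a few lines of code. What follows is an added toy illustration written for this thread, not JVM code: the policy class, permission names and feature functions are all invented for the demo. The point it makes is that in the called model a single forgotten check is a complete bypass, while in the layered model the same forgetful feature code is still stopped.

```python
"""Two ways to guard a privileged core operation, as an added
illustration of the 'called' versus 'layered' security-model point.
Toy code, not the JVM: every name here is invented for the demo."""
from functools import wraps


class SecurityException(Exception):
    pass


class Policy:
    """Stand-in for a SecurityManager: the set of permissions granted."""
    def __init__(self, granted):
        self.granted = set(granted)

    def check(self, permission):
        if permission not in self.granted:
            raise SecurityException(f"denied: {permission}")


# ---- "called" model: each feature must remember to perform the check ----
def core_read_file(path):
    # The core operation trusts its callers completely.
    return f"<contents of {path}>"


def feature_with_check(policy, path):
    policy.check("file.read")          # developer remembered the check
    return core_read_file(path)


def feature_missing_check(policy, path):
    return core_read_file(path)        # developer forgot: no gate at all


# ---- layered model: the check is attached to the core operation ----
def guarded(permission):
    """Decorator: the permission check travels with the core function,
    so no caller reaches the operation without passing the policy."""
    def wrap(fn):
        @wraps(fn)
        def inner(policy, *args):
            policy.check(permission)
            return fn(*args)
        return inner
    return wrap


@guarded("file.read")
def core_read_file_layered(path):
    return f"<contents of {path}>"


def layered_feature_forgetful(policy, path):
    # Same "forgot the check" feature code, but it can no longer bypass the gate.
    return core_read_file_layered(policy, path)


def attempt(fn, policy, path):
    """Run fn under policy and report 'allowed' or 'denied' instead of raising."""
    try:
        fn(policy, path)
        return "allowed"
    except SecurityException:
        return "denied"


if __name__ == "__main__":
    sandbox = Policy(granted=[])       # an untrusted applet is granted nothing
    for name, fn in [("called, check present", feature_with_check),
                     ("called, check omitted", feature_missing_check),
                     ("layered, check omitted", layered_feature_forgetful)]:
        print(f"{name:24s} -> {attempt(fn, sandbox, 'secret.txt')}")
```

Run with an empty policy, the three cases print allowed/denied/denied in the order listed: the second line is the bug class moo describes, and the third shows the same mistake made harmless because the check is no longer the feature author's responsibility.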


User currently offlineBirdwatching From Germany, joined Sep 2003, 3822 posts, RR: 51
Reply 22, posted (1 year 7 months 3 weeks 3 days 11 hours ago) and read 1987 times:

I got rid of Java a while ago and I haven't missed it for anything on the internet. Seems to be really obsolete now.

But then I realized I can't play Minecraft anymore!

Is there a way I can have the Java Runtime environment on my PC but not be vulnerable / not have the browser extensions?

Soren   



All the things you probably hate about travelling are warm reminders that I'm home
User currently offlineKlaus From Germany, joined Jul 2001, 21467 posts, RR: 53
Reply 23, posted (1 year 7 months 3 weeks 2 days 18 hours ago) and read 1944 times:

Quoting Birdwatching (Reply 22):
Is there a way I can have the Java Runtime environment on my PC but not be vulnerable / not have the browser extensions?

Yes, but you need to be sure to disable the Java plugins in all your browsers – don't miss one or it can be an opening for an attack.

And you must re-check every time you've updated a browser.

[Edited 2013-01-30 20:01:18]
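Reply 17's first bullet and Reply 23 both come down to the same chore: make sure no browser on the machine can still load the Java plugin, and repeat that check after every browser update. Here is an added audit script for that, written for this thread and not from the forum or from Oracle; the plugin locations it checks are the ones I know Oracle's Safari/NPAPI plugin used on each platform, which is an assumption rather than something the thread states, and the function takes an explicit list so you can adjust it for your own browsers. It only reads the filesystem and changes nothing.

```python
"""Audit for leftover Java browser plugins, as an added example.  The
candidate paths are assumptions about where the plugin is installed on
each platform, not from the thread; extend the list for your setup."""
import os
from pathlib import Path
from typing import Dict, Iterable, List

# Assumed plugin locations (constructed list; verify for your own system).
KNOWN_PLUGIN_PATHS: List[str] = [
    "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin",    # macOS, all users
    "~/Library/Internet Plug-Ins/JavaAppletPlugin.plugin",   # macOS, this user
    "~/.mozilla/plugins/libnpjp2.so",                        # Linux, Firefox
    "/usr/lib/mozilla/plugins/libnpjp2.so",                  # Linux, system-wide
    r"C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll",     # Windows, NPAPI
]


def audit_java_plugins(candidates: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate path to whether it exists on this machine.
    '~' is expanded to the current user's home; nothing is modified."""
    return {p: Path(os.path.expanduser(p)).exists() for p in candidates}


def still_exposed(report: Dict[str, bool]) -> List[str]:
    """The paths that are present, i.e. places a browser can still load Java."""
    return [p for p, present in report.items() if present]


if __name__ == "__main__":
    found = still_exposed(audit_java_plugins(KNOWN_PLUGIN_PATHS))
    if found:
        print("Java browser plugin still present at:")
        for p in found:
            print("  ", p)
        print("Disable or remove it, and re-run this after every browser update.")
    else:
        print("No Java browser plugin found at the checked locations.")
```

A locally installed JRE for desktop applications (Birdwatching's Minecraft case) does not need any of these browser-facing files, so a clean report here is compatible with keeping Java itself installed; what the report flags is only the part that gives web pages a way in.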

User currently offlineBraniff747SP From United States of America, joined Oct 2008, 2986 posts, RR: 1
Reply 24, posted (1 year 7 months 3 weeks 7 hours ago) and read 1848 times:

It's fixed.

http://www.macrumors.com/2013/02/01/...sues-reenable-web-plug-in-on-os-x/



The 747 will always be the TRUE queen of the skies!
User currently offlinemoo From Falkland Islands, joined May 2007, 3948 posts, RR: 4
Reply 25, posted (1 year 7 months 3 weeks 6 hours ago) and read 1833 times:

Quoting Braniff747SP (Reply 24):

Possibly. We shall see.


User currently offlineBraniff747SP From United States of America, joined Oct 2008, 2986 posts, RR: 1
Reply 26, posted (1 year 7 months 2 weeks 6 days 17 hours ago) and read 1788 times:

Quoting moo (Reply 25):
Possibly. We shall see.

Well, it'll be exploited again... but for now, it's safe.



The 747 will always be the TRUE queen of the skies!