varigb707
Topic Author
Posts: 1236
Joined: Wed May 10, 2006 6:02 am

Experts Warn To Disable Java Over Security Threat

Fri Jan 11, 2013 8:44 pm

The U.S. Department of Homeland Security urged computer users to disable Oracle Corp’s Java software, amplifying security experts’ prior warnings to the hundreds of millions of consumers and businesses that use it to surf the Web.

Hackers have figured out a way to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.

http://i45.tinypic.com/256xy6o.jpg

[Edited 2013-01-11 12:45:40]

[Edited 2013-01-11 12:48:39]
First, I said 'hey' and then I said 'now'. "Hey Now!" - Hank K.
 
Maverick623
Posts: 4650
Joined: Thu Nov 30, 2006 9:13 am

RE: Experts Warn To Disable Java Over Security Threat

Fri Jan 11, 2013 9:02 pm

Java has always been extremely vulnerable to exploitation... I don't see anything new here that hasn't been said for the last 10 years.
"PHX is Phoenix, PDX is the other city" -777Way
 
casinterest
Posts: 5447
Joined: Sat Feb 12, 2005 5:30 am

RE: Experts Warn To Disable Java Over Security Threat

Fri Jan 11, 2013 9:19 pm

Based on what I have read, this is basically one of those issues we all have known about for a while.
Don't click on the links from suspect sites.

Either way, I would expect Sun is working on this one.
Department of Homeland Stupidity apparently has no clue what Java is or does for so many websites and interactions. Shut it down sounds cute, but it's kind of like telling everyone to kill the power to the house because you might stick a fork in the electrical socket.
Older than I just was, and younger than I will soon be.
 
dragon-wings
Posts: 3942
Joined: Fri Apr 06, 2001 4:55 am

RE: Experts Warn To Disable Java Over Security Threat

Fri Jan 11, 2013 9:58 pm

I just got an automatic update for Java to address the security issues right after I turned on my computer today.
Don't give up don't ever give up - Jim Valvano
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Fri Jan 11, 2013 10:22 pm

Quoting casinterest (Reply 2):
Either way, I would expect Sun is working on this one.

It's Oracle now.

Quoting casinterest (Reply 2):
Department of Homeland Stupidity apparently has no clue what Java is or does for so many websites and interactions. Shut it down sounds cute, but it's kind of like telling everyone to kill the power to the house because you might stick a fork in the electrical socket.

Are you really extra certain you know so much better than your so reviled Homeland Security department?

Java is indeed used in many server backends, driving what web sites and other services serve back to you, but that is most likely not the issue here. This kind of issue deals with browser-based Java applets, which is a fundamentally different thing, namely Java code being served to your browser so it will actually run it locally on your own machine, not Java running on the server that's answering normal page requests.

So client users should indeed keep the Java plugin in their browsers disabled, ideally at all times unless they are really extra certain that they really, really need Java applets in their browser and they really, really know about the current threat level that entails. Which effectively means practically everybody should throw out Java from their browsers and leave it disabled for good. There is hardly anything on the web that actually still has Java applets, and those sites are generally obsolete and irrelevant anyway.

Which has nothing whatsoever to do with JavaScript which is entirely unrelated to Java (but which can have its own bugs and security issues, in that case usually specific to certain browsers).

Server-based infrastructure is generally not affected by applet security issues since it works completely differently, so 99+% of where Java is actually still needed will not have much of a problem here.

By the way: Apple has automatically blocked the Java browser plugin already on the Mac, until there is a new version that resolves the issue for those users who actually need Java applets (see above).

Quoting dragon-wings (Reply 3):
I just got an automatic update for Java to address the security issues right after I turned on my computer today.

What version is it now, exactly?

[Edited 2013-01-11 14:40:38]
 
dragon-wings
Posts: 3942
Joined: Fri Apr 06, 2001 4:55 am

RE: Experts Warn To Disable Java Over Security Threat

Fri Jan 11, 2013 11:14 pm

Quoting Klaus (Reply 4):
What version is it now, exactly?

For mine it says 1.6.0_37
Don't give up don't ever give up - Jim Valvano
 
Braniff747SP
Posts: 2572
Joined: Sun Oct 26, 2008 4:56 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Jan 12, 2013 1:02 am

Apple has already disabled Java 7 remotely on all Macs.
The 747 will always be the TRUE queen of the skies!
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Jan 12, 2013 2:02 am

Quoting dragon-wings (Reply 5):
For mine it says 1.6.0_37

No, that is not a fixed version – it is still vulnerable!

Your machine may just now accidentally have pulled down a routine update, getting the still-vulnerable version, however:
http://www.oracle.com/technetwork/ja.../javase/7u10-relnotes-1880995.html

There is no fixed version yet as far as I can tell, so please immediately disable the browser Java plugin if you have not done that already!

If the plugin had still been active, your machine may already have been infected by now. Keep your anti-malware programs up to date through the coming weeks at the very least – even if there can't be any guarantee.
 
Mir
Posts: 19108
Joined: Mon Jan 05, 2004 3:55 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Jan 12, 2013 2:12 am

Quoting Klaus (Reply 4):
There is hardly anything on the web that actually still has Java applets, and those sites are generally obsolete and irrelevant anyway.

http://www.aviationweather.gov/adds/airmets/java/

I use it on a regular basis, and various other Java tools on that site (and they all still work, thankfully).

Quoting Braniff747SP (Reply 6):
Apple has already disabled Java 7 remotely on all Macs.

The fact that they can do that sort of thing is rather unsettling.

-Mir
7 billion, one nation, imagination...it's a beautiful day
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Jan 12, 2013 2:29 am

Quoting Mir (Reply 8):
I use it on a regular basis, and various other Java tools on that site (and they all still work, thankfully).

If you have the plugin enabled, you're at a high risk of having your machine infected.

Java has always been a high-risk entry point for browser attacks, and right now the risk is extremely elevated to the point of recklessness.

Quoting Mir (Reply 8):
The fact that they can do that sort of thing is rather unsettling.

I'd have liked an explicit notification about this particular change, but I am extremely glad they're on top of it. It is part of the Software Update and protection mechanism.

I almost always had the plugin disabled with one specific exception. Exactly yesterday I had such an exceptional need for it. I was aware of the generally problematic nature so I took extensive precautions before temporarily enabling the plugin, but it was apparently blocked already. That is where I would have liked a notification instead of launching into debugging mode, which I ultimately gave up and chose an alternate solution for my problem.

Which now obviates my one residual use for Java, most likely for good, so I'll just leave Java uninstalled completely from now on. That's been it.

[Edited 2013-01-11 18:32:07]
 
Braniff747SP
Posts: 2572
Joined: Sun Oct 26, 2008 4:56 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Jan 12, 2013 4:00 am

Quoting Mir (Reply 8):
The fact that they can do that sort of thing is rather unsettling.

Quoting Klaus (Reply 9):
I'd have liked an explicit notification about this particular change, but I am extremely glad they're on top of it. It is part of the Software Update and protection mechanism.

Well, they don't exactly disable anything, nor does it use software update.

http://www.macrumors.com/2013/01/11/...ddress-widespread-security-threat/

Quoting MacRumors:

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

Basically, Apple's built-in malware checks against a list which Apple controls; it seems that Apple has updated the list, similar to the way Google would update Chrome's web browser security.
The 747 will always be the TRUE queen of the skies!
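The minimum-version gate described in the MacRumors quote above, as an added example that is not part of the original posts and is not Apple's code. The plist layout, the `java7-plugin` key and the function names are assumptions made for illustration; only the version strings come from the thread.

```python
import plistlib
import re

# Constructed, simplified blocklist: NOT the real Xprotect.plist layout.
# Only the minimum version string is taken from the quoted article.
CONSTRUCTED_BLOCKLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>java7-plugin</key>
    <dict>
        <key>MinimumVersion</key>
        <string>1.7.0_10-b19</string>
    </dict>
</dict>
</plist>
"""

# major.minor.micro, optional _update, optional -bNN build number
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """'1.7.0_10-b18' -> (1, 7, 0, 10, 18); a missing update/build counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def plugin_allowed(plugin_key, installed_version,
                   blocklist_bytes=CONSTRUCTED_BLOCKLIST):
    """Return True if the plug-in may load under the minimum-version rule."""
    rules = plistlib.loads(blocklist_bytes)
    rule = rules.get(plugin_key)
    if rule is None:
        return True  # no rule for this plug-in, nothing to enforce
    try:
        installed = parse_java_version(installed_version)
    except ValueError:
        return False  # fail closed on a version that cannot be compared
    # Compare numerically, field by field. A plain string comparison would
    # rank "1.7.0_9-b05" above "1.7.0_10-b19" because '9' sorts after '1'.
    return installed >= parse_java_version(rule["MinimumVersion"])


if __name__ == "__main__":
    for version in ("1.7.0_10-b18", "1.7.0_10-b19", "1.7.0_9-b05", "1.7.0_11"):
        print(version, "allowed" if plugin_allowed("java7-plugin", version)
              else "blocked")
```

Setting the minimum one build above the newest public release blocks every installed copy without naming individual versions, and the block lifts on its own once a build at or above the minimum is installed.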
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Jan 12, 2013 5:08 am

Quoting Braniff747SP (Reply 10):
Well, they don't exactly disable anything,

Yes, they do. The plugin has been blocked by this and will not be loaded by Safari any more.

Which is a pretty good point for reconsidering whether to keep Java installed at all any more.

CAUTION: Firefox on the Mac appears to still run Java Applets even so, bypassing the automatic protection and likely exposing the machine to this vulnerability after all. Java must apparently be disabled separately in Firefox like this:
http://support.mozilla.org/en-US/kb/...20to%20turn%20off%20Java%20applets

Quoting Braniff747SP (Reply 10):
nor does it use software update.

Which I have not claimed:

Quoting Klaus (Reply 9):
It is part of the Software Update and protection mechanism.

Software Update is a part of this complex, since it provides and updates the basis on which the protection mechanism operates (and it itself has been rolled into the App Store mechanism in Mountain Lion).
 
Braniff747SP
Posts: 2572
Joined: Sun Oct 26, 2008 4:56 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Jan 12, 2013 5:39 am

Quoting Klaus (Reply 11):
Yes, they do. The plugin has been blocked by this and will not be loaded by Safari any more.

They block it from running, which is not exactly the same. I do see your point.

Quoting Klaus (Reply 11):

Which I have not claimed:

Never said you did. What I meant was that Apple has not actually added or deleted anything from the computer, something which could anger some (and rightly so.) They are merely stopping an action from happening on their web browser; not much different than Norton stopping X applet from running.

Quoting Klaus (Reply 11):
Which is a pretty good point for reconsidering whether to keep Java installed at all any more.

Java is still useful in some instances, and it is not going away anytime soon. I'll still place my faith in Apple (and Oracle) updating their software proactively as they have in the past.
The 747 will always be the TRUE queen of the skies!
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Jan 12, 2013 6:00 am

Quoting Braniff747SP (Reply 12):
Never said you did. What I meant was that Apple has not actually added or deleted anything from the computer, something which could anger some (and rightly so.) They are merely stopping an action from happening on their web browser; not much different than Norton stopping X applet from running.

The lacking notification does still suck as it is now, however. That sure needs some improvement.

Quoting Braniff747SP (Reply 12):
Java is still useful in some instances, and it is not going away anytime soon.

In the browser it's on its last legs and it is about to go away. Except for a few stragglers it's already dead.

Which is one reason why on the Mac the plugin now automatically deactivates itself after a while of not actively being used and requires an explicit re-activation by the user to run again, which is a good choice, since most people don't even know it's on even though they never need it.

Quoting Braniff747SP (Reply 12):
I'll still place my faith in Apple (and Oracle) updating their software proactively as they have in the past.

Actually, Apple has bounced almost the entire responsibility for Java back to Oracle at this point. There is no Apple-supplied Java any more.

Mac OS X does not install Java any more at all. You now have to explicitly get and install it if you really want to use it.

Apple is only keeping an eye on it, yanking the plug on it in cases like this one if it is actually installed.

Apple had been criticized for sluggish updates of their own Java distribution in earlier times and with some justification; the new policy gets rid of almost the entire problem for pretty much everybody.

Especially for the majority of users who never need Java anyway, who will now not be bothered with it at all any more.

As I've said above, Java running on servers responding to incoming regular web page requests is a completely separate issue and usually is not affected by browser-based security issues. In that niche Java will likely continue to exist.

But in the browser it has long been more trouble than it's worth and should be replaced completely. Sites which still require it put their own users in jeopardy.
 
moo
Posts: 4175
Joined: Sun May 13, 2007 2:27 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Jan 12, 2013 10:55 am

Quoting casinterest (Reply 2):
Either way, I would expect Sun is working on this one.

Aside from...

Quoting Klaus (Reply 4):
It's Oracle now.

Oracle knew about this vulnerability as far back as August 2012, but hasn't done anything about it, so don't keep your hopes too high.

Java really is a cluster flick these days - at one point, it was the huge poster child for many open source advocates but it's just become totally unmanaged and a pile of smelly stuff.
 
dragon-wings
Posts: 3942
Joined: Fri Apr 06, 2001 4:55 am

RE: Experts Warn To Disable Java Over Security Threat

Sun Jan 13, 2013 12:24 am

Since I had an older version of Java installed on my computer I just uninstalled it a few minutes ago from my computer. I did download the newest Java version, but I think I will wait a little bit before I install it. If I wait maybe there will be an updated version that addresses the security risk.
Don't give up don't ever give up - Jim Valvano
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Sun Jan 13, 2013 12:44 am

Quoting dragon-wings (Reply 15):
Since I had an older version of Java installed on my computer I just uninstalled it a few minutes ago from my computer. I did download the newest Java version, but I think I will wait a little bit before I install it. If I wait maybe there will be an updated version that addresses the security risk.

Just throw it away. It is still the vulnerable version.

A fixed version is not available yet, but exploits of the current vulnerability are already active in the wild.
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Mon Jan 14, 2013 2:01 am

Looks like Oracle has provided an update which is supposed to fix the most recent vulnerability:
Version 7 Update 11
http://java.com/en/download/index.jsp

Oracle Ships Critical Security Update for Java

If you still have an older version active, it is most likely advisable to upgrade now if you still intend to keep using Java in the browser.

I would still advise substantial caution:

• If you do not explicitly and seriously need Java applets in the browser, better keep the Java browser plugin disabled in all browsers and keep Java uninstalled completely unless you do still need it for locally installed Java applications (for which the browser plugin is not needed, however).

• If you really need it for specific tasks in the browser, it may still be a good idea to be cautious: It would still enhance security if you normally kept the browser plugin disabled and only before accessing that Java-requiring site you closed all tabs and windows, enabled the plugin, performed the access and disabled the Java plugin again before accessing other sites.

• Keeping the Java browser plugin active all the time will keep you exposed to any further vulnerabilities Java might still have or develop later on, so this should be avoided even if this new version can be hoped to be free of any such holes, but I wouldn't bet on it.

• Downloading and running Java applications from dubious sources locally outside of the browser can still be a security risk just as with native applications – the browser plugin vulnerability just allowed criminals to perform an unnoticed "drive by" injection of malware through the browser without you doing anything, but programs you invite in yourself still have free rein and should still be treated with great caution, be they native code, Java, Flash or in other languages (such as executable scripts).

• If you still need Java applets, you might also install Java on an OS in a virtual machine which does not contain any exploitable data of yours and which you use for nothing else; that at least puts up another line of defense which is not trivial to break through for invasive malware. Keeping such a VM up to date and as free of vulnerabilities as possible is still a good idea. VMs such as VMware also have the option to make a "snapshot" of the VM in a pristine state to which you can always reset it after using it, so that any infection would also be reset if one should have occurred.

I personally have just scrapped my last use of Java and I'll most likely keep it disabled from now on.

Whatever you do, be cautious, apply common sense and use safely!

[Edited 2013-01-13 18:06:32]
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Mon Jan 21, 2013 5:55 am

Unfortunately, Oracle's "fix" appears to be more like a preliminary band-aid which leaves some attack vectors open:
Oracle's Java patch leaves a loophole

So remain extremely careful, uninstall Java or at least the Java browser plugin from your browsers if you can, or if you decide to leave it in there, at least disable execution of all unsigned applets.

Also, criminals are using this situation to attack users via bogus "Java updates" which are in fact trojans loaded with malware. So be extremely cautious about where you get such updates from (the original updates are to be downloaded directly from Oracle).

[Edited 2013-01-20 21:58:10]
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Tue Jan 29, 2013 5:24 pm

The loophole that's still open is in fact exploitable. The warnings above unfortunately need to be reiterated.

http://seclists.org/fulldisclosure/2013/Jan/241
 
Elite
Posts: 2296
Joined: Thu Jun 29, 2006 6:31 pm

RE: Experts Warn To Disable Java Over Security Threat

Tue Jan 29, 2013 5:48 pm

Quoting Klaus (Reply 19):

What's taking so long for this to be patched?
 
moo
Posts: 4175
Joined: Sun May 13, 2007 2:27 am

RE: Experts Warn To Disable Java Over Security Threat

Tue Jan 29, 2013 9:06 pm

Elite, the issue is rooted in the fact that the Java VM security model is not a layered one, it's a called one - in other words, when a developer implements a JVM feature they have to do the security checks there and then, rather than there being an overarching security model which sits between the feature and the core method they are calling. All too often the developer is either not handling the security call correctly, or omitting it altogether.

Just one of Java's deep bedded issues...
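The difference between the two designs described in the post above, as an added toy model that is not part of the original post and is not JVM code. All class, function and permission names are hypothetical; the point is that a single forgotten check in the "called" design goes unnoticed, while a mediating layer denies by default.

```python
class AccessDenied(Exception):
    pass


class Policy:
    """Permissions granted to the calling code (hypothetical names)."""
    def __init__(self, granted):
        self.granted = frozenset(granted)

    def check(self, permission):
        if permission not in self.granted:
            raise AccessDenied(permission)


# Stand-ins for privileged core operations.
def _core_read_file(path):
    return f"<contents of {path}>"


def _core_load_class(name):
    return f"<class {name}>"


class CalledModelRuntime:
    """'Called' model: every feature must remember to do its own check."""
    def __init__(self, policy):
        self.policy = policy

    def read_file(self, path):
        self.policy.check("file.read")   # check present
        return _core_read_file(path)

    def load_class(self, name):
        # Check omitted by the feature author; nothing else catches it.
        return _core_load_class(name)


class LayeredRuntime:
    """'Layered' model: core operations are reachable only via invoke()."""
    _CORE = {
        "read_file": ("file.read", _core_read_file),
        "load_class": ("class.load", _core_load_class),
    }

    def __init__(self, policy):
        self.policy = policy

    def invoke(self, operation, argument):
        entry = self._CORE.get(operation)
        if entry is None:
            raise AccessDenied(f"unknown operation {operation}")  # deny by default
        permission, core = entry
        self.policy.check(permission)    # one check, enforced for every feature
        return core(argument)


def try_call(func, *args):
    """Return ('allowed', result) or ('denied', permission) for comparison."""
    try:
        return ("allowed", func(*args))
    except AccessDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    untrusted = Policy([])               # code with no permissions at all
    called, layered = CalledModelRuntime(untrusted), LayeredRuntime(untrusted)
    print(try_call(called.read_file, "/etc/hosts"))
    print(try_call(called.load_class, "Foo"))        # slips through
    print(try_call(layered.invoke, "load_class", "Foo"))
```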
 
Birdwatching
Posts: 3578
Joined: Sat Sep 06, 2003 10:48 am

RE: Experts Warn To Disable Java Over Security Threat

Wed Jan 30, 2013 10:47 am

I got rid of Java a while ago and I haven't missed it for anything on the internet. Seems to be really obsolete now.

But then I realized I can't play Minecraft anymore!

Is there a way I can have the Java Runtime environment on my PC but not be vulnerable / not have the browser extensions?

Soren
All the things you probably hate about travelling are warm reminders that I'm home
 
Klaus
Posts: 20649
Joined: Wed Jul 11, 2001 7:41 am

RE: Experts Warn To Disable Java Over Security Threat

Thu Jan 31, 2013 4:00 am

Quoting Birdwatching (Reply 22):
Is there a way I can have the Java Runtime environment on my PC but not be vulnerable / not have the browser extensions?

Yes, but you need to be sure to disable the Java plugins in all your browsers – don't miss one or it can be an opening for an attack.

And you must re-check every time you've updated a browser.

[Edited 2013-01-30 20:01:18]
 
Braniff747SP
Posts: 2572
Joined: Sun Oct 26, 2008 4:56 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Feb 02, 2013 2:59 pm

The 747 will always be the TRUE queen of the skies!
 
moo
Posts: 4175
Joined: Sun May 13, 2007 2:27 am

RE: Experts Warn To Disable Java Over Security Threat

Sat Feb 02, 2013 3:52 pm

Quoting Braniff747SP (Reply 24):

Possibly. We shall see.
 
Braniff747SP
Posts: 2572
Joined: Sun Oct 26, 2008 4:56 am

RE: Experts Warn To Disable Java Over Security Threat

Sun Feb 03, 2013 4:48 am

Quoting moo (Reply 25):
Possibly. We shall see.

Well, it'll be exploited again... but for now, it's safe.
The 747 will always be the TRUE queen of the skies!
