
wow
First rule of desktop security is to remove Adobe Flash, Reader and all Java runtimes. As long as those malware portals are on your system if you ever connect to the internet you might as well assume your box is pwned.
A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available. The vulnerability is present in the Java Runtime Environment (JRE) version …
Well, if you use Chrome you get Flash sandboxed, which is a decent compromise assuming you don't mind Google collecting data. Damned if you do, somewhat. As for Java, as mentioned, virtually no non-corporate desktop will notice it's gone. Java has largely been a fail on the consumer desktop.
That's not really true any more. You lose a little bit from Flash, but not as much as you'd think. You can use an alternative PDF reader, too. Just keep it up to date (Secunia PSI is useful for some folks in this respect).
As for Java, since being exposed to twelve year-old minecraft bores on my Mumble server, I have never felt an urge to play it, and thus never missed Java on my desktop machines.
This post has been deleted by its author
Thus why I said on consumer desktops/laptops. The corporate world is the main place it found its niche. It's not a bad language necessarily (although managed code in general is a joke imho), but the Snoracle VM implementation has always been sh_t. Java's biggest problem has always been its steward.
Very soon, no person in Denmark will be able to interact with a financial institution or the government via the internet without the use of Java. It is already more or less 100% true, but there are a few holes left.
Here in this little duck pond, JAVA is the ONLY GAME IN TOWN.
I think we are not the only ones on the planet having this shoved down our throats.
Or was that just a troll post? People want to do the things that are enabled by your so-called "malware portals".
I think the first rule of security ought to be that companies have some liability for their security failures. Not so bad as to bankrupt them, but at least a significant fraction coming from somewhere near the top. Since I really doubt that most companies could afford to pay for the damage their security incompetence causes, I think the best compromise would probably be to take a fraction of their after-tax profits to be distributed to their victims, where the fraction would go up or down mostly in response to the trends. In other words, delivering more secure software should have an impact on the bottom line.
Just to use the most extreme example of the most extreme abuse, I have to point at Microsoft. They have led the way in disavowing ANY financial liability for the SEVERE consequences of their LOW priority on security. Yes, they have improved in recent years, but other companies like Oracle have picked up the torch for security LAST. My own belief is that if Microsoft had paid for all the damage caused by flaws in their software, they would have gone bankrupt long ago, but their lawyers shucked all those costs on the victims.
Of course the punchline is that most of the victims never even got to choose Microsoft because Microsoft had deliberately destroyed the alternatives and because Microsoft was mostly selling to the computer makers, not the end users. You just use Microsoft because it was already there on your computer--and ditto the bugs and the suffering.
This post has been deleted by its author
I use nothing Java (maybe pingtest.net, but that's only for the packet loss part; I do not really need pingtest.net to tell me my Virgin Media connection is dropping packets). I just uninstalled it myself.
For Chrome users: if you have Click to play ticked, plugins will not load unless you click on them to start them (Java, Flash, PDF files or anything that is not native to Chrome).
I have yet to see an online collaboration and conferencing tool which does not use java.
Microsoft netmeeting, WebEx, etc all are 100% java based.
On the positive side these are corporate gimmicks and can be whitelisted leaving the rest of the web javaless.
I really wasn't expecting to upset anyone! You guys are sensitive!
I haven't installed Java for the web for over 7 years.
I grant you that in a corporate environment it may well be required and an asset for maybe one or two apps, but in a domestic setting or a business environment where there is an alternative support method I just haven't seen a useful Java app for web. Clunky old IRC clients and Rich Text Editors don't count.
There is no place for Java on my PC and I also really hope that it will just go away one day as a development runtime for desktop OSs. I don't mind it running on mobile devices, but the way it behaves on desktop PCs is just annoying. That's not to mention that it's very slow, and that original idea of providing a truly cross platform solution didn't quite work out. Unfortunately too many universities still have programming classes that teach Java as introductory courses. Does anyone actually develop applets these days? Come on people, it is time to switch to either Flash or Silverlight. You can already take advantage of the microphone and web camera on Google Chrome using just HTML5. We need to keep supporting innovative promising technologies, not a 20 year old workaround.
I don't think Android can run Java Applets either. Linux? I haven't had a chance to run Silverlight on that OS, but I bet you can still use Flash for pretty much anything applets are capable of. In my recent experience, development of plugin applications is only needed if I have to access hardware (i.e. webcam), which is soon going to be unnecessary with extensive HTML5 support. HTML5 and JavaScript backed by, say, Node.js, are more powerful than you probably think.
Unfortunately many things require java runtime. Many things. I certainly hope Oracle will see their way clear to temporarily ignore their policy at being against the world, and release a patch asap. You just can't hold the keys to something like java and take a few months to patch an existing exploit.
What high profile websites require Java to be enabled? When I last reinstalled my laptop I forgot to install Java and it was over a month before I noticed. I have never noticed Java's absence on my iPhone. Never. Not once.
Flash is going away too. While there are still plenty of videos that require flash on the web, sites that require it for navigation are becoming quite rare, and the videos are less numerous than they used to be. Now that Android can't run flash in the future, that abomination should quickly disappear from the web entirely, at least from any sites that ever hope to attract any mobile users at all.
It's a good thing cross platform stuff like Java and flash are going away, too, because anything that potentially provides a single attack that works against pretty much everything out there is a disaster waiting to happen. Java code has run in a sandbox since version 1.0, and it still isn't safe even now, so it's quite obvious it never will be. Good riddance.
Maybe someone will try again in the future, running the cross platform managed code in a VM, since they obviously can't be trusted to program a secure sandbox.
Flash may be going away, but, it is still extensively used, and not just for video or navigation. I've no idea what html5 is capable of, but, can it do what car manufacturers use Flash for? Go to most major manufacturers sites and Flash is there, and is very useful. Choose your model, paint colour, interior trim, wheels, and see a picture of your chosen car, in a 360 degree rotational model.
I have no idea what those sites look like to those poor unfortunate souls who bought inferior devices incapable of running Flash, but some of them look pretty damn good in all their Flash goodness.
"It's a good thing cross platform stuff like Java and flash are going away, too, because anything that potentially provides a single attack that works against pretty much everything"
How the picture will be better when cross-platform HTML 5 and HTML 5 Video are the standard?
The problem with Java and flash is that there is one single company with one single codebase that covers every implementation. If there is a security hole, it affects everyone.
HTML5 does not suffer from that issue, there are separate codebases for IE, Firefox, Safari and Chrome. An HTML5 bug in Firefox will not affect Chrome. An HTML5 bug in IE will not affect Safari. OK, Chrome also uses Webkit, so depending on what the bug is it might affect both Safari and Chrome, but at least that's not everyone.
This is important because if there is a bug announced tomorrow that affects every version of Java (rather than fortunately affecting only 1.7.x like this 0-day exploit) and you MUST run Java as some people here have reported they must, you are effectively screwed. If you MUST run HTML5 and there's a nasty 0-day in Firefox, you have the option to safely use IE or Chrome until Firefox is updated.
Not true, cross platform is a good idea BUT the machine specific environments, within which the cross platform software runs, need to be secure.
Developing once for many environments is a huge benefit for developers.
Sun need to make Java environments safe.
This post has been deleted by its author
I'm pretty sure you can still run NoScript with the JRE plugin disabled.
I suspect the OP's point was that NoScript will block applets from non-whitelisted sites unless you tell it to allow them, so you can restrict the JRE plugin to sites you trust. That mitigates the risk of Java-in-the-browser, though it certainly doesn't eliminate it.
Personally, I find Java useful in some domains (I use it for much of my Natural Language Processing research, for example), but I rarely want to run it in the browser. So NoScript's whitelisting is a good solution for me.
Java always has been and always will be vulnerable. I have no use for it at home, but WebEx etc. at work necessitate it. I use FF for normal browsing, sans Java, and use the exploder only for apps I know are clean... and in this context, 'apps' is actually pretty much correct, as Java apps have always been 'apps', right? Not like this trendy "every program is an app".
I'd put money on the IT department at work doing sweet fa about this.
Pint because the weekend can't come too soon.
"I'd put money on the IT department at work doing sweet fa about this."
The circuit of fail:
The main reason an IT department is needed is because there is an IT department - i.e.: 80% of the problems are internally created; the rest are produced by Larry Ellison, CISCO or God (in that order) over which we have no influence, time & circumstance will cure those.
Who cares? The thing what bringeth the bonus is the cost reduction from "off shoring" ... for the savvy IT manager with an eye on the Game, not the Ball, a decent attack is an opportunity to secure additional resources and headcount, the raw material for another round of cost-cutting and personal pay increase ;-)
Frankly, I'm beginning to think that Firefox and noScript should become mandatory by law.
If that ever did happen though, then this almost-perfect shield would become the hard target for all the miscreants and issues would be found.
So let the rabble continue with IE and zero protection. I'll just glide by, blissfully oblivious to the carnage until an article like this wakes me up to the fact that there are still people who don't know how to surf securely.
<disclaimer>this post concerns private use of Internet only - I am very well aware that professionals have a different set of problems, mainly that of not being able to choose their work platform</disclaimer>
You may want to look at a recent article that shows Firefox more vulnerable to certain attacks (Tesco article) than IE.
Add that to the fact it's dog slow to launch...
Me, I use most of them: IE9, FF, Opera, Iron.
Yet to find one that works 100% of the time, so I use the best for the job.
I am aware of threats and I know perfectly well that no platform, anywhere, anytime, is immune against problems.
I also have a brain and use it every time I click on a link.
That said, since I have started using Firefox with AdBlock and NoScript all those years ago, I have not once been infected by anything. That is fact, not smug, and if you don't like it I don't care.
I will continue to use Firefox/NoScript whilst keeping up-to-date about its issues and keeping it up-to-date as well because I trust it and it has never failed my trust yet.
But that does not mean I will click blindly on any link that I see or get sent to my mail.
The day IE has NoScript, I might take it for a whirl outside the very small list of URLs I let it see at this time, but until then, my general surfing will be done on Firefox, because it works.
If using a tool because it works is being smug, then so be it, I'm smug.
My PC is virus-free too.
And hope that your favourite web site isn't attacked and compromised, such as through the adverts.
The linked article mentions news from elsewhere ("VulnDisco") of a zero-day exploit as of 10-Aug-2012, and not sure if it's a different one. The one that they're talking about affects Java 7 (or 1.7) up to and including the latest Update 6, but does not affect Java 6 (or 1.6).
http://en.wikipedia.org/wiki/Java_version_history says that a Java 6 Update 34 was released on 14-Aug-2012 and that might beat the possible second exploit, too - although this release may have been available to hackers before the general public, too.
Really the need is to extend your exposed surface only where it is safe AND necessary to do so. That is - only accept plugin content from a limited set of web sites that you want to use. But I only know the Opera web browser's mechanism for doing that, site by site, and you can't just tell everyone to use Opera. Well... you could...
Not sure about that - we run Oracle's JDK on Linux because the OpenJDK has its own issues, and because most of our clients are running Oracle's or IBM's.
For example, this one is OpenJDK specific and fatal for certain workflows. http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1013
This post has been deleted by its author
So this exploit existing, doesn't automatically mean that all Java is suddenly a void of horrid death, right?
I mean - the java at my banks webpage isn't all of sudden a Chinese torture device, right?
Furthermore, so long as plug-ins are only activated when I activate them, then all those ghastly sites I visit on how to bake the perfect sponge-cake wont be able to run evil java code, right?
If the answer to all of the above is: "Right!", then I should be fine...
So is it?
Depending on your browser, a plugin is likely to be active on -any- web site that wants to use it - or, if disabled, none.
Opera lets you specify plug-ins, Java, and scripting on or off by site, or, in other browsers, you can disable a plug-in until you need it, probably.
You also may be able to run your browser as different user names simultaneously, to have access to different user profiles with different session preference settings.
whether Java and Javascript are the same for the purposes of this safety warning
They're not the same for any purposes.
They're both OO languages that adopt much of their syntax from the C family, and they're both usually executed in an intermediate form and JIT-compiled, but the similarities end there.
Java is a language that originated at Sun and was originally intended for use in embedded applications (which is indeed where most of it is to be found); but Sun implemented an early graphical web browser (HotJava) that included a JRE and popularized the idea of executing downloaded Java applets in the browser. Netscape picked up the idea and eventually all the major browsers included Java runtimes. Java applets lost the popularity contest, though, first to Flash and then to "Javascript".
"Javascript" is two things. First it was the new name of the browser scripting language Livescript, which was renamed to jump on the Java-in-the-browser bandwagon, thereby sowing much confusion. Now it is the name of Mozilla's implementation of the browser scripting language ECMAscript, which is the current descendant of Livescript. Many people use "Javascript" to refer, incorrectly, to all ECMAscript implementations.
ECMAscript and Java are substantially different languages, and their implementations share nothing, except where people have implemented an ECMAscript interpreter in Java (sigh) and a JVM in ECMAscript (double sigh).
This particular vulnerability appears to be the result of a too-clever-by-half change to the Java class loader in Java 7, with insecure use of reflection in the Java runtime classes, which lets an attacker obtain privileged references to private members of restricted classes. Recent discussion on Bugtraq points specifically to parts of the Abstract Windowing Toolkit, and there's some suggestion that this is in effect the reintroduction of a vulnerability originally fixed by Sun back in 2005. That, to my mind, supports the contention made by several respondents here that the Java runtime has grown far too complex.
Funny how Steve Jobs / Apple were called evil control freaks for keeping everything but HTML5/Javascript off the iPhone. Two years ago Google took out full page ads to boast its openness in supporting buggy proprietary Flash on Android. "We love Apple, but what we don't love is anybody taking away your freedom . . .".
And now everyone's quietly doing the same as Apple, practically every mobile browser is built on Apple's Webkit, and HTML5/Javascript is standard and more or less universal. Remember the days of Internet-Explorer-only web sites, and only-works-properly-on-Windows Flash?
Frankly, thank goodness for Apple (and Google before they switched objectives to world domination).
You may need to refer to Test Man's comment above. To completely clarify: Pretty much the only things Java and Javascript have in common is that they're a) programming languages which start with b) the same four letters. Maybe half the web wants you to run Javascript, which is not the language in question here. Java is used much less, and unless it's part of your office environment or your bank's site, you can get along quite well without it, thank you.
Amazing how many smug comments from those with clearly limited perspective. Just because you don't know about or have to deal with it does not mean it's not a real, valid problem for others. I expected more imagination from Reg readers!
"I can't see any need for java / I never use java and don't miss it" - you obviously don't have to support a business that is forced to use sites or services that require java. It's not so easy to simply banish a mission-critical process.
"Java is disabled by default on Apples" - okay, Apples are crippled by default, woo. A car that won't move is inherently safe from accidents, but a pretty poor transport. Saint Jobs didn't banish Flash to protect you, but to make MO' MONEY. Don't confuse his intent.
On the glum side, anything that reaches popular use is going to become a hack target. Given the complexity of software, everything will probably be somehow hackable. Every massive hacker opening began as a Wonderful Feature. Installing software from a web page, running programs from an e-mail, these and others were signposts to a glowing future of friendly computers. When someone invented doors, his neighbor invented burglary...
> you obviously don't have to support a business that is forced to use sites or services that require java
I do - but there aren't many such businesses. Most sites[1] with Java applets have alternative methods of getting at the data as well, even if they're not quite as slick.
The biggest Java installations I deal with are servers - and they're invariable hidden behind an Apache reverse proxy, and are unlikely to be downloading stuff from the web in the first place.
Vic.
[1] I'm excluding games sites, since farting around with Java games doesn't really come under my definition of "business use".
Apparently the only thing they wanted it for was for an on-line Chess game.
I warned them. But would they listen? I also had to re-enable NotScripts and Ghostery because they were 'messing up the way the machine is supposed to work'.
It's all good, because now I get to say "I did tell you so" next time they call me up to fix their computer.
These are people that point-blank REFUSE TO LEARN HOW TO JUST QUICKLY DISABLE/ENABLE A PLUGIN.
Sorry for the shouting, nearly got hot under the collar there. ;-)
I understand how NotScripts cripples half the web, but for deity's sake at least use it on the half you can. Same with Java. In fact, I personally have it turned off ALL THE TIME and only re-enable it maybe once a month on my web travels.
It's funny, coz when I was first learning JAVA, ooh, over 10 years ago now it would have been, people were saying: This thing is going to be a MASSIVE security risk. Same thing with Active-X. Few had the foresight to see the monster that FLASH would become though. I remember playing with the thing when it was called Future-Splash, and telling people this is the future of the web. Did anyone listen? No. They just said: There is nice dear.
Oh well, I was right about one or two things, but am probably one of the few failed programmers on this site.
Still, no great loss, apart from the few successful JAVA and whatnot programmers that work for Deutsche Bank and earned £60K a year, most I know are treading water. Still, what is £60K a year anyway.
Alright it's more than my dole, but you know... That was a couple of years ago now, maybe things have changed.........
</rant over>
<new rant begins>
I'm just waiting by my phone - it is inches away from my leg - no obstructions. I shall answer with: "Yes it is I."
"Who speaks? Really? Never!"
My insouciance shall be invisible. Though I bear no great malice, sometimes a quick "I told you so", is worth oh so much more than the £20 I will get for fixing their machine. Bring it on. I shall wait for that sweet-spot moment when the cash hits the claw, then look them in the eye, with an almost undetectable sideways glance - the way a Lion might eye up a Zebra in the Serengeti for example - then, in a James Bond manner, ever so coolly say, TOLD YOU SO, TOLD YOU SO! ARGH ARGH ARGH, TOLD YOU SO!, jumping up and down for good effect and also flapping my arms wildly in the air like a poor earth bound bird that hasn't flown for hundreds of thousands of years, but still tries anyway, just out of pure instinct. Think Emu, think Dodo - no that's not right. Anyway. You get the picture.
Of course at this point I shall be off for the treatment I so rightly deserve. All because some bastard wrote a JAVA exploit. And some other bastard refused to learn how to use the on/off switch under 'preferences'.
Still. These are the good days... Wait until things really get out of control....
I disabled Java in Firefox long ago, since whenever I hit a page with a Java applet, my browser pauses for a good 30-45 seconds, and then typically just crashes entirely.
I remember trying to report it, and ending up with a lot of finger pointing (bad applet design, bad sandboxing, whatever), but no substantial remedies from my standpoint.
Luckily, it was never a Thing for me to have it off.
[Beer, because it helps me have it off]
I'm no Java expert so did a little digging and I'm not so sure OpenJDK is ok... See statement from Redhat in their bugzilla.
https://bugzilla.redhat.com/show_bug.cgi?id=852051#c9
Most people will have that installed on a linux box but then it doesn't appear as an available browser plugin. So in theory all ok from a drive by exploit point of view....
For the most heinous crime of information terrorism by writing of viruses.. DEATH!
Death by giant hornet enema, and put the execution video on Youtube with a soundtrack of "Toxic" as a deterrent for any idiots who think it is funny to destroy other people's hard work, memories and data.
AC/DC although as a close second the electric chair would be acceptable punishment.
I just had this url in my inbox and I don't remember anything written in this tone for a long time from them.
http://www.kb.cert.org/vuls/id/636312
Does it mean USA government will feel compelled to disable Java on their terminals too?
Does any person remotely connected with Oracle know what it means to have such an alert from an institution like that? Not, it seems; nobody has heard of an out-of-band emergency patch yet.
Sorry but I noticed an unbelievable thing. If you check
http://www.kb.cert.org/vuls/id/MORO-8XKL37
You will see even US CERT wasn't contacted at time of writing.
While on it, if you are a win user and have broadband, have no mission critical apps written in Java, easiest way to disable applets seems to be removing/uninstalling Java altogether. Using registry modification seems absurd to me.
Sorry but I noticed an unbelievable thing.
You seem to have a pretty liberal definition of "unbelievable". I didn't have any difficulty believing it.
If you check
http://www.kb.cert.org/vuls/id/MORO-8XKL37
You will see even US CERT wasn't contacted at time of writing.
Discussed on Bugtraq and Full-Disclosure yesterday. Not all researchers feel obliged to inform CERT.
Really; when I do manage to get online these days, all I hear about takes another week of being online to understand, until I realise that it refers to things that only have any meaning on the internet.
"AMIRITE?"
And yes, I am aware of the nature of the site to which I am posting.
But still.
Get out while you can. Any industry that can make you suddenly twitch at the womb while you reassess . . .
forgot what i was saying while i went to check the spelling of assess.
doesn't matter.
... on my system's browsers. I've rarely had a complaint from any website.
JavaScript is up for all but a few bad actors.
Java (the JRE and JDK, version 1.6) is up on my system. I've got gobs of stand-alone (non-browser) applications to run. But it sounds like this is a vulnerability of Java running under the plugin rather than standalone. Correct me if I'm wrong.
At any rate, I can live with v1.6 until the patch comes out.
First, I must admit, I have not been to much that uses Java. But, I do have java installed. I'm not worried about malware though. Why?
1) Linux uses an executable bit. It's Windows where you (well, "they") can download an .exe and just run it. Also my copy of Firefox does run under AppArmor so potential malware would be contained.
2) *I'm not using Oracle's JVM*. Due to Oracle's licensing, Ubuntu dropped Sun/Oracle Java even as an option a while back. I thought I was screwed, because Eclipse says it requires Sun/Oracle Java and is incompatible with OpenJDK. Not so! It may once have been true, but I've been running Eclipse on OpenJDK (with the IcedTea6 browser plugin), and have coded, debugged, and published a signed Android app onto the market. No sweat at all.
So, if you are using Java, I would try OpenJDK and see if it works. What can I say? At least if people find OpenJDK holes they are not on an every-4-months release schedule! 8-)
It probably has many names; there's no central authority for naming exploits, you know.
Security Explorations, who have been talking about it on Bugtraq and Full-Disclosure, and are one of the groups to discover the issue, have been calling it SE-2012-01.
See http://www.security-explorations.com/en/SE-2012-01.html.