Tag Archives: botnet

Java may still be vulnerable even after Oracle’s security patch.


diagram: Baptiste MATHUS
This is a comedy of errors.

For four months, Java has been vulnerable to attack. Oracle recently responded with a security patch for Java 7 that closed the known holes. Unfortunately, the patch also adds two new functions, and those functions bring new vulnerabilities of their own.

Andy Greenberg wrote about the latest Oracle problems with Java in a recent Forbes article.

Java has been with us since 1996. I recall the joy that greeted its introduction by Sun Microsystems: a Java program could be written once and then run on Windows, Mac, and a variety of Unix machines. The slogan was "write once, run anywhere." As malicious attacks have intensified, we've learned that the architecture of Java makes it an attractive target: the Java runtime has full access to the file system and runs with the same rights as the currently logged-on user. The only thing standing between a web page's Java code and those rights is the Java sandbox, and the recent vulnerabilities let malicious code break out of it. That means if you are logged on to your PC as Administrator, a malicious Java program can do whatever it pleases on your PC.

The vulnerability in Java version 7 means that if a website contains malicious Java code, all that you need do is visit that website; you need not click on any links, and your Windows, Mac, or Linux machine is taken over (if Oracle's Java is installed and enabled in your browser). And you probably wouldn't know it.
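To make the boundary concrete, here is a small Java program, added here as an illustration and not part of the original post, that shows the two sides of the problem: what Java code can do with the logged-on user's rights, and what the applet-style sandbox, enforced by Java's SecurityManager, is supposed to deny. A sandbox-escape exploit aims to get past exactly these checks. The class name and the choice of the home directory as the probe target are mine; the program is written for a Java 8 JRE.

```java
import java.io.File;

/**
 * Added example (not from the original post): the same directory listing
 * run with full user rights and then under the default sandbox policy.
 *
 *   javac SandboxDemo.java && java SandboxDemo
 */
public class SandboxDemo {

    /** Try to list a directory; report whether the current policy allowed it. */
    static boolean canListDir(File dir) {
        try {
            // File.list() calls SecurityManager.checkRead(), which requires a
            // FilePermission "read" that the default policy does not grant.
            String[] names = dir.list();
            return names != null;
        } catch (SecurityException denied) {
            return false;
        }
    }

    /** Try to switch the sandbox off; this is the goal of a sandbox-escape exploit. */
    static boolean canDisableSandbox() {
        try {
            // Requires RuntimePermission "setSecurityManager", also not granted.
            System.setSecurityManager(null);
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Resolve the path before the sandbox is on: reading "user.home"
        // is itself a restricted property under the default policy.
        File home = new File(System.getProperty("user.home"));

        // 1. Plain Java application: no SecurityManager, the code has every
        //    right the logged-on user has, including reading their files.
        System.out.println("no sandbox, list home dir: " + canListDir(home));

        // 2. The same code under the default (applet-style) policy.
        System.setSecurityManager(new SecurityManager());
        System.out.println("sandboxed, list home dir:  " + canListDir(home));
        System.out.println("sandboxed, drop sandbox:   " + canDisableSandbox());
    }
}
```

On Java 8 the first line reports true and the next two report false: the listing that succeeded with the user's rights is refused once the sandbox is installed, and the sandboxed code cannot remove the sandbox by legitimate means. That refusal is the whole defence; a malicious applet that finds a bug letting it reach setSecurityManager(null) is back to case 1. (Later Java releases deprecate the SecurityManager, and Java 18 and newer need -Djava.security.manager=allow for the second half to run.)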

The open door into your PC is the Java plug-in that lets websites run Java inside your web browser. Until Oracle gets their Java act together, I recommend that you uninstall Java. Using the Mozilla Firefox web browser with the NoScript add-on will also protect you, since NoScript blocks plug-in content until you allow it. These days, few websites use Java anyway. Some multi-user games require Java, and a few financial reporting sites use Java. I don't even have it installed on this Windows XP machine.

Sept 7 2012 update: Oracle has resorted to accepting payments from McAfee: when you download the Java update from Oracle, it defaults to installing McAfee Security Scanner, unless you opt out. Oracle ought to stop trying to maintain Java by themselves. As far as I know, it’s not generating revenue for them, so their heart isn’t in maintaining the code. Oracle and the user community would be better served by re-branding Java as open-source.
 
Reportedly many European bank sites use Java to provide on-line banking. I’d recommend that these users make certain that they keep their Java updated and use Mozilla Firefox with the NoScript add-on. The Safari browser on Macs prompts you before executing Java code, and disables it afterwards, so this should be okay for European banking users.
 
A good workaround would be to boot from an Ubuntu (Linux) live DVD/CD and do your banking from it. If the live session includes a Java runtime, it will be OpenJDK rather than Oracle's build; OpenJDK is built from largely the same source code, so it needs the same security fixes and should not be assumed immune to Java flaws. The real benefits of the live session are different: it carries none of Windows' vulnerabilities, and because nothing is written to your hard disk, anything picked up during the session is gone at the next reboot.

Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Listen & learn about today’s cyber-criminals

Today’s bad guys on the web jeopardize on-line shopping, bank accounts . . . even national security.

One widely quoted estimate puts the cost of cyber-crime at over one trillion dollars a year.

Has your computer ever been infected by a virus and slowed to a crawl? Maybe it had become a member of a botnet and was busily sending spam or taking part in a denial-of-service attack on a website, under the control of someone on the other side of the globe.

Today I listened to a fascinating discussion of Internet-based crimes and criminals. NPR's Fresh Air interviewed two people who track the Internet's bad guys: journalist Joseph Menn, author of a new book titled Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet, and Barrett Lyon, who does battle with those bad guys mano a mano.

These two guys claim:

  • many botnet bosses are teenagers
  • many reside in Russia and former Soviet states
  • websites are routinely hacked by nation-states such as Russia and China to suppress dissent and steal state secrets
  • the Internet may not survive this onslaught of crime

To listen: http://www.npr.org/templates/story/story.php?storyId=122958695#
