Tag Archives: Java

Java in browsers continues to be dangerous.

Michael Horowitz has updated his helpful javatester.org page. The gist is that Java is fine, as long as it doesn’t run in a browser. To be safe, just remove it from your computer.

We discussed Java’s vulnerabilities last September:

Oracle just doesn’t seem to be fully committed to securing Java. Michael’s page does a good job of sorting out the Java confusion.

Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

An old Java security flaw is discovered Sept 26.

A small outfit called Security Explorations has again found a serious security hole in Oracle's Java. This is the 51st Java flaw that they have reported.

This latest discovery of a serious security problem with Java has not, as of 29 September, been repaired by Oracle. A website carrying malicious code can take over any computer that merely visits it, provided Java is installed and its browser plugin is enabled. The vulnerability exists in every version of Java, on every platform, from release 5 through 7 (the latest). That's the bad news. The good news is that, as of today, it is not known to have been exploited in the wild. The ball is in Oracle's court: they need to patch Java as soon as possible.

I recommend that, if you don't need it, you uninstall Java. If you, your business, or your bank requires Java, leave it enabled in one web browser that you use for that purpose only. Install a second web browser (e.g. Opera, Mozilla Firefox, Google Chrome) without the Java plugin, and use that as your main browser.

Note that this is Java, not JavaScript. Despite their similar names, the two languages are unrelated.

See Java may still be vulnerable even after Oracle's security patch (3 September).


Java may still be vulnerable even after Oracle’s security patch.


diagram: Baptiste MATHUS
This is a comedy of errors.

For four months, Java has been vulnerable to attack. Oracle responded recently with Java version 7, which patched the holes in version 6. Version 7 also added two new functions; unfortunately, those functions carry fresh vulnerabilities of their own.

Andy Greenberg wrote about the latest Oracle problems with Java in a recent Forbes article.

Java has been with us since 1996. I recall the joy that greeted its introduction by Sun Microsystems: a Java program could be written once and then run on Windows, Mac, and a variety of Unix machines. The slogan was "write once, run anywhere." As malicious attacks have intensified, we've learned that the architecture of Java makes it vulnerable to attack. Applets are meant to run in a sandbox, but a flaw that lets code escape that sandbox leaves it running with the browser's privileges: full file system access and the same rights as the currently logged-on user. That means if you are logged on to your PC as Administrator, a malicious Java program can do whatever it pleases on your PC.

The vulnerability in Java version 7 means that if a website contains malicious Java code, all you need do is visit that website (you need not click on any links) and your Windows, Mac, or Linux machine is taken over, provided Oracle's Java is installed and its browser plugin is enabled. And you probably wouldn't know it.

The open door to your PC is Java executing within your web browser. Until Oracle gets its Java act together, I recommend that you uninstall Java. Using the Mozilla Firefox web browser with the NoScript add-on, which blocks Java applets along with other plugin content unless you explicitly allow a site, will also protect you. These days, few websites use Java anyway. Some multi-user games require Java, and a few financial reporting sites use Java. I don't even have it installed on this Windows XP machine.
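The check that a page like javatester.org performs (and the check you would run yourself after uninstalling Java, to confirm nothing is left reachable from web pages) can be written in a few dozen lines of JavaScript. The following is an added example, not code from javatester.org or from this post's author: it reads the browser's navigator.javaEnabled() preference and the navigator.mimeTypes table that the Java plugin registers, reports whether a plugin is present and enabled, and parses the JRE version out of the plugin's MIME type or name. The sampleNavigator object at the bottom is constructed here for offline testing and imitates a Firefox with Java 7 Update 7; in a real page you would pass window.navigator.

```javascript
// Added example (not javatester.org's or the post author's code). Runs in a
// browser against window.navigator, or under Node against the constructed
// navigator-like object at the bottom.

// MIME types the Java plugin registers so that <applet>/<object> tags reach it.
const JAVA_MIME_RE = /^application\/x-java-(applet|vm|bean)/i;

// Parse a JRE version from a plugin MIME type or plugin name, e.g.
// "application/x-java-applet;jpi-version=1.7.0_07" or "Java(TM) Platform SE 7 U7".
// Returns {major, minor, update} or null when no version is present.
function parseJavaVersion(text) {
  if (!text) return null;
  let m = /version=(\d+)\.(\d+)(?:\.\d+)?(?:_(\d+))?/i.exec(text);
  if (m) return { major: +m[1], minor: +m[2], update: m[3] ? +m[3] : 0 };
  m = /Java\(TM\) Platform SE (\d+)(?: U(\d+))?/i.exec(text);
  if (m) return { major: 1, minor: +m[1], update: m[2] ? +m[2] : 0 };
  return null;
}

// True when v is at least min, using Oracle's 1.<release>.0_<update> numbering.
function versionAtLeast(v, min) {
  if (v.major !== min.major) return v.major > min.major;
  if (v.minor !== min.minor) return v.minor > min.minor;
  return v.update >= min.update;
}

// Render {major, minor, update} as "1.7.0_07"-style text.
function formatVersion(v) {
  if (!v) return 'unknown';
  return `${v.major}.${v.minor}.0_${String(v.update).padStart(2, '0')}`;
}

// Inspect a navigator object and report what a web page could reach.
function describeJava(nav) {
  const report = { javaEnabled: false, pluginFound: false, pluginNames: [], highest: null };
  // javaEnabled() reflects only the browser preference, not whether a JRE is installed.
  if (nav && typeof nav.javaEnabled === 'function') report.javaEnabled = !!nav.javaEnabled();
  const mimeTypes = (nav && nav.mimeTypes) || [];
  for (let i = 0; i < mimeTypes.length; i++) {
    const mt = mimeTypes[i];
    if (!mt || !JAVA_MIME_RE.test(mt.type || '')) continue;
    report.pluginFound = true;
    const plugin = mt.enabledPlugin;
    if (plugin && plugin.name && report.pluginNames.indexOf(plugin.name) < 0) {
      report.pluginNames.push(plugin.name);
    }
    // Prefer the version embedded in the MIME type; fall back to the plugin name.
    const v = parseJavaVersion(mt.type) || parseJavaVersion(plugin && plugin.name);
    if (v && (!report.highest || versionAtLeast(v, report.highest))) report.highest = v;
  }
  // A page can drive the plugin only if it is both registered and enabled.
  report.reachableFromWebPages = report.pluginFound && report.javaEnabled;
  return report;
}

// Constructed sample (not captured from a real browser): Firefox-style tables
// for a machine with Java 7 Update 7 installed and enabled.
const sampleNavigator = {
  javaEnabled: () => true,
  mimeTypes: [
    { type: 'application/x-java-applet;jpi-version=1.7.0_07',
      enabledPlugin: { name: 'Java(TM) Platform SE 7 U7' } },
    { type: 'application/x-java-vm',
      enabledPlugin: { name: 'Java(TM) Platform SE 7 U7' } },
    { type: 'application/pdf', enabledPlugin: { name: 'Adobe Acrobat' } },
  ],
};

const target = (typeof window !== 'undefined' && window.navigator) ? window.navigator : sampleNavigator;
const report = describeJava(target);
console.log('Java plugin registered:', report.pluginFound);
console.log('Java enabled in browser:', report.javaEnabled);
console.log('Reachable from web pages:', report.reachableFromWebPages);
console.log('Highest JRE version seen:', formatVersion(report.highest), report.pluginNames);
```

The result you want after following the advice above is pluginFound false on your everyday browser. A machine that still needs Java for one site should show reachableFromWebPages true only in the browser reserved for that site, and the version reported there is what you compare against Oracle's latest release before trusting it.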

Sept 7 2012 update: Oracle has resorted to accepting payments from McAfee: when you download the Java update from Oracle, it defaults to installing McAfee Security Scanner, unless you opt out. Oracle ought to stop trying to maintain Java by themselves. As far as I know, it’s not generating revenue for them, so their heart isn’t in maintaining the code. Oracle and the user community would be better served by re-branding Java as open-source.
 
Reportedly, many European bank sites use Java for on-line banking. I'd recommend that these users keep their Java updated and use Mozilla Firefox with the NoScript add-on. The Safari browser on Macs prompts you before executing Java code and disables it again afterwards, so it should be okay for European banking users.
 
A good workaround would be to boot from an Ubuntu (Linux) live DVD/CD and do your banking from it. Nothing an attacker plants during that session survives the reboot, and the live system is untouched by Windows vulnerabilities. One caveat: any JRE a Linux live system carries is OpenJDK, which shares much of its code base with Oracle's Java and has needed patches for some of the same sandbox flaws, so keep it updated just as you would Oracle's.
