Tag Archives: Oracle

Prevent Java updates from installing annoying toolbars

As of Java 7 update 67, administrators may request that future Java updates not install useless annoying browser toolbars (such as the Ask toolbar).

By default, Oracle allows Java updates to install this junk. You must explicitly opt out:

  • Within Windows Control Panel, click on the Java applet.
  • Click on the Advanced tab.
  • Scroll down to the bottom of the sheet.
  • Beneath the Miscellaneous heading you’ll see “Suppress sponsor offers when installing or updating Java”.
  • Click on its check box. (By default, it will be unchecked.)
  • Click the Apply button.
  • Click the OK button.

You’re done.

I applaud Oracle for giving us this option. I’d give them a standing ovation if they’d add this junky Ask toolbar only if we opted in.

Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Java in browsers continues to be dangerous.

Michael Horowitz has updated his helpful javatester.org page. The gist is that Java is fine, as long as it doesn’t run in a browser. To be safe, just remove it from your computer.

We discussed Java’s vulnerabilities last September:

Oracle just doesn’t seem to be fully committed to securing Java. Michael’s page does a good job of sorting out the Java confusion.


An old Java security flaw is discovered Sept 26.

A small outfit called Security Explorations has again found a serious security hole in Oracle’s Java. This is Java flaw 51 that they’ve found.

This latest discovery of a serious security problem with Java has not, as of 29 September, been repaired by Oracle. A website with malicious code can own any computer (with Java installed) that merely visits the website. This vulnerability exists in all versions of Java for all platforms from release 5 through 7 (the latest). That’s the bad news. The good news is that as of today this vulnerability is not known to have been exploited. The ball is in Oracle’s court. They need to patch Java ASAP.

I recommend that, if you don’t need it, you uninstall Java. If you or your business or bank requires Java, leave it on one web browser that you use for that purpose only. Install a second web browser (e.g. Opera, Mozilla Firefox, Google Chrome) without Java, and use this as your main browser.

Note that this is Java, not Javascript. Despite their similar names, the two languages are unrelated.

See “Java may still be vulnerable even after Oracle’s security patch” (3 September).


Java may still be vulnerable even after Oracle’s security patch.


diagram: Baptiste MATHUS
This is a comedy of errors.

For four months, Java has been vulnerable to attack. Oracle responded recently with Java version 7, which patched the holes in version 6. Java version 7 adds two functions; unfortunately those functions include new improved vulnerabilities.

Andy Greenberg wrote about the latest Oracle problems with Java in a recent Forbes article.

Java has been with us since 1996. I recall the joy that greeted its introduction by Sun Microsystems: a Java program could be written once and then execute on Windows, Mac, and a variety of Unix machines. The slogan was write once, run anywhere. As malicious attacks have intensified, we’ve learned that the architecture of Java makes it vulnerable to attack. It includes file system access and acquires the same rights as the currently logged-on user. That means if you are logged on to your PC as Administrator, a malicious Java program can do whatever it pleases on your PC.

The vulnerability in Java version 7 means that if a website contains malicious Java code, all that you need do is visit that website — you need not click on any links — and your Windows, Mac, or Linux machine is taken over (if you have Oracle’s Java installed on it). And you probably wouldn’t know it.

The open door to your PC is provided by having Java execute within your web browser. Until Oracle gets their Java act together, I recommend that you uninstall Java. Using Mozilla Firefox web browser with the NoScript add-in will also protect you. These days, few websites use Java anyway. Some multi-user games require Java, and a few financial reporting sites use Java. I don’t even have it installed on this Windows XP machine.

Sept 7 2012 update: Oracle has resorted to accepting payments from McAfee: when you download the Java update from Oracle, it defaults to installing McAfee Security Scanner, unless you opt out. Oracle ought to stop trying to maintain Java by themselves. As far as I know, it’s not generating revenue for them, so their heart isn’t in maintaining the code. Oracle and the user community would be better served by re-branding Java as open-source.
 
Reportedly many European bank sites use Java to provide on-line banking. I’d recommend that these users make certain that they keep their Java updated and use Mozilla Firefox with the NoScript add-on. The Safari browser on Macs prompts you before executing Java code, and disables it afterwards, so this should be okay for European banking users.
 
A good workaround would be to boot from an Ubuntu (Linux) live DVD/CD, and do your banking with it. It includes its own JRE (Java runtime environment), which is not vulnerable to Oracle’s Java vulnerabilities, or to any Windows vulnerabilities, either.


What’s the future for OpenOffice and MySQL?

 

On April 20, Sun Microsystems agreed to be purchased by Oracle (http://www.sun.com/third-party/global/oracle/).

 
Oracle is the leader in heavy-duty relational database systems. Sun Microsystems has overseen two popular software products: OpenOffice (an excellent free alternative to Microsoft Office); and MySQL, a relational database with over 6 million installations. Both OpenOffice and MySQL are open source products, meaning that for all practical purposes they are available to users at no cost. In practice, most organizations either purchase support contracts or hire IT staff to provide support. MySQL has won wide acceptance since its creation in 1996. Heavy-hitters Flickr, Facebook, Wikipedia, Google, Nokia, and YouTube are built upon MySQL database engines.

 

Whither MySQL?
MySQL has steadily grown into a heavy-duty product that poses a potential threat to Oracle. The TCO (Total Cost of Ownership) of MySQL is about one-sixteenth of the TCO for Oracle: http://www.mysql.com/tcosavings/ I had feared that Oracle, if allowed by the US Department of Justice to control MySQL, would find a way to kill MySQL.

One of the creators of MySQL, a Finnish programmer named Ulf Michael Widenius (nickname Monty), recently left Sun Microsystems and formed a company called Monty Program AB (http://askmonty.org/). Read Monty’s blog: http://monty-says.blogspot.com/  Monty has also recently formed the Open Database Alliance http://opendatabasealliance.com/

It appears that Monty’s moves — effectively forking the development of MySQL — will pull the rug out from under Oracle’s purchase of MySQL, should the DOJ approve the acquisition of MySQL by Oracle.

 

Whither OpenOffice?
Release 3.1 of OpenOffice was just published a few weeks ago. I hope that its development continues. There’s no love lost between Oracle’s chairman Larry Ellison and Microsoft’s chairman Bill Gates, so my hope is that Mr. Ellison will provide the resources necessary to keep OpenOffice a strong competitor to Microsoft Office.

 
Both futures look good
The conclusion? If we’re lucky, both OpenOffice and MySQL will continue to thrive, despite Oracle’s purchase of Sun Microsystems.

