US Dept Homeland Security urges Disable Java

Postby bUU » Mon Jan 14, 2013 12:37 pm

I bet Reuters gained another few "rating points" of audience from fostering FUD.

Postby sscritic » Mon Jan 14, 2013 12:41 pm

Also here:
Security researcher Adam Gowdiak from Security Explorations has been keeping an eye on the software flaws in Java over the past year. Once Gowdiak analyzed the latest update to Java, he found that the patch still leaves a number of "critical security flaws," according to Reuters. This statement, mirrored by AlienVault Labs' Jaime Blasco who branded Oracle's offering as a "mess," was later reinforced by the firm's recommendation against using the software.

"We don't dare to tell users that it's safe to enable Java again," Gowdiak commented.
http://www.zdnet.com/security-experts-o ... 000009756/
taken from
http://uk.reuters.com/article/2013/01/1 ... JA20130114

Postby Mudpuppy » Mon Jan 14, 2013 1:49 pm

magellan wrote:
Mudpuppy wrote:Separate accounts are both a psychological factor and a removal of low-hanging fruit. On the psychological side, it gets the users into a different mindset and habits, while not being as expensive as a separate machine. On the low-hanging fruit side, not all malware is coded to use privilege escalations to break out of the privileges of the account where the malware was run.

Interesting. Thanks for the explanation. I hadn't heard the advice to use multiple standard user accounts before.

So as I understand it, a typical Windows user should set up three accounts on their machine.
1) An administrator account (that they probably will never log into)
2) A standard user account for everyday use
3) A second standard user account for financial transactions

Also, when switching between accounts, it's safer to use "Log off" rather than 'Switch user'. Is that about right?

Also, for the OP's situation, where he has a single school website that needs Java, I still think the dual browser approach is workable within the same user account. I suppose the two user accounts model would be marginally safer, but if the Java enabled browser is only used for access to the school website, I'm not sure there's much added risk in doing this in the 'everyday use' account and not having to log off/log in just to visit the school website. Of course, as you've pointed out, adding the second user account for financial stuff would offer still more protection.

Jim

I'm not going to claim this is a "best practice", because the best practice is still to have physical separation (another machine) or strong logical separation (do web browsing in one virtual machine and financial stuff in another virtual machine). But it is what I like to call a "better practice", as in it's better than just doing everything from the same account.

Postby Mudpuppy » Mon Jan 14, 2013 1:54 pm

bicker wrote:
richard wrote:Crisis averted if you trust Oracle to find and fix all bugs

The crisis pertains to one bug - not really a bug in the code, per se, but rather an inadequacy in the design. Therefore, the reasonable expectation is that the design inadequacy has been addressed and the code updated to reflect the new design, as it pertains to this one exploit. Not all exploits. The distinction is important, and goes back to what others said earlier about uninstalling Windows etc. if you want to "fix all bugs".

And yet, one must ask oneself: "Is this an isolated inadequacy of design or is there a fundamental and pervasive inadequacy of design, the full consequences of which have yet to be discovered?"

Postby Browser » Mon Jan 14, 2013 1:57 pm

I downloaded the update, because I figure if I need to use Java it's better than what it replaced. But I still plan to keep it deactivated in my browser and use it only if really necessary. Also have deactivated Silverlight per another poster's suggestions. Now, anybody know anything about Adobe Air? I've got that on my system for some reason and don't know what it is or if I should deactivate it too.
If we have data, let’s look at data. If all we have are opinions, let’s go with mine. – Jim Barksdale

Postby bUU » Mon Jan 14, 2013 2:08 pm

Mudpuppy wrote:And yet, one must ask oneself: "Is this an isolated inadequacy of design or is there a fundamental and pervasive inadequacy of design, the full consequences of which have yet to be discovered?"

There is little doubt that new exploits can always be found. That has always been the case (and therefore should have been factored into the decision to install Java plug-ins in the first place or leave them enabled in your browser) and will always be the case. This exploit has been addressed. While there can be similar doors open to similar exploits, from what I know of Oracle they wouldn't release a "fix" if it didn't actually "fix" what they said it fixed. The flaw is bad enough - releasing something and calling it a "fix" when it actually isn't is something no one but a moron would do, just from a liability perspective (exculpatory clauses aside). The challenge now is for Oracle to discover related exploits faster than hackers, and fix them in a timely manner.

Postby tadamsmar » Mon Jan 14, 2013 2:15 pm

bicker wrote:
Mudpuppy wrote:And yet, one must ask oneself: "Is this an isolated inadequacy of design or is there a fundamental and pervasive inadequacy of design, the full consequences of which have yet to be discovered?"

There is little doubt that new exploits can always be found. That has always been the case (and therefore should have been factored into the decision to install Java plug-ins in the first place or leave them enabled in your browser) and will always be the case. This exploit has been addressed. While there can be similar doors open to similar exploits, from what I know of Oracle they wouldn't release a "fix" if it didn't actually "fix" what they said it fixed. The flaw is bad enough - releasing something and calling it a "fix" when it actually isn't is something no one but a moron would do, just from a liability perspective (exculpatory clauses aside). The challenge now is for Oracle to discover related exploits faster than hackers, and fix them in a timely manner.


When the hacker wins the race, it's called a "zero day attack":

http://en.wikipedia.org/wiki/Zero-day_attack

These are pretty common.

Postby Mudpuppy » Mon Jan 14, 2013 2:18 pm

bicker wrote:
Mudpuppy wrote:And yet, one must ask oneself: "Is this an isolated inadequacy of design or is there a fundamental and pervasive inadequacy of design, the full consequences of which have yet to be discovered?"

There is little doubt that new exploits can always be found. That has always been the case (and therefore should have been factored into the decision to install Java plug-ins in the first place or leave them enabled in your browser) and will always be the case. This exploit has been addressed. While there can be similar doors open to similar exploits, from what I know of Oracle they wouldn't release a "fix" if it didn't actually "fix" what they said it fixed. The flaw is bad enough - releasing something and calling it a "fix" when it actually isn't is something no one but a moron would do, just from a liability perspective (exculpatory clauses aside). The challenge now is for Oracle to discover related exploits faster than hackers, and fix them in a timely manner.

I try to make it a policy to not bicker with someone whose username indicates that is their primary motivation (and who uses words like "moron"), but you missed my point entirely. I am not speaking in generalities of vulnerabilities, which do come from flaws because humans are flawed and will make mistakes from time to time. I am talking about fundamentally bad design. Design so bad that any software engineer or security professional would recognize it as bad design that should be avoided. Design so bad the product should just be scrapped and rebuilt from scratch. Any time a product has a string of critical flaws, one must ask if it's just isolated programmer error or fundamentally bad design.

Postby bUU » Mon Jan 14, 2013 2:19 pm

tadamsmar wrote:These are pretty common.

And we won't see an end to such things as long as there are computer networks.

Mudpuppy wrote:Design so bad the product should just be scrapped and rebuilt from scratch. Any time a product has a string of critical flaws, one must ask if it's just isolated programmer error or fundamentally bad design.

Or a reflection of conflicting requirements, the satisfaction of all being impracticable.
Re: US Dept Homeland Security urges Disable Java

Postby tadamsmar » Mon Jan 14, 2013 2:28 pm

Mudpuppy wrote:
bicker wrote:
Mudpuppy wrote:And yet, one must ask oneself: "Is this an isolated inadequacy of design or is there a fundamental and pervasive inadequacy of design, the full consequences of which have yet to be discovered?"

There is little doubt that new exploits can always be found. That has always been the case (and therefore should have been factored into the decision to install Java plug-ins in the first place or leave them enabled in your browser) and will always be the case. This exploit has been addressed. While there can be similar doors open to similar exploits, from what I know of Oracle they wouldn't release a "fix" if it didn't actually "fix" what they said it fixed. The flaw is bad enough - releasing something and calling it a "fix" when it actually isn't is something no one but a moron would do, just from a liability perspective (exculpatory clauses aside). The challenge now is for Oracle to discover related exploits faster than hackers, and fix them in a timely manner.

I try to make it a policy to not bicker with someone whose username indicates that is their primary motivation (and who uses words like "moron"), but you missed my point entirely. I am not speaking in generalities of vulnerabilities, which do come from flaws because humans are flawed and will make mistakes from time to time. I am talking about fundamentally bad design. Design so bad that any software engineer or security professional would recognize it as bad design that should be avoided. Design so bad the product should just be scrapped and rebuilt from scratch. Any time a product has a string of critical flaws, one must ask if it's just isolated programmer error or fundamentally bad design.


It might be a problem of neglect. Java was pretty well designed. But the browser plug-in might be a bit of a step-child since it was developed by Sun Microsystems and Sun was bought by Oracle in 2010. And the Java programming language was made public via GNU in 2007, so it's perhaps not a big profit center for Oracle.

Postby bUU » Mon Jan 14, 2013 2:40 pm

I think it goes beyond that. Java was to a great extent Sun's pride and joy - the practically non-profit foundation on which they built their profit business. Yet, there have been issues of concern with Java plug-ins since Day One - really, with all plug-ins. ActiveX controls were arguably worse. We built a product the UI functionality for which hinged greatly on a specific built-in control that Microsoft shipped as part of the operating system. Fast forward five years later and they kill-bit'ed it.

The right answer unfortunately won't look like the right answer to many people: Throw everything we have now away, and build new. There's the cost of doing so, for starters, but then you also need to insist that all your users upgrade to the latest and greatest and the resistance when you demand something like that of users is significant. They "blame" you for not being good enough to figure out a way of giving them what they want without them having to do anything invasive like that.

It's coming though. If Microsoft sticks to their guns (which is 50/50 at this point), and Apple and Google cooperate (even less likely), then ActiveX, Silverlight, Flash, Java, etc. will all be gone from browsers, and everything will be HTML5.

Not that that won't have its own set of unique exposures.

Postby richard » Tue Jan 15, 2013 1:22 pm

The US government adds its voice to those who continue to recommend that users disable Java in web browsers unless absolutely necessary. Seems update 11 did not do enough to fix problems.
Update to Java 7u11

Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
http://www.kb.cert.org/vuls/id/625617
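The CERT note quoted above says "disable it as described below"; what that comes down to on disk is one key in Java's deployment.properties, the file behind the Java Control Panel's Security tab. The following Python script is an added example for this thread, not code from the forum, from CERT or from Oracle. It assumes the Java 7u10+ property names deployment.webjava.enabled and deployment.security.level (values LOW, MEDIUM, HIGH, VERY_HIGH), assumes the usual per-user file locations named in the comments, and works on a sample file constructed here to look like what 7u11 leaves behind by default. It reports what the current settings actually allow (the 7u11 default of HIGH only prompts before an unsigned applet runs, it does not block one) and writes out the hardened version.

```python
"""Audit and harden Java's deployment.properties.

Added example for this thread; not code from the forum or from Oracle.
Assumed property names (Java 7u10+): deployment.webjava.enabled and
deployment.security.level. Assumed per-user file locations:
  Windows: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  Linux:   ~/.java/deployment/deployment.properties
"""

# Constructed sample: web Java still on, default level HIGH as 7u11 sets it.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Mon Jan 14 13:00:00 PST 2013
deployment.version=7.11
deployment.security.level=HIGH
deployment.webjava.enabled=true
deployment.javaws.jre.0.enabled=true
"""

# What "disable Java content in the browser" means at the file level, plus
# the strictest applet policy for the day the plugin gets re-enabled.
HARDENED = {
    "deployment.webjava.enabled": "false",
    "deployment.security.level": "VERY_HIGH",
}


def _split(line):
    """Split one .properties line into (key, value); None for blank/comment.

    Simplified reader: the separator is the first '=' or ':'; backslash
    escapes and line continuations are not handled.
    """
    s = line.strip()
    if not s or s[0] in "#!":
        return None
    positions = [i for i in (s.find("="), s.find(":")) if i >= 0]
    if not positions:
        return s, ""
    i = min(positions)
    return s[:i].strip(), s[i + 1:].strip()


def parse_properties(text):
    """Return the key/value pairs of a deployment.properties text."""
    props = {}
    for line in text.splitlines():
        kv = _split(line)
        if kv:
            props[kv[0]] = kv[1]
    return props


def audit(props):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    # Absent key means the plugin is enabled (the installer's default).
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("web Java is enabled: the browser plugin will load applets")
    level = props.get("deployment.security.level")
    if level is None:
        findings.append("security level not set: the JRE's own default applies "
                        "(MEDIUM before 7u11, HIGH from 7u11 on)")
    elif level.upper() in ("LOW", "MEDIUM"):
        findings.append("security level %s: unsigned applets run without a prompt"
                        % level.upper())
    elif level.upper() == "HIGH":
        findings.append("security level HIGH: unsigned/self-signed applets run after "
                        "one click on a prompt, so this is a speed bump, not a block")
    return findings


def harden(text):
    """Rewrite the file text with HARDENED values, keeping every other line."""
    out, seen = [], set()
    for line in text.splitlines():
        kv = _split(line)
        if kv and kv[0] in HARDENED:
            out.append("%s=%s" % (kv[0], HARDENED[kv[0]]))
            seen.add(kv[0])
        else:
            out.append(line)
    for key in HARDENED:          # add keys the file never had
        if key not in seen:
            out.append("%s=%s" % (key, HARDENED[key]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for finding in audit(parse_properties(text)) or ["no findings"]:
        print(finding)
    print("--- hardened ---")
    print(harden(text), end="")
```

Run it with the path to your own deployment.properties (with Java and all browsers closed, since the plugin reads the file at startup), and point the hardened output back at that file. Two caveats a practitioner would add: the per-user file is writable by anything running as that user, so malware that already runs under your account can flip the key back, which is the same reason the thread's advice about separate standard accounts has teeth; and for a machine-wide, non-overridable setting, Oracle's system-level deployment.properties (referenced from deployment.config) supports a ".locked" suffix on a key, e.g. deployment.webjava.enabled.locked, which the user-level file cannot undo.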

Postby SSSS » Tue Jan 15, 2013 1:56 pm

Given the latest recommendation, I feel compelled to plug the QuickJava extension for Firefox again:

https://addons.mozilla.org/en-US/firefo ... quickjava/

This allows you to toggle Java off & on with a single click. I leave Java turned off most of the time, and only rarely encounter any websites that require it (except on my work PC). The extension also has toggle buttons for Javascript, Flash, Silverlight, etc.

Postby Epsilon Delta » Tue Jan 15, 2013 2:05 pm

bUU wrote:It's coming though. If Microsoft sticks to their guns (which is 50/50 at this point), and Apple and Google cooperate (even less likely), then ActiveX, Silverlight, Flash, Java, etc. will all be gone from browsers, and everything will be HTML5.

I don't think HTML5 will make any difference. As I see it the problem is that we want the "good guys" to be able to execute arbitrary* code on our PCs while preventing the "bad guys" from doing so. We all have different definitions of who the "good guys" are; and, worse, individual definitions are internally inconsistent, and change from day to day.

* And we don't actually mean arbitrary; we mean we want what we want and don't want what we don't want. What do you mean that's not a good enough definition?

Postby Default User BR » Tue Jan 15, 2013 2:14 pm

Epsilon Delta wrote:I don't think HTML5 will make any difference. As I see it the problem is that we want the "good guys" to be able to execute arbitrary* code on our PCs while preventing the "bad guys" from doing so.

Perhaps you do, but I'd rather none of them were doing so. There are few instances, like streaming video, where it might be necessary, but that's not arbitrary.


Brian

Postby SSSS » Tue Jan 15, 2013 2:30 pm

Epsilon Delta wrote:As I see it the problem is that we want the "good guys" to be able to execute arbitrary* code on our PCs while preventing the "bad guys" from doing so.


If the bad guys were all RFC3514-compliant, this would be a non-issue. They've had almost ten years and most are still not marking their traffic appropriately.

Postby Mudpuppy » Tue Jan 15, 2013 2:52 pm

SSSS wrote:
Epsilon Delta wrote:As I see it the problem is that we want the "good guys" to be able to execute arbitrary* code on our PCs while preventing the "bad guys" from doing so.


If the bad guys were all RFC3514-compliant, this would be a non-issue. They've had almost ten years and most are still not marking their traffic appropriately.

They're still working on infecting RFC1149 traffic. They haven't had time to get to RFC3514.

Postby Epsilon Delta » Tue Jan 15, 2013 3:01 pm

Default User BR wrote:
Epsilon Delta wrote:I don't think HTML5 will make any difference. As I see it the problem is that we want the "good guys" to be able to execute arbitrary* code on our PCs while preventing the "bad guys" from doing so.

Perhaps you do, but I'd rather none of them were doing so. There are few instances, like streaming video, where it might be necessary, but that's not arbitrary.


Brian

It's a generic "we", my list of good guys is very short. :twisted:

Arbitrary code is needed for anything new. If it's genuinely new it needs to run code that was not even thought of when your system was designed. An OS or malware scanner can't tell good new things from bad new things when asked to install them. Usually the OS punts to the user, but users can't tell good from bad either. Sometimes users can't even do it years later after we have years of experience with the no longer new thing.

Postby Browser » Tue Jan 15, 2013 6:50 pm

SSSS wrote:Given the latest recommendation, I feel compelled to plug the QuickJava extension for Firefox again:

https://addons.mozilla.org/en-US/firefo ... quickjava/

This allows you to toggle Java off & on with a single click. I leave Java turned off most of the time, and only rarely encounter any websites that require it (except on my work PC). The extension also has toggle buttons for Javascript, Flash, Silverlight, etc.

Anything like that for Chrome?

Postby SSSS » Tue Jan 15, 2013 6:59 pm

Browser wrote:
SSSS wrote:Given the latest recommendation, I feel compelled to plug the QuickJava extension for Firefox again:

https://addons.mozilla.org/en-US/firefo ... quickjava/

This allows you to toggle Java off & on with a single click. I leave Java turned off most of the time, and only rarely encounter any websites that require it (except on my work PC). The extension also has toggle buttons for Javascript, Flash, Silverlight, etc.

Anything like that for Chrome?


I don't actively use Chrome, but a quick bit of searching indicated there's not a direct equivalent. I did find some information that Chrome has an option where you can set certain plugins like Java to only be invoked with user permission.

http://superuser.com/questions/138245/q ... gle-chrome

The latest chrome (10.x) has something called "Click to play" which lets chrome display a little icon where normally the flash/java/silverlight would be. The user has to click the area to play it.

You can enable that feature by going to 'about:flags' and activate it. After that you can choose under 'Options' -> 'Under the Hood' -> 'Content Settings' -> 'Plugins' what to do when Chrome encounters a plugin.

Postby Calm Man » Tue Jan 15, 2013 8:18 pm

I don't know anything about java. But after reading the post and checking the link I disabled it in my mozilla firefox. After a few days with a lot of internet use I have observed no loss of anything.

Postby SSSS » Tue Jan 15, 2013 8:36 pm

Calm Man wrote:I don't know anything about java. But after reading the post and checking the link I disabled it in my mozilla firefox. After a few days with a lot of internet use I have observed no loss of anything.


To verify you've actually disabled it, you can visit one of these sites:

http://javatester.org/version.html
http://www.java.com/en/download/testjava.jsp

Postby Peculiar_Investor » Tue Jan 15, 2013 8:54 pm

For those using either Firefox or Chrome as your browser. If Java is not working, check out Can't install Java 7 update 11 on Firefox 18.0 | Firefox Support Forum | Mozilla Support. Apparently a known bug (Bug ID: 8005410 bad mozilla plugin registry entry after 7u10 is installed) is preventing Firefox and Chrome from recognizing that the Java plugin is installed.

The only workaround I've found involves editing the registry. My workaround, use IE 9, if Java functionality is required.

BTW, the latest stable Chrome is version 24, so I'd be careful relying on an article that mentions "The latest chrome (10.x)"

Postby tadamsmar » Thu Jan 17, 2013 9:01 pm

New zero-day emerges in Java, just four days after previous flaw was patched

http://www.scmagazineuk.com/new-zero-da ... le/276368/

Postby Browser » Fri Jan 18, 2013 1:28 am

SSSS wrote:I don't actively use Chrome, but a quick bit of searching indicated there's not a direct equivalent. I did find some information that Chrome has an option where you can set certain plugins like Java to only be invoked with user permission.

http://superuser.com/questions/138245/q ... gle-chrome

I'm running the current version of Chrome. I found that this version now has a button setting for Plug-ins that can be set to Click-to-Play. You get to it by navigating Settings->Show Advanced Settings->Content Settings. Java has to be enabled in the browser. Now when a website attempts to run Java a box comes up on screen and you have to give it permission. This is a lot more convenient, and I hope it is as secure as simply disabling Java in the browser or disabling Java in the java control panel.