Wilders Security Forums  
#1 lotuseclat79 (Very Frequent Poster), October 23rd, 2012, 09:29 AM

Java still has a crucial role to play—despite security risks

Quote:
Many Ars readers block Java plugins, but say Java apps are important in business.

Note: This article puts the blame where it belongs, i.e. on the browser Java plugins!

-- Tom

Last edited by ronjor : October 23rd, 2012 at 12:56 PM. Reason: Repair post

#2 Mman79 (Very Frequent Poster), October 23rd, 2012, 12:51 PM

I've uninstalled Java entirely, but I already understood the language was not necessarily the problem. I don't do online banking yet and I no longer use the extremely tiny amount of websites that require the Java plugin, so said plugin can kiss it for all I care.

#3 Ocky (Very Frequent Poster), October 23rd, 2012, 01:23 PM

Most interactive stock charts use it, so in my case I need it. I do however nowadays disable Java (the Oracle version) in the browsers if not needed.
__________________
Ubuntu Kubuntu Xubuntu Scientific Linux

#4 PJC (Very Frequent Poster), October 24th, 2012, 05:01 AM

Java still has a crucial role to play...

Unfortunately...

#5 TOMxEU (Very Frequent Poster), October 24th, 2012, 12:28 PM

Well, people still think that they need it, even though HTML5/Flash/Silverlight took its place just fine, and it comes preinstalled on new computers from "IT experts" as well.
__________________
Real-Time: Nothing | On-Demand: Nothing [ Lenovo E525 | Yandex | CCleaner | KC SUMo | WiseCare 365 ] ( BlackViper / DEP / OpenDNS / UAC / WiFiRouter )

#6 AMIGA500 (Very Frequent Poster), October 24th, 2012, 12:42 PM

Not that crucial to me, I've uninstalled Java without any issues so far.
__________________
Avira Free av|Comodo Firewall 5.12|MBAM Free.|Sandboxie.|Firefox Browser.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#7 pabrate (Frequent Poster), October 24th, 2012, 12:54 PM

Never liked it, never used it, don't need it at all, haven't encountered anything so far that requires it.
Even if I find something that needs Java I wouldn't install it.

#8 The GLoW (Infrequent Poster), October 28th, 2012, 05:53 PM

Like so many others, I assumed Java was necessary. I cautiously uninstalled it from one system, and then another system, until no system was running it anymore. Haven't missed it yet!
__________________
"I once had a life...now I have a computer."

| Windows 7 Professional | SRP | UAC Max | SUA | EMET | Windows Firewall w/Advanced Security | MBAM Pro | Sandboxie Lifetime |

#9 jo3blac1 (Frequent Poster), October 31st, 2012, 08:20 PM

I need Java for one specific application. But I use SBIE, which should contain it.

#10 Wild Hunter (Former Poster), October 31st, 2012, 11:38 PM

I stopped installing Java more than a year ago. LibreOffice Portable was the only software I had that needed Java for some non-essential functions without use for me. Now I don't even need LibreOffice Portable too, but I keep an updated copy just to accompany its development. As for websites requiring Java, they can all FOAD.

#11 chrisretusn (Very Frequent Poster), November 1st, 2012, 12:17 AM

I use several Java programs that need it. I'm not all that worried about it.
__________________
FreeDOS, Haiku, PCLinuxOS, Slackware, Snow Leopard, Ubuntu, Ultimate Edition, Windows 7, Windows XP. (Primary OS, KDE)

Living in Paradise!!

#12 BoerenkoolMetWorst (Very Frequent Poster), November 1st, 2012, 02:42 PM

If you have to use it, keep in mind that Java does not check certificates through either OCSP or CRLs, but you can enable both in the Java Control Panel.

#13 siljaline (Security Expert), November 4th, 2012, 11:21 PM

Do you really need Java Just my .02

#14 Kerodo (Incredibly Massive Poster), November 4th, 2012, 11:26 PM

I used to install it automatically with every new install of Win, but now I don't anymore, and I haven't needed it for a long time.
__________________
If it ain't broke, you haven't tweaked it enough....

#15 Rmus (Exploit Analyst), November 5th, 2012, 04:19 AM

Java comes with my browsers, and I need it for one site.

I've never understood why Java is more of a security risk than other such applications.

As the article points out, the problem resides with the browser plugin, and is easily dealt with:

Quote:
Some users run Java plugins on a case-by-case basis, either by using a "click-to-play" browser feature, or by disabling Java in a primary browser while leaving it enabled in a secondary one.

However, articles about exploits can be misleading without careful scrutiny.

Recently, an isc.sans.edu diary included this:

Patched your Java yet?
Published: 2012-11-01
http://isc.sans.edu/diary/Patched+your+Java+yet+/14428
Quote:
Looking through the logs even further back, we were able to determine that the original infection had happened when the user visited a - perfectly benign - newspaper web site, which at the time apparently was featuring a poisoned advertisement banner somewhere within the page content. The entire attack happened completely stealthily, there is nothing the user could have seen or done...

A couple of years ago when such poisoned advertisements were all the rage, it was assumed by many that the banner ad carried the exploit and its payload.

An Avast blog had a nice article about this type of poisoning, and I posted a comment asking about this, and the author answered:

Ads poisoning - JS: Prontexi
February 2010
http://blog.avast.com/2010/02/18/ads...texi/#more-871
Quote:
The ad code is redirecting to the randomly generated distribution domains -> payload itself is located out of the ad services.

So, that clarified things: these are redirection exploits. (Back then, PDF was the favored exploit!)

A year later:

Red Alert on legendarydevils.com
http://stopmalvertising.com/tag/exploit-kit.html
Quote:
As reported 24 hours ago, the site legendarydevils.com with an Alexa rank of 21,012 has made the terrible mistake of choosing YesUp / Clicksor as their advertising network.

Visitors of the high traffic warez site are exploited by malware through several malvertisement redirections.

Back to the sans.edu Diary: One of the comments explains the attack method:

Quote:
The DNS entries are very short-lived, and the exploit and payload URIs are one-time and restricted to a single IP. The landing page is usually full of random junk words and includes the Java exploit and some encrypted payload URLs (the encryption varies once or twice a day).

All of this means that if the user takes the advice of the original article, even if Java is enabled for that newspaper site (for whatever reason), once redirected via a poisoned banner ad to a malware site, a Java exploit fails to run because Java is not enabled for that site.

In such a case, the browser window just sits there and does nothing:

[Attached image: javaNoRun.jpg]

Thus, if one needs Java for whatever reason, there are ways to be protected from exploits.


----
rich
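
Added example (not part of the thread or the linked articles): a defender-side check over web-proxy logs for the pattern described in post #15, where a Java archive is fetched from a host outside the set of sites allowed to run the plugin, with the referer chain walked back to the page the user actually opened. The log layout, the `.example` hosts and the allowlist are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed proxy records (client, url, referer, content_type); hosts are placeholders.
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example/front", "", "text/html"),
    ("10.0.0.5", "http://ads.example/banner.js", "http://news.example/front", "application/javascript"),
    ("10.0.0.5", "http://xk3q9.example/land", "http://ads.example/banner.js", "text/html"),
    ("10.0.0.5", "http://xk3q9.example/a.jar", "http://xk3q9.example/land", "application/java-archive"),
    ("10.0.0.7", "http://charts.example/app", "", "text/html"),
    ("10.0.0.7", "http://charts.example/chart.jar", "http://charts.example/app", "application/java-archive"),
]

JAVA_TYPES = {"application/java-archive", "application/x-java-archive",
              "application/java-vm", "application/x-java-vm"}
JAVA_ALLOWED_HOSTS = {"charts.example"}  # assumption: the only site meant to run Java

def host(url):
    return urlsplit(url).hostname or ""

def referer_chain(client, url, seen):
    """Walk referers back from a request to the first page this client opened."""
    chain = [url]
    while seen.get((client, url)):
        url = seen[(client, url)]
        if url in chain:  # guard against referer loops
            break
        chain.append(url)
    return chain[::-1]

def find_unexpected_java(records, allowed=JAVA_ALLOWED_HOSTS):
    """Return one alert per Java fetch served by a host outside the allowlist."""
    seen, alerts = {}, []
    for client, url, referer, ctype in records:
        seen[(client, url)] = referer
        is_java = ctype in JAVA_TYPES or urlsplit(url).path.endswith((".jar", ".class"))
        if is_java and host(url) not in allowed:
            hops = [host(u) for u in referer_chain(client, url, seen)]
            alerts.append({"client": client, "java_host": host(url),
                           "origin": hops[0], "hops": hops})
    return alerts

if __name__ == "__main__":
    for alert in find_unexpected_java(SAMPLE_LOG):
        print(alert)
```

An alert whose `origin` is a site the user trusts but whose `java_host` is not on the allowlist is the redirect case from the post; the same allowlist is what a per-site or click-to-play plugin policy enforces in the browser.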

#16 chrisretusn (Very Frequent Poster), November 5th, 2012, 05:49 AM

Quote:
Originally Posted by siljaline
Do you really need Java Just my .02

Yes I do. I do not need it to browse. I have Java programs that need Java to run.
__________________
FreeDOS, Haiku, PCLinuxOS, Slackware, Snow Leopard, Ubuntu, Ultimate Edition, Windows 7, Windows XP. (Primary OS, KDE)

Living in Paradise!!

#17 PJC (Very Frequent Poster), November 5th, 2012, 06:09 AM

Quote:
Originally Posted by chrisretusn
Yes, I do. I do not need it to browse. I have java programs that need java to run.

Same, here.
Just Another Vulnerability Added (JAVA) is a...Necessary Evil...

#18 chrisretusn (Very Frequent Poster), November 5th, 2012, 07:44 PM

Quote:
Originally Posted by Mr.PC
Same, here.
Just Another Vulnerability Added (JAVA) is a...Necessary Evil...

I don't look at Java as being evil. Everything has its vulnerabilities. HeHe, I still run Windows because I need it for a couple of programs.
__________________
FreeDOS, Haiku, PCLinuxOS, Slackware, Snow Leopard, Ubuntu, Ultimate Edition, Windows 7, Windows XP. (Primary OS, KDE)

Living in Paradise!!

#19 siljaline (Security Expert), November 7th, 2012, 09:33 PM

If it's necessary to run your apps, it's a necessary evil.
Quote:
Originally Posted by chrisretusn
Yes I do. I do not need it to browse. I have java programs that need java to run.

#20 chrisretusn (Very Frequent Poster), November 8th, 2012, 05:56 AM

To you perhaps. To me it's not evil, just necessary. I just added yet another Java program to my Java programs list.
__________________
FreeDOS, Haiku, PCLinuxOS, Slackware, Snow Leopard, Ubuntu, Ultimate Edition, Windows 7, Windows XP. (Primary OS, KDE)

Living in Paradise!!

#21 siljaline (Security Expert), November 14th, 2012, 02:24 AM

And likewise. Java has not seen this Win 7 PC yet and never will.
All times are GMT -4.