Ditching Java might be a good move

It would be nice if there were an alternative VM for Windows. I'm a bit surprised there isn't one - perhaps licensing issues.

 

Users having it isn't the problem. It's all the old websites, special functions of business sites and more that is the issue. I agree that it's time to go, but, telling users to dump something they may need has never worked well. Flash is a huge issue as well still, but try getting rid of that for a few days and see how well you do on the web, you know?

 

I don't see Flash as being as big an issue as Java.

Flash actually rolls out updates and supports basic things like ASLR. They seem to at least be trying.

Oracle doesn't do **** and their product is god awful.

And Java is a much more likable target since exploits will be cross platform.

 

I still think Flash is a big issue simply because there are so many opportunities to get your payload out there. That being said, Adobe has come a long way in trying to keep Flash as safe as humanly possible. More can always be done, but, like you said, they're trying. In a better world, neither would be needed, but we're not there yet.

 

Speaking of Java, I only realised that there had been a new update to Version 6 Update 30 earlier today. I think it's been out at least a week! I must be slipping.

Check here

 

This debate is getting old *yawn*

 

If it were just HTML, CCS, and JS, we'd just see exploits in those.

As it stands we have nice easy targets like Flash and Javascript. I see fewer and fewer Flash exploits and more and more Reader/ Java exploits though.

 

Go to sleep, we'll wake you when something of your interest comes back up.

 

I wouldn't count out Flash exploits just yet. It's going to be here a long time still. Unlike Flash/Java exploits, PDF exploits are ridiculously easy to avoid. Turn off Javascript in your reader of choice, and disable the browser plugin, and you've taken a huge chunk of danger out of it. Reader X does a good job of thwarting them as it is (not saying perfect), and with those two tweaks added in you're pretty safe. Meanwhile, there's very little you can do against Flash/Java without not using them, sandboxing the browser or another measure like that.

 

Oh I'm not counting them out, I just mean that they used to be much more popular than they are now.

 

I've already moved on from this thread. If you want to be involved in a discussion keeps going round and round in circles be my guest.

 

I don't really know what you mean. I mean, if this were about Firefox v Chrome or CIS or whatever I'd get it.

But Java doesn't even come up that often in this context and there seems to be a fair consensus.

 

Rather than stressing the need to update frequently, as well as suggesting ways to restrain the use of Java, the author instead takes the week-kneed easy way out, pandering to the complacent and apathetic by simply suggesting its removal as the ultimate solution to Java's security weaknesses

 

@wat

I think the issues with Java is that it's not used very often and every time an exploit gets patched a new one is out in a very short time. The updater doesn't work very well either and users often ignore it.

 

You're not alone. I had forgotten all about it as well.

 

I dont even have Java installed,Have found no reason to have it or needed it.

 

True enough, but it can be manually downloaded and installed, and it's there when needed, even if it's rarely used. For me the concept of removing it is like admitting defeat to it's potential dangers, when really it's not the epic danger so many make it out to be.

 

It is fairly dangerous.

But saying "remove it" is a bit silly because you either:

1) Need it and can't install it

2) Don't need it in which case duh, dont have it installed

At the moment I just try to run it with EMET and hope for the best.

 

You don't need to hope for the best. You can set the browser only to allow Java for specific websites.

 

Chrome already prompts before it runs Java. I'd rather not try to whitelist every site I might run into that uses Java.

 

Well, if you hardly ever use it, as opposed to those who "don't even miss it", then whitelisting is a highly viable option.

 

Any tips to achieve this in IE9, Opera,Chrome/Iron/Chromium, and Firefox ?

Thanks so much

SKA

 

I haven't installed Java in a good while now and don't miss it.

 

With IE9, you can make use of ActiveX Filtering. -http://windows.microsoft.com/en-GB/windows7/how-to-use-tracking-protection-and-activex-filtering

In Chrome/Chromium, you can go to chrome://settings/content and in Plugins, choose Block all, and then click Manage exceptions; in Hostname Pattern type the name of the domain, such as [*.]wilderssecurity.com, and then in Behavior, choose Allow.

Another alternative is to enable the flag Click to play under chrome://flags. This option will then appear on top of Block all, mentioned above.

Be aware that, whichever option you choose, it will apply to all plugins, unfortunately. It would be great to have a more refined configuration, so that we could choose individual plugins. Something like this should be part of the settings already, since day one.

So, if you block all plugins, you'll be blocking Java, Flash, etc., and you'll have to white list every website you know that requires any one those plugins.

I cannot be of any assistance in what comes to Opera and Firefox. Maybe someone else can assist you. I don't know if Firefox has such native feature; I do know NoScript allows that kind of control, though.