It's time to run Java out of town

Discussion in 'other security issues & news' started by ronjor, Apr 10, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,773
    Location:
    Texas
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I still haven't read the article, but it's pretty obvious that Java is a target. But, if it weren't Java, it would be something else; whatever gets used a lot.

    In the case of the infections that happened on the Macs, it would never have happened, had Apple delivered the update when Oracle released it. On the other hand, Oracle also needs to be faster releasing the patches.

    Not to mention, it also actually needs to have a working updating mechanism, because according to many people, it simply doesn't work. No wonder Java exploits are so successful. o_O

    In addition to that, they need to make Java work within Internet Explorer's Protected Mode and Google Chrome's sandbox. It's all about making attackers' lives harder, and Oracle for sure makes it a hell of a lot easier than it really should. :thumbd:
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Apr 10, 2012
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Or used a lot and never gets updated by users when the updates - patches come through.
     
  5. My completely non-expert opinion...

    The ability to run versatile, cross-platform code in a browser necessarily involves some loss of security. Cross-platform code implies cross-platform exploits; you just can't have it any other way. This applies not just to Java, but to Silverlight, Flash, and even to some extent Javascript.

    To my mind, there are two ways you can deal with this problem...
    1. Remove the security risk completely, and accept the loss of functionality.
    2. Keep the functionality and implement some other security measure(s), but ultimately accept that you cannot prevent 100% of exploits.

    (1) may be practical for most people in this case, but I think most reasonable security strategies are some variation on (2). "Running Java out of town" is not a permanent solution; there is no permanent solution. There are just a bunch of things Apple and its user base can do to reduce the likelihood of future exploits, or mitigate their effects.

    (In this case, implementing click-to-play functionality by default in Safari might be a good decision!)

    tl;dr "Running Java out of town" is the wrong idea, even if it does solve the problem.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    So when we get to the point that we all run plugin-less browsers, what then? HTML5/WebGL loopholes I guess?
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Javascript VM overflows, HTML5 video (or audio?) buffers perhaps (though less likely), WebGL certainly. Text parsing overflow happens once in a while though not often. You can pretty much exploit any part of a program that does anything because every program has to dynamically allocate memory and that's where the weaknesses are.

    Gullible Jones, you are 100% correct. Java is a great language and portability is a huge win. While it's an easy target (portable, rarely patched, no DEP or ASLR or JIT Hardening) it's not beyond saving, you can stop many exploits on the VM with EMET (not all, recently there was a fun design exploit) and something like Sandboxie could prevent serious infection.

    It's a shame that the solution is to completely kill Java as a webapp when you can do so much with it. I doubt we'll see it really go anywhere though.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm just mentioning what I've seen mentioned at this very same forum, reported by many other users. I've actually seen it not update in a relative's system.

    You do realize that it gets pretty much impossible for millions of users to hunt down individual upgrades to all the applications they use. Which is why they should have an updating mechanism... or, should I say, a working update mechanism.

    Unless something has changed very recently in Java, it actually fails to automatically update. There's no point in having an auto-update functionality, if it doesn't work. :blink:

    Also, and for example, in our country, Java is required to do our IRS, both in the website and the IRS official application. This means that whenever someone buys a new computer, I'm 99% certain that it will come with Java installed, otherwise clients will complain something isn't working, but they don't exactly know that they have something called Java, etc. And, if it doesn't automatically update as it should, then one can already imagine the kind of problematic situation this is.

    Now, imagine any other targeted software which is also needed, such as Adobe Flash Player, especially if we consider that YouTube is a service millions of people access. If they also install it for millions of users, who have no clue they have something called Flash Player installed, that it can be a security liability, that it should be kept up-to-date, and how to do it... I don't know... But, I'm sensing another nightmare...

    Luckily, newest Adobe Flash Player versions come with an auto-updater. I hope it works! But, that still doesn't change the fact that, older versions won't automatically update, and if millions of users don't know what Adobe Flash Player is, that they have it, and all that... What do we get? One more problematic situation.

    So, we have two very targeted applications: Java and Flash Player.

    One, to the best of my knowledge, doesn't have a functional update mechanism... it has a flawed one... The other one, how many millions of users may actually be running a version prior to the most recent stable one, the one that has an auto-updating function? If these people have no clue they have such an application...
     
    Last edited: Apr 10, 2012
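The update problem described in the post above (an auto-updater that cannot be trusted, and users who do not know which Java they have) is the reason an administrator ends up checking the installed JRE by hand. The following is an added example, not code from the thread or from Oracle: it parses the banner that `java -version` prints, converts the legacy `1.7.0_03` naming into (major, minor, update) so that "7 Update 3" compares correctly, and checks it against a per-major baseline. The baseline values (6u31 and 7u3, the February 2012 releases) and the sample banners are constructed for the example; substitute the current ones.

```python
"""Check whether an installed Java runtime is at or above a patch baseline.

Added example for the thread above, not Oracle's code. Sample banners
and baseline numbers below are constructed; adjust them to your own policy.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Matches both the legacy Sun/Oracle scheme (1.7.0_03, 1.6.0_31-b04) and the
# newer major.minor.security scheme (11.0.2). Quotes and a -bNN suffix are optional.
_VERSION_RE = re.compile(r'"?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?"?')

# Assumed baseline for this example: the minimum update per major release.
# A major release that is not listed is treated as unsupported (fails the check).
BASELINES: Dict[int, Version] = {
    6: (6, 0, 31),   # Java 6 Update 31
    7: (7, 0, 3),    # Java 7 Update 3
}

# Constructed sample banners in the shape `java -version` prints (on stderr).
SAMPLE_CURRENT = (
    'java version "1.7.0_03"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_03-b05)\n'
    'Java HotSpot(TM) Client VM (build 22.1-b02, mixed mode, sharing)\n'
)
SAMPLE_STALE = (
    'java version "1.6.0_20"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_20-b02)\n'
    'Java HotSpot(TM) Client VM (build 16.3-b01, mixed mode, sharing)\n'
)


def parse_java_version(banner: str) -> Optional[Version]:
    """Return (major, minor, update) from a `java -version` banner.

    Legacy '1.7.0_03' becomes (7, 0, 3): the leading '1.' is dropped and the
    update number becomes the third component. Newer '11.0.2' becomes
    (11, 0, 2). Returns None when no version line is recognisable.
    """
    for line in banner.splitlines():
        if not line.startswith(("java version", "openjdk version")):
            continue
        m = _VERSION_RE.search(line)
        if not m:
            return None
        first, second, third, update = m.groups()
        if first == "1":                       # 1.x.y_u -> Java x, update u
            return (int(second), int(third), int(update or 0))
        return (int(first), int(second), int(third))   # 9+ scheme
    return None


def is_at_baseline(banner: str, baselines: Dict[int, Version]) -> bool:
    """True only if the banner's major release is a supported line and its
    update level is at or above that line's baseline."""
    found = parse_java_version(banner)
    if found is None:
        return False
    required = baselines.get(found[0])
    return required is not None and found >= required


def installed_java_banner() -> Optional[str]:
    """Run `java -version` on this host (the banner goes to stderr).
    Returns None if no java is on PATH, so callers can report 'not installed'."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for label, banner in (("sample current", SAMPLE_CURRENT),
                          ("sample stale", SAMPLE_STALE)):
        print(f"{label}: {parse_java_version(banner)} "
              f"-> {'OK' if is_at_baseline(banner, BASELINES) else 'OUTDATED'}")
    live = installed_java_banner()
    if live is None:
        print("local host: no java on PATH")
    else:
        print(f"local host: {parse_java_version(live)} "
              f"-> {'OK' if is_at_baseline(live, BASELINES) else 'OUTDATED'}")
```

The per-major baseline matters: a Java 6 Update 31 install is fully patched for its line but would look "older" than 7 Update 3 under a plain tuple comparison, and a Java 5 install is refused outright because its line is not in the table rather than silently passing.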
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Very true and good points.:thumb:
     
  10. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    I agree. Java is very useful, I couldn't run OpenOffice without it. It needs to be improved drastically, security-wise, definitely. This problem is not new, IDK why the problem hasn't been tackled properly.
     
  11. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    InfoWorld should first get their own security act together and UPDATE their Security Certificates on their Website
    before publicizing to the World how to implement security.

    HKEY1952
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Priceless! :D :thumb:
     
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Good eyes there HKEY,priceless indeed.
     
  14. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    My biggest complaint with updating Java (I'm assuming we're consistently referring to Oracle/Sun here) is not so much that auto-updating doesn't work, or that even "check for updates" typically takes several weeks before it recognizes there's one available. Rather, Oracle keeps changing their download addy and procedure ... I used to make a point of always getting the offline installer version, but as of the latest version (JRE 7 U3) that no longer seems to be available.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I hit the same answer i posted among other like-mindeds in the Wilder's Poll here. I just use a Java Portable for when java is needed and before that making sure my HIPS are standing at the ready to intercept.
     