Discussion in 'other security issues & news' started by ronjor, Apr 10, 2012.
I still haven't read the article, but it's pretty obvious that Java is a target. But, if it weren't Java, it would be something else; whatever gets used a lot.
In the case of the infections that happened on the Macs, it would never have happened had Apple delivered the update when Oracle released it. On the other hand, Oracle also needs to be faster at releasing the patches.
Not to mention, it also actually needs to have a working updating mechanism, because according to many people, it simply doesn't work. No wonder Java exploits are so successful.
In addition to that, they need to make Java work within Internet Explorer's Protected Mode and Google Chrome's sandbox. It's all about making attackers' lives harder, and Oracle for sure makes it a hell of a lot easier than it really should.
I'm happily running a Win 7 installation sans Sun Java. Additional information on the OSX/Flashback trojan
Or used a lot and never gets updated by users when the updates - patches come through.
My completely non-expert opinion...
To my mind, there are two ways you can deal with this problem...
1. Remove the security risk completely, and accept the loss of functionality.
2. Keep the functionality and implement some other security measure(s), but ultimately accept that you cannot prevent 100% of exploits.
(1) may be practical for most people in this case, but I think most reasonable security strategies are some variation on (2). "Running Java out of town" is not a permanent solution; there is no permanent solution. There are just a bunch of things Apple and its user base can do to reduce the likelihood of future exploits, or mitigate their effects.
(In this case, implementing click-to-play functionality by default in Safari might be a good decision!)
tl;dr "Running Java out of town" is the wrong idea, even if it does solve the problem.
So when we get to the point that we all run plugin-less browsers, what then? HTML5/WebGL loopholes I guess?
Gullible Jones, you are 100% correct. Java is a great language and portability is a huge win. While it's an easy target (portable, rarely patched, no DEP or ASLR or JIT Hardening) it's not beyond saving, you can stop many exploits on the VM with EMET (not all, recently there was a fun design exploit) and something like Sandboxie could prevent serious infection.
It's a shame that the solution is to completely kill Java as a webapp when you can do so much with it. I doubt we'll see it really go anywhere though.
I'm just mentioning what I've seen mentioned at this very same forum, reported by many other users. I've actually seen it not update in a relative's system.
You do realize that it gets pretty much impossible for millions of users to hunt down individual upgrades to all the applications they use. Which is why they should have an updating mechanism... or, should I say, a working update mechanism.
Unless something has changed very recently in Java, it actually fails to automatically update. There's no point in having an auto-update functionality, if it doesn't work.
Also, and for example, in our country, Java is required to do our IRS, both on the website and in the IRS official application. This means that whenever someone buys a new computer, I'm 99% certain that it will come with Java installed, otherwise clients will complain something isn't working, but they don't exactly know that they have something called Java, etc. And, if it doesn't automatically update as it should, then one can already imagine the kind of problematic situation this is.
Now, imagine any other targeted software which is also needed, such as Adobe Flash Player, especially if we consider that YouTube is a service millions of people access. If they also install it for millions of users, who have no clue they have something called Flash Player installed, that it can be a security liability, that it should be kept up-to-date, and how to do it... I don't know... But, I'm sensing another nightmare...
Luckily, the newest Adobe Flash Player versions come with an auto-updater. I hope it works! But that still doesn't change the fact that older versions won't automatically update, and if millions of users don't know what Adobe Flash Player is, that they have it, and all that... What do we get? One more problematic situation.
So, we have two very targeted applications: Java and Flash Player.
One, to the best of my knowledge, doesn't have a functional update mechanism... it has a flawed one... The other one, how many millions of users may actually be running a version prior to the most recent stable one, the one that has an auto-updating function? If these people have no clue they have such an application...
Very true and good points.
I agree. Java is very useful, I couldn't run OpenOffice without it. It needs to be improved drastically, security-wise, definitely. This problem is not new, IDK why the problem hasn't been tackled properly.
InfoWorld should first get their own security act together and UPDATE their Security Certificates on their Website before publicizing to the World how to implement security.
Good eyes there HKEY, priceless indeed.
My biggest complaint with updating Java (I'm assuming we're consistently referring to Oracle/Sun here) is not so much that auto-updating doesn't work, and that even "check for updates" typically takes several weeks before it recognizes there's one available. Rather, Oracle keeps changing their download addy and procedure... I used to make a point of always getting the offline installer version, but as of the latest version (JRE 7 U3) that no longer seems to be available.
I hit on the same answer I posted among other like-mindeds in the Wilders Poll here. I just use a Java Portable for when Java is needed, and before that I make sure my HIPS are standing at the ready to intercept.