Chief Delphi > Technical > Programming
#1  30-08-2012, 18:09
F22Rapture (College Student, Mentor; AKA Daniel A; FRC #3737 (4H Rotoraptors); Team Role: Mentor; Join Date: Jan 2012; Rookie Year: 2012; Location: Goldsboro, NC; Posts: 476)
PSA for Java devs -- critical security patch released for Java Runtime Environment

Some background for those who don't know:

Recently a major security flaw in the JRE was discovered which would allow rogue websites to execute code on Windows, Linux, and Macintosh computers without any form of user consent. It has since been widely adopted as a means of attack, and Oracle themselves recommended disabling Java until a patch could be released. Though there is now a patch, the JRE has chronic security problems and unless otherwise needed for web apps such as GoToMeeting, many security experts recommend disabling it from the browser (this would not affect Java development otherwise.)

http://arstechnica.com/security/2012...-disable-java/
http://arstechnica.com/security/2012...cal-java-bugs/


Download the updated Java executable here

http://www.oracle.com/technetwork/ja...s-1836441.html


Instructions for disabling Java plugins in Firefox, Safari, IE, and Chrome

https://krebsonsecurity.com/how-to-u...m-the-browser/
#2  31-08-2012, 08:44
JesseK (Expert Flybot Crasher; FRC #1885 (ILITE); Team Role: Mentor; Join Date: Mar 2007; Rookie Year: 2005; Location: Reston, VA; Posts: 3,661)
Re: PSA for Java devs -- critical security patch released for Java Runtime Environment

So what? Even the free anti-virus clients would have caught most of the exploits because the exploits are designed to install common trojans rather than being the backdoor themselves.

The JRE is no more of a "chronic" security problem than any other standard software. Its only main issue is that it's more easily reverse-engineerable than other high-level languages (vars & strings are written right into the bytecode, even when they're parameterized...).

Good PSA, but perhaps keep your opinions founded in fact next time.
__________________

Drive Coach, 1885 (2007-present)
CAD Library Updated 5/1/16 - 2016 Curie/Carver Industrial Design Winner
GitHub
#3  31-08-2012, 09:06
BigJ (Registered User; AKA Josh P.; FRC #1675 (Ultimate Protection Squad); Team Role: Engineer; Join Date: Jan 2007; Rookie Year: 2007; Location: Milwaukee, WI; Posts: 945)
Re: PSA for Java devs -- critical security patch released for Java Runtime Environment

I agree with Jesse about keeping opinion on the sideline, but Java is kind of icky for web technology that doesn't desperately need its functionality anyway. Don't write applets, kids! Learn Python or Rails or Javascript!
#4  31-08-2012, 11:15
F22Rapture (College Student, Mentor; AKA Daniel A; FRC #3737 (4H Rotoraptors); Team Role: Mentor; Join Date: Jan 2012; Rookie Year: 2012; Location: Goldsboro, NC; Posts: 476)
Re: PSA for Java devs -- critical security patch released for Java Runtime Environment

Quote:
Originally Posted by JesseK
The JRE is no more of a "chronic" security problem than any other standard software.

[...]

Good PSA, but perhaps keep your opinions founded in fact next time.

Not to be rude, but a few Google searches would reveal that Java *is* a much larger security issue than most standard software. Technically speaking it may not have more flaws than most software, but it's highly multiplatform, installed on a very large number of devices, and not kept updated very well, which makes it a gigantic target. The recent Macintosh botnet which infected 650,000 computers exploited Java, as have several of the largest pieces of malware in the last few years.

The United States Computer Emergency Response Team recommends:

Quote:
To protect against future Java vulnerabilities, consider the following workarounds:

Disable the Java plug-in...
Uninstall java...
http://www.kb.cert.org/vuls/id/636312

As does Mozilla
https://blog.mozilla.org/security/20...vulnerability/


It's not like I'm just pulling this out of nowhere.

Last edited by F22Rapture : 31-08-2012 at 11:31.
#5  31-08-2012, 12:39
Jon Stratis (Electrical/Programming Mentor; FRC #2177 (The Robettes); Team Role: Mentor; Join Date: Feb 2007; Rookie Year: 2006; Location: Minnesota; Posts: 3,753)
Re: PSA for Java devs -- critical security patch released for Java Runtime Environment

What they're posting makes sense... to protect yourself against any vulnerabilities in any specific piece of software, stop using it! For example, to protect yourself against future vulnerabilities in Windows (and we've all seen enough of those to know there will be some in the future), install a different OS.

The fact is, you shouldn't have something available to be exploited if you aren't using it, and protection goes way beyond just uninstalling or disabling something. Otherwise, everyone would have ditched Windows back in the 90's.

As far as it goes, I have personally never had an issue caused by a java vulnerability. I've had ones caused by Windows vulnerabilities before, tons of them. But never Java.

The best solution for keeping yourself safe is to keep your antivirus up to date, and keep all of your software patched. If you keep things patched, then you usually don't have to worry much about exploits - the exploit is patched quickly after it's discovered (like this Java one was), and thus stops being an issue.

And F22Rapture, can you post the source for your images?
__________________
2007 - Present: Mentor, 2177 The Robettes
LRI: North Star 2012-2016; Lake Superior 2013-2014; MN State Tournament 2013-2014, 2016; Galileo 2016; Iowa 2017
2015: North Star Regional Volunteer of the Year
2016: Lake Superior WFFA
#6  31-08-2012, 12:58
F22Rapture (College Student, Mentor; AKA Daniel A; FRC #3737 (4H Rotoraptors); Team Role: Mentor; Join Date: Jan 2012; Rookie Year: 2012; Location: Goldsboro, NC; Posts: 476)
Re: PSA for Java devs -- critical security patch released for Java Runtime Environment

Quote:
Originally Posted by Jon Stratis
And F22Rapture, can you post the source for your images?

Microsoft Security Intelligence Report for 2011

http://www.microsoft.com/security/sir/default.aspx

Relevant accompanying quote:

Quote:
Java exploits, formerly the most commonly observed type of exploits, were relegated to second place in 3Q11 and 4Q11 because of the rise in HTML/JavaScript exploits; despite this, the number of computers reporting Java exploit detections remained at a high level during 3Q11 and 4Q11, and actually increased overall from the first half of the year.
(edit) And Kaspersky for the second one
#7  31-08-2012, 13:01
techhelpbb (Registered User; FRC #0011 (MORT - Team 11); Team Role: Mentor; Join Date: Nov 2010; Rookie Year: 1997; Location: New Jersey; Posts: 1,621)
Re: PSA for Java devs -- critical security patch released for Java Runtime Environment

Several products that require Java carry the Java Virtual Machine (JVM) bundled within their installs.

So you remove Java from the browser. You uninstall the JVM you downloaded from Sun/Oracle.

If you've still got an old version of Internet Explorer you might have Microsoft Java. If you're running Linux you might have OpenJDK.

You still may have Java. Sure, now you can't call it from JavaScript (which is not Java, BTW), but you still may have a JVM and, more importantly, the update system probably neither updates that JVM hidden in that install directory nor possibly even the one someone put on your computer (some versions require you to acknowledge the updates manually).

Sure, newer technologies like Socket.IO and WebSockets are increasingly closing the gap on some core Java upsides for web-centric applications. However, there are so many existing tools for Java that just having a way (with a ton of work) someone might eventually be able to achieve the same result may not make good business sense.

Then we have to consider that Java keeps a local cache of previously loaded .JAR files. Further, Java can reach out of its sandbox with privilege escalation (generally this does require you to accept it... not that the messages are really clear to most users).

I can't say not to use Java. If I start doing that I'd have to face the fact that I have more than 100 open technical matters with Microsoft and some of them are unaddressed years later.

If you turn off JavaScript you'd not be able to start Java.

If you did all your web browsing in a disposable environment it wouldn't matter, just assume it's full of trouble and erase it and start all over (I do that all the time).

If you use Firefox a lot and just want granular control over whether or not web pages can get to Java with JavaScript:
https://addons.mozilla.org/en-US/fir...don/quickjava/

* IMPORTANT PLEASE READ BELOW *

As a follow up to this (next day):

First a private patch was created by a small group of people.
That patch was distributed to a limited number of people by request.

Then Oracle broke their normal release schedule and patched this hole.

Now it appears that the patch for the original hole is also compromised and with limited effort new malware could be written.

Here comes new trouble. At least it has yet to be found in the wild.

I'm advocating backing up to Java 6 with the latest update and disabling Java in the browser (hopefully using a tool to make it easy to turn back on when you trust the code) until this gets fixed the right way. This vector is far too hot a subject right now and even if it hasn't been found in the wild I'm sure it soon will be. Dismantling Java to look for a known exploit is far too easy.

Last edited by techhelpbb : 01-09-2012 at 11:09.
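techhelpbb's point that removing the browser plugin and uninstalling the Oracle JVM can still leave bundled or distribution JVMs behind is something you can check rather than guess. The inventory script below is an added example, not code from this thread or from any of the posters. It assumes a Unix-like host (Linux or Mac) with POSIX `find`, `sed` and `cut`, that every JVM ships a launcher binary named `java`, and that Oracle's Firefox plugin, when installed, is linked as `libnpjp2.so` under `~/.mozilla/plugins` (an assumed location; distributions and macOS differ). The function names (`parse_java_version`, `java_major`, `find_jvms`, `inventory`, `count_distinct_versions`, `browser_plugin_status`) and the sample `java -version` strings in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): inventory every JVM on a Unix-like host,
# including copies bundled inside application directories that the vendor's
# updater never sees, and report whether the Firefox plugin link is still there.
set -u

# Pull the version token out of `java -version` output. Constructed samples:
#   java version "1.7.0_06"      -> 1.7.0_06
#   openjdk version "1.6.0_24"   -> 1.6.0_24
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Major release of a version token: 1.6.0_24 -> 6, 1.7.0_06 -> 7, 17.0.1 -> 17.
java_major() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | cut -d. -f1 ;;
    esac
}

# List executable files named `java` beneath the given roots. Bundled JVMs
# usually sit at paths like <app>/jre/bin/java, so pass application trees
# (/opt, /Applications, your home directory) as roots, not just /usr.
find_jvms() {
    find "$@" -type f -name java -perm -100 2>/dev/null
}

# Emit one tab-separated line "<path> <version> <major>" per JVM under the roots.
# `java -version` writes to stderr, hence the 2>&1; a launcher that fails to
# run is listed as "unknown" rather than skipped, since it is still on disk.
inventory() {
    find_jvms "$@" | while IFS= read -r bin; do
        out="$("$bin" -version 2>&1 </dev/null)" || true
        ver="$(parse_java_version "$out")"
        [ -n "$ver" ] || ver="unknown"
        printf '%s\t%s\t%s\n' "$bin" "$ver" "$(java_major "$ver")"
    done
}

# Count distinct version strings in an inventory listing read from stdin.
# More than one means more than one update path you have to keep track of.
count_distinct_versions() {
    cut -f2 | grep . | sort -u | wc -l | tr -d ' '
}

# Firefox on Linux: Oracle's NPAPI plugin is normally linked as libnpjp2.so
# in ~/.mozilla/plugins (assumed location; distributions differ). A dangling
# link left over from an uninstall is reported separately so it is noticed.
browser_plugin_status() {
    p="${1:-$HOME/.mozilla/plugins/libnpjp2.so}"
    if [ -e "$p" ]; then echo "present: $p"
    elif [ -L "$p" ]; then echo "dangling: $p"
    else echo "absent"
    fi
}

# Run only when roots are given, e.g.:  sh jvm-inventory.sh /usr /opt "$HOME"
if [ "$#" -gt 0 ]; then
    listing="$(inventory "$@")"
    printf '%s\n' "$listing"
    n="$(printf '%s\n' "$listing" | count_distinct_versions)"
    echo "distinct JVM versions: $n"
    echo "firefox plugin: $(browser_plugin_status)"
fi
```

Run it with every tree an installer might have written to, not only `/usr`; a second entry at a path like `/opt/<app>/jre/bin/java` is exactly the bundled JVM the post is talking about, and its version will lag the one the updater maintains. On a Mac, `/Library` and `/Applications` are the roots worth passing, and the plugin check should be pointed at the Internet Plug-Ins directory instead of the Firefox path assumed here.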