Java software security freak-out?
ElectricAye
Anyone know anything about this? The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software???
http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755
Comments
Does that mean it's only a flaw on Windoughs? What about Apple stuff? Anybody know?
I did a bit of looking when I first found it and the report said that the exploit was being used to install malware. My thought was that the malware being installed was Windows-only. The Java exploit exists in Java, so in theory all OSs are vulnerable in some way, shape or form. Of course, since most of the malware that would be getting installed is Windows-only, it's Windows users that are most at risk.
There isn't a patch right now and the exploit is deployed out there. Ugly stuff. If you have a VM to surf with, I recommend you do so.
Thanks for looking into this. (Initiate panic attack.)
Disable Java in various web browsers - http://www.java.com/en/download/help/disable_browser.xml
Uninstall Java on Windows PCs - http://www.java.com/en/download/uninstall.jsp
Remove Microsoft Java Virtual Machine - http://www.helpwithwindows.com/WindowsXP/howto-21.html
security implications was allowed to monkey with the reflection API.
will tell you which version you have.
And this is exactly how Oracle has reacted to every problem since they bought out Java: By not reacting. To borrow a well-used expression: Watching Oracle and the Java story is like watching a slow motion train crash. It's been a disaster from day one. They simply don't know how to manage a project like Java. It's getting tiring. I've been one of those who kept trying to defend Java and explain the difference between Java applications and Java applets (the latter are those with security problems) to those screaming the loudest, but now I think they were more right than I was: It's simply too impractical to keep them separate.
And I depend on Java applets because all the banks in my country now use them for so-called 'secure login' (yeah...), and every few weeks either the bank software decides that my Java 1.6.x version doesn't have the right 'x' for the week, or Firefox decides to disable it by itself (never mind that my OS distributor actually patches up the problems in that version without upgrading to some newer, untested version - normal practice).
Which leaves me without any possibility to pay my bills, until if and when I have either manually installed some other Java version, or the bank decided it was their fault all along and re-instated my Java version as OK.
As far as I'm concerned Java cannot die fast enough. Tomorrow would be fine with me. If it isn't clear by now that keeping a computer language 'closed' is NOT the right way to do it... is there really anyone who still believes in that?
-Tor
Older versions of Java have other vulnerabilities as well. The best thing to do is shut down Java in your web browser.
I find that this banking issue with secure login very useful information. I've never actually visited my bank in person. First of all it is the USA and I live abroad; secondly, I've only visited the state it is in once when I was 18.
Linux allows Java as well as Windows and some of my sites demand that I use it to gain all their features. So I suppose I need to read up on how to protect myself.
Stockcharts.com requires an active Java for all the charting services to run properly. So this sets up people that follow their investments with a significant problem.
As stated, Oracle has continued on a track of simply not acting when issues arise. As far as I'm concerned they've had plenty of time and have lost my trust.
Jeff
-Tor
So far they have said and done nothing about this latest issue.
That is Java I'm talking about not JavaScript.
No way I would access my banking info via a Java app!! You're better off (money and identity stolen) not accessing your bank remotely if accessing it means Java!!
I have a tiny hope that the Java-based solution will be replaced with all the current trouble, but I doubt anything will happen - keeping the head in the sand is a good strategy according to bankers.
-Tor
Today's "Taipei Times" mentions Oracle is issuing a fix for this. Usually the "Taipei Times" is a day behind in the news cycle as it is published in English.
I'd love some clarity on whether the issue is the same in Linux as in Windows, or if Linux remains separate and secure. Unlike Windows, Linux not only offers in-house Java. There are several alternative clones.
Does this security problem apply to IcedTea plug-ins for Firefox as well? IcedTea is a Java alternative provided to Linux users.
Apple seems to have a problem as well.
http://www.zdnet.com/apple-oracle-move-quickly-to-mitigate-java-security-flaw-7000009755/
http://www.javatester.org/version.html
Though I run the IcedTea-Web plugin on my Firefox in Ubuntu Linux, it seems I have 1.6.0.34 somewhere included... so I am safe ... for now. This site mentions that version 1.6.xx.xx is scheduled to die in February of 2013.
This is NOT just a Windows issue, it seems all OSes might have an issue... though we know that hackers prefer to use Windows for the widest penetration of abuses.
Start your upgrading now.
Everyone can relax...until next time.
Android seems to not be involved in the current problems.
http://blogs.computerworld.com/cybercrime-and-hacking/21626/how-be-safe-possible-java
Latest news is that Java will continue to be a security liability into the foreseeable future:
http://www.ibtimes.co.uk/articles/423778/20130114/expert-warn-java-security-problems-despite-oracle.htm
Reports claim Android is not affected and that Google Chrome may be the best browser for security at this point.
So far I don't seem to have a serious issue, but with Java6 set to expire in February, that could all change. Oracle could at least extend the useful life of Java6 until they resolve this.
The bank won't allow access with older versions.
I need a new bank.
If you do get a security fix... IT has to be from Oracle.
To keep up-to-date, search Google with "Java Malware".
It seems the predators are more than happy to pretend to be providing the fix.
http://www.informationweek.com/security/application-security/java-security-fix-is-disguised-malware-a/240146589
https://threatpost.com/en_us/blogs/latest-java-update-broken-two-new-sandbox-bypass-flaws-found-011813
Lol, funny how that wasn't the stance in the early days of IE. And when Win2k turned up that was even worse but the prevailing recommendation was to move to Win2k on the basis of security!
The media were very mum on the subject for a long time. Only talking about it once M$ was roughly on track.
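Several posts in this thread turn on the same practical question: which Java version is installed, and is it old enough to matter (the 1.6 family the thread says reaches end-of-life in February 2013, or anything below whatever minimum a vendor advisory or a bank names). The script below is an added example, not code from the thread or from Oracle, that parses the `java -version` output format (both the legacy `1.x.y_NN` form and the newer `11.0.2` form, so it generalizes beyond the versions named above) and reports whether an upgrade is due. The minimum version `REQUIRED_MINIMUM` is a placeholder to be set from the advisory you are following; the sample outputs are constructed for illustration.

```python
import re
import subprocess

# Placeholder: set this to the version named in the advisory you follow.
REQUIRED_MINIMUM = (1, 7, 0, 0)

# Release families the thread reports as end-of-life (1.6 dies Feb 2013).
EOL_FAMILIES = ((1, 6),)

# Matches 'java version "1.6.0_34"', 'openjdk version "11.0.2"', 'java version "9"'.
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(output):
    """Return (major, minor, patch, update) from `java -version` text, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(part) if part else 0 for part in m.groups())


def runtime_flavor(output):
    """Identify the runtime from the second line of `java -version` output."""
    if "IcedTea" in output:
        return "IcedTea"
    if "OpenJDK" in output:
        return "OpenJDK"
    if "Java(TM)" in output:
        return "Oracle/Sun"
    return "unknown"


def assess(version, minimum=REQUIRED_MINIMUM):
    """Return ('ok'|'upgrade'|'unknown', [reasons]) for a parsed version tuple."""
    if version is None:
        return ("unknown", ["could not parse a Java version string"])
    reasons = []
    if version < minimum:
        reasons.append("older than required minimum %s" % (minimum,))
    if version[:2] in EOL_FAMILIES:
        reasons.append("release family %d.%d is end-of-life" % version[:2])
    return ("upgrade" if reasons else "ok", reasons)


def check_local_java(minimum=REQUIRED_MINIMUM):
    """Run `java -version` on this machine and assess the result.

    Note: this checks the command-line JRE only. The browser plugin can be a
    different installation; the thread's javatester.org link checks that one.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return ("unknown", ["java binary not found or did not respond"])
    # The JVM prints its version banner to stderr, not stdout.
    output = proc.stderr + proc.stdout
    return runtime_flavor(output), assess(parse_java_version(output), minimum)


# Constructed sample outputs, in the shape `java -version` prints them.
SAMPLE_OUTPUTS = {
    "oracle_6u34": 'java version "1.6.0_34"\n'
                   'Java(TM) SE Runtime Environment (build 1.6.0_34-b04)\n',
    "icedtea_6":   'java version "1.6.0_24"\n'
                   'OpenJDK Runtime Environment (IcedTea6 1.11.1)\n',
    "oracle_7":    'java version "1.7.0_10"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "openjdk_11":  'openjdk version "11.0.2" 2019-01-15\n'
                   'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n',
}


def assess_samples():
    """Assess every constructed sample; returns {name: (flavor, verdict)}."""
    return {name: (runtime_flavor(out), assess(parse_java_version(out)))
            for name, out in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    for name, (flavor, (verdict, reasons)) in assess_samples().items():
        print("%-12s %-10s %-8s %s" % (name, flavor, verdict, "; ".join(reasons)))
    print("local:", check_local_java())
```

Tuple comparison does the version ordering, so `(1, 6, 0, 34) < (1, 7, 0, 0)` without any string games, and an update number like `_34` is compared as an integer rather than lexically. The end-of-life check is separate from the minimum check on purpose: a 1.6 build above some minimum is still on a family the thread says stops receiving fixes.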