Now, the new thing here is, hopefully, the long-awaited disappearance of Java :)
Perhaps if it screws up often enough my bank, for example, will ditch it.
I can only hope...
I strongly doubt that Java will disappear. The internet has evolved into a global advertising empire and at its core Java allows advertisers to do a lot of things they love to do within browsers.
Keep in mind that JavaScript is what is built into and used by most browsers, not the same as Java.
Seriously, people, it has been stated several times in this thread: Java and JavaScript are two completely different things. Stop confusing them. Read this article from an earlier post in this thread; it explains things very well. Java is useless and unnecessary for most people.
...just as C, C++, Javascript, ??.net, Go, C#, VB, Python, Perl, Fortran, COBOL, BASIC, etc, etc, etc are useless and unnecessary for most people. If you aren't writing programs, you have no need for those. But you have the .net runtime and other runtimes on your computer.
Java has this quirky feature called an applet which is the Pandora's box that has caused the problems. From Oracle's Java Tutorials:
A Java applet is a special kind of Java program that a browser enabled with Java technology can download from the internet and run. An applet is typically embedded inside a web page and runs in the context of a browser. An applet must be a subclass of the java.applet.Applet class. The Applet class provides the standard interface between the applet and the browser environment.
Friends don't let friends' browsers run untrusted Java applets. Disable, remove, sandbox or whatever your Java plugin and you won't run applets.
Java applets are very powerful and can access your computer. With power comes responsibility and untrusted applets are responsible.
We have a number of internal applications and vendor tools that are applets (some are GIGANTIC applets) and they work well. Ok, they work ok. We're trending away from them. But they are in a trusted environment.
You may very well need or want to have the Java runtime (JRE) on your computer to support some Java-written application you use. This is fine and safe, BUT DO NOT RUN THE JAVA PLUGIN in your browser unless you know what you are doing... or fire it up on a VM if you must.
There were problems like this with ActiveX controls, ASP.net and other similar technologies. It's cool stuff in a perfect world where everybody is honest and kind.
Not surprisingly, I have it disabled for all sites myself, including even places like YouTube, where I externally download and save the vids for offline viewing. Other similar places that make heavy use of scripting, like Facebook for example, where I have little or no interest, I simply don't bother with. For online shopping, if there are tracking scripts on the purchasing pages and the checkout doesn't have an HTML fall-back mode, then I don't buy the products.
What precautions should be taken with Java SE 7 Update 4? Is it ok to use on a Windows box, or should I go with Ubuntu? This rig is to be used for games, surfing, Facebook, iTunes, etc.
Well, that's one reason I don't have Minecraft. However, you can have Java disabled in your web browser(s) and still play Minecraft as long as the JRE is installed.
I got an email with (no subject) from a tech colleague. It just said "check this out" with a link in the body. I suspected it might be bogus, but as my browser is Firefox, and I have scripts turned off by default, I figured it was ok to take a look. Of course the link was to some bogus site.
24 hours later, folks started getting the same email from my account, (no subject) and a link in the body. The account was accessed from South Korea, according to Yahoo. The interesting thing is that the message was sent from all three of my email accounts: Yahoo, Google, and Hotmail.
The PC had Java installed, and had the passwords "remembered" for those accounts. I thought I had uninstalled Java on all my machines, but had missed this one.
I imagine that the bogus site executed a java script that captured my remembered passwords and other information from cookies, and sent them in to a bot queue, possibly why it took 24 hours to start spewing.
I deleted my cache and cookies, and changed my passwords on the accounts, and the problem seemed to stop. I caught it within three hours for the first bogus email being sent from my account.
Does this sound like the correct vector and solution? Or should there be more actions taken on my part?
Javascript has nothing to do with Java.
So removing Java wouldn't matter if the attack was script-based; likewise, disabling scripting wouldn't help against a Java applet vector. But as to the actual vector, I don't know. I have never been on the receiving end of one (and I don't run Windows, which may have something to do with it).
I'm asking which one of these two separate things is the most likely culprit, or if it's something else.
By turning the browser scripting (java scripts) off, I seem to have been safe so far. By having the Java executable installed, I seem to have compromised security.
Anyway, if you get any emails with (no subject) in the subject line, be warned not to click the link.
Your email reader/editor is a whole other executable that can view web content contained in the emails.
And now that you've mentioned it I've gone hunting in my own reader, Thunderbird, and there is no setting in the menus. So I dug into the Advanced Config of parameters and found there is a setting "javascript.enabled;true" that is surprisingly enabled! I've now turned that off myself.
Aside from that, I tend to always set my readers to render HTML but not load or access any references within the HTML, i.e. no further downloading when viewing the email, and also ignore cookies.
Comments
C.W.
Do I need Java and JavaScript?
http://help.mojang.com/customer/portal/articles/325948-minecraft-system-requirements
Or should I just forbid Minecraft?
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.infoworld.com/t/application-security/apple-ticks-mac-users-silent-shutdown-of-java-7-212028?source=footer
Which is nice.
I start to see this video in my mind when I think about Java and Oracle:
http://www.youtube.com/watch?v=2AAa0gd7ClM
-Tor