If You Can't Disable Java, What Can You Do?


Guest LilBambi

If You Can't Disable Java, What Can You Do? - PCMag

 

Here are just a few areas where Java is used:

 

But I Use Java!

Then, there are the rest of us who actually use Java on a regular basis.

"I doubt that anyone who pays attention to security advice is running Java, IE 6/7/8, et al. because they want to—we run these things because we have to, and the decision is out of our control," security guru Jack Daniel wrote on Uncommon Sense Security.

When I looked around to see what applications used Java, I realized many popular desktop applications fit the bill, including Office alternatives, ThinkFree Office, LibreOffice, and OpenOffice, as well as popular games such as Minecraft. Several Adobe applications also require Java to run certain components. Nothing to worry about, as these are standalone Java applications, and not the ones that run within the Web browser. If you followed our step-by-step instructions, you disabled Java only in the browser. Local applications will still run fine.

But it turns out there are plenty of gaming sites and businesses that still use Java. Specialized banking services, such as Citi Private Bank, which combines investing and traditional banking into one account, appear to be one example. Cloud services such as Box.net power bulk-file upload tools with Java. Citrix and Cisco both offer client-less SSL VPN products, which let users establish a secure, remote-access VPN tunnel using a Java-enabled Web browser.

Are you a student? Chances are your school uses Blackboard, which requires the latest version of the Java plugin to upload files and attachments, use the real-time chat feature Virtual Classroom, and to enable certain interactive features on the platform.

Pogo.com and KidsPlayPark.com offer online Java games. Many Pogo users, worried about the latest threats, appear to have replaced Java 7 with Java 6 (which Oracle will no longer support after February), according to posts on the user forums. Just so you know, that's a spectacularly bad idea. There are plenty of attacks that target outdated software; there is no need to risk a whole different set of attacks just to avoid the latest crop.

 

And don't forget the security tool, Secunia's Online Software Inspector, RSS Owl, and many other Open Source programs.

 

They mention that LogMeIn free uses ActiveX. That's a better alternative?! They must be kidding!

 

And as they say in the article, some just can't move from using Java-based programs and it's out of their control.

 

And what about Android, which is based in part on Java? And a bazillion devices that people use every day that are based in full or in part on Java. And they are almost all on the Internet and people have no idea what OS it's based on or if their device is based on it, or their phone.

 

Sure, if you know for a fact that you don't use Java, fine. Uninstall it. Same with Flash, Adobe Reader, RealPlayer, and any other plugin out there. You will definitely be safer online.

 

But I think we have to ask ourselves a few questions on this.

 

Why is Java being targeted so badly? Yes, Oracle needs to be better at this, but that's not the only reason.

 

Think about those that will benefit from the loss of Open Source alternatives like OpenOffice, LibreOffice, alternatives to MS Office, Corel WordPerfect and a host of others.

 

Android OS/devices alternatives to Mac iOS devices, and Microsoft's Windows 8 RT and Windows Phone Mobile devices.

 

Complimentary security programs like Secunia's online software inspector to assist in making sure you are up to date.

 

Many NASA JPL programs to see the orbits of comets and asteroids, and the list goes on and on.

 

Oracle needs to get on the stick. They need to keep Java updated and the best it can be.

 

There need to be alternatives, cross-platform alternatives, to things like ActiveX and other OS-specific alternatives.

 

So, I ask again. Who is sounding the alarm the most? Or more importantly, who may be behind the alarm to kill this Java and why?

Link to comment
Share on other sites

Who is sounding the alarm?

1. Andrew Storms, director of security operations at nCircle Security

2. Adam Gowdiak, founder and CEO of Security Explorations

3. HD Moore, the chief security officer at Rapid7 and the creator of Metasploit

Source: http://www.computerworld.com/s/article/9235997/Experts_prod_Oracle_to_fix_broken_Java_security

Link to comment
Share on other sites

I use click to play in Fx 21 and it turns on all plug-ins or you can leave them off. I also am using Java 8. Then there is an add-on called NoScript.

Guest LilBambi

Sure, there are lots of security folks too going after Java.

 

I am one of them and I agree! I wish Java .... and all the plugins should go to make folks safer, but it's not gonna happen because people want all those videos, flashy websites, PDF files, real audio, WM audio, QT audio, etc. etc. etc.

 

But the ONE THEY SINGLE OUT WITH A VENGEANCE is the one that has the broadest open source platforms, programs, as well as many commercial, medical and military applications, and on the most devices including phones.

 

Who benefits if all that goes away?

 

When NOAA changed from Java, they went to Flash. No brainer to me. The other commercial plugins would love to pick up Java's slack when it is replaced in various types of scenarios. Will Flash be better? Don't think so.

 

Think about that.

 

The click to play in Firefox, which was in Google Chrome even before Firefox btw, is great!

 

And of course NoScript, Adblock Plus, Do Not Track Me, etc. are great to add to the browser arsenal.

Edited by LilBambi
Guest LilBambi

Don't get me wrong. We should be limiting Java if it can't be disabled or uninstalled for now. I am talking about the long term here.

 

Too risky right now to use it. We went through this with Flash before too.

Link to comment
Share on other sites

Adobe Reader was the "target" at least 3 or 4 years ago with people like Sophos' Graham Cluley recommending replacing it with an alternate reader. With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection. That isn't the case with Adobe Reader. Adobe has even improved the update process and schedule for Adobe Flash Player.

 

Java has been a major source of malware infections for way too many years. Think back to all the Vundo (Virtumundo) infections circa 2005. That wasn't the beginning of Java problems but it began the crusade to get Sun to improve the update mechanism -- which didn't happen until three years later with JRE 6u11 when the update mechanism for Java was finally changed to remove the previous install. However, it did not remove installations prior to update 10!

 

By security people (including the Dept. of Homeland Security and U.S. CERT) putting pressure on Oracle, perhaps it will get their attention and there will be a concerted effort to improve the security.

 

Here's Ben Edelman's update on IAC and a section on "The Special Problems of IAC Ask Toolbar Installed by Oracle's Java Updates": IAC Toolbars and Traffic Arbitrage in 2013.

 

Fortunately, I don't use any programs that require the use of Java.

Link to comment
Share on other sites

Hello,

 

I am fortunate in that I can get away without running Java at home or at work, but I know others are not so lucky.

 

Hopefully, native code, HTML5, and even Silverlight can pick up some of the slack.

 

Regards,

 

Aryeh Goretsky

Link to comment
Share on other sites

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents.

Source: http://news.yahoo.com/government-warns-java-security-concerns-escalate-160640366--sector.html

 

28% is a big target. I suspect people do not update the version of Reader that came installed on the computer.

Guest LilBambi

Agreed! If Oracle wants to remain in the game, they need to get their act together. They need to realize that if they want the big bucks from corporations, they need to fix all this for users! Period.

Link to comment
Share on other sites

Oracle's Java security head: We will 'fix Java,' communicate better - Computerworld:

"The plan for Java security is really simple," said Java security lead Milton Smith during a conference call this week with Java user group leaders. "It's to get Java fixed up, number one, and then number two, to communicate our efforts widely. We really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy. We have to fix Java."

 

Now he has to follow those words with actions!

Guest LilBambi

Thankfully they are at least reading what we all have to say and are basically promising to fix it - and communicate about it too. They have been way too quiet on this.

 

We all will hold their feet to the fire. ;)

Edited by LilBambi
Link to comment
Share on other sites

Ok, so some banks use it.

 

Interesting item on the list: Blackboard, the distance learning tool many colleges use. Cami and I both use it extensively with our courses.

 

Adam

Link to comment
Share on other sites

Java has always been a threat. I remember getting Java viruses on my Windows 95/98/Me computers years and years ago. It's never been secure, which is sad since many websites use it.

Guest LilBambi

Yep, Java has been around for a very long time.

 

The problem is that it's not just for websites. As I noted earlier and linked to, if it was just a few websites, fine. But there are all kinds of software, hardware, devices, routers, set top boxes, IDEs, entire commercial systems, etc. etc. etc. etc.

 

They need to fix this. And they need to do it now!

 

OK, /rant off

Link to comment
Share on other sites

They need to fix this. And they need to do it now!

 

They most certainly do! New bug makes moot Java's latest anti-exploit defenses, claims researcher - Computerworld

 

 

"What we found ... is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings," Gowdiak wrote in a message posted Sunday to the Bugtraq mailing list.

 

In an email reply to questions Sunday, Gowdiak said there was a single vulnerability that makes the bypass possible. "It could be used to successfully launch unsigned Java code on a target system regardless of the security level set by the user in Java Control Panel. [The] 'High' or 'Very High' security [setting] does not matter here, the code will still run," he said.

 

After discovering the vulnerability and creating a proof-of-concept exploit that worked on Java 7 Update 11 -- the version released two weeks ago -- running on Windows 7, Gowdiak reported the bug to Oracle.

Guest LilBambi

Groan... Oracle! Get with it! Our computers are at least as important to us as your corporation is to you!

Edited by LilBambi
Link to comment
Share on other sites

I removed it last year from all but one computer and I never installed it at all on my one Win 7 netbook. I recently discovered that the one site I needed it for worked with it disabled, so I might remove it from that one computer, too.
