JAVA Security!

[sundaymorningstaple]

So how, our learned IT gurus on the board? Something to be concerned with or tempest in a teacup?

http://www.todayonline.com/Technology/E ... urity-flaw

SAN FRANCISCO - Computer users are being advised by security experts to disable Oracle Corp's widely used Java software after a security flaw was discovered in the past day that they say hackers are exploiting to attack computers.

"Java is a mess. It's not secure," said Ms Jaime Blasco, Labs Manager with AlienVault Labs. "You have to disable it."

Java, which is installed on hundreds of millions of PCs around the globe, is a computer language that enables programmers to write software using just one set of code that will run on virtually any type of computer.

It is used so that Web developers can make sites accessible from browsers running on Microsoft Windows PCs or Macs from Apple.

Computer users access those programs through modules, or plug-ins, that run Java software on top of browsers such as Internet Explorer and Firefox.

Three computer security experts told Reuters yesterday that computer users should disable those Java modules to protect themselves from attack.

A spokeswoman for Oracle said she could not immediately comment on the matter.

"This is like open hunting season on consumers," said Mr HD Moore, Chief Security Officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks.

Mr Moore said machines running on Mac OS X, Linux or Windows all appear to be vulnerable to attack.

Mr Marc Maiffret, Chief Technology Officer with BeyondTrust, said that businesses may need to keep using Java to access some websites and Internet-based programs that run on the technology.

"The challenge is mainly for businesses, however, which have to use it for some applications," he said. "Oracle simply needs to do a lot more to secure Java and get their act together."

Security experts said the risk of attack is currently high because developers of several popular tools known as exploit kits that criminals use to attack PCs have added software that allows hackers to exploit the newly discovered bug in Java to attack computers. Reuters

[Mi Amigo]

Definitely something to take very seriously IMO.

Java (the runtime that is installed in your PC or Mac) - as opposed to Javascript (which runs in the browser and confusingly is a different animal altogether) - has become a method of choice for the malware community. Many people don't really need the Java runtime, but they have it installed from some time back and never removed it. I've uninstalled it from all our PCs and aside from a neat Java-driven world clock that I used to use, I don't need it for anything.

Until recently, one of our banks here required the Java runtime to be installed on the PC / Mac in order to use their internet banking service; that was just insane, but fortunately they've now removed that requirement for personal internet banking (although it's still required for business internet banking - hopefully they'll re-engineer that soon).

I'm not a gamer myself but I believe that some games use the Java runtime. If you need it for that, then you can install the latest version and disable its use by the browser if that's not needed - see this page and search for the first mention of 'Java' for more details:

https://www.grc.com/sn/sn-383.htm

Another thing that you can do (if you use Firefox) is install the NoScript plug-in - this prevents Javascript by default on each site you visit and you can 'train' it to allow scripting on sites that you trust. The significance is that (I believe) a website would always need to use scripting to call the Java runtime, so if scripting is disabled, this will help protect you from malicious code.

Edit: fixed typos.

[v4jr4]

2013 at its best

As complicated as it is, I don't think it's easy to replace existing modules made from Java. Sure, nothing's perfect. But as far as I can see, Java is used at almost everywhere. Disabling it directly is not a good option.

[Mi Amigo]

Well I guess it depends on how you use your computer. I don't miss it at all. If you really do need it then it would be a good idea to prevent browser access by default IMO.

[v4jr4]

Well I guess it depends on how you use your computer. I don't miss it at all. If you really do need it then it would be a good idea to prevent browser access by default IMO.

Yep. But I still don't get the clear picture which Java application. It could be web, applet, or executable format. I guess they refer it to applet/executable format.

[zzm9980]

It's very serious, but something as 'very serious' as this comes up at least once a month. Not downplaying the severity, but I'm guessing at least 25% of the viewers on this board have been infected and have their machine owned by a similar vulnerability to this.

As an IT Security guy, I run without the Java Runtime (along with no Flash), on the system I use for normal browsing. Also I primarily use Chrome, which while not perfect, is generally much more secure against browser based attacks than any other browser. You can also set up the user on your computer as a non-admin, and do your browning there, but I don't (and most people won't). About the best advice I can give on the subject.

Oh, if you're on Windows, no matter how annoying the 'Updates' popup is down by your system clock, always install them and reboot as soon as you reasonably can.

[zzm9980]

GRC.com... heh. Take their advice at only the most broad, high level. Steve Gibson is decent to explain IT security concepts broadly to someone like my father, but when it comes to any kind of details of a technical nature he has a very bad track record of flubbing up details or giving the wrong advice.

[Mi Amigo]

Yep. But I still don't get the clear picture which Java application. It could be web, applet, or executable format. I guess they refer it to applet/executable format.

They're talking about the Java runtime environment, originally developed by Sun, which is now part of Oracle. It's what you can get if you visit java.com (not that I'm going to). When you install the runtime packag it also installs an applet (plugin) in the browser to enable the runtime to be called from there.

In theory, if you needed the runtime for software running on your PC but didn't want the browser to have access to it, you could just remove the browser plugin. However, in my experience that is easier said than done, although the latest iteration of the Java ver. 7 code apparently allows you to do that in a less tedious way. However, ver. 7 is allegedly even more flaky security-wise than the latest ver. 6 revision, so my preference was to uninstall the whole damn thing (runtime and plugin(s)) via the Windows 'add/remove programs' (or 'programs and features' in Win7) functionality.

[Mi Amigo]

GRC.com... heh. Take their advice at only the most broad, high level. Steve Gibson is decent to explain IT security concepts broadly to someone like my father, but when it comes to any kind of details of a technical nature he has a very bad track record of flubbing up details or giving the wrong advice.

TBH I'd dispute the 'very bad track record' comment. Sure, he has made one or two dubious calls over the years, but in the main I think he's done a lot more good than harm. Plus he's made it much easier for non-IT security experts like me to understand the underlying concepts.

Sorry if that makes me sound like your father

[v4jr4]

Yep. But I still don't get the clear picture which Java application. It could be web, applet, or executable format. I guess they refer it to applet/executable format.

They're talking about the Java runtime environment, originally developed by Sun, which is now part of Oracle. It's what you can get if you visit java.com (not that I'm going to). When you install the runtime packag it also installs an applet (plugin) in the browser to enable the runtime to be called from there.

In theory, if you needed the runtime for software running on your PC but didn't want the browser to have access to it, you could just remove the browser plugin. However, in my experience that is easier said than done, so my preference was to uninstall the whole damn thing (runtime and plugin(s)) via the Windows 'add/remove programs' (or 'programs and features in Win7) functionality.

Unless it's vital for daily tasks, uninstall Java is still an option

[Mi Amigo]

Unless it's vital for daily tasks, uninstall Java is still an option

10-4. That gets my vote.

[zzm9980]

GRC.com... heh. Take their advice at only the most broad, high level. Steve Gibson is decent to explain IT security concepts broadly to someone like my father, but when it comes to any kind of details of a technical nature he has a very bad track record of flubbing up details or giving the wrong advice.

TBH I'd dispute the 'very bad track record' comment. Sure, he has made one or two dubious calls over the years, but in the main I think he's done a lot more good than harm. Plus he's made it much easier for non-IT security experts like me to understand the underlying concepts.

Sorry if that makes me sound like your father

I don't want to get into a pissing match over this, but your comment seems contradictory. I did say he does good for non-technical people. You're disputing my 'very bad track record' comment, but then you tell me a few lines later you're NOT an IT Security expert. I wouldn't non-experts to pick up on a lot of his inaccurate calls; as mentioned it's usually the technical details. If you're bored, Google "Steve Gibson incorrect" or "Steve Gibson is wrong" for some other people's rants on the topic. From me personally, I've listened to a few of his podcasts (and my peers' suggestion so I could laugh at the ridiculous things he says) and found his understanding of WPA2-PSK security, TLS/SSL, Certificates and man in the middle attacks pretty flawed for someone who claims to be a security expert. He has many common misconceptions that non-security IT people or middle management often have. Again, he encourages good overall behaviour but does make technical mistakes often enough to have a negative reputation amongst most of the IT Security community.

edit: Here is a good post with quotes and references to very well respected people in the industry (Fyodor, Mark Russinovich), and their opinion of him, including ridiculous shit he has said:
http://allthatiswrong.wordpress.com/200 ... s-a-fraud/

and another: http://attrition.org/errata/charlatan/steve_gibson/

[Mi Amigo]

Hey zzm, I certainly don't want to get into a pissing contest either, partly because I'd obviously lose, given that you are a security expert and I'm just an interested amateur; but also because I respect you as a long-standing member of this forum. I apologise if my comments came across as provocative - that certainly wasn't the intention. They were based on my knowledge of Steve Gibson's activities and the fact that I have learned some 'best' (or at least 'better') practices from listening to his podcasts. The links you posted look very enlightening and I will definitely have a more detailed read of them over the weekend.

Just out of interest, which sites, podcasts, etc. do you use to get reliable security information? I read Brian Krebs' blog and check out the Sans site from time to time, plus I listen to the 'Cisco Cyber Risk Report' podcast. I'm sure there are many other good sources of info, but some of the other ones I've found have been somewhat impenetrable for a non-expert like me.

[sundaymorningstaple]

Thanks guys. I've been running without Java Plug-ins in Chrome & FF for a while now, but wasn't sure just how deep it goes. Good to get some professional feedback.

[Strong Eagle]

If one is running a good anti-virus, anti-malware product, you won't get infected in the first place. One must first load the naughty software onto your PC, and if spurious browser requests are blocked, and the anti-virus companies block known infection sources, chances are low that you will get smacked.

Porn and warez surfers beware.