JAVA Security!

Discuss about computers & Internet. Including mobile phones, home appliances & other gadgets. Read about Windows security risks or virus updates.
sundaymorningstaple
Moderator
Posts: 39997
Joined: Thu, 11 Nov 2004 1:26 pm
Answers: 11
Location: Retired on the Little Red Dot

Post by sundaymorningstaple » Fri, 11 Jan 2013 4:14 pm

So how, our learned IT gurus on the board? Something to be concerned with or tempest in a teacup? :o :o :o

http://www.todayonline.com/Technology/E ... urity-flaw

SAN FRANCISCO - Computer users are being advised by security experts to disable Oracle Corp's widely used Java software after a security flaw was discovered in the past day that they say hackers are exploiting to attack computers.

"Java is a mess. It's not secure," said Ms Jaime Blasco, Labs Manager with AlienVault Labs. "You have to disable it."

Java, which is installed on hundreds of millions of PCs around the globe, is a computer language that enables programmers to write software using just one set of code that will run on virtually any type of computer.

It is used so that Web developers can make sites accessible from browsers running on Microsoft Windows PCs or Macs from Apple.

Computer users access those programs through modules, or plug-ins, that run Java software on top of browsers such as Internet Explorer and Firefox.

Three computer security experts told Reuters yesterday that computer users should disable those Java modules to protect themselves from attack.

A spokeswoman for Oracle said she could not immediately comment on the matter.

"This is like open hunting season on consumers," said Mr HD Moore, Chief Security Officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks.

Mr Moore said machines running on Mac OS X, Linux or Windows all appear to be vulnerable to attack.

Mr Marc Maiffret, Chief Technology Officer with BeyondTrust, said that businesses may need to keep using Java to access some websites and Internet-based programs that run on the technology.

"The challenge is mainly for businesses, however, which have to use it for some applications," he said. "Oracle simply needs to do a lot more to secure Java and get their act together."

Security experts said the risk of attack is currently high because developers of several popular tools known as exploit kits that criminals use to attack PCs have added software that allows hackers to exploit the newly discovered bug in Java to attack computers. Reuters
SOME PEOPLE TRY TO TURN BACK THEIR ODOMETERS. NOT ME. I WANT PEOPLE TO KNOW WHY I LOOK THIS WAY. I'VE TRAVELED A LONG WAY, AND SOME OF THE ROADS WEREN'T PAVED. ~ Will Rogers

Mi Amigo
Manager
Posts: 1794
Joined: Sat, 19 Jun 2004 10:23 pm
Location: Kinto Pino

Post by Mi Amigo » Fri, 11 Jan 2013 4:35 pm

Definitely something to take very seriously IMO.

Java (the runtime that is installed in your PC or Mac) - as opposed to Javascript (which runs in the browser and confusingly is a different animal altogether) - has become a method of choice for the malware community. Many people don't really need the Java runtime, but they have it installed from some time back and never removed it. I've uninstalled it from all our PCs and aside from a neat Java-driven world clock that I used to use, I don't need it for anything.

Until recently, one of our banks here required the Java runtime to be installed on the PC / Mac in order to use their internet banking service; that was just insane, but fortunately they've now removed that requirement for personal internet banking (although it's still required for business internet banking - hopefully they'll re-engineer that soon).

I'm not a gamer myself but I believe that some games use the Java runtime. If you need it for that, then you can install the latest version and disable its use by the browser if that's not needed - see this page and search for the first mention of 'Java' for more details:

https://www.grc.com/sn/sn-383.htm

Another thing that you can do (if you use Firefox) is install the NoScript plug-in - this prevents Javascript by default on each site you visit and you can 'train' it to allow scripting on sites that you trust. The significance is that (I believe) a website would always need to use scripting to call the Java runtime, so if scripting is disabled, this will help protect you from malicious code.

Edit: fixed typos.
Last edited by Mi Amigo on Fri, 11 Jan 2013 5:06 pm, edited 3 times in total.
Be careful what you wish for

v4jr4
Reporter
Posts: 887
Joined: Mon, 09 Jul 2012 11:28 am
Location: Chocolate Factory

Post by v4jr4 » Fri, 11 Jan 2013 4:43 pm

2013 at its best :lol:

As complicated as it is, I don't think it's easy to replace existing modules made from Java. Sure, nothing's perfect. But as far as I can see, Java is used almost everywhere. Disabling it directly is not a good option.
"Budget Expat"

Mi Amigo
Manager
Posts: 1794
Joined: Sat, 19 Jun 2004 10:23 pm
Location: Kinto Pino

Post by Mi Amigo » Fri, 11 Jan 2013 4:45 pm

Well I guess it depends on how you use your computer. I don't miss it at all. If you really do need it then it would be a good idea to prevent browser access by default IMO.
Be careful what you wish for

v4jr4
Reporter
Posts: 887
Joined: Mon, 09 Jul 2012 11:28 am
Location: Chocolate Factory

Post by v4jr4 » Fri, 11 Jan 2013 5:06 pm

Mi Amigo wrote: Well I guess it depends on how you use your computer. I don't miss it at all. If you really do need it then it would be a good idea to prevent browser access by default IMO.
Yep. But I still don't get a clear picture of which Java application. It could be web, applet, or executable format. I guess they're referring to the applet/executable format.
"Budget Expat"

zzm9980
Governor
Posts: 6869
Joined: Wed, 06 Jul 2011 1:35 pm
Location: Once more unto the breach

Post by zzm9980 » Fri, 11 Jan 2013 5:07 pm

It's very serious, but something as 'very serious' as this comes up at least once a month. Not downplaying the severity, but I'm guessing at least 25% of the viewers on this board have been infected and have their machine owned by a similar vulnerability to this.

As an IT Security guy, I run without the Java Runtime (along with no Flash), on the system I use for normal browsing. Also I primarily use Chrome, which while not perfect, is generally much more secure against browser based attacks than any other browser. You can also set up the user on your computer as a non-admin, and do your browsing there, but I don't (and most people won't). About the best advice I can give on the subject.

Oh, if you're on Windows, no matter how annoying the 'Updates' popup is down by your system clock, always install them and reboot as soon as you reasonably can.
Last edited by zzm9980 on Fri, 11 Jan 2013 5:12 pm, edited 1 time in total.

zzm9980
Governor
Posts: 6869
Joined: Wed, 06 Jul 2011 1:35 pm
Location: Once more unto the breach

Post by zzm9980 » Fri, 11 Jan 2013 5:10 pm

GRC.com... heh. Take their advice at only the most broad, high level. Steve Gibson is decent to explain IT security concepts broadly to someone like my father, but when it comes to any kind of details of a technical nature he has a very bad track record of flubbing up details or giving the wrong advice.

Mi Amigo
Manager
Posts: 1794
Joined: Sat, 19 Jun 2004 10:23 pm
Location: Kinto Pino

Post by Mi Amigo » Fri, 11 Jan 2013 5:13 pm

v4jr4 wrote: Yep. But I still don't get a clear picture of which Java application. It could be web, applet, or executable format. I guess they're referring to the applet/executable format.
They're talking about the Java runtime environment, originally developed by Sun, which is now part of Oracle. It's what you can get if you visit java.com (not that I'm going to). When you install the runtime package it also installs an applet (plugin) in the browser to enable the runtime to be called from there.

In theory, if you needed the runtime for software running on your PC but didn't want the browser to have access to it, you could just remove the browser plugin. However, in my experience that is easier said than done, although the latest iteration of the Java ver. 7 code apparently allows you to do that in a less tedious way. However, ver. 7 is allegedly even more flaky security-wise than the latest ver. 6 revision, so my preference was to uninstall the whole damn thing (runtime and plugin(s)) via the Windows 'add/remove programs' (or 'programs and features' in Win7) functionality.
Last edited by Mi Amigo on Fri, 11 Jan 2013 5:35 pm, edited 2 times in total.
Be careful what you wish for
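For readers who need the runtime for desktop software but want to keep it out of the browser, here is an added example (not posted by anyone in this thread, and not from the Reuters article) of the Java deployment configuration that does what the Java 7 Update 10+ Control Panel's "Enable Java content in the browser" checkbox does when you untick it. The property name `deployment.webjava.enabled` and the `.locked` suffix are from Oracle's deployment configuration documentation; the per-user file paths in the comments are assumed from that documentation and should be verified against the version actually installed.

```properties
# deployment.properties - per-user Java deployment settings (Java 7u10 and later).
# Assumed locations (verify for your install):
#   Windows: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
#   macOS:   ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties
#   Linux:   ~/.java/deployment/deployment.properties

# Turn off the browser plug-in entirely: applets and Web Start content launched
# from a web page are refused, while locally installed Java applications still run.
deployment.webjava.enabled=false

# Lock the setting so the Java Control Panel cannot flip it back on
# (an administrator can put the same two lines in a system-wide file
# referenced from deployment.config to enforce it for all users).
deployment.webjava.enabled.locked
```

After saving the file, restart the browser and confirm the plug-in no longer appears in its plug-in list (about:plugins in Chrome and Firefox at the time of this thread); if it still shows, the file is in the wrong place or an older runtime that predates this setting is installed, in which case uninstalling, as the posts above suggest, remains the reliable option.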

Mi Amigo
Manager
Posts: 1794
Joined: Sat, 19 Jun 2004 10:23 pm
Location: Kinto Pino

Post by Mi Amigo » Fri, 11 Jan 2013 5:17 pm

zzm9980 wrote: GRC.com... heh. Take their advice at only the most broad, high level. Steve Gibson is decent to explain IT security concepts broadly to someone like my father, but when it comes to any kind of details of a technical nature he has a very bad track record of flubbing up details or giving the wrong advice.
TBH I'd dispute the 'very bad track record' comment. Sure, he has made one or two dubious calls over the years, but in the main I think he's done a lot more good than harm. Plus he's made it much easier for non-IT security experts like me to understand the underlying concepts.

Sorry if that makes me sound like your father ;-)
Be careful what you wish for

v4jr4
Reporter
Posts: 887
Joined: Mon, 09 Jul 2012 11:28 am
Location: Chocolate Factory

Post by v4jr4 » Fri, 11 Jan 2013 5:32 pm

Mi Amigo wrote:
v4jr4 wrote: Yep. But I still don't get a clear picture of which Java application. It could be web, applet, or executable format. I guess they're referring to the applet/executable format.
They're talking about the Java runtime environment, originally developed by Sun, which is now part of Oracle. It's what you can get if you visit java.com (not that I'm going to). When you install the runtime package it also installs an applet (plugin) in the browser to enable the runtime to be called from there.

In theory, if you needed the runtime for software running on your PC but didn't want the browser to have access to it, you could just remove the browser plugin. However, in my experience that is easier said than done, so my preference was to uninstall the whole damn thing (runtime and plugin(s)) via the Windows 'add/remove programs' (or 'programs and features' in Win7) functionality.
Unless it's vital for daily tasks, uninstalling Java is still an option :D
"Budget Expat"

Mi Amigo
Manager
Posts: 1794
Joined: Sat, 19 Jun 2004 10:23 pm
Location: Kinto Pino

Post by Mi Amigo » Fri, 11 Jan 2013 5:34 pm

v4jr4 wrote: Unless it's vital for daily tasks, uninstalling Java is still an option :D
10-4. That gets my vote.
Be careful what you wish for

zzm9980
Governor
Posts: 6869
Joined: Wed, 06 Jul 2011 1:35 pm
Location: Once more unto the breach

Post by zzm9980 » Fri, 11 Jan 2013 6:55 pm

Mi Amigo wrote:
zzm9980 wrote: GRC.com... heh. Take their advice at only the most broad, high level. Steve Gibson is decent to explain IT security concepts broadly to someone like my father, but when it comes to any kind of details of a technical nature he has a very bad track record of flubbing up details or giving the wrong advice.
TBH I'd dispute the 'very bad track record' comment. Sure, he has made one or two dubious calls over the years, but in the main I think he's done a lot more good than harm. Plus he's made it much easier for non-IT security experts like me to understand the underlying concepts.

Sorry if that makes me sound like your father ;-)
I don't want to get into a pissing match over this, but your comment seems contradictory. I did say he does good for non-technical people. You're disputing my 'very bad track record' comment, but then you tell me a few lines later you're NOT an IT Security expert. I wouldn't expect non-experts to pick up on a lot of his inaccurate calls; as mentioned it's usually the technical details. If you're bored, Google "Steve Gibson incorrect" or "Steve Gibson is wrong" for some other people's rants on the topic. From me personally, I've listened to a few of his podcasts (at my peers' suggestion, so I could laugh at the ridiculous things he says) and found his understanding of WPA2-PSK security, TLS/SSL, Certificates and man in the middle attacks pretty flawed for someone who claims to be a security expert. He has many common misconceptions that non-security IT people or middle management often have. Again, he encourages good overall behaviour but does make technical mistakes often enough to have a negative reputation amongst most of the IT Security community.

edit: Here is a good post with quotes and references to very well respected people in the industry (Fyodor, Mark Russinovich), and their opinion of him, including ridiculous shit he has said:
http://allthatiswrong.wordpress.com/200 ... s-a-fraud/

and another: http://attrition.org/errata/charlatan/steve_gibson/

Mi Amigo
Manager
Posts: 1794
Joined: Sat, 19 Jun 2004 10:23 pm
Location: Kinto Pino

Post by Mi Amigo » Fri, 11 Jan 2013 7:56 pm

Hey zzm, I certainly don't want to get into a pissing contest either, partly because I'd obviously lose, given that you are a security expert and I'm just an interested amateur; but also because I respect you as a long-standing member of this forum. I apologise if my comments came across as provocative - that certainly wasn't the intention. They were based on my knowledge of Steve Gibson's activities and the fact that I have learned some 'best' (or at least 'better') practices from listening to his podcasts. The links you posted look very enlightening and I will definitely have a more detailed read of them over the weekend.

Just out of interest, which sites, podcasts, etc. do you use to get reliable security information? I read Brian Krebs' blog and check out the Sans site from time to time, plus I listen to the 'Cisco Cyber Risk Report' podcast. I'm sure there are many other good sources of info, but some of the other ones I've found have been somewhat impenetrable for a non-expert like me.
Be careful what you wish for

sundaymorningstaple
Moderator
Posts: 39997
Joined: Thu, 11 Nov 2004 1:26 pm
Answers: 11
Location: Retired on the Little Red Dot

Post by sundaymorningstaple » Fri, 11 Jan 2013 9:25 pm

Thanks guys. I've been running without Java Plug-ins in Chrome & FF for a while now, but wasn't sure just how deep it goes. Good to get some professional feedback.

:)
SOME PEOPLE TRY TO TURN BACK THEIR ODOMETERS. NOT ME. I WANT PEOPLE TO KNOW WHY I LOOK THIS WAY. I'VE TRAVELED A LONG WAY, AND SOME OF THE ROADS WEREN'T PAVED. ~ Will Rogers

Strong Eagle
Moderator
Posts: 11504
Joined: Sat, 10 Jul 2004 12:13 am
Location: Off The Red Dot

Post by Strong Eagle » Sat, 12 Jan 2013 12:01 am

If one is running a good anti-virus, anti-malware product, you won't get infected in the first place. One must first load the naughty software onto your PC, and if spurious browser requests are blocked, and the anti-virus companies block known infection sources, chances are low that you will get smacked.

Porn and warez surfers beware.
