
Java and Dr. Evil


davej


See... http://www.cbsnews.c...-java-software/ "The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks. The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts." http://www.slashgear.com/turn-off-java-they-warn-heres-how-you-do-it-12265037/

Edited by davej

I think it's been a while since a security breach in the Java browser plug-in was found. Java in itself is still OK. I'm not sure why they haven't found a solution yet, it's been months.


I have a grudge against Oracle; they seem like they're trying as hard as possible to make as many errors as possible in applications that get used by a lot of people. This happened 6 months ago also, there were 2 critical vulnerabilities in JRE discovered at least in July that were being actively exploited and those didn't get fixed until August. The patch that they released yesterday to fix the latest vulnerability still has security issues. Here's an article from last year about the problems with Java that led to 670,000 Macs getting infected. Here's an article from 2011 that shows that Java is the #1 infection vector for Windows machines, responsible for 37% of infections, with Acrobat Reader at 32%. I saw something recently that said that Kaspersky Lab now says that Java is responsible for 50% of infections, and Acrobat 28% (attacks specifically against IE or Windows account for only 3%). Java has long-term problems, and Oracle seems to be reactive, not proactive, about addressing those problems. Some people suggest Java should be completely rewritten. For my part, I have neither Java nor Acrobat installed on any computer I use and just because of that I'm protected from the vast majority of potential infections. So yeah, I don't like what Oracle has done with Java. Sun didn't do an awesome job with it either, but Oracle looks like it has zero interest in addressing the issues in Java until they become major headlines.


The way I look at it is that I can choose to have Java installed (and by default it installs and enables all browser plugins), and be a part of this, or I can just get rid of Java entirely until I come across some reason why I might need it. I've had to use some of the online meeting sites where I install Java, do the meeting, and uninstall after I'm done. At least the uninstaller works well.


I think it is dismaying that open-source projects can end up being owned by a company that has no motivation to preserve them and actually may have purchased them for the purpose of destroying them.


Here's another article about Java: http://www.networkwo...ake-2-years-fix

HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. "The safest thing to do at this point is just assume that Java is always going to be vulnerable," Moore said. "Folks don't really need Java on their desktop."
And from http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story :
Java is so widely used that the software has become a prime target for hackers. Last year, Java surpassed Adobe Systems Inc's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab. Java was responsible for 50 percent of all cyberattacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.
