Latest Java patch is not enough, warns US gov: Axe plugins NOW

Security experts advise users to not run Java in their web browsers despite a patch from Oracle that mitigates a widely exploited security vulnerability. The database giant issued an emergency out-of-band patch on Sunday, but despite this the US Department of Homeland Security continues to warn citizens to disable Java plugins …

COMMENTS

  1. stephajn
    Mushroom

    Java...meet C4

    And by C4 I mean the explosive kind. Seriously....it is just insane to think of using this plugin on a site anymore in my opinion. Especially if your site is say....a bank or a government site. Just frightening.

    But then, Internet Explorer is no better. Thankfully their market share is dropping in favour of other, much more secure browsers....

    1. LarsG
      Meh

      The end of Java?

      1. keith.nicholas

        no, not java as a whole, but java as a plugin to the browser is a lemon, just as flash is, and silverlight.....sooner they are all killed off the better

    2. I ain't Spartacus Gold badge

      Re: Java...meet C4

      stephajn,

      Internet Explorer isn't that bad nowadays. At least IE9 isn't. It's nothing like the security nightmare that it used to be.

      I know that's less true if you're on XP, and stuck on whatever version works on that nowadays (IE7?). Even so, MS have worked hard on making it better, and deserve at least a bit of credit for having woken up to the security issues years ago. They're by no means perfect - but they have put a lot of time and money into improving things.

      Adobe on the other hand... They need a righteous shafting.

      I'm not sure if it's fair to blame Oracle for Java - depending on how seriously they've taken improving security since they took it over.

      1. This post has been deleted by a moderator

        1. Khaptain Silver badge

          Re: "Internet Explorer isn't that bad nowadays" - Yes it is.

          Is Barry Shitpeas your brother by any chance ?

        2. I ain't Spartacus Gold badge
          Trollface

          I shouldn't post this, but it's too tempting...

          Eadon,

          "IE is still bad, always has been, always will be bad. Microsoft are unable to write good software, history teaches this much. Despite being the browser that comes with Windows - people prefer the alternatives and go to the trouble of seeking and using them. The market has spoken.

          Desktop Linux is rubbish. MS Windows is brilliant! It has over 90% share of the desktop to Linux's 1-2%. The market has spoken.

          Or, perhaps things are more complicated than that? Modern IE is now OK. It's reasonably standards compliant, and I haven't heard web developers moaning about having to code specially for IE in years. The world does change you know... Microsoft are no longer the vicious monopolist they were ten years ago. Popularity doesn't always mean good, Linux is also great. In PCs phones, servers, etc.

          1. Anonymous Coward
            Happy

            Re: I shouldn't post this, but it's too tempting...

            @I ain't Spartacus: "The market has spoken."

            Spoken true! For the Führer! Heil!

            Thank you, for I started to believe the market hadn't had a chance to speak yet, due to the rubber ball gag Microsoft forced on it 30 years ago.

            No matter, my mind is clear now! I will go silence the ones who have started to drift from the "spoken voice" !

            We are legion! Thank you for your discipline.

          2. This post has been deleted by a moderator

            1. I ain't Spartacus Gold badge

              Re: I shouldn't post this, but it's too tempting...

              Eadon,

              Linux on netbooks wasn't wildly popular. Otherwise they'd have kept selling it. People wanted their netbooks to run the same Windows they were used to, and then they ran really really slowly. Admittedly techies were perfectly happy with Linux, but the general customers weren't.

              Also your argument directly contradicts what you say above (the very point I was making). People really hated IE6, IE7 and IE8 so they all went and got Firefox, and then Chrome. Although I'd quibble about how many people actually wanted Chrome, and how many ended up with it by Google having it installed like spyware, when you install other stuff online (how many times have I had to untick that box?). But the point is IE was shit. People changed. If Windows was so utterly shit, Linux is also free and available online, so why didn't people also change to that?

              As I've said to you several times now it's more complicated than your world view seems to allow. Such is life...

              Obviously Linux suffers from driver and software compatibility and Windows being the monopoly. But then so did Firefox and the others. My argument is that IE is now OK. I personally prefer Firefox, because I've got used to it, but when I have to use IE or Chrome, I barely notice the difference nowadays. Except Chrome won't let me have an old style menu bar, which FF and IE will.

              There's one dev above (making a rather shrill argument) that IE still breaks sites. I'm no expert, so I'll modify my opinion if a few others agree. I've not seen a rant from a web developer about IE for several years now, whereas I used to all the time. The last stuff I read was complaints that because IE9 was mostly standards compliant it was breaking the code people had written to work with older versions, that they served to IE user agents.

              1. Anonymous Coward
                Trollface

                Re: I shouldn't post this, but it's too tempting...

                @I ain't Spartacus: While I know you are naive and/or have financial interests in Microsoft, I would like to point out a few things in your writings.

                @I ain't Spartacus: "Linux on netbooks wasn't wildly popular... Admittedly techies were perfectly happy with Linux, but the general customers weren't."

                You missed the bus here, netbooks weren't widely popular, period.

                @I ain't Spartacus: "As I've said to you several times now it's more complicated than your world view seems to allow. Such is life..."

                This sounds arrogant. (Should I bold this for you?)

                @I ain't Spartacus: "Obviously Linux suffers from driver and software compatibility..."

                The usage of the words "software compatibility" is revealing. This shows you think of software only in terms of Microsoft software.

                @I ain't Spartacus: "...and Windows being the monopoly". But wait, you said before "the market has spoken". Is your idea of a market really a monopoly? Flip flop, flip flop, flip...

                @I ain't Spartacus: "I'm no expert...".

                Agreed.

                The part where you admittedly and apparently only "read" about "stuff", but choose to take a technical stance on the matter is strange, very strange. Does this "stuff" you "read" about help you gauge investments? Anyways, either you really are this person I'm reading in here, or you have a financial tie to Microsoft. From many of your comments, and lack of technical reasoning, I'm betting it's a financial tie (I'm hoping).

                Off topic: When you quote someone, and both quotes are full sentences, but not consecutive, how do you do that?

                For example: "I am dog. I am cat. I am animal." I want to quote the 1st and 3rd sentence, but not the second. Do you use ...? Is it "I am dog. ... I am animal." The ... looks strange.

            2. itzman

              Re: I shouldn't post this, but it's too tempting...

              The only reason to retain windows is that most commercial 3rd party apps don't run on linux. And a lot don't run on OS-X either.

              Fortunately there exists virtualisation, so a crumbling old XP installation can be invoked in a couple of seconds to run with those.

              The issue is down to the problems of melding an 'everything is free and public domain' with 'we need to make money to make this app worth writing'

              I may be wrong, but if you compile something against public domain libraries, you have to render the source code available ? And cannot thereafter charge for it without paying royalties to the public domain library authors??

              The problem would be solved in an instant if the Linux community simply said 'it's all free, copy, adapt and use to your heart's content'

              1. Mark .

                Re: I shouldn't post this, but it's too tempting...

                "I may be wrong, but if you compile something against public domain libraries, you have to render the source code available ? And cannot thereafter charge for it without paying royalties to the public domain library authors??"

                You are wrong, completely. If it's public domain, you can do what you like with it.

                If you compile against GPL libraries, you have to release source code to distribute it. But this is true with Windows and Linux. It would only be a problem if this was common practice on Linux, but it isn't - most open source libraries instead use the LGPL, which means you can link without having to release your own source. Then there are licenses like BSD which have no such restrictions anyway. I'm not sure there is a "standard API" as such like with Windows, but toolkits like Qt, SDL, Gtk, Mesa do not have any of the problems you claim.

                And for all Free and Open Source licences, by definition you can charge for them, without having to pay the authors.

            3. Mark .

              Re: I shouldn't post this, but it's too tempting...

              I know there were some problems with this over operating systems like BeOS, what, 10-15 years ago, but do you have evidence that this still continues?

              I mean, these same OEM companies make tablets too these days, as well as Chromebooks. If it was that easy, why aren't they stopping Android tablets and Chromebooks? Or if Asus and Samsung aren't affected, why don't they make Linux laptops?

              I think it's a shame that Linux netbooks went away, though I personally chose to buy a Windows netbook, sorry.

              And don't get me wrong - I dual boot Linux on my Clevo, and think Ubuntu is still good for most people, and wish it had more share. But I don't think it's all down to some alleged evil MS practices. The biggest problem is that it doesn't have support from any major companies selling computers - and it also gets very little advertising, or coverage in the media. These are the things that are necessary. Consider even Android, which, whilst massively successful on mobile, struggled on tablets simply because they got virtually zero coverage in the media. Archos released Android tablets before Apple released their iPad, but Archos were ignored, whilst the entire media hyped Apple even before initially announcing it (remember "istale"?) Android tablet share is now growing, but only because of the greater marketing and awareness for the Kindle Fire and Nexus 7.

              (I also have to laugh at the people who "escape this", by buying into a company that then has control over the software *and* hardware...)

            4. Anonymous Coward

              Re: I shouldn't post this, but it's too tempting...

              Eadon you keep banging on about this:

              "until MS killed that too by telling OEMs not to put Linux on Notebook"

              Independent citation required please.

        3. Don Jefe

          Re: "Internet Explorer isn't that bad nowadays" - Yes it is.

          Is that what web developers say? Funny, you obviously aren't one and shouldn't put words into the mouths of others.

        4. Anonymous Coward

          @Eadon Re: "Internet Explorer isn't that bad nowadays" - Yes it is.

          Upvote from me.

          Anyone who doubts for a nano-second that Internet Exploder is not the absolute Spawn of the Devil has obviously never practiced the art of web design.

          1: Craft a site, from code so lean and pure it's almost poetry.

          2: Validate site against every test W3C can throw at it.

          3: Test site in popular browsers:

          * Firefox —CHECK!

          * Chrome —CHECK!

          * Safari —CHECK!

          * Opera —CHECK!

          * Internet Exploder —COMPLETELY FUCKED!

          4: Spend as much time as it took you to build the site in the first place, patching, twisting and hacking to get it to run properly on that stinking POS of a browser, until the resulting code is now so deformed and ugly it makes you want to weep.

          On the day Internet Exploder is finally taken out and has a bullet put through its head, web designers around the world will be popping the champagne corks. May it rot in Hell!

          1. Anonymous Coward

            @madra

            To be honest, I'm a bit sceptical of claims from any Web developer who describes his own code as "so lean and pure it's almost poetry." The old Internet Exploder thing does nothing to add to your credibility either. Not saying you're lying, just a piece of advice on how to make your arguments look less emotional. That way people are more likely to pay attention to the arguments themselves rather than dismiss them as a rant. Well, it'd make *me* more likely, anyway.

          2. Anonymous Coward

            Re: @Eadon "Internet Explorer isn't that bad nowadays" - Yes it is.

            @masdra If you write your webpages to the w3c spec they won't work in any modern browser so your example is biased by the fact that you must be developing against one of the browsers that you say it works in. Likewise, if you develop standards compliant html for IE it won't work in at least one of the other browsers. You can set up examples to expose any of those browsers listed as 'non compliant', and IE9 is certainly no worse than any of the others.

            The fact is that none of them are 'wrong', the W3C spec simply isn't specific enough to stop minor *differences* in interpretation of that spec. With the complexity of HTML5 you can expect to see this happen all the more where certain parts of the spec won't be supported. If you account for this, testing as you go, then the situation above never occurs.

          3. Blitterbug
            Meh

            Re: @Eadon "Internet Explorer isn't that bad nowadays" - Yes it is.

            Madra, you'll only encourage him.

          4. itzman

            Re: @Eadon "Internet Explorer isn't that bad nowadays" - Yes it is.

            @madra. BTDTGTTS

        5. Anonymous Coward
          FAIL

          Re: "Internet Explorer isn't that bad nowadays" - Yes it is.

          "... Despite being the browser that comes with Windows - people prefer the alternatives and go to the trouble of seeking and using them. ..."

          And on Android I use Dolphin and Opera....so by your argument, Google's shit as well.

      2. Blitterbug
        Happy

        Re: Internet Explorer isn't that bad nowadays

        Mr Spartacus, you're gunna get DVd like there's no tomorrow for balanced commentary like that, I'm afraid. IE is indeed far from the spew-covered monstrosity of old and I feel no less secure using it. However I also have FF, Opera and the chrome-plated one simply cos different sites render better in different browsers and you learn which over time. Some sites only render properly in Chrome, some in FF, some in IE. Opera has a lovely 'block' option on the right-click, but can be sluggish. I generally prefer Chrome over IE cos of the way it handles downloads, but you can't set the 'New Tab' option to open your home page which annoys the living fuck out of me. Ah well.

  2. Anonymous Coward
    Meh

    Believe it or not...

    ...there are actually some reasons why Java in the browser is a "useful thing". Not many, I grant you, but there are some. For example, the organisation I work for requires us to use a secured VPN tunnel with a Java client to RDP into our workstations, and plenty of other organisations require something similar.

    1. Anonymous Coward

      Re: Believe it or not...

      You've been implementing your VPN wrong, change it, it's not that hard.

      - Steve Jobs

    2. Steen Hive
      Coat

      Re: Believe it or not...

      IE may nowadays be more red-headed stepchild than the spawn of the devil it once was, but shitty java-based browser clients to shitty proprietary SSL VPNs are most certainly more than able to step up and assume that dubious accolade. "Requiring crap" isn't really a good use-case.

  3. This post has been deleted by a moderator

    1. hayseed

      Re: Bullshitometer

      Two years to address issues, not just a bug. Rearchitecting (addressed in new releases, like java 7 and 8) would take time, like XP SP2 or Adobe Reader X.

    2. Mike Flugennock
      Coat

      Re: Bullshitometer

      2 years to fix bug, says someone at a "penetration testing software" vendor.

      Why do journalists on a techie blog print this type of crap?

      Uhhmmm... so they'll have an excuse to use the word "penetration"?

      Thanks, you've been wonderful. I'm here all week. Don't forget to tip your waitress.

    3. Michael Wojcik Silver badge

      Re: Bullshitometer

      2 years to fix bug, says someone at a "penetration testing software" vendor.

      Says a well-known, reputable security researcher. But you wouldn't know about that, would you? Do you have any actual real-world qualifications, Eadon, or are you just a sock puppet that exists only to whine about how Microsoft done you wrong? Honestly, you're like a record at the end of the track: just the same noise over and over.

      And it's not "to fix bug" [sic]. Moore suggested it would likely take Oracle a couple of years to address this class of vulnerabilities. Do you understand the vulnerabilities? I would guess not. Here's a hint: they involve using reflection to bypass access restrictions (primarily implemented through visibility, which was not a good idea) on privileged methods, and thereby elevate privilege. (It's a trampoline attack, in other words.) Closing any number of such holes doesn't provide much confidence that they're all closed, or that new ones won't be created in the next release; so the developers will need to rethink their entire approach to access restriction for privileged methods, then implement it, then find and refactor all the old code that depends on the current approach.

      So yeah, that might take a little while - assuming Oracle commits to actually fixing this in the first place.

  4. Anonymous Coward

    What is needed...

    All Anti-virus companies need to start treating drive-by malware as viruses and STOP them from getting onto my computer. For years malware has been largely ignored by AV companies and outfits like Malwarebytes and Spybot have stepped in to fill the gap. Even today, Malwarebytes picks up trojans and other crap my Symantec (Work) and AVG (Home) miss.

    Sandbox the browser and squash anything that acts up. If a few web sites break as a result then good. Maybe we will stop going to them in time.

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: What is needed...

      For years malware has been largely ignored by AV companies...

      You have it in a nutshell: don't rely on any single product to provide security. A layered approach is the way to go.

      1. asdf Silver badge
        Trollface

        Re: What is needed...

        >You have it in a nutshell: don't rely on any single product to provide security. A layered approach is the way to go.

        Yeah, because nothing makes the games scream like having 5 different apps looking at every disk read and write. Granted you can have whitelists and such, but what a damn bother. Good security, especially on Windows, is always a fair amount of work and there is generally a trade off of security vs performance and usability. Still, there is a reason I generally only access my banking accounts with *nix machines. Windows is for gaming and work but not really security.

    2. Tom 7 Silver badge

      Re: What is needed...

      It's been possible with sensible security settings, but then your computer wouldn't be the fun you want it to be.

      So do you want simple and fun or secure and complicated? They are mutually exclusive despite what you've been told by people who sell you this crap.

    3. tirk
      Windows

      Re: What is needed...

      To misquote Homer Simpson... Anti-virus companies; the cause of, and solution to, so many of life's problems!

    4. dssf

      Re: What is needed...

      What *I* want is for Firefox on Android to work like it does on the desktop, and support:

      -- Trueblock Plus

      -- Adblock Plus

      -- Better Privacy

      -- Caffeine Security Secure Firefox

      -- Flashblock

      -- Google Privacy

      -- Noscript

      -- Request Policy

      Any site operators and any development managers who would deny me these need a S-E-V-E-R-E ASS kicking.

      Not every visitor will want these levels of security concurrently, but for those of us who bought tablets, only to find out Mozilla gives F*ckall a care for our needs, it is disheartening. Google can't be bothered to give an expeditious frack and so won't give us proper, built-in IDS, firewalls, and reporting tools having forensics quality so we who care can lob that information to law enforcement in a package they can read, sort, and format for case prosecution. I do NOT give two F*CKS what marketing people want, what paid-for sponsors or sponsees want, or the like. There is way too much criminal activity going on against ordinary people who surf for any sort of priority to be granted to marketing people who put data scarfing above user protection.

      Yes, I become extraordinarily livid when this vein of topic arises. Fortunately, I do not have a $25,000,000 pot from which to pay bounty hunters with K.O.S orders. Wait, in certain jurisdictions, that could get me arrested, right? That is why it is FORTUNATE I do NOT have the monetary or Houdini resources to pull off bounties and remain undetected.

      1. Anonymous Coward
        Joke

        Re: What is needed...

        "What *I* want is for Firefox on Android to work like it does on the desktop....."

        Sorry, my battery doesn't last that long

    5. Don Jefe
      Joke

      Re: What is needed...

      Just buy an Apple or (x)ix product & you'll have nothing to worry about.

    6. Dan 55 Silver badge
      WTF?

      Re: What is needed...

      Java is already sandboxed.

  5. mark l 2 Silver badge

    I could get rid of Java from my PC if someone would come up with an alternative file manager for webmin that doesn't require Java, as I need it to admin my web servers.

    1. Khaptain Silver badge

      Alternative and secure option

      CLI and SSH.

  6. Anonymous Coward

    Java

    Write your malware once and run it anywhere

    1. asdf Silver badge

      Re: Java

      >Write your malware once and run it anywhere

      Only because it's able to avoid the horrible pile of steaming shit that is Swing.

      1. Destroy All Monsters Silver badge
        Trollface

        Re: Java

        > 2013

        > Still not into Griffon

  7. tuxtester
    Facepalm

    Re: I could get rid of Java ...

    The problem applies to a program specifically coded using tool kits (java packages) which have been designed to take advantage of the security holes in Oracle's JVM called Java 7.

    Running a desktop application such as Minecraft is not a problem.

    OpenJDK is an excellent alternative to Oracle's JVM and is standard on Linux.

    OpenJDK is still version 6 build 20-ish (IcedTea6) and so won't suffer from this particular security problem.

    Yet the US Gov have used the term Java to imply there's just a single JVM.

    Java is the language not a particular runtime. There are many different Java Virtual Machines. Most mobile telephones have one but NOT an Oracle JVM. None of these security problems can exist, by any means, on these devices. The JVM simply isn't the same or used in mobile device browsers.

    Java isn't the problem, Java is a programming language. The security problem lies squarely at the door of one implementation of the JVM: Oracle's.

    Uninstall Oracle's Java 7 software and replace it with OpenJDK.

    1. vic 4

      Re: I could get rid of Java ...

      OpenJDK and IcedTea are also affected. OpenJDK and Oracle's JVM share much of the same code base.

      1. The BigYin

        Re: I could get rid of Java ...

        Can you cite a source for that, please? I'm genuinely interested to know if OpenJDK/IcedTea is affected or not.

        A bit of quick searching only yields me forums postings - nothing authoritative.

        1. vic 4

          Re: I could get rid of Java ...

          How about the document referred to in the article?

          http://www.kb.cert.org/vuls/id/625617

          1. The BigYin

            Re: I could get rid of Java ...

            Thanks! Dunno how I missed that. My excuse is that I'm laid up with the lurgy.

  8. Paul Anderson
    Thumb Up

    Agreed, Tuxtester, and a really important point that writers are missing. The vulnerabilities are in JVM / Java Runtime Environment. JavaScript is OK, right ?

    1. Destroy All Monsters Silver badge
      Pint

      JavaScript has nothing to do with anything (though it had, and still does, have problems).

      Additionally, why not use NoScript? No autostarting Applets anymore.

      1. asdf Silver badge
        Trollface

        I dare say Javascript flaws are still responsible for more malware dumping than Java would be my guess but Java is catching up these days.

  9. Destroy All Monsters Silver badge
    Big Brother

    The next governmental announcement

    "Uninstall TSA! Groping, probing, stealing and fondling (plus possibly cancer-installing) by uniformed nontrustworthies performing security theater will take years to fix. Additionally, the effectiveness of TSA is marginal. We recommend that every tax-paying citizen no longer deal with this product."

    Bet it won't come.

    1. asdf Silver badge
      Big Brother

      Re: The next governmental announcement

      I know I am going to get the crap down voted for this comment but most of the sympathy I had for survivors who lost loved ones in 9/11 flew out the window when they pushed for the creation of the Ministry of Love (Department of Homeland Security who oversee TSA). Surprised they didn't push to bring back the Un-American Activities Committee in the House as well.

      1. Mike Flugennock

        Re: The next governmental announcement

        ...Surprised they didn't push to bring back the Un-American Activities Committee in the House as well...

        Actually, they did, only under a bunch of different names.

      2. Anonymous Coward

        Re: The next governmental announcement

        "who lost loved ones in 9/11 flew out the window"

        Unfortunate use of that phrase, there, asdf,

  10. Yet Another Anonymous coward Silver badge

    My new invention

    My bank has Windows PCs running IE displaying an internal app with lots of text boxes that the user tabs between to enter the numbers.

    I suggest replacing the virus prone PC and the malware prone browser with some sort of custom hardware which sends tab characters directly down a wire to the big computer and receives the text to print in the box directly from the same wire. The custom box wouldn't have an OS or be able to access facebook

    Can anyone suggest a name for this technology?

    1. Ponmyword

      Re: My new invention

      You could call it a smart terminal as it's smart enough not to be a security problem.

    2. Anonymous Coward

      Re: My new invention

      vt100 ?

    3. itzman

      Re: My new invention

      Wyse 50?

  11. Jon Double Nice

    "If you can't avoid...

    ...using a handful of websites that demand your browser supports Java", why not apply a small piece of Sellotape to a corn cob.

  12. koolholio
    Holmes

    "This will help mitigate other Java vulnerabilities that MAY be discovered in the future."

    As the title reads... Just as never turning the machine on will eliminate all except for WAKE ON technologies.

    It's true that... if you have no plan to use it, or need it, why is it installed... However, let's be realistic... It's not half as bad as Adobe's issues, given most users probably weren't aware that 11.5.502.146 was released recently since code for prior versions went public... and could easily be blocked by decent AV heuristics... because it mainly targets JMX classes in Java.

    Now let's focus upon more pressing matters such as... nginx, IIS 8 and Apache 2.4.3 ... IE 7,8,9 and 10 connection handling overruns which result in a DoS... and can be performed remotely!

  13. Anonymous Coward

    It's said to work on more browsers than just IE 7,8,9,10

    I am still to see one which isn't currently vulnerable to it. Suggestions, anyone?

  14. Manu T

    disable everything

    And while we're at it. Why not just disable everything?

    Without the bloody javascript the web is faster.

    MAKE webdesigners... pardon... web-programmers... do proper websites again.

    Instead of a horrible piece of ECMA-code use a simple bloody HTML-tag like this one

    (A HREF="http://www.site.com/pic.jpg" target="_blank">Link</A) to open an image in another window!

    Yes, GSMArena I'm pointing AT YOU (amongst others)!!!

    For the record I removed the first < and last > to get the code displayed itself.

    In fact disabling JavaScript on your smartphone not only decreases the data volume coming through, it also makes the bloody thing much faster. Which is important for the mortals amongst us who don't have quad-core-GHz-gigabyte-RAM-sucking-LTE-monsters.

  15. Anonymous Coward

    Firefox, Chrome, Chromium, Lynx, Epiphany, W3m, Opera, IE <- This is the most affected

    I'm thinking the TCP stack might need re-writing! Or some network engineers get forensics training?

    JBoss App Server versions 4.0.2, 4.2.2 , 4.2.1 , 4.0.*,4.2.* is RCE'd too since:

    web-console/Invoker allows you to invoke jboss.admin:service=DeploymentFileRepository without permissions

  16. southpacificpom
    Trollface

    OMG - you mean I could get hacked playing Minecraft!

    Fix Java NOW!

    1. vic 4

      OMG - you mean I could get hacked playing Minecraft!

      No

  17. Anonymous Coward

    If you're still unlucky enough to be a java programmer...

    ...now would be a good time to learn Python. Right now.

    1. tuxtester
      Linux

      Re: If you're still unlucky enough to be a java programmer...

      Moved to Android (Google's version of Java) development two years ago. It has been a really interesting learning curve. If you think you know Java, try Android development.

      Java is a beautiful programming language and not a superset of anything like C++.

      Oracle JVM can be substituted with OpenJDK. It works fine for development. Netbeans has no trouble with it and OpenJDK does not suffer from said security problem.

    2. vic 4

      Re: If you're still unlucky enough to be a java programmer...

      Such a ridiculous comment you couldn't even add your name to it.

      Why should this have any consequence on the use of java where it is most commonly used? Applets probably cover less than 1% of java deployments (no data, just a guess based on my experience). They were great years ago but have been superseded by browser improvements; where they solved "real" problems, webstart is by far the better solution.

      Java desktop and server applications are not affected by this issue at all, it's irrelevant. I know python well and it just can't scale up to the demands that most software has placed on it, especially in an enterprise, you know, the software that many businesses and governments rely on.

      1. Anonymous Coward
        Anonymous Coward

        Re: If you're still unlucky enough to be a java programmer...

        So your real name is 'vic 4' is it?

  18. Mectron

    FINALLY

    Will we see the end of one of the most inefficient and bloated pieces of software ever?

    FLASH: YOU'RE NEXT!

    1. Anonymous Coward
      Anonymous Coward

      Re: FINALLY

      I haven't got a next.

      And I wouldn't show it to you, if I did.

    2. bazza Silver badge

      Re: FINALLY

      Flash? Maybe. But why bother attacking Flash? The numerous opportunities offered by HTML 5 and Javascript must surely be very tempting.

      Every time anyone does a new execution environment it takes years and years before all the bugs get ironed out. OSes aren't bad now, but they're still finding problems 22 years in. JAVA is riddled with problems seemingly, and that's been around for a long time now. Javascript has been terrible too, until browser people started implementing half-decent sandboxes. Flash has had its problems too... Even .NET has had to be patched many times, though because hardly anyone used Silverlight no one noticed the vast security holes it probably blew in your browsing experience.

      So remember that HTML 5 is just another environment, is brand new, and does not require an attack to break out of whatever sandbox the browser has wrapped around it. That's because HTML5 is now the OS as far as Web apps are concerned; there are already proof-of-concept attacks on it. It's bound to be riddled with flaws, and one day the anti-virus vendors will be selling AV for your browser...

      The HTML 5 proponents are being highly overconfident in my view, and the more it gets extended and the more OS-like it becomes the more dangerous it is. If Web apps really take off as replacements for JAVA, OSes, native apps, Flash, etc it won't take long before attackers start finding the holes in it and using them. Except their attacks may well be successful across a wider range of machines, because the browser author has probably made the same mistakes in the Windows, Mac and Linux versions.

      Quick question. If JAVA and Flash are bloatware, why aren't Javascript and HTML 5? HTML 5 in particular is the thickest of layers imaginable to lie between executable code and the CPU. It's a crazy way of running code.

  19. Steven Roper
    WTF?

    What I want to know is

    Who at Oracle pissed in the US government's cornflakes? From the way the DHS has been carrying on about Java lately, you'd think they were the fourth arm of the Axis of Evil!

    1. ForthIsNotDead
      Thumb Up

      Re: What I want to know is

      +1

      Exactly what I was thinking.

      1. tuxtester
        Linux

        Re: What I want to know is

        Same here. It's bizarre.

        I bet if you wander the US Gov's halls, you'll find PC after PC running Microsoft Windows and IE!! The most insecure operating system and browser in existence.

        A quick Google search for: security hole .net

        returns a few results too.

  20. Anonymous Coward
    Anonymous Coward

    Could someone please tell the network support team at my work the difference between Java and Javascript? I keep overhearing them telling clients who have heard about this vuln and have phoned up worried about it that they do still need Java in their browser as most websites in the world use it.

    I've tried butting in and explaining it to the support technicians myself, but when I do their eyes just glaze over because SIMILAR WORDS BE CONFUSING

    Anon for obvious reasons.

  21. Ejnar
    Facepalm

    Why turn off?

    The only solution the 'security experts' seem to be able to come up with is : "turn it off".

    Of course that is a valid solution if you know you will never need Java in the browser.

    However Java is still widely used in the browser, perhaps not so much on the public internet (except perhaps netbanks), but it is - in my experience - pretty much omnipresent on corporate intranets.

    Any plugin (be it Java, Flash, .NET) that allows you to download code on-the-fly and then execute it is vulnerable, sandbox or not. Bugs will always exist. The only way forward is to educate users not to say 'yes' to executing something when they don't know what it is. The real problem is that too many users have had their browsers configured in such a way that code would be executed without any prompt or active accept from the user.

    There are multiple ways to force your browser (or the plugin) to give you that prompt. The new increased default security level in Java 7 Update 11 does just that. Chrome has always had this functionality. Firefox users can use the NoScript extension, etc.

    Personally I'm perfectly happy with the solution resulting from the new default security level in Java 7 Update 11. I believe that will provide me all the protection I need ... also against vulnerabilities that have not yet been discovered. But as far as I understand this solution has indeed always been available to me: I could have increased the default security level myself. I could have done that last week when the reports about the vulnerability first came out. But all the 'security experts' could muster was the recommendation to 'turn it all off'.

  22. Anonymous Coward
    Linux

    Does the exploit work on Linux?

    Does it give you root access to the underlying Operating System?

    1. fajensen Silver badge

      Re: Does the exploit work on Linux?

      One does not need root access to do bad things with a Linux system - "the standard user" is so powerful that most interesting things on a Linux system are run on crippled accounts deliberately.

      Malware-injectors, all kinds of bots, spam-mailers, DDOS-applications, kiddie-porn distribution, whatever - will be perfectly functional as a normal user. Easier to install too.

  23. JaitcH
    Happy

    People should listen up to the US Government ...

    they are the experts in leaky systems - they leak all over the place.

    Maybe Manning had a virus on his machine?
