[LINK] Security problems with Java in browsers

Roger Clarke Roger.Clarke at xamax.com.au
Tue Sep 18 08:24:32 AEST 2012


At 1:16 +1000 18/9/12, Robin Whittle wrote:
>It looks like it might be a good idea to turn off Java applets (not
>javascript) in browsers, on Windows, Linux and Mac, due to a spate of
>problems in recent weeks:

It would be interesting to know what proportion of linkers have Java 
turned on in their browsers.

I turned it off so many years ago that I can't remember when it was.

My concern back then was less about abuse of the power of the 
language - although that was when we believed that it was effectively 
sandboxed.  My concern was that the absence of design, and the 
grievously low standard of coding, meant that there were liable to be 
many applet malfunctions.

And indeed the stability of my browsers did improve after I turned 
Java off.  And I don't miss whatever the various gee-whizzeries are 
that Java applets would give me.

I still take a risk with Javascript.

____________________________________

>https://blog.mozilla.org/security/2012/08/28/protecting-users-against-java-security-vulnerability/
>
>Here is how to disable Java for Firefox, Safari, Chrome, Opera and MSIE
>(looks really complex):
>
>   http://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java-browser/
>
>   http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
>
>Unless there is a clear need for it, it may be easier to uninstall Java
>from the computer entirely.
>
>Oracle released a version which apparently fixes the vulnerability:
>
>
>http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/
>
>   http://www.theregister.co.uk/2012/09/06/apple_java_update/
>
>but it was not clear to me whether or not the version installed on my
>Windows XP machines here (1.6.0_35, via Control Panel > Java > Java >
>View) fixes the vulnerability.  Since the vulnerability was reported to
>Oracle in April, and only fixed in late August after it was widely
>exploited:
>
>   http://www.theregister.co.uk/2012/08/22/malware_crisis/
>
>this doesn't inspire confidence in enabling Java at all in web browsers.
>  How would I know when it is "safe" to enable it?  I haven't figured
>this out.  It is never entirely safe, to run any Internet-capable
>software.
>
>Clicking the "Update Now" button in Control Panel > Java > Update told
>me that I can use it to install Java 7 update 07.  But when I did so (I
>only run Windows XP) the window identified itself as "Java 6 Update 33".
>   Once this was done, the View button led to a display of "1.7.0_07".
>I guess this version fixes the vulnerability:
>
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
>
>which has caused the recent trouble.  When I rebooted Firefox, Tools >
>Addons > Plugins indicated that "Java(TM) Platform SE 7 U7 10.7.2.11"
>was enabled.  I disabled it in Firefox and other browsers I occasionally
>use.  (I use Java on one machine for cross-platform shareware eBay
>bidding program Jbidwatcher.)
>
>Java vulnerability has been a hot topic in the last three weeks:
>
>  http://www.google.com/search?q=%22disable+Java%22
>
> 
>http://thenextweb.com/apps/2012/08/28/security-companies-you-disable-java-just-uninstall/
>
>
>This is how difficult it can be to remove the Zeroaccess rootkit, which
>is one of the items of malware being installed via the Java vulnerability.
>
>  http://www.theregister.co.uk/2012/09/03/java_cleanup/
>
>I guess these vulnerabilities may be beyond the capacity of anti-virus
>programs.  I run a well-known commercial antivirus program not because I
>think it offers complete protection, but because I guess it provides
>more protection than I could achieve myself without devoting myself
>full-time to computer security.  It frequently announces it is busy
>doing things, and sometimes declares downloaded files as "safe", but it
>hasn't made a bleat about the PC running a vulnerable version of Java
>and having it enabled in my primary browser.
>
>  - Robin
>
>_______________________________________________
>Link mailing list
>Link at mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link

-- 
Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University
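As an added example, not part of the thread, a small Python check that parses the version strings quoted above (Control Panel's "1.7.0_07", the Firefox plugin list's "Java(TM) Platform SE 7 U7 ...", and a constructed `java -version` line) and compares them with the 7u7 release the thread names as the fix for CVE-2012-4681. The `FIXED_UPDATE` table and the `java -version` sample are assumptions; Java 6 builds are reported as "not assessed" because the thread does not settle that question.

```python
import re
from typing import Optional, Tuple

# Patterns for the three places a Java version shows up in practice:
#   Control Panel > Java > View      -> "1.7.0_07"
#   Firefox Tools > Addons > Plugins -> "Java(TM) Platform SE 7 U7 10.7.2.11"
#   `java -version` on a shell       -> 'java version "1.7.0_07"' (constructed sample)
_CONTROL_PANEL = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")
_FIREFOX_PLUGIN = re.compile(r"Java\(TM\) Platform SE (\d+) U(\d+)")
_JAVA_VERSION = re.compile(r'java version "([^"]+)"')

# Assumption: minimum update level per Java family that contains the fix.
# Only the 7u7 release named in the thread (CVE-2012-4681) is recorded here;
# families without an entry are reported as "not assessed", never as safe.
FIXED_UPDATE = {7: 7}


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (family, update), e.g. (7, 7) for '1.7.0_07', or None if unparseable."""
    m = _JAVA_VERSION.search(text)
    if m:                      # unwrap a `java -version` line to its quoted string
        text = m.group(1)
    m = _CONTROL_PANEL.match(text.strip())
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _FIREFOX_PLUGIN.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def patch_status(text: str) -> str:
    """Classify a version string as 'patched', 'vulnerable', 'not assessed' or 'unknown'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family not in FIXED_UPDATE:
        return "not assessed"
    return "patched" if update >= FIXED_UPDATE[family] else "vulnerable"


if __name__ == "__main__":
    # Strings quoted in the thread plus one constructed `java -version` line.
    for sample in ("1.6.0_35", "1.7.0_07",
                   "Java(TM) Platform SE 7 U7 10.7.2.11",
                   'java version "1.7.0_06"'):
        print(f"{sample!r}: {patch_status(sample)}")
```

Note that the Firefox plugin string carries its own build number (10.7.2.11) that does not match the JRE version; the check keys on the "SE 7 U7" part, which is what the thread uses to identify the update level.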


