[LINK] Security problems with Java in browsers
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Sep 18 08:24:32 AEST 2012
At 1:16 +1000 18/9/12, Robin Whittle wrote:
>It looks like it might be a good idea to turn off Java applets (not
>javascript) in browsers, on Windows, Linux and Mac, due to a spate of
>problems in recent weeks:
It would be interesting to know what proportion of linkers have Java
turned on in their browsers.
I turned it off so many years ago that I can't remember when it was.
My concern back then was less about abuse of the power of the
language - although that was when we believed that it was effectively
sandboxed. My concern was that the absence of design, and the
grievously low standard of coding, meant that there were liable to be
many applet malfunctions.
And indeed the stability of my browsers did improve after I turned
Java off. And I don't miss whatever the various gee-whizzeries are
that Java applets would give me.
I still take a risk with Javascript.
____________________________________
>https://blog.mozilla.org/security/2012/08/28/protecting-users-against-java-security-vulnerability/
>
>Here is how to disable Java for Firefox, Safari, Chrome, Opera and MSIE
>(looks really complex):
>
> http://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java-browser/
>
> http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
>
>Unless there is a clear need for it, it may be easier to uninstall Java
>from the computer entirely.
>
>Oracle released a version which apparently fixes the vulnerability:
>
>
>http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/
>
> http://www.theregister.co.uk/2012/09/06/apple_java_update/
>
>but it was not clear to me whether or not the version installed on my
>Windows XP machines here (1.6.0_35, via Control Panel > Java > Java >
>View) fixes the vulnerability. Since the vulnerability was reported to
>Oracle in April, and only fixed in late August after it was widely
>exploited:
>
> http://www.theregister.co.uk/2012/08/22/malware_crisis/
>
>this doesn't inspire confidence in enabling Java at all in web browsers.
>How would I know when it is "safe" to enable it? I haven't figured
>this out. It is never entirely safe to run any Internet-capable
>software.
>
>Clicking the "Update Now" button in Control Panel > Java > Update told
>me that I can use it to install Java 7 update 07. But when I did so (I
>only run Windows XP) the window identified itself as "Java 6 Update 33".
>Once this was done, the View button led to a display of "1.7.0_07".
>I guess this version fixes the vulnerability:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
>
>which has caused the recent trouble. When I rebooted Firefox, Tools >
>Addons > Plugins indicated that "Java(TM) Platform SE 7 U7 10.7.2.11"
>was enabled. I disabled it in Firefox and other browsers I occasionally
>use. (I use Java on one machine for cross-platform shareware eBay
>bidding program Jbidwatcher.)
>
>Java vulnerability has been a hot topic in the last three weeks:
>
> http://www.google.com/search?q=%22disable+Java%22
>
>
>http://thenextweb.com/apps/2012/08/28/security-companies-you-disable-java-just-uninstall/
>
>
>This is how difficult it can be to remove the Zeroaccess rootkit, which
>is one of the items of malware being installed via the Java vulnerability.
>
> http://www.theregister.co.uk/2012/09/03/java_cleanup/
>
>I guess these vulnerabilities may be beyond the capacity of anti-virus
>programs. I run a well-known commercial antivirus program not because I
>think it offers complete protection, but because I guess it provides
>more protection than I could achieve myself without devoting myself
>full-time to computer security. It frequently announces it is busy
>doing things, and sometimes declares downloaded files as "safe", but it
>hasn't made a bleat about the PC running a vulnerable version of Java
>and having it enabled in my primary browser.
>
> - Robin
>
>_______________________________________________
>Link mailing list
>Link at mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of NSW
Visiting Professor in Computer Science Australian National University
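Robin's message shows three different spellings of the same installed Java release: "1.7.0_07" in Control Panel > Java > View, "Java 6 Update 33" in the installer window, and "Java(TM) Platform SE 7 U7 10.7.2.11" in the Firefox plugin list. The following is an added example, not code from either poster, that normalises those formats to a (major, update) pair and checks them against Java 7 Update 7, the release the thread names as carrying the fix for CVE-2012-4681. The sample strings are constructed to match the formats quoted above; the version threshold is taken from the thread, not verified here against Oracle's advisories.

```python
"""Normalise legacy Java version strings and compare against a fix release.

Added example for the Link thread above; not the posters' code. Covers only
the 1.x numbering scheme of the Java 6/7 era that the thread discusses.
"""
import re
from typing import Optional, Tuple

# Java 7 Update 7 (1.7.0_07): the release the thread identifies as the fix.
FIXED_VERSION: Tuple[int, int] = (7, 7)

# "1.7.0_07"  as shown by Control Panel > Java > Java > View
_DOTTED = re.compile(r"^1\.(\d+)\.\d+_(\d+)$")
# "Java 6 Update 33"  as shown in the installer window title
_UPDATE_WORD = re.compile(r"^Java\s+(\d+)\s+Update\s+(\d+)$", re.IGNORECASE)
# "Java(TM) Platform SE 7 U7 10.7.2.11"  as listed under Firefox Addons > Plugins
_PLUGIN = re.compile(r"^Java\(TM\) Platform SE\s+(\d+)\s+U(\d+)\b")


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for any of the three formats, or None if unrecognised."""
    text = text.strip()
    for pattern in (_DOTTED, _UPDATE_WORD, _PLUGIN):
        m = pattern.match(text)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def patch_status(text: str, fixed: Tuple[int, int] = FIXED_VERSION) -> str:
    """Classify a version string relative to the fix release.

    Returns one of:
      "patched"         same major line, update >= fix update
      "unpatched"       same major line, update <  fix update
      "different-major" another major line (the thread's 1.6.0_35 case: the
                        fix is on the 7 line, so the version string alone
                        does not answer the question)
      "unparsed"        format not recognised
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"
    major, update = parsed
    if major != fixed[0]:
        return "different-major"
    return "patched" if update >= fixed[1] else "unpatched"


if __name__ == "__main__":
    # Constructed samples mirroring the strings quoted in the thread.
    for sample in ("1.6.0_35", "Java 6 Update 33", "1.7.0_07",
                   "Java(TM) Platform SE 7 U7 10.7.2.11", "Java 7 Update 6"):
        print(f"{sample!r:45} -> {parse_java_version(sample)} {patch_status(sample)}")
```

The "different-major" outcome is deliberate: comparing 1.6.0_35 to 7u7 as plain numbers would say "older" and imply vulnerable, which is exactly the conclusion the thread shows cannot be drawn from the version alone.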