[LINK] Net-connected computer security seems impossible. Was: Java ...

Robin Whittle rw at firstpr.com.au
Tue Jan 15 09:40:35 AEDT 2013


This is a long rant about the difficulty and probably futility of trying
to achieve Net-connected computer security.  My conclusion:

   Unfortunately, the only way a system like this can work is if
   every program which might be insecure and responds to web
   browsing or email attachments (browsers, Thunderbird and other
   email clients, PDF readers, MP3 players, Flash players,
   molecular modelling plugins, and probably browser plugins)
   automatically checks for updates every few hours, every hour,
   every few minutes - and if there is a team of developers on
   duty 24 hours a day ready to respond to reports of
   vulnerabilities and ready to push out a reliably fixed update
   within minutes or hours.


Can anyone show why we, collectively - a planet full of people running
Internet-connected PCs, tablets, cell-phones and whatever, each with
programs, which sprout plugins, which handle files, dished out by
potentially hacked servers all over the world, with a crime-driven virus
etc. writing industry cranking out millions of separate attacks - are
not doomed forever to have our machines and therefore much of our lives,
finances, privacy, security etc. repeatedly hacked?

Since a successful attack is likely to be invisible in itself, how are
we to know to what degree these are occurring?  Hackers don't
necessarily use every password they find, or read and use the contents
of every file they can find on a computer they control - and if they
did, we may not notice the effects for a long time.  We should be
grateful, I guess, if all they want the computer for is to join a botnet
they can rent out to spammers or to extortionists for launching
distributed denial of service (DDOS) attacks.

From the thread: Time to disable Java again? "Fixing zero-day exploit
could take 'two years'":


Hi Fernando,

You wrote, in part:

> Did you miss the message I sent earlier to the list. Java 7 update 11
> fixes the alluded flaws, PLUS it includes a new security mechanism
> that DOES NOT run unsigned or self-signed applets, unless the user
> explicitly clicks. This makes "zero click" attacks impossible, even
> if new vulnerabilities are discovered.

I didn't notice your message at 4:39PM yesterday:  "FYI: Java 7 u11
released, plugs browser plugin holes, prevents zero-click attacks using
unsigned or self-signed applets".

On my WinXP system I clicked the Java icon in the system tray (the area
on the right of the bar at the bottom of the screen) and used the
Security tab to disable the running of Java from web browsers.  Maybe
other people were disabling or uninstalling Java, but I want it to run a
program I carefully chose and installed like an application:
JBidWatcher, for sniping eBay auctions.

Before I did this, at about 2:40AM, after reading a ZDNet story (I get
their mailings) and searching a little more, I noticed, as I had before,
that the Java installation was set to check for updates at least once a
week - on Sundays.  That didn't inspire confidence in a world where it
seems that hundreds of news stories were written per hour about a new
vulnerability - with more than one person (who presumably knows their
stuff, but how can I tell quickly if they all don't) saying the
vulnerability is being exploited and is unlikely to be fixed adequately
by Oracle any time soon.  I don't recall the version at the time I
disabled browser activation of Java, but when I went to look at the same
Security tab now, I can't do so now (at least by clicking on the icon)
because, now (maybe because I clicked on the icon earlier), it is
asking me if it can install Java 7 Update 11, and how this "might
uninstall the latest Java 6" from my system.  If I don't allow this, I
can't access the program to see what version it was.

I tried right clicking the icon and got a Properties option.  The last
update was on "14/01/13" (why do so many US companies inflict their
crazy-making dd-mm-yy date format on us all?).  Perhaps by default, it
was set to check for updates at 3PM every Sunday so "If an update is
recommended, an icon will appear in the system taskbar notification
area.  Move the cursor over the icon to see the status of the update.
You will be notified before the update is downloaded."

I could see that it was running (Java tab > View) 1.7.0_10.

I guess if I hadn't done anything, no updates would have occurred until
next Sunday.  I don't know to what degree this was a default setting.

In the Security tab, the "Enable Java content in browser" box had been
checked - that is what I unchecked at 2:40AM.  (There was a message
about this only taking effect after the browser(s) were restarted.)
There is a 5 position security slider there, set to Medium (recommended)
out of Very High, High, Medium, Low and Custom.

I normally use Firefox, which is version 18.0.  I can see from
http://en.wikipedia.org/wiki/Firefox that this is from 2013-01-08 - I
hardly notice automatic Firefox updates these days, and I always let it
update itself ASAP.

> Plus, Firefox 18 includes a new security mechanism that DENIES running
> any plug-in content (not only Java plug-in but also the PDF plug-in
> etc) on a per-site basis until you authorize it (just like what
> happens with Active-X, you get a dialog asking for permission to run
> Plug-in content).

OK - that would help me, but how do most users reliably establish
whether or not some website should be asking their browser to run a Java
applet?  The website could look legitimate, be legitimate and be from an
organisation they rightly trust - but the site (especially if it runs on
a Windows server, which is more likely to be hacked - and many big
commercial and government sites do) may have been hacked to launch a
legitimate looking applet or whatever which is in fact an exploit.

> So, in effect this gives you TWO user permission requests before
> running untrusted, unsigned or self-signed applets. Now tell me how
> any untrusted code is going to run now? Hackers will have to crack
> the web browser... and if they crack the browser, you have bigger
> issues to worry about.

Sure - but Java was written from the very start, as far as I know, to be
incapable of giving dangerous levels of control to anything which
arrived via a browser, without asking the user permission in a manner
which indicated that security was in question.

I am not saying Java is worse than PDFs in terms of vulnerability.  I
got rid of Adobe Reader handling browser PDFs because firstly it is
frequently found to be insecure (though most people would not know
this), because it can easily take 30 to 60 seconds to present me with a
print dialogue and because, for years, it frequently scrambles the fonts
after a certain number of pages on some documents.  I use Sumatra PDF:
http://blog.kowalczyk.info/software/sumatrapdf/download-free-pdf-viewer.html
which is open-source and presumably not so vulnerable (in part due to it
not being so widely used - but maybe it would be if it was very widely
used).  Sumatra doesn't run in the browser - it opens the file and
displays it as a separate application.  Printing is not so fancy as with
Adobe reader so I use its Ctrl-A option to launch Adobe Reader on some
occasions.

As far as I know, hundreds of millions of people have the Java runtime
environment installed on their PCs, ready to run whatever the browser
asks it to.  There clearly was a serious vulnerability and the update
mechanism, at least for me, seems way too slow.  People who claim to
know more about these things than I do are saying that the fix isn't
really a fix and that they don't expect the real problems to be fixed
any time soon - and in the time I choose to spend on this problem (far
more than most people would) I don't see anyone else with suitable
qualifications expressing confidence in Oracle's fix.

I wasn't aware of Firefox's new security mechanism, and I don't recall
it asking about PDFs.  How would most people know if the PDF they get
from some site has a vulnerability or not, before they open it, since a
legitimate site can be hacked to modify PDFs or to offer new ones which
exploit known vulnerabilities?

Computer security is a mess.  It is not just a problem with Microsoft
Windows, though this is surely a large part of it.  I recall looking at
a story a few days ago, which I can't find, where the formerly
"anti-virus" companies (a multi-billion dollar industry) have recognised
they can't keep up with the virus writers (some tens of millions of
discrete virii were mentioned) and were renaming their products in terms
of "security" rather than preventing or even detecting virus attacks.

I will soon update my subscription to Norton Security, because I hope it
might do something useful, even though I guess it will be oblivious to
many or most fresh security threats.

I don't let Firefox cache any password I could not handle a hacker
getting hold of - but how many people recognise that all such saved
passwords could be milked from their machine once it is silently hacked?

Computer security is a mess.  Everyone has computers connected to the
Net and most people are browsing all over the place, letting their
browsers pass all sorts of files, including Java, to other programs or
to plugins or whatever.

Java proponents have always claimed an elevated status for their
language as a browser plugin, since it was designed from the outset to
be secure.

But now, as far as I know, it is not.  Even if the latest update is
secure for now, the update system seems rather slow compared to the
speed with which a vulnerability would be found and exploited on
websites I might be browsing.

Java via the browser can do great things.  Ideally it would be used in
place of Shockwave Flash, another (now Adobe) security nightmare.

I am exploring using Eclipse-CDT for C++ development - a very fancy IDE
which is written in Java so it runs identically on Windows, Linux or
whatever.  Java is a very good thing in many respects, but if it is
written to be secure for general browser use, and is promoted for years
as such, it's bad for it to be found to be flawed, with untimely updates
and especially if Sun, Oracle or whoever is responsible can't respond
with a proper fix to newly discovered vulnerabilities in a few hours.

Unfortunately, the only way a system like this can work is if every
program which might be insecure and responds to web browsing or email
attachments (browsers, Thunderbird and other email clients, PDF readers,
MP3 players, Flash players, molecular modelling plugins, and probably
browser plugins) automatically checks for updates every few hours, every
hour, every few minutes - and if there is a team of developers on duty
24 hours a day ready to respond to reports of vulnerabilities and ready
to push out a reliably fixed update within minutes or hours.

Regarding PDF security, from 2010-04-08:


http://www.zdnet.com/blog/security/the-real-dangers-of-pdf-executable-trickery/6055

 - Robin
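The checks Robin describes doing by hand in the Java control panel (is Java content in the browser disabled, where is the security slider set, is the runtime still 1.7.0_10 rather than Update 11) can be scripted against the JRE's per-user deployment.properties file. The following is an added example for this page, not code from the post or from Oracle; the property file sample is constructed, and the key names deployment.webjava.enabled and deployment.security.level are assumed from the Java 7u10 deployment documentation, so verify them against your own installation before relying on the result. The version comparison is done numerically because a plain string comparison gets 1.7.0_9 versus 1.7.0_10 wrong.

```python
"""Audit a Java 7 deployment.properties file and a reported runtime version.

Added example for this page; not the post's or Oracle's own code. Key names
are assumed from the Java 7u10 deployment docs (assumption, verify locally).
"""
import re

# Constructed sample of a user-level deployment.properties, reflecting the
# state described in the post: browser Java unchecked, slider on Medium.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Mon Jan 14 02:40:00 AEDT 2013
deployment.version=7.10
deployment.webjava.enabled=false
deployment.security.level=MEDIUM
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value lines,
    '#'/'!' comment lines, and trailing-backslash line continuation."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_java_version(s):
    """'1.7.0_11' -> (1, 7, 0, 11); the part after '_' is the update number."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", s)
    if not m:
        raise ValueError("unrecognised Java version: %r" % s)
    return tuple(int(x or 0) for x in m.groups())


def is_up_to_date(installed, required):
    """Numeric comparison so that 1.7.0_9 sorts below 1.7.0_10."""
    return parse_java_version(installed) >= parse_java_version(required)


def audit(properties_text, installed_version, required_version="1.7.0_11"):
    """Return a list of findings; an empty list means all three checks pass."""
    props = parse_properties(properties_text)
    findings = []
    # Assumed key: 'false' means the 'Enable Java content in browser' box is unchecked.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java content in the browser is enabled")
    # Assumed key: slider position, one of VERY_HIGH, HIGH, MEDIUM, LOW, CUSTOM.
    level = props.get("deployment.security.level", "MEDIUM").upper()
    if level not in ("HIGH", "VERY_HIGH"):
        findings.append("security level is %s, below HIGH" % level)
    if not is_up_to_date(installed_version, required_version):
        findings.append("runtime %s is older than %s"
                        % (installed_version, required_version))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PROPERTIES, "1.7.0_10"):
        print("finding:", f)
```

On a real machine the properties text would be read from the user's deployment.properties and the version taken from `java -version`; the audit then gives a yes/no answer in seconds instead of a tour through the control panel, which is the kind of check that can be run on a schedule far more often than once a week.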



