Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.java.programmer > #21352 > unrolled thread

U.S. warns on Java software as security concerns escalate

Back to article view | Back to comp.lang.java.programmer

Contents

  U.S. warns on Java software as security concerns escalate emf <emfril@gmail.com> - 2013-01-12 07:48 -0500
    Re: U.S. warns on Java software as security concerns escalate Arne Vajhøj <arne@vajhoej.dk> - 2013-01-12 09:05 -0500
      Re: U.S. warns on Java software as security concerns escalate RVic <rvince99@hotmail.com> - 2013-01-12 08:00 -0800
        Re: U.S. warns on Java software as security concerns escalate Arne Vajhøj <arne@vajhoej.dk> - 2013-01-12 11:23 -0500
    Re: U.S. warns on Java software as security concerns escalate Peter Duniho <NpOeStPeAdM@NnOwSlPiAnMk.com> - 2013-01-12 10:28 -0800
    Re: U.S. warns on Java software as security concerns escalate Roedy Green <see_website@mindprod.com.invalid> - 2013-01-12 10:38 -0800
      Re: U.S. warns on Java software as security concerns escalate Arne Vajhøj <arne@vajhoej.dk> - 2013-01-12 13:41 -0500
    Re: U.S. warns on Java software as security concerns escalate "Hiram Hunt" <hiramhunt@verizon.net> - 2013-01-13 15:41 -0500
    Re: U.S. warns on Java software as security concerns escalate Rajiv Gupta <rajiv@invalid.com> - 2013-01-15 15:22 +1100
      Re: U.S. warns on Java software as security concerns escalate Lew <lewbloch@gmail.com> - 2013-01-15 07:31 -0800
      Re: U.S. warns on Java software as security concerns escalate Roedy Green <see_website@mindprod.com.invalid> - 2013-01-15 14:23 -0800
        Re: U.S. warns on Java software as security concerns escalate Arne Vajhøj <arne@vajhoej.dk> - 2013-01-15 21:10 -0500
        Re: U.S. warns on Java software as security concerns escalate Rajiv Gupta <rajiv@invalid.com> - 2013-01-17 11:47 +1100
          Re: U.S. warns on Java software as security concerns escalate Lew <lewbloch@gmail.com> - 2013-01-16 17:01 -0800
            Re: U.S. warns on Java software as security concerns escalate Rajiv Gupta <rajiv@invalid.com> - 2013-01-17 14:50 +1100
              Re: U.S. warns on Java software as security concerns escalate Roedy Green <see_website@mindprod.com.invalid> - 2013-01-17 14:31 -0800
          Re: U.S. warns on Java software as security concerns escalate Joshua Cranmer <Pidgeot18@verizon.invalid> - 2013-01-16 21:55 -0600
          Re: U.S. warns on Java software as security concerns escalate Roedy Green <see_website@mindprod.com.invalid> - 2013-01-17 14:57 -0800
        Re: U.S. warns on Java software as security concerns escalate Jim Janney <jjanney@shell.xmission.com> - 2013-01-17 12:36 -0700
          Re: U.S. warns on Java software as security concerns escalate Roedy Green <see_website@mindprod.com.invalid> - 2013-01-17 14:33 -0800
          Re: U.S. warns on Java software as security concerns escalate Arne Vajhøj <arne@vajhoej.dk> - 2013-01-17 18:14 -0500
          Re: U.S. warns on Java software as security concerns escalate Arne Vajhøj <arne@vajhoej.dk> - 2013-01-17 18:16 -0500
    Re: U.S. warns on Java software as security concerns escalate Roedy Green <see_website@mindprod.com.invalid> - 2013-01-15 00:23 -0800
      Re: U.S. warns on Java software as security concerns escalate Patricia Shanahan <pats@acm.org> - 2013-01-15 06:47 -0800
        Re: U.S. warns on Java software as security concerns escalate Roedy Green <see_website@mindprod.com.invalid> - 2013-01-15 14:34 -0800

Page 1 of 2  [1] 2  Next page →

#21352 — U.S. warns on Java software as security concerns escalate

U.S. warns on Java software as security concerns escalate

By Jim Finkle | Reuters – 14 hrs ago

(Reuters) - The U.S. Department of Homeland Security urged computer 
users to disable Oracle Corp's Java software, amplifying security 
experts' prior warnings to hundreds of millions of consumers and 
businesses that use it to surf the Web.

Hackers have figured out how to exploit Java to install malicious 
software enabling them to commit crimes ranging from identity theft to 
making an infected computer part of an ad-hoc network of computers that 
can be used to attack websites.

"We are currently unaware of a practical solution to this problem," the 
Department of Homeland Security's Computer Emergency Readiness Team said 
in a posting on its website late on Thursday.

"This and previous Java vulnerabilities have been widely targeted by 
attackers, and new Java vulnerabilities are likely to be discovered," 
the agency said. "To defend against this and future Java 
vulnerabilities, disable Java in Web browsers."

Oracle declined on Friday to comment on the warning.

Java is a computer language that enables programmers to write software 
utilizing just one set of code that will run on virtually any type of 
computer, including ones that use Microsoft Corp's Windows, Apple Inc's 
OS X and Linux, an operating system widely employed by corporations.

Computer users access Java programs through modules, or plug-ins, that 
run Java software on top of browsers such as Internet Explorer and Firefox.

The U.S. government's warning on Java came after security experts warned 
on Thursday of the newly discovered flaw.

It is relatively rare for government agencies to advise computer users 
to completely disable software due to a security bug, particularly in 
the case of widely used programs such as Java. They typically recommend 
taking steps to mitigate the risk of attack while manufacturers prepare 
an update, or hold off on publicizing the problem until an update is 
prepared.

In September, the German government advised the public to temporarily 
stop using Microsoft's Internet Explorer browser to give it time to 
patch a security vulnerability that opened it to attacks.

Java is so widely used that the software has become a prime target for 
hackers. Last year Oracle's Java surpassed Adobe Systems Inc's Reader 
software as the most frequently attacked piece of software, according to 
security software maker Kaspersky Lab.

Java was responsible for 50 percent of all cyber attacks last year in 
which hackers broke into computers by exploiting software bugs, 
according Kaspersky. That was followed by Adobe Reader, which was 
involved in 28 percent of all incidents. Microsoft Windows and Internet 
Explorer were involved in about 3 percent of incidents, according to the 
survey.

The Department of Homeland Security said attackers could trick targets 
into visiting malicious websites that would infect their PCs with 
software capable of exploiting the bug in Java.

It said an attacker could also infect a legitimate website by uploading 
malicious software that would infect machines of computer users who 
trust that site because they have previously visited it without 
experiencing any problems.

They said developers of several popular tools, known as exploit kits, 
which criminal hackers use to attack PCs, have added software that 
allows hackers to exploit the newly discovered bug in Java to attack 
computers.

Security experts have been scrutinizing the safety of Java since a 
similar security scare in August, which prompted some of them to advise 
using the software only on an as-needed basis.

At the time they advised businesses to allow their workers to use Java 
browser plug-ins only when prompted for permission by trusted programs 
such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc.

Java suffered another setback in October when Apple began removing old 
versions of the software from Internet browsers of Mac computers when 
its customers installed new versions of its OS X operating system. Apple 
did not provide a reason for the change and both companies declined to 
comment at the time.

Adam Gowdiak, a researcher with Polish security firm Security 
Explorations, told Reuters he believes that Oracle fails to properly 
test its software fixes for security flaws. "It's definitely safer for 
users to stay away from Java 'til Oracle starts taking security 
seriously," he said.

http://news.yahoo.com/government-warns-java-security-concerns-escalate-160640366--sector.html

[toc] | [next] | [standalone]

#21354

On 1/12/2013 7:48 AM, emf wrote:
> U.S. warns on Java software as security concerns escalate
>
> By Jim Finkle | Reuters – 14 hrs ago
>
> (Reuters) - The U.S. Department of Homeland Security urged computer
> users to disable Oracle Corp's Java software, amplifying security
> experts' prior warnings to hundreds of millions of consumers and
> businesses that use it to surf the Web.
>
> Hackers have figured out how to exploit Java to install malicious
> software enabling them to commit crimes ranging from identity theft to
> making an infected computer part of an ad-hoc network of computers that
> can be used to attack websites.
>
> "We are currently unaware of a practical solution to this problem," the
> Department of Homeland Security's Computer Emergency Readiness Team said
> in a posting on its website late on Thursday.
>
> "This and previous Java vulnerabilities have been widely targeted by
> attackers, and new Java vulnerabilities are likely to be discovered,"
> the agency said. "To defend against this and future Java
> vulnerabilities, disable Java in Web browsers."
>
> Oracle declined on Friday to comment on the warning.
>
> Java is a computer language that enables programmers to write software
> utilizing just one set of code that will run on virtually any type of
> computer, including ones that use Microsoft Corp's Windows, Apple Inc's
> OS X and Linux, an operating system widely employed by corporations.
>
> Computer users access Java programs through modules, or plug-ins, that
> run Java software on top of browsers such as Internet Explorer and Firefox.
>
> The U.S. government's warning on Java came after security experts warned
> on Thursday of the newly discovered flaw.
>
> It is relatively rare for government agencies to advise computer users
> to completely disable software due to a security bug, particularly in
> the case of widely used programs such as Java. They typically recommend
> taking steps to mitigate the risk of attack while manufacturers prepare
> an update, or hold off on publicizing the problem until an update is
> prepared.
>
> In September, the German government advised the public to temporarily
> stop using Microsoft's Internet Explorer browser to give it time to
> patch a security vulnerability that opened it to attacks.
>
> Java is so widely used that the software has become a prime target for
> hackers. Last year Oracle's Java surpassed Adobe Systems Inc's Reader
> software as the most frequently attacked piece of software, according to
> security software maker Kaspersky Lab.
>
> Java was responsible for 50 percent of all cyber attacks last year in
> which hackers broke into computers by exploiting software bugs,
> according Kaspersky. That was followed by Adobe Reader, which was
> involved in 28 percent of all incidents. Microsoft Windows and Internet
> Explorer were involved in about 3 percent of incidents, according to the
> survey.
>
> The Department of Homeland Security said attackers could trick targets
> into visiting malicious websites that would infect their PCs with
> software capable of exploiting the bug in Java.
>
> It said an attacker could also infect a legitimate website by uploading
> malicious software that would infect machines of computer users who
> trust that site because they have previously visited it without
> experiencing any problems.
>
> They said developers of several popular tools, known as exploit kits,
> which criminal hackers use to attack PCs, have added software that
> allows hackers to exploit the newly discovered bug in Java to attack
> computers.
>
> Security experts have been scrutinizing the safety of Java since a
> similar security scare in August, which prompted some of them to advise
> using the software only on an as-needed basis.
>
> At the time they advised businesses to allow their workers to use Java
> browser plug-ins only when prompted for permission by trusted programs
> such as GoToMeeting, a Web-based collaboration tool from Citrix Systems
> Inc.
>
> Java suffered another setback in October when Apple began removing old
> versions of the software from Internet browsers of Mac computers when
> its customers installed new versions of its OS X operating system. Apple
> did not provide a reason for the change and both companies declined to
> comment at the time.
>
> Adam Gowdiak, a researcher with Polish security firm Security
> Explorations, told Reuters he believes that Oracle fails to properly
> test its software fixes for security flaws. "It's definitely safer for
> users to stay away from Java 'til Oracle starts taking security
> seriously," he said.
>
> http://news.yahoo.com/government-warns-java-security-concerns-escalate-160640366--sector.html

1)  This related to applets only, so 99.9% (or something in that
     magnitude) of Java usage is not affected.

2)  Avoiding/uninstalling Java therefore seems completely
     unwarranted. It may make sense to disable Java in your
     browser if you do not need it.

3)  All types of "active" web content has had problems. Java applets,
     Adobe Flash, MS SilverLight, JavaScript, Adobe Acrobat Reader etc..
     I will predict that there will also be found new problems in the
     future for each of these - that include Java applets.

4)  Disabling all of these permanently will reduce the web experience
     to an almost unusable state. But people need to do some things:
     surf the web on a non prived account, use anti-malware software,
     keep all software uptodate with patches, disable software not used
     etc..

5)  The last year has not been good for Java security wise. Maybe Oracle
     should focus a bit on security for the next year.

Arne

[toc] | [prev] | [next] | [standalone]

#21359

Is it only the browser plugin

Is it only a specific version?

Is it only Oracle or other Javas as well?

Thank you

[toc] | [prev] | [next] | [standalone]

#21360

On 1/12/2013 11:00 AM, RVic wrote:
> Is it only the browser plugin

It only relates to when Java is restricted by a security
manager (sandboxed). For practically purposes that means browser.

> Is it only a specific version?

Some sources say that it is only Java 7 and not Java 6.

But according to:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422

then it is all versions.

> Is it only Oracle or other Javas as well?

It is an implementation bug, so other Java implementation do not
need to be vulnerable.

But many other Java implementations share code with Oracle
either via open source OpenJDK or commercial licenses.

Unless you have a statement from the vendor that they
do not have the bug, then I would assume it does.

I have seen sources claim that IcedTea is not vulnerable,
but you should not believe everything read on the
internet!

:-)

Arne

[toc] | [prev] | [next] | [standalone]

#21364

On 12 Jan 2013 12:56:28 GMT, Stefan Ram wrote:

> emf <emfril@gmail.com> writes:
>>In September, the German government advised the public to temporarily 
>>stop using Microsoft's Internet Explorer browser to give it time to 
>>patch a security vulnerability that opened it to attacks.
> 
>   Recent versions of IE do not seem to enable the user to
>   disable the Java plug-in. Although the software settings
>   might suggest the plug-in to be disabled, it is not, as one
>   can see when one visits a page with an applet. So, this only
>   leaves the possibility to uninstall Java completely (given
>   that on Windows it is hard to totally avoid using the IE).

Define "recent versions".  In IE9, I am able to use the add-in manager,
disable all the Oracle add-ins, and Java no longer works in the browser.

What did you do?  What version of IE did you use?

Of course, there is also the Java control panel, in which you can disable
the browser plug-in functionality as well, as of Java 7 update 10 (AFAIK
this is the most recent...this feature does not appear to be available in
update 9).  This should work in all browsers in which Java was enabled.

Pete

[toc] | [prev] | [next] | [standalone]

#21367

On Sat, 12 Jan 2013 07:48:51 -0500, emf <emfril@gmail.com> wrote,
quoted or indirectly quoted someone who said :

>U.S. warns on Java software as security concerns escalate

see http://mindprod.com/jgloss\0dayexploit.html
-- 
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish 
as couch potatoes who hire others to go to the gym for them. 

[toc] | [prev] | [next] | [standalone]

#21368

On 1/12/2013 1:38 PM, Roedy Green wrote:
> On Sat, 12 Jan 2013 07:48:51 -0500, emf <emfril@gmail.com> wrote,
> quoted or indirectly quoted someone who said :
>
>> U.S. warns on Java software as security concerns escalate
>
> see http://mindprod.com/jgloss\0dayexploit.html

\ or / that is the question.

:-)

Arne

[toc] | [prev] | [next] | [standalone]

#21383

"emf" <emfril@gmail.com> wrote in message 
news:kcrlqe$noj$1@speranza.aioe.org...
> U.S. warns on Java software as security concerns escalate
>  ...

A check at Oracle shows that 7u11 is here.  I have not tried it.
They say:
>
> Java SE 7u11
>
> This release includes important security fixes. Oracle strongly recommends 
> that all Java SE 7 users
> upgrade to this release.

-- Hiram Hunt (hiramhunt@verizon.net)

[toc] | [prev] | [next] | [standalone]

#21405

On 2013-01-12 23:48:51 +1100, emf said:

Re: Neo COBOL.

Browser manufacturers should stop supporting Java. Applets are a dead 
technology which hardly anybody uses (except for criminals).

Java is irrelevant to the vast majority of computer users. Its 
irrelevance should be cemented by deleting support for it.

The sooner universities stop teaching Java the better the world will be.

[toc] | [prev] | [next] | [standalone]

#21413

Rajiv Gupta wrote:
> Browser manufacturers should stop supporting Java. Applets are a dead 
> technology which hardly anybody uses (except for criminals).
> 
> Java is irrelevant to the vast majority of computer users. Its 
> irrelevance should be cemented by deleting support for it.
> 
> The sooner universities stop teaching Java the better the world will be.

Troll much?

-- 
Lew

[toc] | [prev] | [next] | [standalone]

#21418

On Tue, 15 Jan 2013 15:22:07 +1100, Rajiv Gupta <rajiv@invalid.com>
wrote, quoted or indirectly quoted someone who said :

>Browser manufacturers should stop supporting Java. Applets are a dead 
>technology which hardly anybody uses (except for criminals).

 Applets are an inherently much superior technology for client side
computing. Nothing else has a sandbox.  Nothing else is so scrupulous
about signing for dangerous code.  Nothing else is so compact.
Browsers don't load the Java engine at start up, which made them
appear slower than they really are.  Even that has been fixed with
smarter JVMs that hang around as DLLs. 

Compared with every other technology they have been remarkably malware
free.  I use them all the time on my website. See
http://mindprod.com/aplets/applet.html
I am not a criminal. I don't think you know the first thing about
Applets. You are just repeating something read somewhere.


-- 
Roedy Green Canadian Mind Products http://mindprod.com
The first 90% of the code accounts for the first 90% of the development time.
The remaining 10% of the code accounts for the other 90% of the development 
time. 
~ Tom Cargill  Ninety-ninety Law 

[toc] | [prev] | [next] | [standalone]

#21421

On 1/15/2013 5:23 PM, Roedy Green wrote:
>   Applets are an inherently much superior technology for client side
> computing. Nothing else has a sandbox.

Nothing else does not have a sandbox.

Flash, SilverLight, JavaScript, Google Native Client all
use some type of sandbox.

> Compared with every other technology they have been remarkably malware
> free.

We just had one.

And there were another one just a half year ago.

Tools to exploit those are known to exist.

Arne

[toc] | [prev] | [next] | [standalone]

#21453

On 2013-01-16 09:23:29 +1100, Roedy Green said:

> On Tue, 15 Jan 2013 15:22:07 +1100, Rajiv Gupta <rajiv@invalid.com>
> wrote, quoted or indirectly quoted someone who said :
> 
>> Browser manufacturers should stop supporting Java. Applets are a dead
>> technology which hardly anybody uses (except for criminals).
> 
>  Applets are an inherently much superior technology for client side
> computing. Nothing else has a sandbox.  Nothing else is so scrupulous
> about signing for dangerous code.  Nothing else is so compact.
> Browsers don't load the Java engine at start up, which made them
> appear slower than they really are.  Even that has been fixed with
> smarter JVMs that hang around as DLLs.

The closed mindedness and general ignorance of Java fanatics never 
ceases to amaze.

As for the Java sandbox, the real problem is that the sandbox is 
implemented inside the VM itself, in Java (via the SecurityManager), 
and the Java runtime is poorly equipped to secure itself against itself.

Contrast this with the sandboxing model the CLR uses, where access 
grants can only originate from outside of the VM -- it is impossible, 
by design, for managed code to enable grants that the VM itself was not 
externally configured to provide.

[toc] | [prev] | [next] | [standalone]

#21456

Rajiv Gupta wrote:
> The closed mindedness [sic] and general ignorance of Java fanatics never 
> ceases to amaze.

Troll much?

-- 
Lew

[toc] | [prev] | [next] | [standalone]

#21464

On 2013-01-17 12:01:54 +1100, Lew said:

> Rajiv Gupta wrote:
>> The closed mindedness [sic] and general ignorance of Java fanatics never
>> ceases to amaze.
> 
> Troll much?

I notice that you completely ignored the factual technical information 
I provied.

Head in sand much?

[toc] | [prev] | [next] | [standalone]

#21492

On Thu, 17 Jan 2013 14:50:29 +1100, Rajiv Gupta <rajiv@invalid.com>
wrote, quoted or indirectly quoted someone who said :

>
>I notice that you completely ignored the factual technical information 
>I provied.

Your sentences don't even parse. Perhaps ask someone else to rephrase
your points.

The culprit is not the JVM, but somebody writing an unsigned Applet
which masquerades as harmless but has found some way to cause harm
despite the efforts of the sandbox. I have written many Applets and I
have found the sandbox to be extremely strict, overly strict in my
opinion.

You seem to be arguing that no sandbox is better than a sandbox that
had two repaired flaws.

If you want a technical discussion, please refrain from the ad hominem
attacks.
-- 
Roedy Green Canadian Mind Products http://mindprod.com
The first 90% of the code accounts for the first 90% of the development time.
The remaining 10% of the code accounts for the other 90% of the development 
time. 
~ Tom Cargill  Ninety-ninety Law 

[toc] | [prev] | [next] | [standalone]

#21465

On 1/16/2013 6:47 PM, Rajiv Gupta wrote:
> Contrast this with the sandboxing model the CLR uses, where access
> grants can only originate from outside of the VM -- it is impossible, by
> design, for managed code to enable grants that the VM itself was not
> externally configured to provide.

You clearly do not understand the Java security management policy. It is 
very much possible to request JVMs to lock down the policy in such a way 
that the JVM cannot grant itself access. But why let facts get in the 
way of attacking Java?

-- 
Beware of bugs in the above code; I have only proved it correct, not 
tried it. -- Donald E. Knuth

[toc] | [prev] | [next] | [standalone]

#21497

On Thu, 17 Jan 2013 11:47:29 +1100, Rajiv Gupta <rajiv@invalid.com>
wrote, quoted or indirectly quoted someone who said :

>The closed mindedness and general ignorance of Java fanatics never 
>ceases to amaze.

I presume you have never written an unsigned or signed Applet  that
uses the sandbox, or even a plain Java application for that matter.

It seems odd you be would so certain that your understanding of how it
works is superior to those that have.

We are talking about something we use as a tool every day. You are
talking about something you have no experience with. Who is the
fanatic?
-- 
Roedy Green Canadian Mind Products http://mindprod.com
The first 90% of the code accounts for the first 90% of the development time.
The remaining 10% of the code accounts for the other 90% of the development 
time. 
~ Tom Cargill  Ninety-ninety Law 

[toc] | [prev] | [next] | [standalone]

#21485

Roedy Green <see_website@mindprod.com.invalid> writes:

> On Tue, 15 Jan 2013 15:22:07 +1100, Rajiv Gupta <rajiv@invalid.com>
> wrote, quoted or indirectly quoted someone who said :
>
>>Browser manufacturers should stop supporting Java. Applets are a dead 
>>technology which hardly anybody uses (except for criminals).
>
>  Applets are an inherently much superior technology for client side
> computing. Nothing else has a sandbox.  Nothing else is so scrupulous
> about signing for dangerous code.  Nothing else is so compact.
> Browsers don't load the Java engine at start up, which made them
> appear slower than they really are.  Even that has been fixed with
> smarter JVMs that hang around as DLLs. 
>
> Compared with every other technology they have been remarkably malware
> free.  I use them all the time on my website. See
> http://mindprod.com/aplets/applet.html
> I am not a criminal. I don't think you know the first thing about
> Applets. You are just repeating something read somewhere.

I usually think of applets as an interesting idea that somehow failed to
catch on: the history of technology is full of such occurrences.  The
recent problems with the security manager are simple negligence on the
part of Oracle.

Other than applets, are there any classes of Java programs that rely on
the security manager?

-- 
Jim Janney

[toc] | [prev] | [next] | [standalone]

#21493

On Thu, 17 Jan 2013 12:36:18 -0700, Jim Janney
<jjanney@shell.xmission.com> wrote, quoted or indirectly quoted
someone who said :

>
>Other than applets, are there any classes of Java programs that rely on
>the security manager?

Java Web Start also has signed code, and you can grant fined grained
permissions.
-- 
Roedy Green Canadian Mind Products http://mindprod.com
The first 90% of the code accounts for the first 90% of the development time.
The remaining 10% of the code accounts for the other 90% of the development 
time. 
~ Tom Cargill  Ninety-ninety Law 

[toc] | [prev] | [next] | [standalone]

Page 1 of 2  [1] 2  Next page →

Back to top | Article view | comp.lang.java.programmer

csiph-web