Massive Amount of Malware Targets Older Java Flaws

Trailrunner7 writes "It's no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years. Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version."

Oracle Java: Bad

The problem we (as systems admins) have with Oracle Java is that they don't patch: they give you new versions. Each new version deprecates some things, adds new things, and breaks some things that worked before. So you end up with banking entities (looking at you Citigroup and others) that require you to use old, vulnerable versions in order to perform enterprise money transactions. You end up with the good vendors scrambling to get their code working, while the bad vendors just tell you that you have to run the old version of Java. It is so bad that we are working on a policy to keep new Java based (client) applications out and not allow the business units to bring them it. The damn thing is impossible to manage seeing as how you need the latest version but can't run it if you want your apps to work. Terrible software.

Re:Oracle Java: Bad

Yeah but what would the alternative be? .NET?

Re:Oracle Java: Bad

[tepples]

The alternative is not using a Java or Silverlight applet at all but instead using JavaScript and the HTML DOM.

Re: Oracle Java: Bad

i thought id have to type a lit but u coceree ut nicely. oracle is really just some kind of deprecator / defunctor global minion group. glad i removed java from my strategy as a developer. i smelt the waft coming about 10 years ago to be honest. and thst goes for any other update pushing, client breaking software.

Re:Oracle Java: Bad

[TechyImmigrant]

>Yeah but what would the alternative be? .NET?

No. Programs.
Programs work. You write them and they run on computers.

If you're writing a thing within a thing that runs on a thing within another thing, then you're writing Java, not a program.

Re:Oracle Java: Bad

So a moving target isn't a good security policy? Who knew (the rest of us, that's who).

Re:Oracle Java: Bad

If you're writing a thing within a thing that runs on a thing within another thing, then you're writing Java, not a program.

This definition of "program" excludes everything except for operating systems and programs that run on microcontrollers.

Re:Oracle Java: Bad

[mpeskett]

In that case I guess we'd best all go back to punching binary machine code into cards.

Re:Oracle Java: Bad

This is a retarded definition of program.

Re:Oracle Java: Bad

[allcoolnameswheretak]

Actually, the one practically undisputed big selling point of Java is backwards compatibility. In fact, most experienced developers I know would cite that Java's stringent backwards compatibility policy is one of the things that has been holding the platform back, impeding progress. As an experienced Java developer myself, I would claim that 95% of Java applications should be upgradable to the most recent version without any issues at all.

Re:Oracle Java: Bad

Those have performance issues. Look at Jmol vs. JSmol. JSmol is great, buy how many years will it be before it's as fast as Jmol? The demos on the test pages are using small molecules. The performance issues are magnified greatly when used to study molecules on the order of hundreds of thousands of atoms. Plus there are security issues. JS and HTML can't write files to the clients computer. What if your client wants files? You have to send the content to the server, and then back again to the client. So then the client has to trust you with their data. Java can write to their computer and doesn't have to send the data to the server first.

Re:Oracle Java: Bad

[BitZtream]

Which changes nothing other than the application your updating.

You realize that MS is the only company that gets the word 'patched'.

Firefox, chrome and opera all do the same as Oracle.

Not that MS hasn't introduced breaking changes and called them patches or anything.

If you think the browser is a stable platform you've clearly never done web development.

Re:Oracle Java: Bad

[allcoolnameswheretak]

"upgradable" was the wrong word. Most Java applications should run on the newest version of the VM without problems, right out of the box.

Re:Oracle Java: Bad

[JazzXP]

Actually most experienced developers will tell you that while backwards compatibility is holding it back, even minor upgrades tend to break things (in particular since Oracle took over).

Re:Oracle Java: Bad

Good luck with that... having code that works in more than one VM is a big task. For example, am I stuck with a VM that has JCE, or do I have access to JSSE? Even then, a JVM on a Mac may not run code written by a JVM on Windows.

Oracle needs to do a complete library enema of Java and really get write once, run everywhere going properly, just like how MS cleaned up house going from .NET 1.x to 2.0.

If I want something that works across platforms, it would be JavaScript, or HTML5. No flash, no Java, no stupid-ass extensions that some malware writer will cornhole.

Re:Oracle Java: Bad

[hairyfeet]

As someone who no longer has to deal with corporate (thank God, Allah, Zeus and the FSM) what pisses me off is after YEARS of decline, to the point that finding Java installed on a home user or SMB was as rare as hen's teeth that god damned game came out and fucking obliterated 10 years of declining java overnight. I am of course talking about Minecraft, or as i call it "the STD of casual gaming"

The problem is...and i'm gonna get the Jfanboys screaming bloody fucking murder for daring to point this out, but Java just sucks ass when it comes to security, it really does. You can't even compare it to Windows or flash because with both of those you can turn on automatic update and you'll be fine, with java as you pointed out they do NOT patch, they REPLACE and that ends up breaking shit as often as it fixes it so naturally all it takes is java shitting all over an app after update for most folks to learn "Don't update java EVAR" which is how we are in this mess.

If we can't get the damned programmers to use something, ANYTHING other than java then we need an open source replacement, something that will just patch the bugs instead of screwing everything up by replacing. Hell maybe somebody could port the Google version android uses but make it compatible with standard Java apps, I don't know, all I do know is we need something better than fricking Java because down here in the trenches it makes Flash look like Fort Knox by comparison. You can't even get mad at people for turning off updates because their replacing instead of patching just leaves you with broken apps so its either leave their asses hanging in the breeze or give up on running anything that uses java. While that would be fine by me I have a feeling all the casual gamers won't let that happen.

Re:Oracle Java: Bad

[Sarten-X]

It's not the programmers that matter. Programmers can write Java and compile it with any JDK they please, and it should run on any JRE, including OpenJDK and its companion JRE project. I don't know how well they patch compared to Oracle, but it's an open-source replacement, which works pretty well in my experience.

Re:Oracle Java: Bad

[cavreader]

Hardly any one actually programs against the native operating system for business apps these days. They write code against the Java and .NET run time and call it a day. That's not necessarily a bad thing because the run times do take handle of a lot of issues behind the scenes such as memory management. Both Java and .NET were touted as RAD and it does cut development time. And if needed you can always invoke system level functionality from both run times.

Re:Oracle Java: Bad

Hardly true. I'm using a whole system (Gentoo Linux) with no .NET (thank you, junk belongs to..) and no Java (disabled on the system level). Here we go: a bunch of programs NOT using Java or .Net AND actually working. That is what people use when they want the job done. Or, you can look at a bunch of Java programmers writing tons of code in pity attempt to create some useful.
If they are trying to create desktop applications, that's in most cases laughable, with very few exceptions. The created monstrous dinosaurs work slow, consume a lot of resources, and are usually not any better than anything else from the point of functionality.
If they are creating 'Enterprise' software, than we usually see an enterprise-scale f-up, with HUGE hardware and human resources pulled in to perform even simplest tasks. I'm watching a comedy in progress, when a system performing about ten TPS requires six (6) application servers to work stably. But, of course, it's all latest Java technology, JBoss/Hibernate/etc. OTOH, JS+PHP based system does 300+TPS on a freaking laptop running same database.
Frankly speaking, I see both Java and .NET as deceases. Once your company catches them, it's very difficult to get cured.

Re:Oracle Java: Bad

[Gr8Apes]

Ugh, no.

My last two forays with OpenJDK have led me to never ever use it again. It is not compatible.

Re:Oracle Java: Bad

[Gr8Apes]

Interesting that the systems I've worked on for more than 10 years, some still running, don't seem to have these security issues you're whining about. Is that, perhaps, because they're almost all wholly related to the browser plugins? Disable that and woah... you don't have security problems.

Re:Oracle Java: Bad

[Sarten-X]

In the interest of being pedantic, OpenJDK is the reference implementation. Oracle's JRE is the one that isn't compatible.

Re:Oracle Java: Bad

Use one browser for banking and a different browser for other stuff?

If you're using Mozilla you can run the browsers using different user accounts (su or runas), but that makes updating a bit messier (if you're using Mozilla).

If you're stuck using IE the banking browser should treat everything except the bank domains as completely untrusted (no active scripting etc).

Re:Oracle Java: Bad

[mlw4428]

Mono?

Re: Oracle Java: Bad

C or C++. use less frameworks, use less applicationservers. Use less layers between you and the OS, start shipping your own security patches when you introduce one. This trust in others middleware has always suppriced me. And Im a proffessional Java developer too.

Re:Oracle Java: Bad

[mrmeval]

URL: is another one that forces us to have insecure crap on our system. We run a thin client which runs firefox which runs their crap.

This of course removes all the sales drone drooling about fixing the lost work time problem of everyone standing in line doing nothing.

The genius that chose these tards has departed the building for more pay or that's what we were told.

Re:Oracle Java: Bad

If you're using external libraries, i.e. JCE and JSSE back when they weren't part of the core JDK, that is expected. Anyone with common sense would not expect backwards compatibility if you use extensions or external libraries. That is why there are not part of the core SDK.

I've been doing java for more than a decade. Apart from non core libraries, I've never had much problems running code I've compiled in Windows on Solaris or Linux or a Mac for that matter.

Re:Oracle Java: Bad

[juventasone]

they don't patch: they give you new versions...require you to use old, vulnerable versions

Exactly. And as such, we will be running Java 6 Update 16 (released in 2009) until at least 2014 on 5,000+ machines.

Re:Oracle Java: Bad

I guess what this means is that quite a lot of code was written by people less skilled than yours experienced developers.
It is no different with any other language&platform - most of the code is written by ignorants. One can only hope that trough life cycle of the application they learn and improve but in lots of cases there is a hostile attitude toward improving as it shows others less motivated are exactly that i.e. less motivated, it also 'costs money' because you are not busy writing new shitty code. I hate to admit sometimes it must be done that way - you take shortcuts to get into market on time hoping you fix it in second release but it is extremely difficult to change attitude of your team after a half a year of such practice.

Re:Oracle Java: Bad

Absolutely. .Net 1, .Net 2, .Net 3, .Net 3.5, .Net 4.0 - all supported, all up to date with fixes. Very much unlock pretty much every Java version.

Re:Oracle Java: Bad

[Joce640k]

Actually, the one practically undisputed big selling point of Java is backwards compatibility.

Was backwards compatibility.

Before Oracle took over.

Nowadays all you're backwards compatible with is the old exploits.

Re: Oracle Java: Bad

[SplashMyBandit]

Yes, but C & C++ have buffer overruns and all sorts of nasties. C & C++ are for desktop apps and rarely used for web apps. Java dominates the enterprise web space. The problem here is not Java (desktop) application nor web application (the server-side stuff of what you see in your browser), but in the Java applet plug-in (which is something else entirely). C & C++ simply aren't used by the majority of enterprises for web apps because they would be *even worse* than Java for security vulnerabilities (plus productivity is lower, which costs money).

Re:Oracle Java: Bad

[cgomezr]

If a Java application requires an older version of the platform, it's probably due to crappy coding (violating a precondition of some method, trusting undefined behaviour, using undocumented libraries that are not part of the standard API, etc.)

I have been developing in Java for like 12 years and I have never had any issues with backward compatibility. The closest I have had to an issue was a change to how word wrapping works in Swing text components in 1.7, which made an application look a bit uglier in that version (but fully functional).

In fact, one of the big advantages of Java IMHO is its great backwards compatibility... they take care not to break anything, stuff that was deprecated back in version 1.1 (1997) is still there and working.

As for compatibility between OSes (mentioned in some child threads), the only problems I've had in all these years were always my fault when I was a novice, on things like developing for Windows, expecting "blah.properties", creating "Blah.properties" and expecting it to work on Linux. Obviously Java can't deal with wrong assumptions by the developer, but if you don't do that kind of things, programs just work out of the box across OSes.

That said, I agree the Java update mechanism is horrendous. And that's when it works. It's pretty common for the update-system under Windows to leave you with redundant versions, and I have a win 7 machine where it just fails with an uninformative error message.

Re:Oracle Java: Bad

[Exit_On_Right]

We've had that policy for years now and it's working quite well. Using .net for everything may be a bit of a pain at times, but it beats having to test every app twice a month when a new version of Java comes out.

Re:Oracle Java: Bad

> The problem we (as systems admins) have with Oracle Java is that they don't patch: they give you new versions. Each new version deprecates some things, adds new things

I am not aware of anything that was deprecated as long as you stay with the same main version (Java 1.5, 6, 7). Care to give examples? Oracle changed vendor string when they bought Sun and this was a major screwup. There might be some more examples of things getting broken but this happens with any software and any vendor.

Java just doesn't have patches and instead installs a complete release. I prefer it this way as it allows me to keep several versions and easily switch back if I need it. On Linux, sysadmins here use RPMs and are quite happy with that. I don't know how sysadmins prefer top do that on Windows and why updating the whole JVM is a bad thing.

Re:Oracle Java: Bad

[cavreader]

You have led a very sheltered life if you have not encountered any well written Enterprise applications. Lets all write everything in C/C++/Objective-C because it is easier and faster than Java or .NET. and it's really cool.

Re:Oracle Java: Bad

That definition of program would exclude .NET, Python, Java, etc... really, almost all common languages except for C, Objective-C and C++.

Re:Oracle Java: Bad

[Gr8Apes]

The mods must find it interesting that you're wrong, or that you find Oracle wrong? I don't know. But even basic code had challenges running on OpenJDK. Do a few multithreaded pools with some DB access and synchronization and whoopsie....

Re: Oracle Java: Bad

Yes, but C & C++ have buffer overruns and all sorts of nasties.

Most of which cause warnings on modern compilers. That argument is out of date for anyone who's not an output ignoring idiot. Also there are a lot of static analyzers out there. If you're an "enterprise" you can not only afford them (if the free ones aren't good enough) but should already be using them even if you're using something like Java.

Seriously, don't let code review start and stop at some dude that signs off on things. We have tools that are usually going to do better than that asshole anyway.

I've never understood why people hold Java with such high esteem. They go on about compile once run everywhere but that almost never happens. Even when they do compile it once, they only run it on one platform for the duration of its life. They start off and end with the same OS running on the same architecture (usually x86) for the entire time the software used. You might as well compile it to machine native binaries and get better performance.

It's even more stupid that Java can't live up to the compile once run everywhere pipe dream since you can only do the "run everywhere" bit iff you use the same JVM everywhere. This mostly means you compile once and run exactly the same place always. What a crock.

"Oh but Java has exceptions!" they say. And catchalls to defeat them.

"Oh Java has garbage collection!" And we need 10 times the memory to deal with it. They really do think that memory is cheap and that its cheapness scales to infinity.

"Oh Java's performance really quite good!" But only when comparing to earlier versions of Java, not competing technologies.

"Oh Java is so productive!" Productivity is measured in lines of code. Wheee! And around we go!

Java is not much more than marketing. Marketing works well for enterprise. SHOCKER!

Re:Oracle Java: Bad

[NotBorg]

Then why do so many Java programs require specific JVM versions? They literally won't run on newer Javas.

Re:Oracle Java: Bad

[hairyfeet]

Nope, sorry, WRONG. Sure you'd THINK it would be browser plugins but try loading up a VM and hitting some malware laden sites and you'll see they'll scan for old versions and if you aren't on a browser that runs in low rights mode, like say Firefox or any browser on XP, then they will do everything they can to trick the user into running a java app and fucking themselves. hell i saw one which downloaded a small 2Mb .jar and then had a webpage yes/no dialog box pop up which was actually how they were getting the java app to run as no matter which you picked you were in reality picking "yes please run this jar file".

At the end of the day there is no getting around the fact that unless Java is kept locked down so that it can only run the one or two programs you need it for? Then its gonna be a risk, no other way to put it. The fact that first Sun and now Oracle are responsible for this mess because of their replace instead of patch just makes it that much worse because as i say with other risky software you can set it for auto-update and be reasonably safe whereas with Java if you leave on auto-update you'll end up with broken apps.

Any way you slice it the situation with Java is fucked up and it really needs to be left in the corporate space where it can be isolated by group policy, not on Joe and Sally's desktop running video games.

Re:Oracle Java: Bad

If you say something assertively on the Internet it makes you right.

Re:Oracle Java: Bad

[TechyImmigrant]

Python is compiled. It's a more effective cross platform language than Java. As TFA points out, Java brings much version baggage. A compiled python program tends to work.

Re:Oracle Java: Bad

[hairyfeet]

That is why I mentioned Android and not OpenJDK, because I heard that like Gnash its pretty terrible. I don't know if it has gotten better but i tried both 2 years ago and even a basic java chat client fell down and went boom on OpenJDK, and I couldn't get Gnash to pay a 4 year old VP6 flash video I found.

But the fact he got modded up just shows how much groupthink and reality don't go together because that is like saying its MSFT's fault that LO makes word salad out of even slightly complex docs. At the end of the day the user is not gonna give a shit WHY it doesn't work, just that it doesn't work, so trying to play the blame game is pointless.

Re:Oracle Java: Bad

[Gr8Apes]

You noted that I didn't talk to Android, because that one works, whether Oracle likes it or not. OpenJDK just wasn't there, and probably won't be there for a while, especially in the areas of truly interesting functionality, such as NIO. (To me anyways, I write mostly server type code, for non mobile clients anyways).

I do take exception to your claim of Java being a massive security breach, because it's not. What is a screaming pile of cracker opium are the browser plugins. Yes, the security manager / sandbox implementation appears to have a flaw or two. But the real issue is when you run unknown code on a system that has full access capabilities, do you expect full security especially when it's layered through at least 2 other levels of applications? If you do I have some prime ocean front property south of New Orleans to sell you too. (Note that just about every security flaw reported mentions in the description "when run in the browser")

Re:Oracle Java: Bad

[Sarten-X]

What's interesting is the pedantic point that right or wrong, OpenJDK's right. Sure, it's horribly broken, but by being the reference implementation, it's right by definition. This is indeed similar to Microsoft's mistreatment of the Office Open XML format. Upon release, the official spec was demonstrably not the format Office actually used. For making a program compatible with Microsoft Office, Microsoft's spec was nearly useless. For making a JRE compatible with Oracle's Java, Oracle's spec is nearly useless. In both cases, it's an anticompetitive maneuver to force the open-source competitors to do more work, not only implementing the spec faithfully for the correctly-written programs, but also reverse-engineering the closed-source offerings to figure out the expected incorrect behavior.

Hairyfeet called for an open-source Java implementation:

...we need an open source replacement, something that will just patch the bugs instead of screwing everything up by replacing. Hell maybe somebody could port the Google version android uses but make it compatible with standard Java apps...

My point is that there already is an open-source replacement. It's plagued with constant FUD from the ever-present threat of Oracle's legal team, so it's not nearly as popular as it should be for a reference implementation. In a vicious cycle, that means the bugs and not-as-expected parts (the aforementioned incompatibilities, but again that's the wrong term for a pedant like me) don't get enough attention to be fixed.

Android's Dalvik VM is not a feasible solution. It's even more wildly different than OpenJDK. While the Java specification declares that Java VMs are stack-based machines, Dalvik is register-based. Some classes can be converted automatically, but the majority of existing Java code will require extensive manual conversion, and that means fully retesting every part of everything.

In my opinion, the right solution is to forcibly free Java from the tyranny of Oracle's stewardship, and put it in the hands of a benevolent company or foundation that can be expected to care most about having a stable and secure platform rather than making a big profit. From there, the OpenJDK project can get programming assistance with legal indemnity while focusing on cross-platform perfection, and the official JVM can continue to support the full integration features that OpenJDK lacks (because they're not finalized enough to be in the spec).

Maybe that benevolent company, the source of all Java's warm fuzzy goodness, could even be named after the benevolent energy source that powers this planet...

Re:Oracle Java: Bad

[hairyfeet]

IF they have a browser that runs in low rights mode and IF they have a good AV? Then sure java is fine, but you are dead wrong about it JUST being the plug in that is a threat.

At the end of the day you just can't change the fact that java has one of the most piss poor security records out there, it competes with flash and reader for most security risks per version. When you are looking at something with that poor a record frankly excuses are pointless, nothing will change the fact that bugs jumping out of their sandbox is common and dozens of bugs come out for each version, its really bad.

Re:Oracle Java: Bad

[Gr8Apes]

OpenJDK's ... horribly broken, but by being the reference implementation, it's right by definition.

Seriously, do you even read what you write? it's broken, it's not the reference implementation, that would be Sun's, and now Oracle. There are other implementations that work - namely Apple, IBM, and BEA's renditions (also now acquired by Oracle). So there's no excuse for the horror that is OpenJDK, so the "spec is nearly useless" is provably false. You may not like it, it may not be the idealist's preferred outcome, but Java does work.

Google's Dalvik VM was never mentioned as a replacement, just as an implementation. You appear to want something ideal, prepare yourself for disappointment.

Re:Oracle Java: Bad

[Gr8Apes]

I am not worried. At the end of the day, MS has the absolute worst security record out there, by any definition you care to make. Remove the browser and run Java with known code, amazingly, it's quite secure and powers all sorts of web sites that deal with PCI, PPI, and more. Anything MS has to get an exception.

Re:Oracle Java: Bad

[Gr8Apes]

You are so hellbent on a crusade you're sad.

Read your post - Browser site browser browser download webpage......

You do realize that the "jar" could also be an EXE, or some sort of script, or any numerous other entry points. It could even be a jar that contains an EXE that it then copies and executes. In any case, it's either a trojan (read that as you're a moron for running untrusted code) or a plugin. So, you're still wrong. Enjoy.

Re:Oracle Java: Bad

[Gr8Apes]

And you are still wrong. I didn't say squat about low right mode and good AV. Under windows, even windows 7, this means absolutely nothing thanks to a common and easily abused DLL injection mechanism and a completely retarded security model.

Considering that it's not really meant to be used in a browser (yeah, surprise, it's not), it's amazing that people still try to use it this way.

Re:Oracle Java: Bad

[Sarten-X]

Keep digging that hole deeper.

Historically, Sun always used the Sun JDK as the RI and made it available under the Binary Code License (BCL). This was very convenient for Sun since it meant that its product implementation was compatible by definition. However, it was also confusing since the Sun JDK contained quite a few features that were not part of the standard, such as the Java Plugin.

Re:Oracle Java: Bad

[Trogre]

You have got to be joking.

Please tell us how you got on building and running something even as basic as MIDlets with OpenJDK.

research by microsoft

shows that microsoft is no longer the target of attacks, nor the target of use.

Personally...

Personally I have 3 different versions of Java on my work machine. 1.5 for an old router, 1.6 for relatively current routers (ie still under warranty but no firmware updates forthcoming) and 1.7 for anything coming in the door. For the love of PCs will you vendors stop providing interfaces that require DESKTOP JAVA and IE .

At home I run VMs for this sort of thing. One for IE6, 7,8,9,and now IE10 compatability testing. My work PC is a reject P4 single core from 2004 so VM is not really an option there. I work for a small local government so upgrades also seem to be a pipe dream.

So I continue on with multiple versions of java that are exploitable, but I really have no choice... until one exploit or another infects the entire network (worm style)... then it will be an "issue worth addressing."

Is anyone else in the "can't afford to upgrade" group or is it just me?

Re:Personally...

As a foot note my phone has twice the processor and the same amount of RAM as this PC.

Thank you captain obvious?

gg

It's the Forrest Gump principle

[techno-vampire]

People who still use older versions of Java probably aren't up to date on other patches or updates either, making them even easier to exploit or infect. Stupid is as stupid does, and that includes IT policies that don't allow machines to be kept current when it comes to security.

Re:It's the Forrest Gump principle

[klystianek]

too true, You should be always up to date with ur applications not only because exploits but also performance in general

Re:It's the Forrest Gump principle

Yeah, 'cause I wanna spend my whole damn day installing patches!

Not to mention that Gosling probably could have spent his time more productively than inventing yet another language with yet more exploits!

Re:It's the Forrest Gump principle

[techno-vampire]

Yeah, 'cause I wanna spend my whole damn day installing patches!

With Microsoft, all you have to do is turn on Windows Update and the patches will be installed once a month, like clockwork. Or, with Linux, you can check for updates any time you please and pick up whatever's come in since the last time you checked. Either way, the process is (mostly) automated.

Re:It's the Forrest Gump principle

[Nimey]

By the Great Old Ones, have you the misfortune of trying to push out Flash Player using AD group policy? Have you seen the contortions you have to do to make it /work/? Ugh.

just wait for the caps to blow on the old p4 syste

[Joe_Dragon]

just wait for the caps to blow on the old p4 systems to force a upgrade.

No shit Sherlock

[BitZtream]

Wouldn't you be pretty stupid to target the current mostly patched version and ignore the FAR larger pool of older installs.

This is only news if you don't have a clue

zombie journalism

[roman_mir]

Read these words:

Java.
Malware.
Security.
Flaw.

Now watch this interview (and maybe the blooper reel as well)

and then read these words once again:

Java.
Malware.
Security.
Flaw.

I bet you are reading these in that zombie voice now.

Oracle Java UPDATER is the reason for this

[tstrunk]

Some posts above mine, people blame Oracle Java. I blame the updater.

My dad was hit by malware lately, which he got, because of an outdated Java on his system. He told me he always updated everything and blocked the install of everything else like toolbars. The last thing before he got the virus he remembered, was not allowing jusched.exe admin priviledges.

I get it: jusched mean java update scheduler and everytime it's run it asks for admin priviledges. First of all:
1.) This should be updated automatically by a package manager, hence I blame Microsoft
2.) If 1.) is not the case, it should at least be called JAVA UPDATE PROCESS
3.) It should display some kind of information before requesting Admin rights.

Not many people outside of Slashdot know what jusched.exe is. Updating needs to be automated. Actually: We should somehow take this into our own hands and provide OpenJDK for Windows also ourselves and get people to switch. Maybe even without the ASK Toolbar

Re:Oracle Java UPDATER is the reason for this

Your 2 and 3 are pointless. Any virus could easily duplicate and display the same information

Re:Oracle Java UPDATER is the reason for this

I believe Hitler used something called jusched.exe, too.

Re:Oracle Java UPDATER is the reason for this

No, updating should not be automated. The INSTALLER should ask whether or not you want it automatically updated, and if so, how/when, etc. Instead, we get the situation where (for example) I have to put up with jusched.exe's constant complaining that it has an update, but I don't have the privileges to install it, so I get nagged about it EVERY FRICKING TIME I login to a machine I have no control over (and therefore it isn't getting updated ever); or I get the situation where I do have admin rights, but I don't want silent updates, because updates can break things and I need to assess whether to allow it.

The whole auto-update thing needs to be worked out more sanely, because right now you can't win. Either you get broken updates pushed out silently to everyone that breaks everybody's software, you get pop-ups in the middle of key presentations or other work, or you get updates that don't deploy (privileges issues). In either instance you usually have to put up with bloated background processes for each and every program installed and you have to trust they aren't full of security holes (e.g., Nvidia's auto-update program a while ago). For multiple god's sake, at least ask me what my preference is before enabling it, and make it easy to configure, including making the whole hellish thing go away utterly and completely (i.e. no auto-starting background processes) if that's what I want. That way you could set up java to automatically update for your dad and never even ask about it, and I could turn the endless nagging off and block anything java-related in the browser to just play Minecraft in peace.

As you say, having a standard package manager where you could set an update policy system-wide and/or application-by-application would sure help.

Re:Oracle Java UPDATER is the reason for this

Some posts above mine, people blame Oracle Java. I blame the updater.

My dad was hit by malware lately, which he got, because of an outdated Java on his system. He told me he always updated everything and blocked the install of everything else like toolbars. The last thing before he got the virus he remembered, was not allowing jusched.exe admin priviledges.

I get it: jusched mean java update scheduler and everytime it's run it asks for admin priviledges. First of all:
1.) This should be updated automatically by a package manager, hence I blame Microsoft
2.) If 1.) is not the case, it should at least be called JAVA UPDATE PROCESS
3.) It should display some kind of information before requesting Admin rights.

Not many people outside of Slashdot know what jusched.exe is. Updating needs to be automated. Actually: We should somehow take this into our own hands and provide OpenJDK for Windows also ourselves and get people to switch. Maybe even without the ASK Toolbar

Uninstall java.

Problem solved.

Re:Oracle Java UPDATER is the reason for this

But Minecraft.

Re:Oracle Java UPDATER is the reason for this

[complete+loony]

Bingo. Why does a system tray notification require admin rights? Every other software installer I've ever downloaded tells you what it's going to install and only asks for admin rights when the installation process itself starts.

Re:Oracle Java UPDATER is the reason for this

There's also the issue that Java Auto Update is apparently still not supported on 64-bit versions of Java (see question "Why is the Update tab missing from the Java Control Panel?"). So you will just have to remember to check for updates yourself.

Re:Oracle Java UPDATER is the reason for this

[radarskiy]

Now you've solved two problems.

Re:Oracle Java UPDATER is the reason for this

I disagree - I used to think updates shouldn't be automatic but now my thinking has changed. Here are my reasons which ultimately are not technical:

1.) Flash and Acrobat Reader - they finally have auto updates that don't prompt for admin password. Between windows/office itself (automatic), flash, acrobat and java, all the targeted stuff is covered. The problem isn't that Java prompts, its that the prompt needs a password I can't give out so I have to run around to install manually. Not enough time in the day for that given the frequency of updates.

2.) Regarding admin passwords - it's been proven that admin rights for normal staff are a really bad idea. It's again best practice and web related problems dropped by orders of magnitude once admin rights were removed. They complain but they complain more if their system unusable (rightfully so).

3.) The average staffer cannot, should not and should not be trusted to understand if/when/why/how to update systems - it's not their job. However, all of the staff refer to the computer they use as 'their' computer. There is a sense of ownership and control - can't blame them but they don't like it when they get told 'no' regarding 'their' computer no matter what the reason - see item 2. Instead, IT is seen as the control freak.

No, I'd just rather go home on time this evening and get complaints from upper management about overtime and opportunity cost for downtime when I'm staying late to solve a problem that was preventable.

Example: for the last 3 years, the only problems we've had have been fake antivirus infections. Each of these were fixed with a profile rebuild as non-admin rights don't let things go very far beyond the profile. However, one user was granted Admin rights despite recommendations to update some special software they use. Guess who's machine was turned into a porn server? The same user is now more than happy to wait a few minutes (or hours even) for me to punch an admin password to update his software.

4.) I don't get complaints anymore for Acrobat Reader and Flash. I still have them for Java.

5.) Most of our systems don't really need Java but the corporate standard setup, written by those that don't know the difference between Java and Java Script, think it's required. No matter what statistics are quoted, you can't argue with that because then the PHB is feels insulted and threatened. What do they really need? A group of 9 people total need a specific site to be in their trusted site list and an ActiveX plugin which works far better than the Java version used for FireFox... for a site that often breaks when I DO update Java. This site is mission critical and is had to be put in compatibility mode when IE 10 rolled out. A major update to said site was reversed after 3 days when it basically stopped workflow nation wide for clients - the site is too big for them to handle in house but it's a profit center for them so... They are the ones that wrote the requirement to have Java installed. That's how it became part of the company standard image.

If I could automate (seamlessly - IE - no Ask ToolBar or McAffee scan whatever it is), then I would in a heartbeat and exempt the 9 listed above. I think they keep it a manual process intentionally - they get paid for each toolbar install so they need to interface with the user so they can agree to the EULA. Also explains why they don't really fix things - each new 'update' is another chance to get paid - they have an incentive to maximize these chances.

These are not technical issues - they are business issues, political issues that manifest through technology. Microsoft does this too and sometimes the reasons make sense - get rid of IE 6 for instance. However, they are nowhere as bad as Oracle's Java.

It really corks me when profit/political reasons are blamed on technology. Totally agree that a linux style, system wide patch manager would be great. However, profit/political reasons are to blame again - Microsoft has a record and

Re:Oracle Java UPDATER is the reason for this

The prompts ARE a problem. All of this stuff should just silently update itself (much like Windows does), but no they have to take the MARKETING OPPORTUNITY to shove advertising in your face, and foist toolbars and other shit on you.

Re:Oracle Java UPDATER is the reason for this

[tlhIngan]

Bingo. Why does a system tray notification require admin rights? Every other software installer I've ever downloaded tells you what it's going to install and only asks for admin rights when the installation process itself starts.

Better yet, why isn't it downloading on behalf of the installer and letting the INSTALLER ask for admin rights?

Half the time, it claims there's an update, and then it promptly fails to download it. After giving it admin. Why not attempt to download it ahead of time?

Yes, ask for admin if it would save needless popups (e.g., Windows Update - where installing multiple patches may require admin priviledges - so ask it up front then use that to run the patch installers as admin to avoid bugging the user).

Re:Oracle Java UPDATER is the reason for this

wanker

Re:Oracle Java UPDATER is the reason for this

hey here comes a car analogy - if you take your logic you will see that there is no point in locking up your car because skilled thief can open it up anyway but we usually do it anyway because it makes the work of a thief more difficult. YOu also missed the point of GP entirely which is ok - we are at /. so there is no need to read with understanding.

Re:Oracle Java UPDATER is the reason for this

How about when you initially install something you don't have to worry about what privileges you give it after that? Like someone said, any trojan can ask for Windows admin privileges. If the user gives it, you're SOL. It would be nice if when you installed software from a known vendor, that software could update itself without worrying about security.

Personally, I think when a Windows program asks to run as admin, all it does is reenforce to the user that whatever is happening must be safe instead of dangerous.

Re:Oracle Java UPDATER is the reason for this

[sonamchauhan]

Hehehehe

Re:Oracle Java UPDATER is the reason for this

[gravyface]

Take your pops to good ol' Ninite.com. Have him create an installer of all the apps he wishes to use and keep up-to-date, and either run it as a scheduled task (there's some command line switches to make this doable) or if he's like my Dad, he'll write it in the kitchen calendar and never miss running it himself manually. Once you build the installer, it's a run-and-wait thing; doesn't require any other steps, he can just keep running the same Ninite installer every week/month.

Re:Oracle Java UPDATER is the reason for this

[lazarusdishwasher]

If you start the offline installer and don't respond to any of the prompts you should be able to find a directory containg an installer in msi format in c:\users\$username\AppData\LocalLow\Sun\Java.

After you copy the referenced directory somewhere you can cancel the installer. Now that you have a msi file you can use Group Policy, or psexec, or something else to deliver your java update.

An added bonus is that I also do not seem to have the Java updater installed.

Re:just wait for the caps to blow on the old p4 sy

I keep praying for it every day when memory gulping symantec does its startup scan. We have plenty of spares as every department besides technology is well funded. They will just make me slap in a spare power supply or move the hard disk to another like model tower and have me forge on for a couple more years. I've already replaced the PSU twice. Oh well that's civil servitude for ya I guess. :(

I'll say it again people

[caspy7]

...if you don't have a need for it or don't remember when you last used it, uninstall it.

Microsoft ?

[sproketboy]

Microsoft deflecting their own security flaws,

Re:Microsoft ?

Compared to Oracle/Java MS are a shining example on the security front.

Re:just wait for the caps to blow on the old p4 sy

[SkimTony]

Instead of VMs, could you use more physical boxes and a KVM? As an ancillary benefit, when management complains that you have six PCs under your desk you can say "Well, I could toss all of these if you buy me one new PC." Alternately, wait until another department tosses a better machine than you're using: four and five year old Dells were running Core 2 Duos and Core 2 Quads, so any day now you should be able to pick up a decent system off the discard pile.

Cross-platform Java flaws?

What is the break-down by platform of exploitable Java bugs?

Enable Click to Play

[intangible]

In Chrome, Firefox, and all Android browsers, just enable "click to play" for all plugins, instantly 99.9% of your vulnerabilities are gone.
Bonuses: no flashing ads, fewer CPU or RAM chugging browser tabs, no random audio ads, better battery life.

On the few sites where you want it on by default (youtube for example) it's just a two click "enable permanently" whitelist.

WHY isn't this the default on all browsers by now?

Re:Enable Click to Play

The Firefox implementation is still not quite ready.

It pops up a focus stealing alert asking you to please turn on Flash (the only plugin I have installed) all the time, even on pages that don't have any Flash. If it only showed the play button where the plugin should be, it would be great - actually it can, if you add a few lines to userChrome.css, but try explaining that to regular users. There was a big discussion about it on the Bugzilla, but apparently too many users stated their opinions, and we all know the Firefox devs don't like to hear those. So discussion was moved from the bugzilla to a mailing list, where they could avoid that.

That focus stealing popup was so annoying that I moved to Chromium until I found the userChrome.css solution.

(I would have stayed on Chromium except it has other mis-features with "we are not going to fix that" statements from the developers. The one that really sealed it for me was the URL bar auto-correcting a correctly spelled URL to a previous mis-spelling whenever I typed it).

MS FUD: Bad

Which bit of "Research from Microsoft" did you not understand?

This is just more from the great FUD machine from Redmond.

It's Java Browser Plugin!

[coder111]

How many times do I have to repeat this. ALMOST ALL THE VULNERABILITIES TARGET JAVA APPLETS THAT RUN WITH JAVA PLUGIN INSIDE BROWER. This is not java the language in general, this is not even the JVM, this is the stupid applet sandbox. And nobody uses applets for anything anymore, this is obsolete technology maintained for backwards compatibility.

95% of Java today is running on the server-side. And there are very few security problems there.

Given the amount of articles and FUD targeted at Java on Slashdot in recent months, they could have gotten this right by now. Editors, please be explicit about this being java APPLET/BROWSER PLUGIN vulnerability every time this comes up. This is not Java language vulnerability.

--Codera

Re:It's Java Browser Plugin!

[gbjbaanb]

but you're wrong.

The plugin is simply the vector that a great number of attacks use to infect your system, the flaws are still (mostly) in the JVM.

Don't stick your head in the sand and say "blah blah no flaws in java", as you're doing everyone a huge disservice. There are bugs in the JRE that are exploited all the time (check the security fixes Oracle publishes to see what these are)., and understand that removing the plugin simply means the attackers have a harder, but not impossible, time to hack you.

Re:It's Java Browser Plugin!

Thing is he is 'sorta' right. Maybe the vulins are there but if you can not get at them are they really a problem?

For example I can hang a SP0 xp box off the internet and not get infected? How? Put a firewall in the way. XP RC is riddled with known holes. Yet no one can get at the box at all is it really vulnerable?

Sometimes patching is a matter of knowing your battles. For average joe blow? Patch it you are going to cycle your computer anyway. For someone with downtime of seconds per year? They do not patch it until they have to.

Saving with the File API

[tepples]

JS and HTML can't write files to the clients computer.

This may be true of JavaScript and HTML in IE pre-10, but the draft File API allows JavaScript programs to ask the browser to present a "Save As" file chooser and write to the file that the user chose. And because JavaScript's File API does access control through the file chooser, it doesn't require a code signing certificate from a commercial CA in order to be able to write such a file

JAVA is safe - Applets are not.

[heatseeker_around]

I had to deal with a client who wanted a .Net application because "JAVA had major vulnerabilities". Who told him this stupidity ? A "specialist" in .Net applications ! WOW ! I had to spend 3 full days to explain to him what is Java, what is an applet, why nobody uses applet anymore except the old dinosaurs who don't want to die and why it is safer and cheaper and better for him to use Java servers and applications.

Stop the bullshit ! Java is as safe as or even safer than any other technologies.

And for the so-called "systems admins" who don't understand the differences between a Java server and a Java-applet, RESEARCH, LEARN OR GO TO HELL !

Problem with Java is Management (as usual)

[minstrelmike]

The reason Java is used so extensively in the enterprise is because managers want bells and whistles.
We built a basic html app and one yahoo wanted rounded corners because they looked nice.
We said "No" due to performance issues. Then he tried to get it in thru the standard backdoor of 'standardization' and we used our strategy of defensive paperwork--the first criteria for standardization was performance, not looks. We couldn't get the other departments to stop using Java to develop apps with rounded corners but eventually, they realized their employees were avoiding the apps at every opportunity. And it broke every time Windoze was updated or we bought new laptops. That sort of canceled out the whole 'enterprise java makes updates and changes easier' idea.
Prove it now that you've got 5 years of data.

Meanwhile, our section has years of useful data and users who defend 'their app' against bureaucratic interference.

Re:Problem with Java is Management (as usual)

[minstrelmike]

And you should use this same argument against .Net and any other enterprise-level, we-can-do-it-all, kind of snake oil system presented by salesmen writing articles for airline magazines. If .NET was supposed to make things easier, then the ease ought to be measurable by now. Same with SAP or any other ERP system.

One ring to rule them all is fiction, not fact.