Linked by lucas_maximus on Mon 5th Dec 2011 17:23 UTC
Java: Patch up warmly this winter if you're running Java. That's the advice from .NET shop Microsoft, which reckons Oracle's platform is the single biggest target for hackers. Java proved the single most popular target in the 12-month period to the end of June, according to Microsoft's latest Security Intelligence Report. Running Java as a web-browser plugin is much more dangerous than Flash, and you should disable the Java applet plugin.
The devil is full of good intentions...
by moondevil on Mon 5th Dec 2011 18:14 UTC
moondevil
Member since:
2005-07-08

... as we say in Portugal.

For sure Microsoft does this just because it cares to help the users at large.

Reply Score: 12

lucas_maximus Member since:
2009-08-18

This advice is for all Operating Systems not just Windows.

There are the same vulnerabilities in MacOSX and any Unix variant that supports the Java plugin.

Reply Score: 4

Bill Shooter of Bul Member since:
2006-07-14

It's a pretty bad idea to have any old software that can communicate with the outside world.

Java, Flash, Internet Explorer, Chrome, Konqueror, Firefox, Opera, Silverlight/.NET, Adobe Reader, etc.

They get updated primarily for security fixes. If you don't upgrade, you're vulnerable. Picking out a single program out of the mix is silly/stupid. This is why people are jumping on the Anti-Microsoft theme. Either they're stupid and don't know they are wasting everyone's time, or they're smart and trying to knock down a competitor.

Edited 2011-12-06 18:39 UTC

Reply Score: 3

lucas_maximus Member since:
2009-08-18

Do I have to keep on saying this over and over again?

The primary problem is the Java Browser Plugin, that has no place being there on any consumer system ... whether that is Windows, MacOSX, or a *nix variant.

When was the last time you saw a Java Applet on a major website? ... When did people use Java AWT/Swing Apps frequently?

There is not really a case for the JRE being on most systems, let alone the Java browser plugin.

If it isn't there in the first place it doesn't need to be updated ... "prevention not cure!"

Edited 2011-12-06 20:00 UTC

Reply Score: 1

Bill Shooter of Bul Member since:
2006-07-14

If your message is: keep stuff up to date. Then you should keep everything up to date. End of story. No argument here.

If your message is: don't install or run programs you don't need that enlarge your attack surface. Then no problem with that either. No argument here.

But if you say: "Everyone should remove Java applets, because they have too many problems and too few uses", that's rather specific advice that doesn't have much long term value to users. The fact that it comes from a current and historical competitor to Java applets and the whole Java framework, doesn't help much. I'm sure Oracle would have a different view. I hear they are going to make a big new push for Java in browsers soon utilizing Java FX.

Reply Score: 3

lucas_maximus Member since:
2009-08-18

So which high traffic website you know of uses Java Applets?

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

NDA

Reply Score: 2

lucas_maximus Member since:
2009-08-18

If your message is: keep stuff up to date. Then you should keep everything up to date. End of story. No argument here.

If your message is: don't install or run programs you don't need that enlarge your attack surface. Then no problem with that either. No argument here.

But if you say: "Everyone should remove Java applets, because they have too many problems and too few uses", that's rather specific advice that doesn't have much long term value to users. The fact that it comes from a current and historical competitor to Java applets and the whole Java framework, doesn't help much. I'm sure Oracle would have a different view. I hear they are going to make a big new push for Java in browsers soon utilizing Java FX.


Apologies, I completely misread what you were saying.

Yeah, keeping stuff up to date is important. However, I don't think that Java applets, or any other plugins, have any place on the web.

Flash is a necessary evil until every browser and system decides what codec they are going to be using for video and audio.

Silverlight is used extensively on Channel 9 (MSDN sites) and Flash everywhere else. Java applets IMO are a bit of a dead technology, and I have only ever seen them for things such as download managers (which most browsers already have built in).

Reply Score: 2

ramasubbu_sk
Member since:
2007-04-05

Oracle could work with Microsoft and push the update to the Windows platform via Windows Update. I think that would help IT operations teams a lot.

I don't know how feasible this is!

Reply Score: 2

CapEnt Member since:
2005-12-18

I think that Windows Market will partially solve this on Win8, at least.

But what Microsoft needs urgently (but will never do it) is to create a way to incorporate the concept of user maintained, centralized versioned repositories, like Linux has for ages.

Reply Score: 6

bannor99 Member since:
2005-09-15

Very good point. It's long overdue for Windows. And having to manually remove every piece of software instead of being able to do it as a batch job is a real pain.

Reply Score: 4

robojerk Member since:
2006-01-10

But what Microsoft needs urgently (but will never do it) is to create a way to incorporate the concept of user maintained, centralized versioned repositories, like Linux has for ages.

"Technically" you can use WSUS with System Center Updates Publisher to provide vendor based repositories. So far only Adobe (Flash, Reader, Acrobat), Oracle (JRE), and Dell (Drivers, tools, etc, etc) have active repositories I believe, and only with the latest versions of their software.

Edited 2011-12-05 21:12 UTC

Reply Score: 3

lucas_maximus Member since:
2009-08-18

TBH the real solution is not to have a plugin installed to your web browser in the first place. There really isn't a need for most users to have the plugin enabled.

Also this isn't just a problem with Windows ... it is a problem with any OS that has the Java plugin installed in a web browser ... MacOSX had similar problems a couple of years ago, and Firefox disables older Java plugins by default.

http://krebsonsecurity.com/2010/04/mozilla-disables-insecure-java-p...

I have only seen it used on things like Oracle Forms and some other bespoke internal application and some older websites.

Reply Score: 2

MS doing what they know best..
by SunOS on Mon 5th Dec 2011 18:58 UTC
SunOS
Member since:
2011-07-12

.NET wouldn't be a competitor to Java in any respects would it?

Reply Score: 9

lucas_maximus Member since:
2009-08-18

Mozilla disabled old versions

http://krebsonsecurity.com/2010/04/mozilla-disables-insecure-java-p...

Leopard security advisory from Apple

http://support.apple.com/kb/ht3437

Been a problem for some time ... but never mind, make an anti-Microsoft comment and get modded up.

I honestly don't understand why Oracle are still pushing Java Applets.

Edited 2011-12-06 04:53 UTC

Reply Score: 2

SunOS Member since:
2011-07-12

You what?

With that logic, if I said Porsche might be a competitor to Lamborghini it would make me anti-Porsche?

Reply Score: 1

lucas_maximus Member since:
2009-08-18

What are you on about? .... I just highlighted this wasn't a Windows Only issue.

Which was correcting your assertion this was some sort of FUD tactic to get people to use .NET.

But hey, your name is SunOS ... you can't be biased at all, can you.

Edited 2011-12-06 19:56 UTC

Reply Score: 2

Replace "Java" with "Windows"
by bannor99 on Mon 5th Dec 2011 19:52 UTC
bannor99
Member since:
2005-09-15

or Windows software and every statement in that release is still true. But thanks for the heads up, Steve.
Hey, are you going to fucking kill Oracle ( who probably deserve it) or are you all out of chairs?

Reply Score: 5

As they say
by fretinator on Tue 6th Dec 2011 00:07 UTC
fretinator
Member since:
2005-07-06

"Why yes, Mr. Kettle, you appear to be black" said Mr. Pot.

Reply Score: 6

If people only...
by JAlexoid on Tue 6th Dec 2011 01:40 UTC
JAlexoid
Member since:
2009-05-19

If people only didn't click "No" when Java Update popped up... Hell, if you keep Windows itself up to date, then it's also quite secure.

Reply Score: 3

RE: If people only...
by WorknMan on Tue 6th Dec 2011 12:56 UTC in reply to "If people only..."
WorknMan Member since:
2005-11-13

If people only didn't click "No" when Java Update popped up... Hell, if you keep Windows itself up to date, then it's also quite secure.


The problem with this is that some enterprises have developed apps that will break if users install a newer version of Java. So, instead of spending the time/money to upgrade the app, they just keep users on the old version. It's the same scenario as companies who have their entire infrastructure built on apps that were written in VB6, that were written back in the 90's.

Reply Score: 3

RE[2]: If people only...
by JAlexoid on Wed 7th Dec 2011 00:32 UTC in reply to "RE: If people only..."
JAlexoid Member since:
2009-05-19

Update != upgrade.

Reply Score: 2

RE: If people only...
by joekiser on Tue 6th Dec 2011 13:21 UTC in reply to "If people only..."
joekiser Member since:
2005-06-30

But then you get about 15 separate entries in Add/Remove programs for the same Java.

Reply Score: 2

RE[2]: If people only...
by JAlexoid on Wed 7th Dec 2011 00:33 UTC in reply to "RE: If people only..."
JAlexoid Member since:
2009-05-19

Yes, that is the issue here....

Reply Score: 2

That was painful
by aaronmcohen on Tue 6th Dec 2011 02:25 UTC
aaronmcohen
Member since:
2011-09-19

Gosh, that was a painful whitepaper to read. So a Microsoft-funded paper with 23 Microsoft employees writing it found a concern with an MS competitor.... Shocker! Personally, the fact that they found few ActiveX and MS Office VBA attacks does raise an eyebrow.

"As in previous periods, many of the more commonly exploited Java vulnerabilities are several years old, as are the security updates that have been released to address them."

Java only recently had a good update capability under Windows and still has a long way to go. Personally I'd love to see the Browser plugin/JVM get updated with zero day updates and the system JVM get updated with only service packs.

I agree that there are some improvements needed in Java Release Engineering but I am not sure MS should be the one calling foul.

Reply Score: 4

RE: That was painful
by lucas_maximus on Tue 6th Dec 2011 05:47 UTC in reply to "That was painful"
lucas_maximus Member since:
2009-08-18

Java only recently had a good update capability under Windows and still has a long way to go. Personally I'd love to see the Browser plugin/JVM get updated with zero day updates and the system JVM get updated with only service packs.


I honestly don't even know why Java is installed on most people's machines. Not many desktop programs use it, and I haven't been to a popular site that has used it, ever.

I have Java installed with the JDK, but developers are in the minority.

I agree that there are some improvements needed in Java Release Engineering but I am not sure MS should be the one calling foul.


I think the main problem is the applet ... simply having Java on the system isn't a security problem.

Reply Score: 2

RE[2]: That was painful
by Straho on Tue 6th Dec 2011 09:08 UTC in reply to "RE: That was painful"
Straho Member since:
2011-09-30

I honestly don't even know why Java is installed on most people's machines.

I have the same problem with Windows.

The number-one exploit was CVE-2010-0840, affecting the Java Runtime Environment (JRE), disclosed in March 2010 and addressed with an Oracle update the same month.

Oracle produced an update for the number-one exploit the same month it was found, so what's the problem?
Maybe I don't understand the whole article, but still, from what I understand: Java has security problems (yes, all platforms have them), Oracle updates them the same month (good for Oracle, unlike other companies), "Keep all software in your environment up to date, not just Windows" ("Don't play with fire!", says my grandmother).

Edited 2011-12-06 09:08 UTC

Reply Score: 2

RE[3]: That was painful
by lucas_maximus on Tue 6th Dec 2011 13:21 UTC in reply to "RE[2]: That was painful"
lucas_maximus Member since:
2009-08-18

I have the same problem with Windows.


You are obviously a bit of a cock.

Let me explain this to you. Windows, with all its various problems, is still the best general-purpose OS for the masses on desktops and laptops.

Oracle produced an update for the number-one exploit the same month it was found, so what's the problem?
Maybe I don't understand the whole article, but still, from what I understand: Java has security problems (yes, all platforms have them), Oracle updates them the same month (good for Oracle, unlike other companies), "Keep all software in your environment up to date, not just Windows" ("Don't play with fire!", says my grandmother).


The Java plugin is a total waste of time these days ... however Flash has far more attention paid to it, and the Flash plugin is pretty good for playing video and games on.

Reply Score: 2

RE[4]: That was painful
by djrikki on Tue 6th Dec 2011 13:45 UTC in reply to "RE[3]: That was painful"
djrikki Member since:
2011-09-02

Most popular != Best

Reply Score: 1

RE[4]: That was painful
by Straho on Tue 6th Dec 2011 15:27 UTC in reply to "RE[3]: That was painful"
Straho Member since:
2011-09-30

Sorry, I wasn't clear enough.
I didn't say that Java plugins are a smart decision; they are awful. Flash is a piece of shit also.
I just say that it's not Java's/Oracle's fault, because from what I read there are updates for the issues, and this is just cheap anti-advertising from MS. To blame the platform because of lazy developers and uneducated users is ridiculous.
That's really simple: a vulnerability is found, now everybody knows about it, I begin to exploit the vulnerability, updates are produced, nobody uses them, I still exploit the vulnerability.

MS allows outdated and cracked software on Windows. That made it the most popular "general-purpose OS for the masses on desktops and laptops". But everything has a good and a bad side, and the article is about the bad side.

Reply Score: 2

RE[5]: That was painful
by Straho on Tue 6th Dec 2011 15:52 UTC in reply to "RE[4]: That was painful"
Straho Member since:
2011-09-30

Actually I read only the article, not the PDF, but when I browsed the PDF I was shocked. Page 63 of 168 shows a graphic where you can learn that detected operating system exploits doubled by the end of 2Q2011 and were in second place after Java exploits. Maybe for 3Q2011 we should expect OS exploits to be more than Java.

Maybe the masses should be warned about that in this cheap article.

Reply Score: 1

RE[5]: That was painful
by lucas_maximus on Tue 6th Dec 2011 16:03 UTC in reply to "RE[4]: That was painful"
lucas_maximus Member since:
2009-08-18

Flash is a piece of shit also.


It isn't particularly good, but for cross browser video and audio it is the only sensible choice.

I can either try supporting WebM, MP4 and Flash ... or just use Flash, and MP4 for iOS, and I have covered the overwhelming majority of visitors.

There is no advantage of running a Java Applet unless you are a business that has specific applications that use it.

MS allows outdated and cracked software on Windows


It's called backwards compatibility ... very important for businesses. TBH, if a piece of software works, why change it?

As for illegal software, I am sure you can run it on other platforms as well.

Reply Score: 0

RE[6]: That was painful
by Straho on Tue 6th Dec 2011 18:11 UTC in reply to "RE[5]: That was painful"
Straho Member since:
2011-09-30


It's called backwards compatibility ... very important for businesses. TBH, if a piece of software works, why change it?

I and most people I know at least apply security updates to our systems. I'm not sure about Java, but for the last 4 years I have patched hundreds of Oracle DB servers, Red Hat, OEL and HP-UX machines with security and bug-fixing patches and they still work.
Most of the companies also pay for software support. For example, Quest Software never broke Toad for Oracle for me, but produced some bug fixes; same with Altova. (Those are closed-source software companies; with open source it is even easier.)
The masses are just ignorant and stupid. They care about their cars' tires and fuel, changing the oil, brakes, but never care about their computer systems, personal information, etcetera, etcetera.

Edited 2011-12-06 18:15 UTC

Reply Score: 2

RE[7]: That was painful
by lucas_maximus on Tue 6th Dec 2011 19:51 UTC in reply to "RE[6]: That was painful"
lucas_maximus Member since:
2009-08-18

What are you on about? Old software does not include the bloody runtime that is backwards compatible.

In any event the security problem is the plugin not the Java runtime.

Reply Score: 2

RE[4]: That was painful
by Shkaba on Tue 6th Dec 2011 22:10 UTC in reply to "RE[3]: That was painful"
Shkaba Member since:
2006-06-22


Let me explain this to you. Windows with all its various problems is still the best General purpose OS for masses on desktop and laptops.


And let me explain this to you: Java is the most commonly used middle-tier runtime for all enterprises. .NET comes in a distant third. Take a guess as to why this report should be taken with a ROCK of salt.

Reply Score: 3

RE[2]: That was painful
by tidux on Tue 6th Dec 2011 19:22 UTC in reply to "RE: That was painful"
tidux Member since:
2011-08-13

1. Vuze/Azureus
2. [Open/Libre]Office
3. Minecraft

It's still relevant.

Reply Score: 2

RE: That was painful
by dsmogor on Tue 6th Dec 2011 08:05 UTC in reply to "That was painful"
dsmogor Member since:
2005-09-01

I'm reading Larsson's Millennium, and the old tycoon Vanger told the troubled Blomkvist: if you are beaten hard by someone, don't fight back if you know you will lose in a full frontal attack, but never forget and let it go. Observe and wait until your enemy is vulnerable to strike him. MS has been whipped hard on the security front; they have a lot of credibility to regain, especially in the enterprise. This is just a great opportunity to hit two birds with one arrow. I have no doubt they will use the same tactics against Android when the time comes.

Reply Score: 5

I challenge you to....
by Slambert666 on Wed 7th Dec 2011 02:52 UTC
Slambert666
Member since:
2008-10-30

For everyone that thinks this is only Microsoft PR bashing a competitor do the following:

Install the Java browser plugin for versions 1.4, 1.5, 6 and 7 (you need all of them because Java is not strictly backwards compatible, and many businesses are still at 1.4 or older).

Then go surf some suspicious websites for a couple of hours... I dare you.

Reply Score: 2