US Government advises you to disable Java - Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

ResAlien · 01-11-2013, 10:04 PM

Apparently there are some security concerns surrounding Java.

Quote:

Experts believe hackers have found a flaw in Java's coding that creates an opening for criminal activity and other high-tech mischief.

"The malware has currently been seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform."

So a real threat or is this the equivalent of your uncle forwarding you emails about how onions cure the plague?

http://www.cbsnews.com/8301-205_162-...java-software/

DownhillGoat · 01-11-2013, 10:42 PM

I was actually coming over to post this. It was on Financial Post as well.

It's not like Java hasn't been linked to attacks before, I'd assume it's a fairly significant threat.

ResAlien · 01-11-2013, 10:49 PM

I'm not the most technical guy in the world, for firefox everywhere says to disable it in my plug-ins. It's not even there in my plug ins so yay for me no worries?

Jacks · 01-11-2013, 10:52 PM

Quote:

Originally Posted by ResAlien

for firefox everywhere says to disable it in my plug-ins. It's not even there in my plug ins so yay for me no worries?

I was wondering the same thing.

photon · 01-12-2013, 10:19 AM

If it's not in your plugins in Firefox it should be ok, you can go here to test to see as well:

http://www.java.com/en/download/testjava.jsp

It sounds like Oracle was told about this exploit back in August, and released a patch in October but didn't patch it properly.

Overall there's been a lot of questions around Oracle and their stewardship of Java since they purchased Sun.

sclitheroe · 01-12-2013, 11:24 AM

Quote:

Originally Posted by photon

Overall there's been a lot of questions around Oracle and their stewardship of Java since they purchased Sun.

More so I'd say it's an absolutely fricking condemnation of the idea that running JIT compiled code in a so-called "sandbox" could or would ever be secure - Java exploits are nothing new since Oracle took the reins.

I actually wonder if moving away from just-in-time compilation to native code and simply interpreting the Java bytecode would be more secure - it would be somewhat harder for the exploits to break out of the sandbox if they weren't already executing as native x86 code (although maybe they could still emit x86 code outside sandbox memory and get it to run, who knows).

For many client-side Java apps, I bet the performance hit to do interpreted runs vs JIT compilation wouldn't be that bad, and maybe worth it if it improved security.

photon · 01-12-2013, 11:40 AM

Not new, but Oracle doesn't seem to be very responsive (and other things they've done around Java that make me nervous, more from an enterprise server side).

A sandbox's security still depends on the sandbox, and as long as the sandbox has any kind of access to whatever the sandbox is sitting in there'll always be potential security risks. Browsers are supposed to be sandboxes for Javascript and other code to display a webpage but still get exploited to access the machine.

Making Java into an interpreted language may make it more secure (though I would think that would just shift the security issues around, the interpreter is machine code itself still has to make machine code at some point) but you would lose a lot of what makes Java Java and the advantages it has over interpreted languages. If there was a significant advantage of an interpreted language then one could just choose an interpreted language to make their app, but we don't see much of that.

Mike F · 01-12-2013, 01:51 PM

Turned off the Java plugin in Chrome.

The internet sucks without Java.

photon · 01-12-2013, 03:14 PM

Lulwut? Do any websites actually use Java?

DownhillGoat · 01-12-2013, 04:04 PM

Quote:

Originally Posted by Mike F

The internet sucks without Java.

Really? I had to use Photon's link to see if I was even running it since I formatted my drive a few months ago.

I think the last time I've seen a site need Java was for a new vehicle builder.

photon · 01-12-2013, 05:18 PM

Maybe meant Javascript? People often confuse the two since they have similar names.

Mike F · 01-12-2013, 05:50 PM

Quote:

Originally Posted by kunkstyle

Really? I had to use Photon's link to see if I was even running it since I formatted my drive a few months ago.

I think the last time I've seen a site need Java was for a new vehicle builder.

I followed the instructions for disabling the plugin in Chrome and somehow Javascript and Java both got disabled.

Fixed now, thankfully.