Is Java now safe


28 replies to this topic

#1 BarryO

BarryO

  • Members
  • 116 posts

Posted 27 April 2013 - 05:45 AM

Hi,

 

I received this in an email http://blog.malwarebytes.org/intelligence/2013/04/cta-new-java-vulnerability/ a few days ago.

 

I am wondering if Java is now safe to use?

 

Thanks





#2 niemiro

niemiro

  • Members
  • 102 posts
  • Gender:Male

Posted 27 April 2013 - 05:53 AM

Hello :)

 

For a slightly humorous take on the issue, you can use these two websites:

 

http://java-0day.com/

 

http://istherejava0day.com/

 

If the second website says "Yes", it means there is currently an unpatched Java vulnerability.

 

At the end of the day, it is a constant battle between security researchers, malware authors, and Oracle.

 

Even when there is supposedly no current vulnerability, there is no guarantee that some malware authors haven't found one which security researchers haven't yet. Then you *think* you are safe, but you aren't.

 

My advice is to uninstall all versions of Java if you possibly can. Then you are safe (well, from that particular threat, anyway). If you can't, make sure to uninstall all old versions of Java, and keep one up-to-date version of Java in a second browser. Then use that browser for whatever few Java websites you need, and then during normal browsing in your other browser you are very unlikely to be vulnerable.

 

For more about Java, see here: http://securitygarden.blogspot.co.uk/p/blog-page_18.html

 

Richard


One of the very few people in the world who is truly enthused about Windows Update and how it works...

 

Yes, I'm a bit weird :P


#3 anyrepli

anyrepli

  • Members
  • 160 posts

Posted 27 April 2013 - 06:00 AM

IMHO, Java will never be 100% safe and the fact that poor coding (in recent updates) has opened the door to even more vulnerabilities has tattered Oracle's image and there is a general concern about their lack of commitment to keeping the product safe.



#4 johngreen168

johngreen168

  • Members
  • 38 posts
  • Gender:Male

Posted 27 April 2013 - 06:19 AM

Nothing is 100% safe on the internet. Some suggestions would be:

  • You may use two different browsers, say IE and Chrome or Firefox; your main browser should have Java disabled (it will help prevent malware infection) and the other one has Java enabled (use it when you need it)
  • Also, you might install Returnil; it will prevent unnecessary malware being installed on your system. However, the main point is that you try not to browse badly rated websites :)

Hope this helps



#5 BarryO

BarryO
  • Topic Starter

  • Members
  • 116 posts

Posted 27 April 2013 - 06:24 AM

Thanks all, will use it in one browser as suggested



#6 anyrepli

anyrepli

  • Members
  • 160 posts

Posted 27 April 2013 - 06:38 AM

> Nothing is 100% safe on the internet. Some suggestions would be:
>
>   • You may use two different browsers, say IE and Chrome or Firefox; your main browser should have Java disabled (it will help prevent malware infection) and the other one has Java enabled (use it when you need it)
>   • Also, you might install Returnil; it will prevent unnecessary malware being installed on your system. However, the main point is that you try not to browse badly rated websites :)
>
> Hope this helps

"Nothing is 100% safe" is a questionable response in this case because Java has been identified as being vulnerable; period. So, using a second browser, w/Java enabled to access Java sites really doesn't lessen the user's vulnerability at all. And, remember the old saying "All roads lead to Rome?" In this case, Rome is the user's OS, and both browsers will have that in common.



#7 annaharris

annaharris

  • Members
  • 12 posts
  • Gender:Male

Posted 31 May 2013 - 07:05 AM

No! You need to upgrade to MOCHAJAVA TO BE SAFE.



#8 DarkSnake-Kobra

DarkSnake-Kobra

  • Members
  • 633 posts
  • Gender:Male
  • Location:Iowa, USA

Posted 31 May 2013 - 07:04 PM

> > Nothing is 100% safe on the internet. Some suggestions would be:
> >
> >   • You may use two different browsers, say IE and Chrome or Firefox; your main browser should have Java disabled (it will help prevent malware infection) and the other one has Java enabled (use it when you need it)
> >   • Also, you might install Returnil; it will prevent unnecessary malware being installed on your system. However, the main point is that you try not to browse badly rated websites :)
> >
> > Hope this helps
>
> "Nothing is 100% safe" is a questionable response in this case because Java has been identified as being vulnerable; period. So, using a second browser, w/Java enabled to access Java sites really doesn't lessen the user's vulnerability at all. And, remember the old saying "All roads lead to Rome?" In this case, Rome is the user's OS, and both browsers will have that in common.


That's correct. Ever since Java fell into Oracle's hands it has been insecure. The problem is the bad code and update policies Oracle has compared to what Sun had; they did a much better job developing and maintaining it.

@john

Like any security product, Returnil is not foolproof. I'm familiar with some security researchers that have had malware slip through Returnil. Same thing as a sandbox: malware does slip through from time to time.

#9 Billy O'Neal

Billy O'Neal

    Bleepin Microsoftie Engineer


  • Malware Response Instructor
  • 11,981 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 04 June 2013 - 11:23 AM

> That's correct. Ever since Java fell into Oracle's hands it has been insecure. The problem is the bad code and update policies Oracle has compared to what Sun had; they did a much better job developing and maintaining it.


It was quite insecure under Sun too. Back when I started doing this "Vundo" was the big thing and it installed via Java exploits.

Billy3
Look buddy, I'm an Engineer, and that means I solve problems. Not problems like "What is beauty?" .. 'cause that would fall within the purview of your conundrums of philosophy....
GitHub - Twitter
My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#10 DarkSnake-Kobra

DarkSnake-Kobra

  • Members
  • 633 posts
  • Gender:Male
  • Location:Iowa, USA

Posted 04 June 2013 - 01:15 PM

> > That's correct. Ever since Java fell into Oracle's hands it has been insecure. The problem is the bad code and update policies Oracle has compared to what Sun had; they did a much better job developing and maintaining it.
>
> It was quite insecure under Sun too. Back when I started doing this "Vundo" was the big thing and it installed via Java exploits.
>
> Billy3

Really? That's interesting. I can see a lot of issues with the language due to the popularity and how it can be used.



#11 Billy O'Neal

Billy O'Neal

    Bleepin Microsoftie Engineer


  • Malware Response Instructor
  • 11,981 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 04 June 2013 - 01:31 PM

I thought we were talking about the runtime itself. As for the language, you can write insecure code in any language.

Billy3

#12 DarkSnake-Kobra

DarkSnake-Kobra

  • Members
  • 633 posts
  • Gender:Male
  • Location:Iowa, USA

Posted 04 June 2013 - 01:53 PM

I got mixed up with the definition of language and runtime. :P But yes you can write insecure code in any language, but I believe in a sense the runtimes for most other languages are more secure as they don't offer the type of functionality Java does or can't be exploited as easily.



#13 Billy O'Neal

Billy O'Neal

    Bleepin Microsoftie Engineer


  • Malware Response Instructor
  • 11,981 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 04 June 2013 - 01:56 PM

Not really. It never was a runtime feature that was exploited -- they've all been bugs in the runtime itself. Basically, the attacker crafts some invalid bytecode that crashes the runtime in such a way that they get control of the CPU as the process crashes.

Billy3

#14 DarkSnake-Kobra

DarkSnake-Kobra

  • Members
  • 633 posts
  • Gender:Male
  • Location:Iowa, USA

Posted 04 June 2013 - 02:06 PM

Oh gotcha. That's a real shame. It's a very useful language, but hopefully people will understand in time that with all these issues that it's really not worth it. Java appears to be a plagued platform...



#15 Billy O'Neal

Billy O'Neal

    Bleepin Microsoftie Engineer


  • Malware Response Instructor
  • 11,981 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 04 June 2013 - 02:09 PM

The bugs are in the runtime, not the language. You could theoretically write a Java to CLR compiler (or vice versa).

Billy3



