Patch up warmly this winter if you’re running Java. That’s the advice from .NET shop Microsoft, which reckons Oracle’s platform is the single biggest target for hackers. Java proved the single most popular target in the 12-month period to the end of June, according to Microsoft’s latest Security Intelligence Report.
Running Java as a web-browser plugin is much more dangerous than Flash, and users should disable the Java applet plugin.
… as we say in Portugal.
For sure Microsoft does this just because it cares to help the users at large.
This advice is for all Operating Systems not just Windows.
There are the same vulnerabilities in MacOSX and any Unix variant that supports the Java Plugin.
It’s a pretty bad idea to have any old software that can communicate with the outside world.
Java, Flash, Internet Explorer, Chrome, Konqueror, Firefox, Opera, SilverLight/.Net, Adobe Reader, etc.
They get updated primarily for security fixes. If you don’t upgrade, you’re vulnerable. Picking out a single program out of the mix is silly/stupid. This is why people are jumping on the Anti-Microsoft theme. Either they’re stupid and don’t know they are wasting everyone’s time, or they’re smart and trying to knock down a competitor.
Edited 2011-12-06 18:39 UTC
Do I have to keep on saying this over and over again?
The primary problem is the Java Browser Plugin, which has no place being there on any consumer system … whether that is Windows, MacOSX, or a *nix variant.
When was the last time you saw a Java Applet on a major website? … When did people use Java AWT/Swing Apps frequently?
There is not really a case for the JRE being on most systems, let alone the Java Browser Plugin.
If it isn’t there in the first place it doesn’t need to be updated … “prevention not cure!”
Edited 2011-12-06 20:00 UTC
If your message is: keep stuff up to date. Then you should keep everything up to date. End of story. No argument here.
If your message is: don’t install or run programs you don’t need that enlarge your attack surface. Then no problem with that either. No argument here.
But if you say: “Everyone should remove Java applets, because they have too many problems and too few uses”, that’s rather specific advice that doesn’t have much long term value to users. The fact that it comes from a current and historical competitor to Java applets and the whole Java framework, doesn’t help much. I’m sure Oracle would have a different view. I hear they are going to make a big new push for Java in browsers soon utilizing Java FX.
So which high traffic website you know of uses Java Applets?
NDA
Apologies, I completely misread what you were saying.
Yeah, keeping stuff up to date is important. However I don’t think that Java Applets, or any other plugins, have any place on the web.
Flash is a necessary Evil until every browser and system decided what codec they are going to be using for Video and Audio.
SilverLight is used extensively on Channel 9 (MSDN sites) and Flash everywhere else. Java Applets IMO are a bit of a dead technology, and I have only ever seen them for things such as download managers (which most browsers already have built in).
Oracle could work with Microsoft and push the update to the Windows platform via Windows Update. I think that would help IT Operations teams a lot.
I don’t know how feasible this is!
I think that Windows Market will partially solve this on Win8, at least.
But what Microsoft needs urgently (but will never do it) is to create a way to incorporate the concept of user maintained, centralized versioned repositories, like Linux has for ages.
Very good point. It’s long overdue for Windows. And having to manually remove every piece of software instead of being able to do it as a batch job is a real pain.
“Technically” you can use WSUS with System Center Updates Publisher to provide vendor based repositories. So far only Adobe (Flash, Reader, Acrobat), Oracle (JRE), and Dell (Drivers, tools, etc, etc) have active repositories I believe, and only with the latest versions of their software.
Edited 2011-12-05 21:12 UTC
TBH the real solution is not to have a plugin installed to your web browser in the first place. There really isn’t a need for most users to have the plugin enabled.
Also this isn’t just a problem with Windows … it is a problem with any OS that has the Java plugin installed on a web-browser … MacOSX had similar problems a couple of years ago, and FireFox disables by default older Java plugins.
http://krebsonsecurity.com/2010/04/mozilla-disables-insecure-java-p…
I have only seen it used on things like Oracle Forms and some other bespoke internal application and some older websites.
.NET wouldn’t be a competitor to Java in any respects would it?
Mozilla disabled old versions
http://krebsonsecurity.com/2010/04/mozilla-disables-insecure-java-p…
Leopard Security Advisory from apple
http://support.apple.com/kb/ht3437
Been a problem for some time … but never mind, make an anti-Microsoft comment and get modded up.
I honestly don’t understand why Oracle are still pushing Java Applets.
Edited 2011-12-06 04:53 UTC
You what?
With that logic, if I said Porsche might be a competitor to Lamborghini it would make me anti-Porsche?
What are you on about? … I just highlighted this wasn’t a Windows-only issue.
Which was correcting your assertion this was some sort of FUD tactic to get people to use .NET.
But hey, your name is SunOS … you can’t be biased at all, can you.
Edited 2011-12-06 19:56 UTC
or Windows software and every statement in that release is still true. But thanks for the heads up, Steve.
Hey, are you going to fucking kill Oracle ( who probably deserve it) or are you all out of chairs?
“Why yes, Mr. Kettle, you appear to be black” said Mr. Pot.
If people only didn’t click “No” when Java Update popped up… Hell, if you keep Windows itself up to date, then it’s also quite secure.
The problem with this is that some enterprises have developed apps that will break if users install a newer version of Java. So, instead of spending the time/money to upgrade the app, they just keep users on the old version. It’s the same scenario as companies who have their entire infrastructure built on apps that were written in VB6, that were written back in the 90’s.
Update != upgrade.
But then you get about 15 separate entries in Add/Remove programs for the same Java.
Yes, that is the issue here….
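The “15 separate entries for the same Java” problem raised above, as an added example that is not part of this thread: a small Python check over a constructed list of Add/Remove Programs display names that flags JRE installs superseded by a newer update of the same major version. The display-name patterns it matches are assumptions about how those entries were labelled.

```python
import re

# Constructed sample of Add/Remove Programs display names (not taken from any
# real machine), as seen after years of Java updates that never removed
# their predecessors.
INSTALLED_PROGRAMS = [
    "J2SE Runtime Environment 5.0 Update 22",
    "Java(TM) 6 Update 7",
    "Java(TM) 6 Update 29",
    "Java 7 Update 1",
    "Java(TM) SE Development Kit 6 Update 29",  # JDK entry, not a JRE
    "Mozilla Firefox 8.0",
]

# Assumed naming schemes for JRE entries across the 5.0 / 6 / 7 era.
_JRE_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java(?:\(TM\))?(?: SE Runtime Environment)?)"
    r"\s+(\d+)(?:\.0)?\s+Update\s+(\d+)$"
)


def parse_jre(name):
    """Return (major, update) for a JRE display name, or None if it is not one."""
    m = _JRE_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def superseded_jres(names):
    """Return JRE entries that are older than another installed update of the
    same major version; these are the leftovers an update did not remove."""
    jres = [(n, parse_jre(n)) for n in names]
    jres = [(n, v) for n, v in jres if v is not None]
    newest = {}
    for _, (major, update) in jres:
        newest[major] = max(newest.get(major, -1), update)
    return [n for n, (major, update) in jres if update < newest[major]]


if __name__ == "__main__":
    for entry in superseded_jres(INSTALLED_PROGRAMS):
        print("superseded:", entry)
```

Each major version is judged separately, so an old 5.0 install kept for a legacy application is reported only if a newer 5.0 update sits beside it.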
Gosh, that was a painful whitepaper to read. So a Microsoft-funded paper with 23 Microsoft employees writing it found a concern with an MS competitor…. Shocker! Personally, the fact that they found few ActiveX and MS Office VBA attacks does raise an eyebrow.
“As in previous periods, many of the more commonly exploited Java vulnerabilities are several years old, as are the security updates that have been released to address them.”
Java only recently had a good update capability under Windows and still has a long way to go. Personally I’d love to see the Browser plugin/JVM get updated with zero day updates and the system JVM get updated with only service packs.
I agree that there are some improvements needed in Java Release Engineering but I am not sure MS should be the one calling foul.
I honestly don’t even know why Java is installed on most peoples machines. Not many programs use it for desktop programs, and I haven’t been to a popular site that has used it ever.
I have Java installed with the JDK, but developers are in the minority.
I think the main problem is applets … simply having Java on the system isn’t a security problem.
I have the same problem with Windows.
Oracle produces an update for the number-one exploit the same month it’s found, so what’s the problem?
Maybe I don’t understand the whole article, but still, from what I understand – Java has security problems (yes, all platforms have them), Oracle updates them the same month (good for Oracle, unlike other companies), “Keep all software in your environment up to date, not just Windows” (“Don’t play with fire!”, says my grandmother).
Edited 2011-12-06 09:08 UTC
You are obviously a bit of a cock.
Let me explain this to you. Windows, with all its various problems, is still the best general-purpose OS for the masses on desktops and laptops.
The Java plugin is a total waste of time these days … Flash, however, has far more attention paid to it, and the Flash plugin is pretty good for playing video and games on.
Most popular != Best
Sorry, I wasn’t clear enough.
I didn’t say that Java plugins are a smart decision, they are awful. Flash is a piece of shit also.
I just say that it’s not Java/Oracle’s fault, because from what I read there have been updates for the issues, and this is just cheap anti-advertising from MS. To blame the platform because of lazy developers and uneducated users is ridiculous.
That’s really simple: a vulnerability is found, now everybody knows about it, I begin to exploit the vulnerability, updates are produced, nobody uses them, I still exploit the vulnerability.
MS allows outdated and cracked software on Windows. That made it the most popular “general-purpose OS for the masses on desktops and laptops”. But everything has a good and a bad side, and the article is about the bad side.
Actually I read only the article, not the PDF, but when I browsed the PDF I was shocked. Page 63 of 168 shows a graphic where you can see that detected operating-system exploits doubled by the end of 2Q2011 and were in second place after Java exploits. Maybe for 3Q2011 we should expect OS exploits to be more than Java.
Maybe the masses should be warned about that in this cheap article.
It isn’t particularly good, but for cross browser video and audio it is the only sensible choice.
I can either try supporting WebM, MP4 and Flash … or just use Flash and Mp4 for iOS, I have covered the overwhelming majority of visitors.
There is no advantage of running a Java Applet unless you are a business that has specific applications that use it.
It’s called backwards compatibility … very important for businesses. TBH if a piece of software works, why change it?
As for illegal software, I am sure you can run it on other platforms as well.
I and most people I know at least patch security updates on our systems. I’m not sure about Java, but for the last 4 years I patched hundreds of Oracle DB servers, Red Hat, OEL and HP-UX machines with security and bug-fixing patches and they still work.
Most of the companies also pay for software support. For example Quest Software never broke Toad for Oracle for me, but produced some bug fixes; same with Altova. (Those are closed-software companies; with open source it is even easier.)
The masses are just ignorant and stupid. They care about their cars’ tires and fuel, changing the oil, brakes, but never care about their computer systems, personal information, etcetera, etcetera.
Edited 2011-12-06 18:15 UTC
What are you on about? Old software doesn’t include the bloody runtime that is backwards compatible.
In any event the security problem is the plugin not the Java runtime.
That’s what I said – lazy developers don’t mean a bad platform. So this article is cheap MS advertising.
Let’s forget that the plugin is installed with the JRE.
Let’s forget that Oracle released the update 18 months ago.
And let me explain this to you: Java is the most commonly used middle-tier runtime for all enterprises. .NET comes in a distant third. Take a guess as to why this report should be taken with a ROCK of salt.
1. Vuze/Azureus
2. [Open/Libre]Office
3. Minecraft
It’s still relevant.
I’m reading Larsson’s Millennium, and the old tycoon Vanger told troubled Blomkvist: if you are beaten hard by someone, don’t fight back if you know you will lose in a full frontal attack, but never forget and let it go. Observe and wait until your enemy is vulnerable to strike him. MS has been whipped hard on the security front; they have a lot of credibility to recount, especially in the enterprise. This is just a great opportunity to hit two birds with one arrow. I have no doubt they will use the same tactics against Android when the time comes.
For everyone that thinks this is only Microsoft PR bashing a competitor do the following:
Install the Java browser plugin for versions 1.4, 1.5, 6 and 7 (you need all of them because Java is not strictly backwards compatible, and many businesses are still at 1.4 or older).
Then go surf some suspicious websites for a couple of hours… I dare you.