So What's the Deal with Java?

  • Posted by a hidden member.

    Jan 11, 2013 5:56 PM GMT
    I woke up to a bunch of alarmist morning news, everything from Flu Gone Wild to Florida Swamp Pythons Run Amok.

    But the one that stuck with me was some insistence that everybody needs to uninstall Java off their machines, as there's a super-hack going around that gives hackers access to machines via Java, I guess.

    Not sure if anyone here knows what that's all about. I figured I'd get some more info going before trying to uninstall anything.
  • Posted by a hidden member.

    Jan 11, 2013 6:03 PM GMT
    Ah, here we go. Google is my friend. They've said "disable," not "uninstall," which are two different things.

    http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755

    Reuters via NBC News: The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software, amplifying security experts' prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.

    Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.

    "We are currently unaware of a practical solution to this problem," the Department of Homeland Security's Computer Emergency Readiness Team said in a posting on its website late on Thursday.

    "This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," the agency said. "To defend against this and future Java vulnerabilities, disable Java in Web browsers."

    Oracle declined to comment on the warning on Friday...

    The U.S. government's warning on Java came after security experts warned earlier on Thursday of the newly discovered flaw.

    It is relatively rare for government agencies to advise computer users to completely disable software due to a security bug, particularly in the case of widely used programs such as Java. They typically recommend taking steps to mitigate the risk of attack while manufacturers prepare an update, or hold off on publicizing the problem until an update is prepared...

    The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.

    It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.

    They said developers of several popular tools, known as exploit kits, which criminal hackers use to attack PCs, have added software that allows hackers to exploit the newly discovered bug in Java to attack computers.

    Security experts have been scrutinizing the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis.

    At the time they advised businesses to only allow their workers to use Java browser plug-ins when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc.

    Adam Gowdiak, a researcher with Polish security firm Security Explorations, subsequently said he had found other security bugs in Java that continued to make computers vulnerable to attack.

    Java suffered another setback in October when Apple began removing old versions of the software from Internet browsers of Mac computers when its customers installed new versions of its OS X operating system. Apple did not provide a reason for the change and both companies declined comment at the time.
  • Posted by a hidden member.

    Jan 11, 2013 10:03 PM GMT
    Well, I saw that too, in one news stream, but not in any of the others where I would expect to see it. So my first thought was :shrug: if the tech newsies aren't impressed, maybe it's just hot air from some bureaucrat. Or maybe the story will pick up steam in the next couple of days.
  • Posted by a hidden member.

    Jan 11, 2013 10:12 PM GMT
    I had to check the date to see if this was a necro'd post because java has always been insecure as heck.

    My firewall and antivirus always catch java files in the temp folder trying to execute malicious code.

    I've heard for a while that it's really shitty and you should only use it if a program absolutely requires it. One of mine does unfortunately, so I'll just enable it before using that until they fix their POS software.
  • Posted by a hidden member.

    Jan 11, 2013 10:25 PM GMT
    The thing with Java is that it can execute code freely within itself. So there's a potential for it to do nasty things to your computer, whether it be Mac or Windows.

    Personally, I don't even bother installing java or the java browser plug-ins. Mainly, because I don't like the bloat of running java applets. And secondly, because of the security threats. So if there's a website that requires java, then so long. Never going back there.

    There are exceptions of course. Like GoToMeeting, as mentioned in the article. But if you don't use any of those applications, then just uninstall java. You'll free up some disk space also.
  • Posted by a hidden member.

    Jan 11, 2013 10:48 PM GMT
    A lot of older sites use Java as a way of creating in-browser applications like games and small tools.

    When you install Java, what you are doing is creating an interface for small standard applications to interact with your computer. So in this case Java can embed itself in your browser, and when you visit one of these sites a small application is downloaded and run within your Java installation on your computer.

    This is not always safe, but like any software, depends entirely on you as the user. Someone can't hack your computer just because it has Java on it, but they can trick you into running an application using Java that does malicious things.

    Modern sites like facebook don't really use Java like this anymore.

    If you like going to many sites (particularly older sites) where you might not trust the site, disable Java. It's safer that way and you will probably not miss it.
  • groundcombat

    Posts: 945

    Jan 11, 2013 10:54 PM GMT
    I noticed many browsers have already started disabling Java anyway as I noticed some regularly-used sites have been telling me I have it turned off.
  • Posted by a hidden member.

    Jan 12, 2013 12:46 AM GMT
    People can hack my computer through my java?!?!?

    fry_coffee.gif
  • Posted by a hidden member.

    Jan 12, 2013 12:46 AM GMT
    I found a CNET article on the problem. If I'm understanding the problem correctly, the problem is only with a certain version of Java 7. I disabled Java in my Firefox browser since I never use it anyway.
  • Posted by a hidden member.

    Jan 12, 2013 2:04 AM GMT
    Hmm... seems to be required in order to preview a post or add an emoticon here.
  • Posted by a hidden member.

    Jan 12, 2013 2:11 AM GMT
    mindgarden said: Hmm... seems to be required in order to preview a post or add an emoticon here.

    That's JavaScript, not Java. They're totally different aside from the names. You need to disable the Java plug-ins or add-ons but keep JavaScript enabled.
  • Posted by a hidden member.

    Jan 12, 2013 2:15 AM GMT
    paulflexes said: People can hack my computer through my java?!?!?

    fry_coffee.gif

  • RollDontWalk

    Posts: 187

    Jan 12, 2013 2:18 AM GMT
    DudeInNOVA said
    mindgarden said: Hmm... seems to be required in order to preview a post or add an emoticon here.

    That's JavaScript, not Java. They're totally different aside from the names. You need to disable the Java plug-ins or add-ons but keep JavaScript enabled.

    That is correct. Despite the similar names there is virtually no connection between the two. JavaScript's name was chosen for marketing reasons.
  • Posted by a hidden member.

    Jan 12, 2013 2:19 AM GMT
    DudeInNOVA said
    mindgarden said: Hmm... seems to be required in order to preview a post or add an emoticon here.

    That's JavaScript, not Java. They're totally different aside from the names. You need to disable the Java plug-ins or add-ons but keep JavaScript enabled.


    homer_doh.png
  • Posted by a hidden member.

    Jan 12, 2013 2:58 AM GMT
    I've just now disabled Java (but not JavaScript) in Safari for Mac, will see if that creates any browser problems.

    Safari>Preferences>Security
  • Posted by a hidden member.

    Jan 12, 2013 3:15 AM GMT
    I went into my add-ons to disable it, and it already was!!!

    My PC did an automatic update the other day ... wondering if The Powers That Be did it for me then!
  • Posted by a hidden member.

    Jan 12, 2013 5:15 AM GMT
    I never did like programming in Java. I'm glad my animosity for it is justified.
  • Posted by a hidden member.

    Jan 12, 2013 5:41 AM GMT
    SoloXCRacer said: I never did like programming in Java. I'm glad my animosity for it is justified.


    I'm with you on this one!

    Python OOP FTW!
  • calibro

    Posts: 8888

    Jan 12, 2013 5:55 AM GMT
    you should also uninstall it. it's like keeping a can of gasoline next to your oven.
  • Posted by a hidden member.

    Jan 12, 2013 5:57 AM GMT
    calibro said: you should also uninstall it. it's like keeping a can of gasoline next to your oven.


    How else am I going to make gasoline madeleines
  • Posted by a hidden member.

    Jan 12, 2013 6:01 AM GMT
    Narciso said
    calibro said: you should also uninstall it. it's like keeping a can of gasoline next to your oven.


    How else am I going to make gasoline madeleines


    Touche... well played.
  • calibro

    Posts: 8888

    Jan 12, 2013 6:09 AM GMT
    Narciso said
    calibro said: you should also uninstall it. it's like keeping a can of gasoline next to your oven.


    How else am I going to make gasoline madeleines


    thought that biatch's orphanage burned down years ago
  • Posted by a hidden member.

    Jan 12, 2013 6:33 AM GMT
    So many things stop spinning without Javascript. So many of my tools.
    Atlassian tools I can do without. But, it breaks my Cadence software.
    Worse, I can't enable/disable my VZ LTE Jetpack.

    This sucks. All I can do is Norton Ghost my main drive and hope for a quick fix.

    Anyone else use JIRA/Confluence?
  • Posted by a hidden member.

    Jan 12, 2013 8:03 AM GMT
    RobertF64 said: So many things stop spinning without Javascript. So many of my tools.


    See above. NOT JavaScript. JAVA...different name, different program.
  • Posted by a hidden member.

    Jan 12, 2013 8:14 AM GMT
    calibro said: you should also uninstall it. it's like keeping a can of gasoline next to your oven.
    I agree. Uninstall it. Because somehow, it always magically turns itself back on. You'll know when you see that little pop-up telling you to upgrade to a newer version.