Aaaand that's why I don't have the Java plugin installed. Anywhere.
I'd like to think that we're almost to the point of viewing Java in the same light as Bonzi Buddy or Comet Cursor; IT discovers you've got Java on your computer again, they just sigh and re-image it, with some stern warnings to please not download such sketchy software.
Large companies tend to have important enterprise applications that require Java to run and, even worse, in some cases upgrading the version of Java on the user's desktop will break the application. You then end up with hundreds or thousands of users with vulnerable versions of Java on the PC that you can't upgrade until the software vendor fixes whatever is wrong with their application.
I've seen it countless times at my previous job (.edu with 1000s of staff and faculty) where we were basically helpless to do anything because absolutely critical applications would break if we upgraded Java on the desktop.
Solution: closely monitor traffic to/from users' PCs, hope for the best, and re-image when they inevitably got pwned.
Before someone chimes in with the obvious "switch to a different application", it's not that easy when you have millions invested and training the user base sometimes takes months.
Oracle BTW offers paid support for old Java versions long after they no longer release public updates. The Feb 2013 end of support date for 6.0 is for free support.
There is a data room by a very large M&A group that requires you to install Java. I hate them with a passion because you can't really avoid them in my line of work so I end up having a VM just for them. Java as a requirement to access a document store for which you've already signed a pretty solid NDA is a real nuisance. Especially since it then ends up giving you download access through their applet anyway...
Firefox: Tools > Addons > Plugins Tab > disable all
Don't use Flashblock or Javablock or similar extensions, they hide the applet, they don't stop execution.
You should always use a browser with all plugins disabled as your default browser. Run a second browser for trusted sites where you enter the URL in yourself.
True. But once those plugins go away, something else will become the new low hanging fruit. Personally, I wonder how well WebGL will hold up, given that 3d graphics drivers are absolutely not written with security in mind, and were never really intended to be hooked up to the web...
That is a good point. A bit like how people would switch to Macs to avoid viruses, but all they were really doing was moving to a place that wasn't being targeted yet.
I don't like the monolithic design of modern browsers - it is rendering engine, javascript interpreter, sandbox, audio, video, webgl, user management, local store etc. all in one big heap.
We will need features to let users swap parts out, highly customize them, apply advanced ACLs to each component (since the browser becomes the new OS) and disable them (chrome://flags)
As with many (but not all) things Microsoft do, when the thick layers of gelatinous hivemind diatribe are peeled away what's left are sound, conscientious engineering decisions made by an organization with a near pristine history of supporting end users and going to extraordinary lengths to preserve backwards compatibility.
As for instances where they have not preserved support and compatibility, Silverlight comes to mind, and they dumped that largely in favour of frameworks targeting HTML+JS.
(I'm not a Microsoft employee, just a user who appreciates the APIs I cut my teeth on 20 years ago remain applicable today)
It took them a while to even take patching security vulnerabilities in a timely manner seriously. I can understand that secure design (e.g. not running everything as admin) could fall under "backwards compatibility."
Yeah, I read that a few weeks ago, I can't remember the source. It will be really funny in the next year or two if the security experts encourage everyone to use IE to ensure a safe browsing experience.
You can be both! But I am usually more annoyed by rich content than the lack thereof. It grabs your CPU and memory and screams out to anyone in your vicinity, "Look what x is browsing!"
> I wonder how well WebGL will hold up, given that 3d graphics drivers are absolutely not written with security in mind
It doesn't seem to be holding up too well against normal use, never mind deliberate attempts to exploit it: it's not uncommon for WebGL demos to crash at least one browser/hardware combo. Example from the last WebGL submission I read a few days ago: http://news.ycombinator.com/item?id=5211211
> Don't use Flashblock or Javablock or similar extensions, they hide the applet, they don't stop execution.
For Flashblock on Firefox, at least, this is incorrect. And if it were true, you would lose the main benefits of using Flashblock to begin with: better security, privacy, lower CPU and memory use. Which makes using such a plugin rather pointless, so I doubt any blocking plugin works this way.
That sounds like an assumption based on how you would implement it. Until Chrome implemented its native click to play, most "click to play" plugins were targeted at advertising and simply blocked visual rendering and audio playback. It's not for lack of trying, the underlying framework for the plugin to stop execution simply didn't exist.
This works only for outdated Java versions that are known to be vulnerable (they're blacklisted by Mozilla version-by-version).
If you happen to have the newest Java version which hasn't been publicly announced as exploitable, it will not be blocked unless you enable `plugins.click_to_play` in `about:config`.
Anyway it's still a very good move from Mozilla's side to minimize the risks.
It's not that easy, I think Chrome has some good anti-clickjacking algorithm implemented. I remember once I couldn't enable a Flash video on one site because it had an overlay advert over part of it.
Moreover, you have to right-click and then click "Run this plugin" from the native Chrome menu. I doubt you can create any overlay over native browser's menu.
> Moreover, you have to right-click and then click "Run this plugin" from the native Chrome menu. I doubt you can create any overlay over native browser's menu
It must be different on Windows. I have it enabled on my Mac and it requires a single click to enable a plug-in.
Opera: go to opera:config#UserPrefs|EnableOnDemandPlugin
To enable all plugins on page, click the play/puzzle icon in the address bar. To permanently enable plugins on certain pages: right click -> Edit site preferences... -> Content.
I have this enabled both in Opera and in Chrome. Certain sites are permanently whitelisted. Much better browsing experience.
> Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.
> "The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."
It seems it's high time now to start working with two separate profiles in a browser if you're forced to use Java - one internal-only with Java enabled, and the second for browsing the internet, with Java disabled (of course this works as long as your internal apps do not get hacked...).
Rather easy to achieve with Firefox (probably there are command line switches for Chrome as well):
1. Create two profiles, `external` and `internal`, using `firefox -p`
2. Open external profile and disable Java (will be kept in profile settings)
Then, run first `firefox -p external`, then `firefox -no-remote -p internal`, that way links opened e.g. from email clients will go to the external instance.
Total paranoiacs could try to find/write some extension that will block all the pages other than approved internal ones in the internal profile (perhaps AdBlock Plus will do?).
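A scripted version of the two-profile setup above, added here as an example (it is not the commenter's own script). It writes a `user.js` into each profile so the settings survive re-creation, sets the `plugins.click_to_play` pref mentioned elsewhere in the thread in both profiles, and keeps Java off in the external profile only. Assumptions: a Firefox that honours `user.js` in the profile directory, the `-CreateProfile`/`-P` command-line options, and the `plugin.state.java` pref (0 = disabled, 2 = always enabled) in the build you run; `FIREFOX` and `PROFILE_ROOT` are placeholders you override via the environment.

```shell
#!/bin/sh
# Added example (not from the thread): two Firefox profiles, "external" for the
# internet with Java disabled, "internal" for in-house apps with Java enabled.
# Assumed prefs: plugins.click_to_play (from the thread) and plugin.state.java.
set -eu

FIREFOX="${FIREFOX:-firefox}"                                 # placeholder binary name
PROFILE_ROOT="${PROFILE_ROOT:-$HOME/.mozilla/split-profiles}" # placeholder location

# Write a user.js into profile directory $1 for role $2 (external|internal).
# Both roles get click-to-play; only the internal role keeps Java active.
write_user_js() {
  dir="$1"; role="$2"
  mkdir -p "$dir"
  {
    echo '// generated by the example script; prefs here override prefs.js'
    echo 'user_pref("plugins.click_to_play", true);'
    case "$role" in
      external) echo 'user_pref("plugin.state.java", 0);' ;;   # 0 = disabled (assumed)
      internal) echo 'user_pref("plugin.state.java", 2);' ;;   # 2 = enabled  (assumed)
      *) echo "unknown role: $role" >&2; return 1 ;;
    esac
  } > "$dir/user.js"
}

# Number of user_pref lines in profile directory $1 (sanity check / test hook).
pref_count() {
  grep -c '^user_pref(' "$1/user.js"
}

# Java pref value written for profile directory $1, or "none" if absent.
java_state() {
  sed -n 's/^user_pref("plugin.state.java", \([0-9]*\));$/\1/p' "$1/user.js" | grep . || echo none
}

# Create both profiles and write their prefs. Runs only when asked for ("setup").
setup_profiles() {
  for role in external internal; do
    dir="$PROFILE_ROOT/$role"
    "$FIREFOX" -CreateProfile "$role $dir"
    write_user_js "$dir" "$role"
  done
}

# Launch helper: the external instance is started first so it owns the
# remote-control socket and receives links from mail clients; the internal
# instance runs with -no-remote so nothing external ever lands in it.
launch() {
  case "$1" in
    external) exec "$FIREFOX" -P external ;;
    internal) exec "$FIREFOX" -no-remote -P internal ;;
    *) echo "usage: $0 launch external|internal" >&2; return 1 ;;
  esac
}

case "${1:-}" in
  setup)  setup_profiles ;;
  launch) launch "${2:-}" ;;
esac
```

Run `sh split-profiles.sh setup` once, then `sh split-profiles.sh launch external` before `sh split-profiles.sh launch internal`; the order matters because the first instance without `-no-remote` is the one that later link clicks are routed to.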
I think the separate profiles are the better looking tinfoil hat. For everyday browsing Adblock is nice, but I think it falls short. Throw NoScript and RequestPolicy into the mix and it gets a lot better. My friends always laugh when they watch me browse the web because I have to enable javascript for any new site and then use RP to allow that site to make requests to other domains.
I also use that approach, and while it sometimes gets annoying I am really glad for choosing it when I, once again, stumble upon some page that would like to load crap from 20 other domains.
If you use Chrome there is. Go to chrome://chrome/settings/content and look under plug-ins. There is Run automatically (default), Click to play and Block all. You can also set whitelists for sites you are OK with trusting (YouTube comes to mind).
Noscript even lets you block webgl depending on if the site is whitelisted/blacklisted.
The great thing about RP is that you can let some sites make requests to facebook (for instance, nothing special about FB) and not allow all other sites to make requests to facebook.
This happened last month, so it was 0-day THEN, not NOW.
The hole in question was patched in the February 1st Java release.
This is news because it shows how Facebook was affected by the many unaddressed security holes that were present in Java (and how it could be run -- last month -- silently), but this is NOT news of new holes in Java.
So far the latest (quite significant) fixes seem to have been effective.
"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."
It's criminal how Oracle can release production code with so many security holes. It seems like every week there is a new Java based exploit.
Some of these vulns are extremely old. I read the Oracle security bulletin which says some of them date back to 1.4.2. (Oracle is still willing to support such old versions if you pay for it)
I would suspect that it would be related to Android development given that (1) Android SDK requires Java, (2) Facebook develops a native Android app, (3) Facebook does NOT develop a native Blackberry app (other mobile SDK using Java), and (4) the identified engineer(s) were on the mobile team.
Having the Java plugin installed does not mean they were doing Java development. It could have been iOS engineers and they had the plugin enabled so they could access some internal application.
But that is only half of the way, because thanks to C and C++ runtimes, they are still open to security exploits triggered by buffer overflows, strings misuse, use after free, double deallocation, array access out of bounds, stack overflow, pointer misuse...
The only safe way is to use a separate VM for browsing, or failing that, run the browser under a different user account with limited user rights.
The only reason I still have Java installed on my OSX machine is to use a SQL Server management tool. If I were to run that in a virtualized environment by installing Parallels and running a separate instance of OSX in that virtual environment, would that completely isolate Java to that one "box" and protect the rest of my environment?
Does the management tool run as Java web page plugin, or as a standalone Java application? If it's the latter, just disable the Java plugin in all of your browsers and you should be safe.
"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."
How long will we wait and shrug our shoulders until we start blaming Oracle and looking for assurances this doesn't happen again? 'Free' services continuously disappoint me, notwithstanding FLOSSware.
Perhaps there is a mole at Oracle leaking security holes elsewhere.
Regarding the corporate users, I think actually most of them should not need any of those 3 plugins enabled:
1. Acrobat Reader plugin: use some less popular PDF reader which is not that commonly attacked
2. Flash: you shouldn't play Flash games in the office ;) For Youtube, you can enable HTML5 version in modern browsers
3. Java: IMO it's mostly needed in IE6-dating web apps but I might be very naive here...
Regarding Acrobat: there's a built-in PDF reader coming in Firefox soon (pdfjs). Currently I do not use any plugin, just make the browser download a PDF and render it in SumatraPDF or PDF Xchange Viewer.
Exactly. BTW are the fill-in PDF forms that prevalent? I've only been using them once a year to fill my tax declaration which sadly requires installation of Adobe Reader plugin in Poland. I feel the corpo world prefers Excel for that kind of things :)
Operating systems and/or CPUs need to be less predictable in terms of how they lay out memory. All of these "new" security exploits are nearly always a new form of the same old buffer overflow attack that people have been using since the beginning of time.
Isn't the Skype plugin for Facebook video-chats made in Java, too? Sounds to me like Facebook should be one of the very first companies to want to adopt WebRTC. Not only will they become independent of Skype for video-calls, but they can offer it for everyone inside the browser, too, instead of getting them to install plugins. Hopefully they intend to make it federated though, rather than keeping it Facebook-only.
Are there any good malware scans for Mac? Obviously it's not going to prevent a novel attack, but I'd like to see if I'm infected with this or other known attacks.
Microsoft really stepped up their game in the last 5-10 years, particularly with being aggressive about pushing security updates. So basically attackers are moving to other ubiquitous software with holes, e.g. Java. That's apparently also why you saw an increase of using Adobe Reader as a vector.
It's a combination of both. Java is on nearly every platform out there at this point in one form or another... and the 'Oracle' version of it is full of enough holes to drive the asteroid that just passed by earth... through.
First, yes, Java is that prevalent. There's not a single corporate company out there where there aren't Java devs. As simple as that. Then Java is also on so many systems even outside the corporate world: both Windows and OS X. It's typically not there by default but on Windows it depends on who ships the machine. On OS X now at least they don't ship it by default but it's trivial to install.
But really the problem ain't Java but Java applets.
Java as in "The JVM" is actually not bad at all on the server side: on the contrary, it's very robust. There have been two very lame exploits in 2011 allowing Denial of Services on Java webservers, but no remote exploit working on Java servers.
The problem is Java on the client-side: i.e. on people's computers. In other words: the issue is pathetically lame Java applets.
Java applets have to be the most stupid, silly and insecure lame technology ever invented by Sun.
You should have been there in comp.lang.java.programmer back in the nineties when people were saying how stupid, silly and insecure a lame tech Java applets were... Only to be laughed at by the likes of Jon Skeet (the most upvoted user today on StackOverflow). To most Java early adopters Java applets were "the nuts". Supposedly the one tech going to solve all our problems.
It "only" took close to 15 years to prove wrong all the retards who thought Java applets were a good thing.
And now we're in this big mess.
For end-users it's easy: remove Java or disable Java applets.
But for the corporate world it's not so simple: many devs are, well, Java devs. Because Java is pretty much what powers the corporate world (hint: no, it's not Excel).
Then even if most apps tend to be webapps now, there are still a lot of in-house apps which are Java apps and corporate drones do need to use these apps.
Then there are all the Android / dalvik devs: world is moving to mobile and Android is huge. Hence Java is huge.
Hence you can count on many, many, many more Java exploits being used to infiltrate companies.
Companies whose users / devs are using very poor security practices anyway.
But really the problem ain't Java but Java applets.
Don't know about you but I find it fascinating how many comments fail to make a distinction between the vulnerable 'javaws' (i.e., applets) and the far more common 'java' vm. This 'mistake' illustrates both java competitor astroturfing and simple ignorance on the part of those commenting. Are there other potential reasons so many don't know or intentionally obfuscate the difference between java and javaws?
People should really all consider doing what I do: install a throwaway VM on your system from which you surf the Web. For all the sites that I don't trust I do surf from a VM which can be erased / re-installed at will.
For sites I trust, like my GMail / Google Docs, I surf from a separate user account. I'm using a firewall that can do "per user" rules and I'm only using whitelists. By default no packets can be emitted. Then the user account used to access GMail / Google Docs is configured so that it can emit HTTP/HTTPS traffic.
No Java in the user accounts / VM that do surf the Web: and I'm a "Java" dev (Java + Clojure). Java can be installed only for one user account on Linux, without needing to be root.
Wanna do online banking / MoneyBookers / etc.: boot a read-only Linux CD / DVD.
Yes, it is slightly more inconvenient than using your main user account to surf the Web. But so far security and convenience haven't exactly been good matches yet.
The state of security today is really terribly bad. It is so bad that I'm going back to a "stupid" Nokia S40 phone until things settle down.
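The per-user egress whitelist the comment above describes (default deny, one account allowed out on HTTP/HTTPS), written out for Linux iptables as an added example; this is not the commenter's own firewall configuration. Assumptions: iptables with the `owner` and `conntrack` match modules, and a trusted account named `browse` (a placeholder; pass any user name or numeric uid). The generator is separate from the apply step so the rule set can be reviewed or diffed before it touches the host.

```shell
#!/bin/sh
# Added example (not the commenter's setup): per-user outbound whitelist with
# the iptables owner match. Everything leaving the host is dropped unless it
# belongs to the trusted account passed as $1 (placeholder name: "browse").
set -eu

# Print the OUTPUT-chain rule set for trusted user $1, one rule per line,
# in the argument form that follows the iptables command.
gen_output_rules() {
  user="$1"
  cat <<EOF
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner $user -p udp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner $user -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m owner --uid-owner $user -p tcp --dport 443 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "egress-drop: " --log-level 4
EOF
}

# Count the rules in the set for user $1 that are tied to that user's uid
# (the three whitelist entries). Used as a check before applying.
whitelisted_rule_count() {
  gen_output_rules "$1" | grep -c -- "--uid-owner $1 "
}

# True when the first line of the set for user $1 makes OUTPUT default-deny.
default_is_drop() {
  gen_output_rules "$1" | head -n 1 | grep -q -- '-P OUTPUT DROP'
}

# Apply the set for user $1 with iptables. Existing OUTPUT rules are flushed
# first so re-running the script does not stack duplicates. Needs root.
apply_output_rules() {
  command -v iptables >/dev/null || { echo "iptables not found" >&2; return 1; }
  iptables -F OUTPUT
  gen_output_rules "$1" | while IFS= read -r rule; do
    eval "iptables $rule"     # eval keeps the quoted --log-prefix intact
  done
}

case "${1:-}" in
  show)  gen_output_rules "${2:-browse}" ;;
  apply) apply_output_rules "${2:-browse}" ;;
esac
```

Note the DNS rule: glibc resolves names inside the browser process, so the trusted user's own uid covers it, but a local caching resolver runs under its own account and would need a matching `--uid-owner` rule of its own. Everything else, including the Java developer account, is logged and dropped by the last two rules, which is what makes the firewall log useful as a detection signal for an unexpected outbound connection.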
That's not just inconvenient, it's verging on paranoia. Most people haven't got the time or the processor cycles to spare to run a separate VM. What's wrong with just disabling plugins for all but trusted sites?
There are lots of browser bugs which aren't plugin related at all. Lots of DOM/parser/JS stuff; the most popular bug class at the moment is use-after-free.
I'd like to see a custom version of Chromium for this purpose. Google's sandboxing is great. Just reduce the attack surface by stripping out non-essentials like plugins, SVG, WebGL, NaCl, etc. etc. and you have a pretty darn secure browser. See the ridiculous complexity of those two exploits by Pinkie Pie for what attackers are up against.
Seems like a good convenience/security tradeoff to me.
That's nothing. I have my web surfing VM hooked up to a separate VLAN. My main browser (that runs on the host) can only reach the corporate network. The VM can only reach the public internet.