Get rid of Java now!

Now it is time to get rid of Java. Get rid of Java on your web browser now. You need to do it if you care your security at all. Finnish Communications Regulatory Authority Cert-Fi site and Security company F-Secure’s Chief Research Officer Mikko Hypponen calls for removal of Java software from browsers. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable. Older versions are not vulnerable to this specific security hole, but they have other holes so using then got around this is not recommended either.

A recent bug in Java open a hole in your computer against the invaders. The situation is serious. Attackers Pounce on Zero-Day Java Exploit. The hole is used for real aim is to use machines. The attackers hit the popular sites. The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack.

It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. The Oracle patch cycle is 4 months (middle of February, June, October) with bugfixes 2 months after the patch. The next patch day is October 16 – almost two months away. There is a 3rd-Party Patch For New Java Zero-Day, but you know what would be better idea than patching Java? Uninstalling it.

Disable Java in your browser is the best solution. Users urged to disable Java as new exploit emerges. How to Unplug Java from the Browser article tells you how to do that. In Mozilla Firefox this is easy: From the main menu select Add-ons, and then disable any plugins with the word “Java” in them. Restart the browser. I did that to my browser to be safe.

Although Java is almost each and every computer, you can in most cases live very well without it. Mikko Hypponen has for some time recommended to get rid of Java in browser because “there will always be bugs in Java” that cause serious security issues quite often.

java

If you have to use an on-line service that absolutely need Java (some on-line banking systems for example), then I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

UPDATE August 31: Oracle has been quick in trying to solve this Java security issue. Oracle has just released an updated version of the Java software (Java 7 update 7). It has a fixed four vulnerabilities. Update your Java to that newest version immediately. And I think it is still good idea to keep the Java turned off in your browser unless you absolutely need it.

93 Comments

  1. Tomi Engdahl says:

    Comments from http://www.zdnet.com/oracle-investigating-after-two-more-java-7-zero-day-flaws-found-7000011965/

    I feel sorry for the Java ecosystem
    You’ve all been lead down the primrose path.

    Looks like you’ll need a Java virus protection system within your perimeter until you can escape the inevitable collapse.

    Once the Cost-benefit equation turns sour the conditions are ripe for a general exodus leading to total collapse of the ecosystem.

    The Java ecosystem is fine
    It’s the Java plug-in for web browsers that is the problem.
    Don’t need Java? Uninstall it.

    The Java ecosystem is MUCH bigger than the Java plug-in
    The Java plug-in could disappear tomorrow and Oracle wouldn’t blink an eye. Lots of Java applications, Java-based middleware and Java server pages out there …

    P.S. Mozilla?! They’d be happy to see the Java plug-in disappear too.

    There is no apparent difference when it comes to using Linux, Windows or Osx when it comes to java, allthough using it on Windows with IE or chrome would be a good idea due to sandboxing.

    But Java is as it always was – slow, clunky and requires plug-ins and/or a virtual machine to run. Luckily MS doesn’t ship it with Windows or we’d really be in trouble.

    Reply
  2. Tomi Engdahl says:

    Another Java zero-day exploit in the wild actively attacking targets
    http://arstechnica.com/security/2013/03/another-java-zero-day-exploit-in-the-wild-actively-attacking-targets/

    Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night.

    The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software.

    The security of Java is reaching near-crisis levels as reports of new in-the-wild exploits have become an almost weekly occurrence over the past few months. In the past several weeks, Facebook, Apple, and Twitter have all disclosed that their computers were compromised by exploits

    A researcher from Russia-based antivirus provider Kaspersky confirmed the bug to IDG News but went on to say the vulnerability can’t be triggered in older versions such as Java 7 Update 10. Kaspersky also said the attacks appeared to target specific individuals or organizations.

    Reply
  3. Tomi Engdahl says:

    Java malware spotted using stolen certificate
    Same day as latest patch
    http://www.theregister.co.uk/2013/03/05/java_self_signed_exploit_spotted/

    If you haven’t already run in the latest Java patch (issued yesterday), here’s another good reason to do so: someone has turned up an exploit that uses signed code.

    The stolen private key was posted to Pastebin. Even though the applet is using a now-revoked certificate, it seems that it’s up to the user to check the revocation lists. Otherwise, if they trusted the assertion that the applet is signed, they would be well on the way to an infection.

    “In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin,” Oracle advises.

    Reply
  4. Tomi Engdahl says:

    https://twitter.com/mikko/status/312550336986509312

    We always tell people to disable the Java plug-in in their browser. Turns out, this has not protected all Mac users: http://www.f-secure.com/weblog/archives/00002525.html

    About the Security Content of OS X Mountain Lion v10.8.3
    http://www.f-secure.com/weblog/archives/00002525.html

    The details about CoreTypes: CVE-2013-0967 really caught our attention:
    “Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled.”

    Even if the Java plug-in is disabled?

    That’s interesting…

    Reply
  5. Tomi Engdahl says:

    How are Java attacks getting through?
    http://community.websense.com/blogs/securitylabs/archive/2013/03/25/how-are-java-attacks-getting-through.aspx

    Were you aware that Java is increasingly being viewed as a security risk? Of course you were — recent high-profile attacks have firmly established the trend, so we’re not going to do yet another roundup here.

    Exploit kits are a very common tool for distribution of many Java-based threats.

    It is probably no surprise that the largest single exploited vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%. That’s what the bad guys do — examine your security controls and find the easiest way to bypass them. Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers. Most browsers are vulnerable to a much broader array of well-known Java holes, with over 75% using versions that are at least six months old

    It’s clearly not just the zero-day attacks that should be getting all of the attention.

    Reply
  6. Tomi Engdahl says:

    Oracle fixes 42 holes in Java to revive security confidence
    http://ibnlive.in.com/news/oracle-fixes-42-holes-in-java-to-revive-security-confidence/385907-11.html

    Oracle Corp released a major security update on Tuesday for the version of Java programming language that runs inside Web browsers to make it a less popular target for hackers.

    The patch fixes 42 vulnerabilities within Java, including “the vast majority” of those that have been rated as the most critical, said Oracle Executive Vice President Hasan Rizvi.

    Perhaps the most significant change will be that, in the default setting, sites will not be able to force the small programs known as Java applets to run in the browser unless they have been digitally signed. Users can override that only if they click to acknowledge the risk, Rizvi said.

    Not all known problems are being fixed with the current patch, but there are no unpatched problems that are being actively exploited, Rizvi said.

    “It was pretty embarrassing what happened with the Facebook attacks,”

    Reply
  7. Tomi Engdahl says:

    Java 8 release date slips again, now planned for 2014
    Oracle engineers too busy battling vulns to add features
    http://www.theregister.co.uk/2013/04/18/java8_pushed_back_to_2014/

    Oracle has redoubled its efforts to address the recent spate of vulnerabilities related to Java running in web browsers, but the renewed focus on security has had an unfortunate side effect – namely, that Java 8 will no longer ship by its planned September 2013 release date.

    “Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8,” Reinhold wrote in a blog post on Thursday.

    “Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8,” Reinhold wrote in a blog post on Thursday.

    Reply
  8. Rosie says:

    This web site definitely has all of the info I wanted concerning this subject and didn’t know who to ask.

    Also visit my website … Rosie

    Reply
  9. CrashPlan backup software and service « Tomi Engdahl’s ePanorama blog says:

    [...] Internet to each other completely free! The article writer don’t like Java-based programs (I don’t like the either too much) like Crashplan, but its functionality is so great, he doesn’t mind breaking his own [...]

    Reply
  10. Tomi Engdahl says:

    Maintaining the security-worthiness of Java is Oracle’s priority
    https://blogs.oracle.com/security/entry/maintaining_the_security_worthiness_of

    Hi my name is Nandini Ramani, I lead the software development team building the Java platform. My responsibilities span across the entire Java platform and include platform security.

    Over the past year, there have been several reports of security vulnerabilities in Java, primarily affecting Java running in Web browsers. This blog entry outlines the steps Oracle has taken to address issues with the security-worthiness of Java in web browsers and elsewhere following the acquisition of Sun Microsystems.

    Starting in October 2013, Java security fixes will be released under the Oracle Critical Patch Update schedule along with all other Oracle products. In other words, Java will now issue four annual security releases. Obviously, Oracle will retain the ability to issue emergency “out of band” security fixes through the Security Alert program.

    It is our belief that as a result of this ongoing security effort, we will decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment. Oracle’s effort has already enabled the Java development team to deliver security fixes more quickly, resulting in fewer outstanding security bugs in Java.

    Reply
  11. Tomi Engdahl says:

    Not good enough, Oracle – promises to secure Java are too little, too late
    http://nakedsecurity.sophos.com/2013/06/03/oracle-promises-secure-java/

    Oracle has promised to work harder to make Java more secure.

    Given the constant flood of high-profile, heavily-exploited vulnerabilities, are Oracle’s new ideas going to be enough to save this piece of software from drowning in bad vibes?

    In a lengthy blog post last week, the head of Java development, Nandini Ramani, summed up what’s been done to “address issues with the security-worthiness of Java”.

    Java has been been home to a glut of security dangers for a long time now. In our Virus Bulletin prevalence reports, we combine data from a wide range of sources, and Java has been in the top five all this year and was the third biggest detection type overall in 2012.

    Thanks to its cross-platform design, Java holes can hit multiple operating systems and have been behind some of the most high-profile and damaging attacks of the last year or two.

    There are a few positive things to note in Oracle’s blog post, such as the separation of client and server-side, and improved (though far from perfect) sandboxing, as many vulnerability experts have conceded.

    The standard advice from Naked Security has long been to disable Java in the browser at least, and to avoid installing it at all if it’s not *absolutely* required.

    For some time now, numerous voices have advocated dropping Java and called for its rapid retirement, as the tragic roller-coaster of disasters has unfolded. Now Oracle says they’re stepping up to the plate, ready to do what they can to fix it, but surely it’s a case of too little, too late.

    If Java is entrenched in your business, I’d suggest getting busy with looking for an alternative. If you’re still allowing it in your browser, just stop now.

    Reply
  12. Tomi Engdahl says:

    Majority of Users Still Vulnerable to Java Exploits
    http://community.websense.com/blogs/securitylabs/archive/2013/06/04/majority-of-users-still-vulnerable-to-java-exploits.aspx

    Since the April 16 Java Critical Patch Update was released by Oracle, we also noticed that businesses have been slow to apply the Version 7 Update 21 patch into their environment. Based on our analysis, we identified the following trends:

    2 days after the release of the patch, less than 2% of users had adopted Java SE Version 7 Update 21.
    After a full week, the average adoption of the newest version of Java was at less than 3%.
    2 weeks after the newest Java version was released, the trend line had moved to a little over 4%.
    One month after release, the number of live web requests using the most recent version of Java was only around 7%.

    So 1 month after release, the remaining 92.8% of users remain vulnerable to at least one exploit in the wild.

    Our investigations further revealed that the busiest period of patch adoption was during the second week after release, and that adoption is continuing although at a slower rate.

    Reply
  13. Tomi Engdahl says:

    Java EE 7 melds HTML5 with enterprise apps
    New release arrives with GlassFish, NetBeans support
    http://www.theregister.co.uk/2013/06/13/java_ee_7_release/

    Oracle has announced public availability of Java EE 7, the first major release of the enterprise formulation of Java since the database giant took control of the platform in 2010. The last version shipped way back in 2009.

    Support for HTML5 and related technologies is one of the key themes of this release. Among the new APIs included with Java EE 7 are version 2.0 of the Java API for Asynchronous RESTful Web Services (JAX-RS) and new APIs to support WebSockets and JSON processing.

    Equally notable, however, are some of the planned features that didn’t make it into this release.

    Oracle had said Java EE 7 was going to be “the best application server for the cloud,” complete with built-in support for platform-as-a-service (PaaS) environments and multitenancy.

    “Partially this has been due to a lack of maturity in the space for provisioning, multi-tenancy, elasticity, and the deployment of applications in the cloud,” Java EE 7 specification lead Linda DeMichel said at the time. “And partially it is due to our conservative approach in trying to get things ‘right’ in view of limited industry experience in the cloud area when we started this work.”

    Project GlassFish has also released GlassFish 4.0, the latest version of the open source reference implementation of the Java EE standard.

    In addition, Oracle’s NetBeans IDE has been updated to version 7.3.1, bringing full support for Java EE 7 development and deployment to GlassFish 4.

    Reply
  14. Tomi says:

    Critical Java SE update due Tuesday fixes 40 flaws
    And yes, most are remotely exploitable
    http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/

    Thought your Java security woes were behind you? Think again. Oracle is planning to release a Critical Patch Update on Tuesday that affects multiple versions of Java, and it’s another doozy.

    According to Oracle’s security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

    Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password.

    Yes, that’s bad. Oracle ranks the severity of its flaws using the Common Vulnerability Scoring System (CVSS), and the top-ranked bug in this particular update rates a 10.0 – the highest possible score.

    Reply
  15. Tomi says:

    Love and hate for Java 8
    http://www.infoworld.com/d/application-development/love-and-hate-java-8-223200

    Java 8 brings exciting developments, but as with any new technology, you can count on the good, the bad, and the headaches

    Java 8 may be the most anticipated version of Java ever. Originally slated for release in September, Java 8 has been delayed until March of next year, supposedly to buy time to make security fixes aimed mainly at client-side Java (JavaFX/Swing).

    Since I, like most of you, stopped caring about client-side Java shortly after Duke finally finished jumping rope, we won’t address any of that.

    Java 8 is trying to “innovate,” according to the Microsoft meaning of the word. This means stealing a lot of things that have typically been handled by other frameworks and languages, then incorporating them into the language or runtime (aka standardization).

    Ahead of the next release, the Java community is talking about Project Lambda, streams, functional interfaces, and all sorts of other goodies.

    Reply
  16. Tomi Engdahl says:

    Security of Java takes a dangerous turn for the worse, experts say
    Beware of increasingly advanced exploits targeting flaws that will never be fixed.
    http://arstechnica.com/security/2013/09/security-of-java-takes-a-dangerous-turn-for-the-worse-experts-say/

    The security of Oracle’s Java software framework, installed on some three billion devices worldwide, is taking a turn for the worse, thanks to an uptick in attacks targeting vulnerabilities that will never be patched and increasingly sophisticated exploits, security researchers said.

    The most visible sign of deterioration is in-the-wild attacks exploiting unpatched vulnerabilities in Java version 6, Christopher Budd, threat communications manager at antivirus provider Trend Micro, wrote in a blog post published Tuesday. The version, which Oracle stopped supporting in February, is still used by about half of the Java user base, he said. Malware developers have responded by reverse engineering security patches issued for Java 7 and using the insights to craft exploits for the older version. Because Java 6 is no longer supported, those same flaws will never be fixed.

    “This is a large pool of vulnerable users who will never be protected with security fixes and so [they're] viable targets for attack,” Budd said.

    Reply
  17. Tomi Engdahl says:

    It’s about time: Java update includes tool for blocking drive-by exploits
    Whitelist clamps down on web-based code
    http://www.theregister.co.uk/2013/09/13/java_deployment_rule_set/

    Oracle’s latest update to the Java SE Development Kit (JDK) version 7 adds new security features designed to help businesses avoid being stung by critical vulnerabilities in out-of-date versions of Java.

    After a string of embarrassing Java security flaws was disclosed by independent researchers, Oracle has made addressing vulnerabilities its top priority for JDK 7, even going as far as to delay the release of JDK 8 so it could devote more resources to fixing bugs.

    But many businesses still keep older versions of Java installed on client PCs because certain custom applications require them. That’s bad, because these out-of-date versions contain critical vulnerabilities that in some cases will never be fixed. Oracle discontinued support for JDK 6 in June.

    JDK 7 Update 40, issued on Tuesday, implements a new feature called Deployment Rule Set that aims to address this problem. It allows businesses that centrally manage their Java desktop installations to establish a set of rules specifying which Java applets and Java Web Start applications – collectively termed Rich Internet Applications (RIAs) – are allowed to run on client PCs.

    For example, an admin could create a rule blocking execution of all RIAs and then add additional rules to whitelist specific ones. Rules can be written to match any portion of an application’s URL, including the port number, and they can even specify the version of Java that should be used to run it.

    By creating such rules, companies should be able to avoid many of the most serious Java exploits that have cropped up in recent months

    Reply
  18. Tomi says:

    Java has become more and more dangerous

    Security experts have time and again warned of the dangers of Java. F-Secure’s just published a report about the exploitation of Java vulnerabilities generalized further.

    Java attacks increased from F-Secure, according to one-third of this year’s first half compared to last year’s second half. Java is directed against the attacks that account for nearly half of the ten most common finding, while the list of vulnerabilities to exploit.

    In general, the first half of 2013 a variety of attacks exploiting vulnerabilities increased significantly, and they are the most common attack method. Most vulnerabilities of attacks experienced in the United States, where 78 out of thousand users ran into a variety of security holes to exploit. In Finland, the ratio was only 14/1000.

    The most common way to exploit vulnerabilities is to attack them contaminated with harmful or through the web site.

    Source: http://www.tietokone.fi/artikkeli/uutiset/java_muuttunut_yha_vaarallisemmaksi

    Reply
  19. Tomi Engdahl says:

    The Second Coming of Java: A Relic Returns to Rule Web
    http://www.wired.com/wiredenterprise/2013/09/the-second-coming-of-java/all/

    Since its inception in 2006, Twitter had run on software built with a computer programming tool called Ruby on Rails — a tool that played a huge role in the web’s resurgence in the middle of the decade, letting engineers build sites so quickly and easily. But Twitter’s engineers came to realize that Ruby wasn’t the best way to juggle tweets from millions of people across the globe — and make sure the site could stay up during its headline moment with the president of Russia. The best way was a brand new architecture based on Java, a programing tool that has grown more powerful than many expected.

    If you know Java at all, you probably think of it as something from the late ’90s, a child of the original internet boom, a little piece of downloadable software that sent a cartoon mascot dancing across your Netscape web browser. You think of it as something that promised a world of software apps that could run on each and every one of your personal machines — from PCs to cellphones — but that ultimately failed in the face of endless security bugs and poor decisions from its creator, Sun Microsystems. “For the general populace,” says LinkedIn principal staff engineer Jay Kreps, “Java is some annoying thing that really out-of-date websites try to make them download.” And if you see it as anything more than that, you probably dismiss it as a way of building stodgy “middleware” tools that connect things like web servers and databases.

    But over the past few years, Java has evolved into something very different. It has quietly become the primary foundation for most the net’s largest and most ambitious operations, including Google, LinkedIn, Tumblr, and Square, as well as Twitter. “It’s everywhere,” says Krikorian.

    “Java is really the only choice when it comes to the requirements for a company like ours — extreme performance requirements and extreme scalability requirements,” Lee says of Square, the San Francisco startup that processes $15 billion a year in credit and debit card transactions via mobile phones and tablets. “There is no viable alternative.”

    But there’s a twist to this Java renaissance. It encompasses more than just Java.

    That may sound like a paradox, but the thing to realize is that Java isn’t one thing. It’s two. It’s a programming language, a way of writing software code. But it’s also a “virtual machine” that executes code

    Originally, the Java virtual machine — aka the JVM — only ran code built with the Java programming language, but today, it runs all sorts of other languages.

    So, the web’s big names are using the Java virtual machine as the foundation of their online services, installing the JVM across tens of thousands of servers, and they can then use this base to run code built in myriad languages — from classic Java to a language called Clojure to a new and increasingly popular invention known as Scala — picking just the right tool for the task at hand.

    Twitter builds some of its code with the Java programming language, but it fashions the majority with Scala (a language that, for many programmers, lets you create software with an ease that eclipses Java) and a bit with Clojure (a language that feels like Lisp, a way of quickly scripting code that has been a mainstay for decades). LinkedIn mostly uses the Java programming language, while sprinkling in some Scala. But the common denominator is the JVM, software that has been finely tuned over the past fifteen years to run code at speed.

    “There are so many different languages that run on it,” Krikorian says. “I only have to worry about tuning and optimizing this one thing, and I can put it on all the hardware we run at Twitter. It’s just easier.”

    Ruby Derailed

    In 2006, when Twitter built its micro-blogging service with Ruby on Rails, it wasn’t alone. As the web experienced a rebirth in the mid-aughts, the programming tools of the moment were Ruby and PHP, two “dynamically typed” languages that let you build succinct code at an unusually fast clip. But time has shown that these languages just weren’t suited to running the world’s largest web services, and now they’ve taken a backseat to Java — at least on the big stage.

    “Ruby on Rails was great to get us to the point where we could make the decision to get off it,” says Krikorian. With Java, he explains, Twitter needs about ten times fewer machines to run its site than it would need with Ruby. And unlike the Rails programming framework, Java and Scala let Twitter readily share and modify its enormous codebase across a team of hundreds of developers.

    The Java language isn’t quite as easy to use as Ruby, but for Krikorian and his engineers, Scala is. “Scala seems like a more modern language,” he says. “It makes the transition from Ruby easier — and it’s just more fun.”

    The exception that proves the rule is Facebook. Facebook was originally built with PHP, and it still runs on PHP. But to solve the scale problem, the social networking site has taken a page from the Java book, moving its PHP code onto a custom-built virtual machine that provides just-in-time compilation.

    Facebook enjoys this sort of in-house hack. But so many others have just moved away from their original languages.

    Meanwhile, outside the programming world, Java is still portrayed as security nightmare that no longer runs applications on PCs, laptops, and phones. And there’s some truth to this. Late last year, a spate of new security bugs shined a harsh light on Java as a way of running software on most personal machines.

    But thanks to a brand new virtual machine built specifically for mobile devices — Google’s Dalvik virtual machine, the Java language has found new life on Android phones and tablets, where it’s the primary means of building applications. And on servers, it’s helping drive not only big name web services, but countless software applications used inside other businesses.

    As an open source project, the JVM is free for everyone to use, and anyone is free to build new software and even new programming languages that run atop it. In the wake of Scala, other developers are building a new language for the JVM called Ceylon, and if you like, you can even run Ruby atop the virtual machine, in the form of something called JRuby.

    Reply
  20. Tomi says:

    Will New Red-Text Warnings Kill Casual Use of Java?
    http://developers.slashdot.org/story/13/09/26/1620242/will-new-red-text-warnings-kill-casual-use-of-java

    “Java 1.7.0_40 [Note: released earlier this month] introduces a new ‘red text’ warning when running unsigned Java applets. ‘Running unsigned applications like this will be blocked in a future release…’

    “The unfortunate cost of this is that any casual use of Java is going to be killed. It currently costs a minimum of $100/year and a lot of hoop-jumping to maintain a trusted certificate.’”

    Reply
  21. Tomi Engdahl says:

    Danske Bank threw a farewell to Java

    All Danske Bank’s private customer network services are available without Java, says the company in a statement.

    - Danske Bank’s network security solution based on the earlier Java software, which allowed for a flexible and efficient network of threats against terrorism. The network of services now introduced new security solutions will continue to provide strong protection for online transactions, but do not require customers to update any software on your own computer, write Danske Bank in a statement.

    Source: http://www.itviikko.fi/tietoturva/2013/10/08/danske-bank-heitti-hyvastit-javalle–yhta-paikkaa-lukuun-ottamatta/201313954/7?rss=8

    Reply
  22. Tomi Engdahl says:

    If Java Is Dying, It Sure Looks Awfully Healthy
    The odd, but popular, assertion that Java is dying can be made only in spite of the evidence, not because of it.
    http://www.drdobbs.com/jvm/if-java-is-dying-it-sure-looks-awfully-h/240162390/

    But when it comes to Java being in some kind of long-term decline, I see little supporting evidence. The recent JavaOne show, that annual jamboree of Java coders, was clearly larger and better attended than it has been in either of the last two years. Vendors on the exhibiting floor with whom I spoke were unanimous (truly not a single exception) in saying that traffic, leads, and inquiries were up significantly over last year, which itself was better than the year before. Normally, when technologies start their ultimate decline, tradeshows are the first to reflect the disintegrating community: Vendors don’t want to pay to be at a show with shrinking attendance and developers who are not required to attend start spending their travel budget on other more relevant events. Invariably, there comes a time when a tradeshow/conference feels like a tomb — the sure sign that the final death spiral is imminent.

    Technically, the language continues to advance.

    JavaFX continues to advance and is significantly easier to program for than Swing. This attention to the UX is an opportunity for growth that might well develop more than presently expected. Oracle is acutely aware of Java’s role on small devices. (According to the company, some 3-billion handheld devices run Java today.) It has integrated the former JavaME with the Java SE edition and it is actively developing Java for the upcoming wave of small implementations known as the Internet of Things (IoT).

    When you add in the Android ecosystem, whose native development language is Java, it becomes very difficult to see how a language so widely used in so many areas — server, Web, desktop, mobile devices — is in some kind of decline.

    The good health of the ecosystem is even more evident if we look at the JVM. This, too, has continued to advance with each major release of the language.

    On GitHub, which is the mecca for hip projects these days, Java was in the #3 slot both last year and this year as the language of choice for projects. (Its position there below JavaScript and Ruby is somewhat historical: gitHub was originally a primarily Ruby repository.) On the controversial Tiobe index, Java retains its overall #2 place, behind C. (C and Java have gone back and forth for the top two spots since 2002).

    Reply
  23. soccer says:

    I’m impressed, I must say. Seldom do I come across a blog that’s equally educative and interesting,
    and let me tell you, you have hit the nail on the head. The issue is something that not enough people are speaking intelligently about.

    Now i’m very happy that I stumbled across this during my
    hunt for something concerning this.

    Take a look at my blog :: soccer

    Reply
  24. Tomi Engdahl says:

    COFFEE AND DANISH HELL: National ID system cockup forces insecure Java on Danes
    Enjoy your gaping holes if you wanna bank, email, etc
    http://www.theregister.co.uk/2013/10/17/java_causes_problems_denmark/

    A bungled IT upgrade has downed Denmark’s universal NemID login system, forcing people to stay on an insecure version of Java if they want to carry out online banking, check their insurance, or retrieve tax return information.

    Problems with NemID were first reported on Tuesday, and on Thursday the NATS IT consultancy behind the system said Danes wouldn’t be able to use both the latest patched version of Java and NemID until Friday.

    Java Update 45 was released on Tuesday, bringing with it a whopping 51 security bug fixes for the still widely used platform.

    A dozen of these vulnerabilities merited the most severe CVSSv2 score of 10, meaning they could be used “to take full control over the attacked machine over the network without requiring authentication.”

    So, the Danes are faced with a conundrum: upgrade and lose access to critical public and private online services, or don’t upgrade and keep their computers open to some potentially very serious security flaws.

    Reply
  25. oyun ve temaların says:

    Inspiring quest there. What happened after?

    Thanks!

    Reply
  26. Tomi Engdahl says:

    Exploits no more! Firefox 26 blocks all Java plugins by default
    Click-to-run activated even for latest version
    http://www.theregister.co.uk/2013/12/10/firefox_26_blocks_java/

    The latest release of the Firefox web browser, version 26, now blocks Java software on all websites by default unless the user specifically authorizes the Java plugin to run.

    The change has been a long time coming. The Mozilla Foundation had originally planned to make click-to-run the default for all versions of the Java plugin beginning with Firefox 24, but decided to delay the change after dismayed users raised a stink.

    Beginning with the version of Firefox that shipped on Tuesday, whenever the browser encounters a Java applet or a Java Web Start launcher, it first displays a dialog box asking for authorization before allowing the plugin to launch.

    Users can also opt to click “Allow and Remember,” which adds the current webpage to an internal whitelist so that Java code on it will run automatically in the future, without further human intervention.

    Mozilla’s move comes after a series of exploits made the Java plugin one of the most popular vectors for web-based malware attacks over the past few years. So many zero-day exploits targeting the plugin have been discovered, in fact, that the Firefox devs have opted to give all versions of Java the cold shoulder, including the most recent one.

    Reply
  27. Tomi Engdahl says:

    Cyberspies blast Icefog into US targets’ backdoors
    You dirty RATs
    http://www.theregister.co.uk/2014/01/15/icefog_java_based_backdoor/

    Miscreants behind a cyberespionage campaign have changed their methods to take advantage of Java-based malware.

    The Icefog ATP (advanced persistent threat), discovered in September 2013, continues to be a problem, this time utilising a Java backdoor, according to the latest analysis of the threat by security researchers at Kaspersky Labs.

    Analysts at the Russian security firm have observed three unique victims of “Javafog”, all of them in the US. One of the victims is a very large American independent oil and gas corporation, with operations in many other countries.

    The threat first arose in 2011 with attacks against supply chain organisations to government institutions, military contractors, maritime and ship-building groups mainly in Japan and South Korea.

    Java-based malware is less widely used than either Windows or Mac executables, and can be harder to spot, according to Kasperky researchers.

    “We observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C,” Kaspersky researchers explain in a blog post

    “Because organisations can’t eliminate Java from their environments, it is not surprising that adversaries and cyber-criminals are using malicious Java code to infiltrate them.”

    To prevent Java exploits and malware-based infiltrations, it is important to restrict execution only to known trusted Java files.

    Reply
  28. Tomi Engdahl says:

    Java, Android were THE wide-open barn doors of security in 2013 – report
    Cisco research claims two techs led to nearly all of the exploits
    http://www.theregister.co.uk/2014/01/17/cisco_dont_like_malware_phishing_etc_stay_away_from_java_and_android/

    While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found.

    According to the networking giant’s latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per cent of all mobile malware discovered during the year targeted Android, as did 71 per cent of all web-based attacks on mobile devices.

    So many flaws have been found in the Java web plugin now, in fact, that no less than the US Department of Homeland Security has urged Americans to disable Java in their browsers unless it’s absolutely necessary, since there are likely to be many more vulnerabilities waiting to be exploited.

    “If security professionals who have limited time to fight web exploits decide to focus most of their attention on Java, they’ll be putting their resources in the right place,” Cisco’s report suggests.

    Often, Cisco says, criminals will target industry-specific websites to set up “watering holes,” malware-spewing sites designed to compromise groups of people with common interests, such as people who work in the same field.

    Reply
  29. Tomi Engdahl says:

    Java Primary Cause of 91 Percent of Attacks: Cisco
    http://www.eweek.com/security/java-primary-cause-of-91-percent-of-attacks-cisco.html

    Cisco’s 2014 Annual Security Report points the blame at Oracle’s Java for being a leading cause of security woes.
    There are many different risks and attacks that IT professionals had to deal with in 2013, but no one technology was more abused or more culpable that Java, according to Cisco’s latest annual security report.

    The Cisco 2014 Annual Security Report found that Java represented 91 percent of all Indicators of Compromise (IOCs) in 2013.

    What that means is that the final payload in observed attacks was a Java exploit

    “I was surprised to see that the Java IOC number was 91 percent,” Gundert said. “There were a number of Java zero days that were used in various attacks, but there were also a ton of well-known Java vulnerabilities that were packaged into various exploit packs.”

    Cisco isn’t the only one that saw a high degree of Java exploit activity in 2013. Multiple vendors, including Hewlett-Packard and Kaspersky Lab, reported a surge in Java attacks during 2013. Just yesterday, Oracle updated Java yet again, this time for 51 vulnerabilities.

    “2013 really was the year of Java exploits,” Gundert said.

    Java exploits tend to have great success because people simply just aren’t patching it regularly, Gundert said.

    Another surprising finding is that among a sample of 30 large, multinational company networks taken by Cisco, 100 percent of them at some point in 2013 visited a Website that hosts malware.

    Reply
  30. Tomi Engdahl says:

    The mammoth dances lambda
    Java language is trying to reinvent itself and shake off “the day of COBOL” refers

    A lot of the language used is no longer considered fashionable. Java had built up in the pressure to keep up with developments. One expert appointed Information Week, java “increasingly mammoth mastodon old-fashioned” and “today’s cobol.”

    Java 8′s most notable new features are borrowed from the lambda language commands and APIs that are called streams.

    “The old school Java programmers will have to give some thought to update and problem-solving style, if you want to make full use of the advantages of lambda”

    Source: http://summa.talentum.fi/article/tv/8-2014/56422

    Reply
  31. Tomi Engdahl says:

    Oracle hasn’t killed Java — but there’s still time
    http://www.infoworld.com/d/application-development/oracle-hasnt-killed-java-theres-still-time-247823

    Java core has stagnated, Java EE is dead, and Spring is over, but the JVM marches on. C’mon Oracle, where are the big ideas?

    Java was the big opportunity. Java was Sun’s success story.

    By the time Oracle bought Sun, its troubles had leaked into Java 7, which took approximately 100 years (give or take) to be released — and with far fewer features.

    With Java 7 and Java 8, we got developer porn, but no new ideas or big ideas. So Typesafe stuck things into Scala, developers talked up those features, then they went into Java. This allowed the developers stuck in big companies who dreamed of writing Scala to use their favorite candy with a slightly wonkier syntax in Java.

    Java EE was already stagnant. Do you know what’s new in the latest release? Neither do I, and I don’t care.

    Java EE is hobbled by a Java Community Process that has outlived its usefulness because Oracle is terrible at pretending it cares what people think.

    What is driving Java?
    Inertia is driving Java. If you want a multiplatform runtime, the JVM is the main game in town. There is so much stuff in Java and an install base so extensive that, from a business standpoint, you’d be an idiot to ignore it.

    That inertia is part of the reason Hadoop was written in Java (mostly) instead of other languages.

    I don’t think Oracle knows how to create markets. It knows how to destroy them and create a product out of them, but it somehow failed to do that with Java.

    Reply
  32. Tomi Engdahl says:

    Now even Internet Explorer will throw lousy old Java into the abyss
    Out-of-date, unsafe ActiveX controls to be blocked starting next week
    http://www.theregister.co.uk/2014/08/07/ie_out_of_date_activex_control_blocking/

    Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it’s got its eye set squarely on Java.

    Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and potentially insecure.

    The change mirrors similar features found in competing browsers, including Chrome and Firefox, both of which already block out-of-date and unsafe plugins.

    Microsoft will maintain the list of verboten ActiveX controls itself

    What’s interesting, though, is that when the blocking feature launches later this month, Redmond’s blacklist will consist of but a single culprit: Oracle’s Java ActiveX control.

    And not just one or two versions of the add-on will raise the alarm, either. Microsoft has flagged every version from all but the most recent patch levels of the Java SE platform, going all the way back to Java SE 1.4.

    Reply
  33. Tomi Engdahl says:

    Redmond stall means IE Java axe won’t swing till September
    ‘WE NEED MORE TIME!’ cry angry sysadmins, and Redmond listens
    http://www.theregister.co.uk/2014/08/14/redmond_stall_means_ie_java_axe_wont_swing_till_september/

    Microsoft has handed sysadmins a reprieve by delaying the blockage of vulnerable old versions of Java in its flagship Internet Explorer web browser until September.

    The postponement was made on the back of complaints to Redmond, which only provided a guide to managing the issue on Tuesday.

    “Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls,” Microsoft wrote in an advisory.

    Reply
  34. Tomi Engdahl says:

    If Java Wasn’t Cool 10 Years Ago, What About Now?
    http://developers.slashdot.org/story/14/08/24/1758222/if-java-wasnt-cool-10-years-ago-what-about-now

    10 years ago today on this site, readers answered the question “Why is Java considered un-cool?” 10 years later, Java might not be hip, but it’s certainly stuck around.

    Reply
  35. Tomi Engdahl says:

    Very popular exploit nowdays (third most popular PC exploit):

    Exploit:Java/Majava.A identifies malicious files that exploit vulnerabilities in the Java Runtime Environment (JRE).
    http://www.f-secure.com/v-descs/exploit_java_majava_a.shtml

    Exploit:Java/Majava.A is a Generic Detection that identifies exploit files used to target and exploit vulnerabilities in the Java Runtime Environment (JRE).

    If successfully used, exploits can provide an attacker with a wide range of possible actions, from viewing data on a restricted-user database to almost complete control of a compromised system.

    to prevent successful exploitation, please ensure you install the latest updates available for Java and/or remove any old, unnecessary installations.

    Reply
  36. Tomi Engdahl says:

    Oracle has finished the Java 7′s updates and security fixes. Normal users, this is not just swing, but the developers cessation of support can be a problem. However, Oracle also sells technical support for Java 7 of the developers.

    Basic Users java is updated automatically from the beginning of the year. Oracle now encourages all users to upgrade to Java 8

    Java is imported next year for 9 version. Oracle, the release takes place in September next year. The biggest change in Java will be the fact that the source code becomes modular.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=2797:java-7-ei-saa-enaa-korjauksia&catid=13&Itemid=101

    Reply
  37. Tomi Engdahl says:

    3 Billion Devices And A Sega Genesis Run Java
    http://hackaday.com/2015/11/23/3-billion-devices-and-a-sega-genesis-run-java/

    A few years ago, [Mike]’s friend gave him an old Sega Genesis with the very cool and somewhat rare SegaCD drive attached. The SegaCD gave him an idea – while it’s not easy to burn a cartridge and play homebrew games on a real Genesis console, everyone has a CD burner somewhere. [Mike] began writing his demo and then realized adding Java would be easy on the 68000. The result is Java on three billion devices and a Sega Genesis.

    This project is built around Java Grinder a Java byte code compiler that will compile classes, factories, and all the horrible Java design.design.pattern.pattern.patterns() into assembly language. Already, there are a lot of platforms supported by Java Grinder, including the Commodore 64, the TI99, and thanks to some work from [Joe Davisson], the Apple IIgs

    Java Grinder
    http://www.mikekohn.net/micro/java_grinder.php

    Reply
  38. Tomi Engdahl says:

    Disabling Java Plugins
    https://www.f-secure.com/en/web/labs_global/disabling-java-plugins

    Many security researchers and national computer security organizations caution users to limit their usage of the Java Runtime Environment (JRE), unless required for business reasons, or to remove it entirely, including disabling Java plug-ins in web browsers.

    Listed below are instructions for disabling Java plug-ins or add-ons in common web browsers ( based on the advice given by the US-CERT Vulnerability Note VU#636312).

    Reply
  39. Tomi Engdahl says:

    Goodbye Applets: Another Cruddy Piece of Web Tech Is Finally Going Away
    http://www.wired.com/2016/01/goodbye-applets-another-cruddy-piece-of-web-tech-is-finally-going-away/

    Another piece of old, insecure web infrastructure is about to be killed off.

    Oracle says that it’s discontinuing its Java browser plugin starting with the next big release of the programming language. No, Oracle isn’t killing the Java programming language itself, which is still widely used by many companies. Nor is it killing off JavaScript, which is a completely different language that Oracle doesn’t control. What Oracle is getting rid of is a plugin that allows you to run programs known as “Java applets” in your browser.

    You not think you even have the Java plugin installed, but if you’ve ever installed Java, or if Java came pre-installed on your computer, then you probably do, even if you never use it. The good news is that Oracle won’t be automatically installing the Java plugin when you install Java anymore. The bad news is that it won’t be providing security updates anymore either, so you should go ahead and uninstall it now. In fact, there’s a good chance you can uninstall Java entirely.

    With Microsoft dropping support for old versions of Internet Explorer and Adobe slowly phasing out Flash, it looks like a nightmarish era for web security is finally drawing to an end.

    Reply
  40. Tomi Engdahl says:

    Universities finally realize that Java is a bad introductory programming language
    https://thenextweb.com/dd/2017/04/24/universities-finally-realize-java-bad-introductory-programming-language/#.tnw_rCxo4cg8

    Java is popular, certainly, but it’s also extremely clunky and syntactically bloated.

    But a new version of the course, CS 106J is based on JavaScript.

    According to the University website, “[CS 106J] covers the same material as CS 106A but does so using JavaScript, the most common language for implementing interactive web pages, instead of Java.”

    The decision to ditch Java is a laudable one. While there’s a lot to like about it, Java is perhaps the harshest language you can learn as a beginner. In fact, in this respect, it’s straight-up awful.

    Because, here’s the thing. Programming is fun – or at least, it should be. It shouldn’t be scary, but rather a fundamentally creative endeavor that can lead to an amazing career.

    By teaching Java, you risk associating programming with something tedious and difficult in the minds of beginners, and run the risk of them switching to something less arduous.

    Reply
  41. Tomi Engdahl says:

    Bye bye! It’s Finally the End of Life of Java 7
    https://coderoasis.com/java-7-end-of-life/

    Reply
  42. Tomi Engdahl says:

    Java Applet API heads for the exit
    https://www.infoworld.com/article/3623579/java-applet-api-heads-for-the-exit.html

    OpenJDK proposal would finally remove the ‘terminally deprecated’ API that neither the JDK nor web browsers support.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*