January 14th, 2013

Oracle’s Quick Java Patch–Too Little Too Late?

On Sunday, Oracle pushed an out-of-band (“unscheduled”) patch, Java 7 Update 11, to close a sandbox-escape hole in the Java browser plugin (CVE-2013-0422) that had prompted the U.S. Department of Homeland Security to take the unprecedented step of advising all Internet users to disable Java in their browsers. The hole was already being exploited in the wild when white hats brought it to public attention last week; the exploit was mainly being used to install ransomware.

Despite Oracle’s assurances that it’s safe for surfers to go back in the water, security researchers remain wary of Java. On InformationWeek, writer Mathew J. Schwartz quotes at least one researcher who gives the patch itself a thumbs up:

“Veteran Java bug hunter Adam Gowdiak, who heads Security Explorations, confirmed via email Monday that Oracle’s fix is sound. ‘The version released [Sunday] blocks the recent Java 0-day exploit code,’ he said.”

However, Reuters reports that the same researcher still has reservations about Java, because other critical flaws remain unfixed:

“Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

“‘We don’t dare to tell users that it’s safe to enable Java again,’ said Gowdiak…”

Those who take the leap and re-enable Java will find they’ll have to be more hands-on with it. According to the security advisory Oracle published with the patch, unsigned applets will no longer run silently in the background with no input from the user: the default security level in the Java control panel has been raised, and the user is now prompted before any unsigned applet or Web Start application runs:

“The default security level for Java applets and web start applications has been increased from ‘Medium’ to ‘High’. This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the ‘High’ setting the user is always warned before any unsigned application is run to prevent silent exploitation.”

Users may find this a nuisance, and a prompt is a thin defense: it stops silent drive-by exploitation only until the user clicks through, which is exactly what a page hosting an exploit will ask them to do. Indeed, it reads as a way for Oracle to deny responsibility in the future and place the blame on hapless users who approved the wrong applet.

Many Internet writers are suggesting that users refrain from re-enabling Java at all. Writing on the Forbes website, Andy Greenberg points out that Apple disables the Java plugin by default in OS X, then adds:

“Java in many ways goes against all the security trends that have made browsers harder to exploit in recent years. It still requires manual updates, despite several browsers’ moves to automatically download and install new versions of themselves. And despite modern browsers’ attempts to prevent websites from gaining access to a PC beyond a limited ‘sandbox,’ Java can in many cases allow attackers to escape those restrictions, access the full hard disk and make network connections with remote servers. ‘The attack surface is so big,’ Kandek says. ‘In many ways, you don’t want Java to be able to do all the things that it does anymore.’”

Over at Slate, writer Will Oremus also weighs in on the side of those urging users to dump the Java browser plugin for good:

“So while many media reports will direct you to the Oracle website to promptly install Java 7 update 11, there remains a far better option. Unless you’re one of the few Web users who regularly uses an important site that requires Java, take the advice of security experts like Adam Gowdiak of Security Explorations and H.D. Moore of Rapid7 and just disable it in your browser already.”

I’ve long had Java disabled in every browser on my computers, and I hardly notice it’s gone. What I do know is that with Java switched off in the browser, there’s one less security issue to worry about.
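For readers on Linux who want to check where they stand, here is an added example, written for this article and not Oracle’s or FOSS Force’s own code. It audits whether the Oracle Java plugin can still be loaded by a Mozilla-family browser and, on request, turns Java off in the browser through the per-user Java deployment properties file instead of the control panel, raising the applet security level at the same time. It assumes (none of this is stated above) that the browser loads NPAPI plugins from the directories listed in PLUGIN_DIRS, that Oracle’s plugin is the file libnpjp2.so, and that Java 7u10 and later honour the keys deployment.webjava.enabled and deployment.security.level in $HOME/.java/deployment/deployment.properties, where VERY_HIGH is the level above the new High default described in Oracle’s advisory.

```shell
#!/bin/sh
# java_plugin_audit.sh -- report whether the Oracle Java browser plugin can
# still be loaded on this Linux desktop, and optionally disable it.
# Added example for this article; not Oracle's or FOSS Force's code.
#
# Assumptions (not taken from the article):
#   - Mozilla-family browsers pick up NPAPI plugins from the directories in
#     PLUGIN_DIRS, and Oracle's plugin is the shared object libnpjp2.so.
#   - Java 7u10 and later read the per-user file
#     $HOME/.java/deployment/deployment.properties and honour the keys
#     deployment.webjava.enabled (false = no Java in any browser) and
#     deployment.security.level (LOW, MEDIUM, HIGH, VERY_HIGH).
# Both variables can be overridden from the environment.

PLUGIN_DIRS="${PLUGIN_DIRS:-$HOME/.mozilla/plugins /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins}"
DEPLOY_PROPS="${DEPLOY_PROPS:-$HOME/.java/deployment/deployment.properties}"

# List every libnpjp2.so a browser could load, one per line.
# Returns 0 if at least one was found, 1 otherwise.
find_java_plugins() {
    found=1
    for d in $PLUGIN_DIRS; do          # unquoted on purpose: space-separated list
        f="$d/libnpjp2.so"
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
        found=0
    done
    return $found
}

# Print the value of one key from deployment.properties (empty if unset).
get_prop() {
    if [ -r "$DEPLOY_PROPS" ]; then
        # last assignment wins; the '.' in the key is a harmless wildcard here
        sed -n "s/^$1=//p" "$DEPLOY_PROPS" | tail -n 1
    fi
    return 0
}

# One-line status. Returns 0 when Java cannot run in the browser, 1 when it can.
java_in_browser_status() {
    if ! find_java_plugins >/dev/null; then
        echo "disabled (no plugin installed)"
        return 0
    fi
    if [ "$(get_prop deployment.webjava.enabled)" = "false" ]; then
        echo "disabled (deployment.webjava.enabled=false)"
        return 0
    fi
    level=$(get_prop deployment.security.level)
    echo "enabled (security level: ${level:-default})"
    return 1
}

# Turn Java off in the browser and raise the applet security level, keeping
# every other setting in the file intact. The file is replaced by rename so a
# crash mid-write cannot leave a half-written properties file behind.
disable_java_in_browser() {
    mkdir -p "$(dirname "$DEPLOY_PROPS")"
    new="$DEPLOY_PROPS.tmp.$$"
    if [ -f "$DEPLOY_PROPS" ]; then
        grep -v -e '^deployment.webjava.enabled=' \
                -e '^deployment.security.level=' "$DEPLOY_PROPS" > "$new" || true
    else
        : > "$new"
    fi
    printf '%s\n' 'deployment.webjava.enabled=false' \
                  'deployment.security.level=VERY_HIGH' >> "$new"
    mv "$new" "$DEPLOY_PROPS"
}

# Usage: sh java_plugin_audit.sh status    -> report, exit 1 if Java is enabled
#        sh java_plugin_audit.sh disable   -> disable, then report
case "${1:-}" in
    status)  java_in_browser_status ;;
    disable) disable_java_in_browser && java_in_browser_status ;;
esac
```

Run it with `status` to get a one-line report and a non-zero exit code whenever the plugin is present and not switched off, which makes it easy to drop into a login script. Bear in mind that the property only governs Oracle’s own plugin; removing or unlinking the libnpjp2.so files the script lists is the surer way to guarantee that no browser on the machine can load Java at all.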

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
