March 14th, 2013

Java Remains Unsafe–Not Likely To Be Fixed Soon

Guess what? We’re hearing reports this morning that the black hats are continuing to take advantage of security vulnerabilities in Java. Of course they are. That’s what black hats do. We’re also hearing from security experts that browser side Java isn’t likely to be made secure in the near future.

Oracle’s management of Java since obtaining it from Sun has been nothing short of a joke. It’s about time for them to decide if they want to keep Java or not. If they don’t want it, they need to spin it off or let it die. If they think it’s a valuable part of their software portfolio, they should treat it as such and work overtime to make it safe.

In the meantime, we’re standing behind our earlier assertion that Java browser plug-ins should be disabled until security experts say it’s safe to enable them again. If you run web sites that depend on Java applets to run, find another way.

Here in the U.S., disabling Java plug-ins should have little to no effect on most people’s Internet use. Here at FOSS Force we’ve had Java disabled in all of our browsers for years with absolutely no problem. However, users in other parts of the world may have trouble accomplishing some tasks, according to an article posted on PCWorld today:

“… In Denmark, for example, online banking and government websites use a log-in mechanism called NemID that requires Java support… Similar cases might exist in other countries.

“In those cases, using the click-to-play feature in Chrome and Firefox, or the Zones mechanism in IE, could be used to let Java content load from only certain websites. A less technical solution would be to use one browser with Java disabled for general tasks, and a different browser with Java enabled for trusted websites that need Java support.”


On Monday, Igor Soumenkov with Kaspersky Lab revealed in a blog entry that malware known by security researchers as Miniduke had been responsible for recently infecting computers in drive-by attacks using exploits in Java that have evidently since been patched. It had been thought that Miniduke mainly launched attacks through email phishing expeditions utilizing a now patched exploit in Adobe Reader 9, 10 and 11.

We’ve already reported that after sitting on their hands through much of 2012, despite being told of numerous security holes in Java, Oracle has been busy pushing patches, fixing at least 52 security holes so far this year. Last week they issued an unscheduled patch fixing two vulnerabilities. At that time, five known security holes remained unaddressed. Oracle’s next security patch is scheduled to be issued April 16.

According to PCWorld, Adam Gowdiak, the security researcher who is responsible for finding many if not most of Java’s recent security issues, thinks that Oracle may be unable to effectively deal with their Java problem:

“There are indications that Oracle’s developers are unaware of Java’s security pitfalls and that code security reviews are either not done at all or not comprehensive enough, Gowdiak said. Many of the issues identified by Security Explorations violate Oracle’s own secure coding guidelines for Java, he said.

“‘We found many flaws which should have been eliminated by the company at the time of a comprehensive security review of the platform prior to its release,’ Gowdiak said.”

With most security experts not expecting browser-side Java to be made safe anytime soon, we can’t stress enough how important it is that users disable Java at this time. Linux users can find instructions for disabling Java in most browsers in an article we published in January.
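Disabling the plug-in is only half the job; the other half is confirming it is actually gone. The following audit script is an added example, not code from the FOSS Force article or from Oracle. On Linux, Oracle’s browser plug-in ships as libnpjp2.so and is made visible to Firefox (and to Chrome in its NPAPI days) by a symlink in one of the Mozilla plugin directories; the directory list and the libjavaplugin*.so pattern for older IcedTea builds are assumptions about a typical install of that era.

```shell
#!/bin/sh
# Added example (not from the article): check whether the Java browser
# plug-in (NPAPI) is still registered with the browsers on a Linux system.
# Directory list and file-name patterns are assumptions about a typical
# 2013-era install; extend DEFAULT_PLUGIN_DIRS for your distribution.

DEFAULT_PLUGIN_DIRS="$HOME/.mozilla/plugins /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins /usr/lib/firefox/plugins"

# java_plugin_paths DIR...: print every Java plug-in file (or symlink, even a
# dangling one) found in the given directories, one per line. Prints nothing
# and still returns 0 when none is present; missing directories are skipped.
java_plugin_paths() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/libnpjp2.so "$d"/libjavaplugin*.so; do
            # an unmatched glob leaves the pattern itself; these tests drop it
            [ -e "$f" ] || [ -L "$f" ] || continue
            printf '%s\n' "$f"
        done
    done
    return 0
}

# audit_java_plugin [DIR...]: human-readable report. Returns 1 when the
# plug-in is still registered, 0 when the scanned browsers cannot load it.
audit_java_plugin() {
    # default directory list is split on whitespace (no spaces in $HOME assumed)
    if [ $# -eq 0 ]; then set -- $DEFAULT_PLUGIN_DIRS; fi
    paths=$(java_plugin_paths "$@")
    if [ -z "$paths" ]; then
        echo 'No Java browser plug-in found in the scanned directories.'
        return 0
    fi
    printf '%s\n' "$paths" | while IFS= read -r p; do
        if [ -L "$p" ]; then
            # show where the symlink points so the JRE it belongs to is obvious
            printf 'Java plug-in registered: %s -> %s\n' "$p" "$(readlink "$p")"
        else
            printf 'Java plug-in registered: %s\n' "$p"
        fi
    done
    echo 'Browser-side Java is still enabled: remove the file(s) above or disable the plug-in in the browser.'
    return 1
}

audit_java_plugin
```

Run it as-is to scan the default locations, or pass directories explicitly (for example a profile directory on a mounted disk image during a forensic review). The non-zero exit status when the plug-in is found lets the check sit in a fleet-wide inventory or configuration-management run without anyone having to read the output.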

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux