FedEx Will Pay You $5 to Install Flash on Your Machine
We certainly hope that FedEx shows more concern over the safety of its drivers and pilots than it shows to customers wanting to order printing online.



FedEx is making you an offer you
iCub the Open Source Robot
It occurs to us that the iCub might be the perfect companion for an only child. Probably cheaper in the long run than a little brother or sister, and it can be turned off at night.

The Screening Room



Apparently,
Linux Action Show to End Eleven-Year Run at LFNW
Six more episodes before the popular Linux podcast, Linux Action Show, ends its nearly 11-year run in a live broadcast from LinuxFest Northwest.

Media



Jupiter Broadcasting's long-running
No, Evil Hackers Aren't After You
Humankind has outgrown the need to have monsters hiding under our beds. Now we let them hide in our phones, computers and microwave ovens.

Roblimo's Hideaway



OMG! I think I see a giant camera lens on
Four Things a New Linux User Should Know
When you move from "that other operating system" to Linux, you're going to find that in most ways you'll be in familiar territory. However, that's not always the case. We sometimes do things a little differently
Should the U.S. Army Have Its Own Open Source License?
Should the U.S. armed forces begin releasing software under an OSI approved open source license rather than as public domain?

Roblimo's Hideaway



This question has generated many pixels'
GitHub CEO Chris Wanstrath on Open Source
Did you know that the software Stephen Hawking uses to speak is open source and that it's available on GitHub? Neither did we.

The Screening Room




At the Computer History museum, GitHub CEO Chris
April 22nd, 2013

Oracle Serious About Java Security–Maybe

We’re not ready to tell you we think it’s safe to reactivate your Java browser plugin–in fact, just the opposite–but we will say that Oracle is at least giving the appearance they’re now serious about addressing browser-side Java’s safety. Early last week they issued a security patch that fixed either 41 or 42 Java security issues, depending on what website you’re reading.

Excuse us if we don’t seem too impressed. At this juncture all we’re willing to do is say with utmost snark, “It’s about time.”


For more than a year now having Java available to the network has been a dangerous proposition–so dangerous that Homeland Security issued a warning in January urging all U.S. citizens to shut down Java in the browser. Since then, Oracle has issued several security fixes, which still left users vulnerable even though a patch in early February fixed a whopping 50 security holes. Another patch, issued in March, “switched Java security settings to ‘high’ by default,” according to Oracle. This setting requires users to authorize unsigned or self-signed applets before they’ll run.

Oracle’s latest patch, the one with the 41 or 42 fixes depending on who’s talking, offers more of the same according to Sean Michael Kerner in an article posted April 16 on eSecurity Planet. Reporting on a conversation with Hasan Rizvi, Executive Vice President for Oracle Fusion Middleware and Java, he writes:

“With the new Java update, Oracle is now also going to lock down applets and require that code is signed before it can run, even for sandboxed apps.

“‘The majority of the recently disclosed vulnerabilities and vulnerabilities fixed in the Critical Patch Update for Java SE resulted in effectively allowing escape from the sandbox,’ Rizvi said. ‘To a large extent, active exploitations of these vulnerabilities were taking advantage of the legacy practice that allowed sandboxed Java applets and web start applications to run without any warning to the user.’

“Rizvi noted that the signing requirement will improve the security of Java users in a number of ways. For one, it will create some sense of accountability with Java code developers.

“‘Malicious attackers will be required to purchase a code-signing certificate,’ he said. ‘Note that before issuing a code-signing certificate, certificate authorities generally perform certain checks to ensure the identity of the person applying for the certificates.’

“Oracle will be able to identify where the certificate came from and will have the ability to blacklist the certificate and the application.”

[yop_poll id=”8″]

In an article released the same day by Reuters, writer Joseph Menn said that Rizvi indicated users would still be able to override and run unsigned code “if they click to acknowledge the risk …” It’s not exactly clear how this is different from the policy put in place with the patch Oracle issued in March, other than making what was once a “high” security measure now business-as-usual.

Here at FOSS Force we see no reason to take a chance and enable Java in the browser unless it’s an absolute necessity. According to the Reuter’s article, Java is now the most attacked software on the Internet:

“Last year, Java surpassed Adobe Systems Inc’s Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

“Java was the vehicle for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.”

Our advise on running browser-side Java remains the same as it’s been since Homeland Security issued their advisory back in January. If you don’t need it, keep it disabled. Hardly any websites require Java anymore and having the browser plugin operational only makes you vulnerable. No operating system is safe. In recent months there have been reports of Java exploits being used against all platforms, including OS X and Linux.

The following two tabs change content below.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Comments are closed.