Guess what? We’re hearing reports this morning that the black hats are continuing to take advantage of security vulnerabilities in Java. Of course they are. That’s what black hats do. We’re also hearing from security experts that browser side Java isn’t likely to be made secure in the near future.
Oracle’s management of Java since obtaining it from Sun has been nothing short of a joke. It’s about time for them to decide if they want to keep Java or not. If they don’t want it, they need to spin it off or let it die. If they think it’s a valuable part of their software portfolio, they should treat it as such and work overtime to make it safe.
In the meantime, we’re standing behind our earlier assertion that Java browser plug-ins should be disabled until security experts say it’s safe to enable them again. If you run web sites that depend on Java applets to run, find another way.
Here in the U.S., disabling Java plug-ins should have little to no effect on most people’s Internet use. Here at FOSS Force we’ve had Java disabled in all of our browsers for years with absolutely no problem. However, users in other parts of the world may have trouble accomplishing some tasks, according to an article posted on PCWorld today:
“… In Denmark, for example, online banking and government websites use a log-in mechanism called NemID that requires Java support… Similar cases might exist in other countries.
“In those cases, using the click-to-play feature in Chrome and Firefox, or the Zones mechanism in IE, could be used to let Java content load from only certain websites. A less technical solution would be to use one browser with Java disabled for general tasks, and a different browser with Java enabled for trusted websites that need Java support.”
On Monday, Igor Soumenkov with Kaspersky Lab revealed in a blog entry that malware known by security researchers as Miniduke had been responsible for recently infecting computers in drive-by attacks using exploits in Java that have evidently since been patched. It had been thought that Miniduke mainly launched attacks through email phishing expeditions utilizing a now patched exploit in Adobe Reader 9, 10 and 11.
We’ve already reported that after setting on their hands through much of 2012, despite being told of numerous security holes in Java, Oracle has been busy pushing patches, fixing at least 52 security holes so far this year. Last week they issued an unscheduled patch fixing two vulnerabilities. At that time, five known security holes remained which have not yet been addressed. Oracle’s next security patch is scheduled to be issued April 16.
According to PCWorld, Adam Gowdiak, the security researcher who’s responsible for finding many if not most of Java’s recent security issues, thinks that Oracle may unable to effectively deal with their Java problem:
“There are indications that Oracle’s developers are unaware of Java’s security pitfalls and that code security reviews are either not done at all or not comprehensive enough, Gowdiak said. Many of the issues identified by Security Explorations violate Oracle’s own secure coding guidelines for Java, he said.
“‘We found many flaws which should have been eliminated by the company at the time of a comprehensive security review of the platform prior to its release,’ Gowdiak said.”
With most security experts not expecting browser side Java to be made safe anytime soon, we can’t stress enough how important it is that users disable Java at this time. Linux users can find instructions for disabling Java in most browsers in an article we published in January.