The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=149048
23 messages

Tech: Java Warnings

15 Jan 13 - 06:25 AM (#3466353)
Subject: Tech: Java Warnings
From: JohnInKansas

A few (5?) days ago, the U.S. Department of Homeland Security urged PC users to disable the program (Java) because of bugs in the software that were being exploited to commit identity theft and other crimes.

For those interested, a report of that notice is at US warns on Java software as security concerns escalate.

A new report, just posted yesterday, indicates that Oracle has released a patch, but warns that the patch is not a complete fix for the vulnerability.

The latest report is at Despite Java update, security experts say bugs remain.

Security advisors continue to recommend that Java be removed or disabled, whether or not the patch is applied.

Some time ago, Oracle warned that older Java versions were "highly vulnerable" and released newer versions. With prior updates it was common to find Java applications that required an obsolete version so many people kept multiple ones in their browsers with only one (or none) enabled, in case they ran into something that needed an older version. At that time, we were assured that the latest version was "fully backward compatible" and were advised to remove all older versions. Even then, it was recommended by most security advisors that the Java utility should be disabled except when needed.

At about that time, or possibly a little before, reports are that Apple removed all old versions from their supported machines.

I personally followed instructions, removed all the old ones, downloaded the latest version "just in case I needed it," and disabled it.

When I checked at the time of the Homeland Security warning (first link above) I found that there was no Java in tools on my Internet Explorer, although I haven't checked to see when it was "disappeared."

It's likely that most Windows users will also find that Microsoft updates have removed Java (but maybe only if it was turned off at the time of the update?). It would be suggested that everyone take a look at whether or not it's still there in their browsers.

In IE, Tools | Manage add-ons or the little "sprocket"|Manage add-ons will get you to the right place. The default is to display "currently loaded" so you have to roll down to get "all add-ons" to make sure whether it's there. If it's present, some Java uses can turn it on/off when needed, with or without notifying you, so it needs to be completely gone if you don't want it to pop up.

SECOND SUBJECT:

Also worth noting is that Microsoft issued an "out of sequence" (Emergency) patch for Internet Explorer yesterday. You should get it automatically if you get automatic updates. This patch applies only to IE8 and older. Windows 7 users should already have IE9 and Win8 people should have IE10, and will not be affected; but some older OS versions can't use the latest IE releases and should get the patch.

John


15 Jan 13 - 07:18 AM (#3466364)
Subject: RE: Tech: Java Warnings
From: GUEST,BrendanB

Hi John
Thank you for the information. I have done as you suggested and could not find Java but have found 'Deployment Toolkit. Oracle America Inc Enabled'. Should I do anything about this?


15 Jan 13 - 10:58 AM (#3466455)
Subject: RE: Tech: Java Warnings
From: Bill D

Oracle says new release ready

link to download

I have not done it yet... waiting a few days for checking by experts.


15 Jan 13 - 01:09 PM (#3466509)
Subject: RE: Tech: Java Warnings
From: JohnInKansas

The second link in the original post tells about all I really know about current recommendations. For most users, the recommendation is just "don't have Java" for now, although some businesses may use Java for specific purposes that will force them to continue to have it on some machines. The recommendation is that it be removed from any machines where it's not a critical requirement for some specific and necessary business usage.

Bill D's first link appears to refer to the update that spawned the patch discussed at that link, but appears to be for a separate release of a developers kit (that may be the same as the "Deployment Toolkit" BrendanB found). I'm not familiar with developer tools for Java, but it's probably not something anyone should need unless they create and distribute stuff in Java.

Most users won't likely have anything other than the Java Browser Plugin that lets Java things run in a browser. The Plugin doesn't appear to be separately mentioned in Bill D's link, although it's probably a component in the kit. (Check the "Reminder" note there.)

Since Java is intended to be a "cross platform" language that lets the same scripts run on multiple operating systems, it's possibly a little more likely that 'NIX users would have a use for developer/deployment tools than for either Apple or Windows users. Serious "Gamers" on any platform may need Java for some games to run, but you'd have to check each game to know whether it's needed.

Web pages that need Java will generally give you a popup (at least in IE) that asks if you want to use it, and if you allow it, the download should be automatic. It appears that when a one-time "allow" is accepted either my Norton deletes it when the page is closed, or Microsoft update wipes it at the next autoupdate.

SOME HISTORY:

Java was developed by Sun Microsystems, and Microsoft (and others) bought a license to include the browser plugin as a standard component in browsers. When Sun sold out to Oracle, Oracle "reinterpreted" the license agreements, and Microsoft (and others) quit including the Java plugin by default in newer versions.

Oracle is now the "owner" of Java, but distributes mostly ONLY developer software that most users probably don't need. The more or less official (this is a little vague) distributor for the Plugin now appears to be java.com.

A search for "Java download" in my Norton Secure Search lists seven pages of "free Java" of unintelligible purposes or reliability before it gets to the first hit for either java.com or oracle.com. I would be disinclined to download anything from most of them, but then I'm not desperate to get anything that they offer. The most common other (non-maker) site that I likely would trust would be cnet.com. Others may be safe enough, but verifications I would want are more trouble than just going to someplace I already feel I can trust.

John


15 Jan 13 - 03:23 PM (#3466564)
Subject: RE: Tech: Java Warnings
From: Bill D

Because I have several programs that are Java based, I had the full installation..in fact, several versions. But because I use those infrequently, I am not concerned with needing Java until they give an 'all clear' sign.... and then I may wait and see.

I hate seeing this, because Java IS such a useful tool for some things and I'd LOVE to see the idiots who compromised it found and... ummmm... 'severely chastised'


15 Jan 13 - 04:43 PM (#3466606)
Subject: RE: Tech: Java Warnings
From: JohnInKansas

Placing blame here is a tough call. The vulnerability is built into Java by the people who designed Java. The exploiting of the vulnerability is something that has been seen done by a variety of idiots who happen to have found it.

First reports imply that the main people targeted by the exploit have been government agencies and large corporate users, hence the Homeland Security warning. It's not clear whether significant attacks on "ordinary people" have been found, although it's clearly possible that any Java is vulnerable.

If it's needed to run a trusted application, whether on your own computer or on a trusted site, it's implied by some reports that it's still okay to use Java, but recommended that it be disabled except during the actual use. The ease with which a Java applet can turn the plugin on and off if you only use the simple enable/disable switch suggests that it's fairly risky to just leave it available when you don't have good reasons to let it run.

In IE, and probably in other browsers, you can sequester the plugin so that it can turn itself on whenever needed, or so that it can only be turned on when it asks for permission and you tell it that it's okay. It should be noted that not all applets that might turn it on are sufficiently polite to turn it OFF when they're done with it, so some extra caution may be required to make sure it goes away when you leave your safe application.

In casual browsing, I've only seen one or two requests to run Java since it was apparently removed from my machine. In those cases everything I was interested in came up without allowing it, so it's unlikely that just removing it will cause much problem for most users, although some may have special needs for having it available. (Java appears to be much used for tracking where you go and for selecting/providing the ads that pop up all over some sites?)

John


15 Jan 13 - 05:08 PM (#3466634)
Subject: RE: Tech: Java Warnings
From: Jack Campin

There are some ABC processors written in Java (like Five Line Skink). It's a good platform for that, so let's hope this gets fixed.


15 Jan 13 - 05:31 PM (#3466643)
Subject: RE: Tech: Java Warnings
From: Stilly River Sage

Last weekend I disabled the Java in my various browsers individually instead of uninstalling the whole thing. Yesterday I updated to the newest Java for the patch they released. I think in the future I'll simply uninstall the Java from the machine without all of the tweaking of browsers - if it is in the machine the browsers can use it, rather than turning it off at each point.

SRS


15 Jan 13 - 06:10 PM (#3466668)
Subject: RE: Tech: Java Warnings
From: Bill D

I had used...occasionally... this program- Arachnophilia to edit a web site. It was originally NOT a Java program, but the author rewrote it several years ago for the reasons he explains in excruciating detail. He is GOOD, and program has become a standard. I have no idea what those who depend on it daily will use now.

The program(s) I would miss, though I don't need them frequently, are things like WinDirStat, and SpaceSniffer which analyze how the space on your PC is used and present the results in a graphic format.
They are based on TreeMap, a concept developed at the University of Maryland a number of years ago.... and it is Java based. I 'think' Java is required, but have not tried one since I read the warnings.

I will be watching developments mainly to see if I can use them again.

Those programs are pure genius and help me keep track of what I have.


15 Jan 13 - 06:18 PM (#3466671)
Subject: RE: Tech: Java Warnings
From: GUEST,JHW(cookie on old computer)

Control Panel has a Java icon. Opening that gives various tabs and numerous options on Java Use and updates. Can I turn it off here for now rather than removing it by add/rem programs (where mine is listed as Java 7 update 9)


15 Jan 13 - 10:58 PM (#3466796)
Subject: RE: Tech: Java Warnings.Gargoyle
From: GUEST,.gg

I told you so...

Butt heads like a goat.

Sincerely,
Gargoyle

But,.....
Why would one listen to a lofty stone edifice...over a shitty, midwestern hole in the ground?


17 Jan 13 - 12:21 AM (#3467407)
Subject: RE: Tech: Java Warnings
From: JohnInKansas

NEW REPORT:

Homeland Security still says no to Java

Suzanne Choney, NBC News
16 January 2013

The Department of Homeland Security says despite some fixes to Java, it continues to recommend users disable the program in their Web browsers, because it remains vulnerable to attacks that could result in identity theft and other cyber crimes.

The Computer Emergency Readiness Team, part of the DHS, first took the unusual step last week of issuing an alert, warning users to disable Java, saying the program could be manipulated by criminals to trick users into visiting malicious websites that could infect their computers with malware, or allow criminals to steal personal financial data on users' PCs.

Oracle, maker of Java, said on its security blog Sunday that it updated Java 7 for Web browsers, fixing two vulnerabilities. The company also switched Java's security settings to "high" by default, which should make it more difficult for malware to run without the user knowing it.

Even so, security experts have since warned that several critical security flaws remain.

"All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk," said the Computer Emergency Readiness Team on its website:

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

For information on how to disable Java, you can learn more here.

Java is a computer language that lets software be written using one set of code that can run on any computer, no matter the operating system. "It's required by some Web sites that use it to run interactive games and applications," writes security expert Brian Krebs on his Krebs on Security blog.

"Java is not as widely used as it once was, and most users probably can get by without having the program installed at all. I have long recommended that users remove Java unless they have a specific use for it. If you discover later that you really do need Java, it is trivial and free to reinstall it."

Sophos Security notes that understandably, some users mistakenly think turning off Java also turns off JavaScript, which controls the look and feel of Web pages.

"Most modern websites make heavy use of JavaScript, so these people are worried that sites such as Facebook, Twitter ... will be pretty much useless if they follow our 'turn Java off' advice," writes Paul Ducklin of Sophos Security on the company's blog Wednesday.

"Turning off Java will not turn off JavaScript," he says.

John


17 Jan 13 - 12:49 AM (#3467410)
Subject: RE: Tech: Java Warnings
From: Joe Offer

I dutifully turned off Java on my browsers when I saw information about this problem. Trouble is, it puts limits on what I can do on Facebook, and on the Bank of America Website where I manage all my finances.
Troublesome, eh?

-Joe-


17 Jan 13 - 11:03 AM (#3467591)
Subject: RE: Tech: Java Warnings
From: EBarnacle

I removed Java last weekend and have had no call for it from any of my machines.


17 Jan 13 - 01:20 PM (#3467650)
Subject: RE: Tech: Java Warnings
From: JohnInKansas

Joe O -

Most of the Facebook features are claimed to be JavaScript, which is not the same as the Java that's the problem. JScript functionality is apparently built into the browsers and nothing related to it should show as an installed program or in the BHOs (plugins) in your browser. The ability to run JScript is sort of like the ability to read html(?). It is possible that you've used some "Facebook Aps" that use Java directly and would need an installation.

It's fairly likely that your bank might also use JScript, but warnings about Java code for secure public sites have been around long enough that it should be reasonably safe to turn it on there.

It does appear that if you have Java installed, and rely on turning it on/off in your browser, you must change settings in each browser separately. If true, this allows the possibility that you could set up one browser to use it for a site where you must, but disallow it in another browser that you use for general browsing.

If you want to turn Java on in one and off in another, but don't want to learn how to use two different kinds of browsers, you should be able to create a "secure username" and set the browser for that user one way, with a separate username to have the other instance of the browser do something different. Of course this means changing users when you go to the bank. Settings for different users of a single browser on the same machine are independent of each other.

Win7 makes it easy to "switch users," (Start|Shut Down|switch users) but I don't recall whether it's as simple in earlier versions since I never used it. (When I opened my username on "her" machine in earlier versions, a reboot was usually required to get rid of the trash from her unintelligible - to ordinary humans - setup.)

John


17 Jan 13 - 01:42 PM (#3467661)
Subject: RE: Tech: Java Warnings
From: Bill D

John... what...if anything.. is the difference between Java used by your browser(s) and the basic Java installation on your computer?
Does the browser just access the basic Java, or is it a separate deal?

Obviously, my interest is whether I can use those 2-3 Java based programs if I do NOT have Java enabled in my browser.


17 Jan 13 - 04:13 PM (#3467714)
Subject: RE: Tech: Java Warnings
From: JohnInKansas

JavaScript (JScript) is just a way of writing instructions for your computer to do something. The script can (usually) only call up instructions built into programs that "read and interpret" it. It's (oversimplified) much like html, but can call for functions that don't fit within the html standards to do things like calling up advertisements that aren't on the same page/server you're looking at, but has limited ability by itself to create (as opposed to identifying and fetching) new objects.

The Java language, that's what these recent warnings are about, is a fairly powerful programming language that can create new things for the computer to do. It is a fairly powerful full-blown programming language, specifically designed to be executable by "almost any" OS.

It should be noted that Java, as a computer language, is about as dangerous to UNIX or Mac systems as to Windows, since its purpose is to allow the same code to run anywhere.

JScript is similarly intended to be cross-platform compatible everywhere, but it mostly only passes instructions to use things the programs/operating systems have predetermined or builtin capability of doing.

JScript can be, simplistically, thought of as a little like an old fashioned batch file that can give instructions but isn't really overly powerful by itself. You don't have a "BATCH" program identifiable on your computer, but the computer can read the .bat script to know what builtin functions you want to use. If you use the right grammar, a batch file can call for a GWBASIC or IBMBASIC program to run, but the BASIC program and the interpreter have to be there for it to work. To create new things to do, you usually have to be in BASIC to write the program, identify it, and put it on the machine.

Java, the programming language, IS THE BASIC (or almost C, C#, C##, or D#) and can create new things to do very potent stuff.

Microsoft has begun migrating toward what they call "Power Script" as something of a replacement, or alternative, for JScript, but success in convincing people to use it is unclear. They seem to be fairly similar, but I haven't penetrated into either of them enough to be the right one to try to give real comparisons or descriptions.

John


17 Jan 13 - 04:25 PM (#3467716)
Subject: RE: Tech: Java Warnings
From: Beer

So far I have been lucky. I have had no problems with any programs since I disabled Java.
Adrien


18 Jan 13 - 03:40 PM (#3468202)
Subject: RE: Tech: Java Warnings
From: GUEST,JHW(cookie on old computer)

Norton say this (on my sister's computer) though I use Avira

You may have recently seen some of the extensive news coverage, including statements from the United States Department of Homeland Security, regarding a vulnerability in Java. Rest assured, because you have a Norton security software product installed on your computer, you're protected against the Java bug (CVE-2013-0422), as long as you have not disabled the automatic updates feature.
We also recommend that you apply Oracle's recently released security patch and make sure you are running the most updated version of Java. Thank you for being a valued Norton customer. Sincerely, The Norton Team


18 Jan 13 - 05:15 PM (#3468251)
Subject: RE: Tech: Java Warnings
From: Bill D

Interesting... I wonder if Norton guarantees it if you are compromised...

I suspect not..

I'm sure Oracle's team(s) are working night & day to work out something.


18 Jan 13 - 07:31 PM (#3468297)
Subject: RE: Tech: Java Warnings
From: JohnInKansas

Completely redundant warning:

Reports have begun to come in about scams using popups urging you to immediately "click here to save yourself from the Java curse" or things similar. Of course clicking will install a "back door" that allows installation of about anything the criminal wants to put on your computer, with keystroke loggers (to steal passwords) being right up front in the payload.

Typical note at Bogus Java patch drops malware on your PC.

This article recommends getting the Java patch only from Oracle. This link does have a short "which Java do I need" bit that may be helpful in deciding what version(s) you want, but may not make things much clearer since the download it says you need doesn't obviously have the same name on the download button as what it's called in the "explanation." Maybe Oracle is under a little pressure(?).

John


19 Jan 13 - 09:24 PM (#3468789)
Subject: RE: Tech: Java Warnings
From: GUEST

what...if anything.. is the difference between Java used by your browser(s) and the basic Java installation on your computer?

To use Java, you have a Java Runtime (JRE) installed on your computer. To use Java on your browser, you need a Java Plugin installed on your web browser. This Plugin is the connection between the browser and the JRE.

It's the same JRE but there are differences between a Java applet running in your browser and a Java Application running on your Desktop. These differences (at least mainly?) concern security and permissions, eg. by default, an unsigned Java Applet cannot write to a local file. See here. I think permissions can also be altered via policy files.

Note the above concerns Java. A Java Applet in a browser uses the applet tag. The unrelated JavaScript uses a script tag.

JavaScript in a browser (client side JavaScript) runs under the control of the browser's own engine. As with Java applets, there are certain operations that client side JavaScript is not allowed to do.

JavaScript is actually quite powerful, eg here is a WYSIWYG replacement for a text area written in JavaScript. It can be used to request data from a server and modify the web page with the new data, etc.
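
The applet-tag versus script-tag distinction in the post above can be checked mechanically. The following is an added example, not part of the original post: it audits a page's HTML and reports which tags would hand content to the Java Plugin and which are ordinary JavaScript. The function names and the sample page are constructed for illustration; the only external fact assumed is that Java content is embedded with the applet tag or with object/embed tags carrying an application/x-java-* MIME type.

```python
from html.parser import HTMLParser

# MIME types such as application/x-java-applet are what route an
# <object>/<embed> to the Java Plugin (and from there to the JRE).
JAVA_MIME_PREFIX = "application/x-java-"
JS_TYPES = ("", "text/javascript", "application/javascript", "module")


class EmbedAudit(HTMLParser):
    """Separates tags that need the Java Plugin from plain JavaScript."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.java = []        # (tag, detail) pairs that would invoke the plugin
        self.javascript = []  # script sources, or "<inline>" for inline code

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "applet":
            self.java.append(("applet", a.get("code") or a.get("archive", "")))
        elif tag in ("object", "embed"):
            mime = a.get("type", "").lower()
            if mime.startswith(JAVA_MIME_PREFIX):
                self.java.append((tag, mime))
        elif tag == "param" and a.get("name", "").lower() == "type":
            # Older pages declare the MIME type in a <param> inside <object>.
            value = a.get("value", "").lower()
            if value.startswith(JAVA_MIME_PREFIX):
                self.java.append(("param", value))
        elif tag == "script":
            if a.get("type", "").lower() in JS_TYPES:
                self.javascript.append(a.get("src") or "<inline>")


def audit(html):
    """Return the Java-plugin tags and JavaScript tags found in html."""
    parser = EmbedAudit()
    parser.feed(html)
    parser.close()
    return {"java": parser.java, "javascript": parser.javascript}


def needs_java_plugin(html):
    """True if any tag on the page would be handed to the Java Plugin."""
    return bool(audit(html)["java"])


# Constructed sample page (not taken from any real site).
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script>document.title = "Tunes";</script>
</head><body>
<applet code="AbcPlayer.class" archive="abcplayer.jar" width="400" height="200"></applet>
<object type="application/x-java-applet" width="300" height="100">
  <param name="code" value="Viewer.class">
</object>
<embed type="application/x-shockwave-flash" src="banner.swf">
</body></html>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_PAGE)
    for tag, detail in report["java"]:
        print(f"needs Java Plugin: <{tag}> {detail}")
    for src in report["javascript"]:
        print(f"plain JavaScript:  <script> {src}")
```

A page that reports only script entries keeps working with the Java Plugin disabled or removed.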


21 Jan 13 - 05:51 AM (#3469336)
Subject: RE: Tech: Java Warnings
From: GUEST

Just curiosity - why do the writers of Java create it?
We download it for nowt and then complain! Writers of other programmes make a convenience of it but what's in it for Oracle?