What's the deal with Java today?

When reading up on this when the news broke, I stumbled on an article stating that Oracle knew about this particular vulnerability at least 6 months ago.

That's insane, irresponsible, and shameful... almost sounds like Java is being developed and maintained by the government. :rolleyes:

I think the explanation for Java, VBA before that etc. is far simpler than that: the vendors (Microsoft, Sun/Oracle) are really only trying to push their tech.

VBA was the first big one, and Microsoft basically used it to bolster Office's dominance by allowing various programmers (meaning not big software houses) to build on Office for 'custom' solutions. But in their rush to market, security was a distant third or fourth. Once a few hackers realised how insecure it was, exploits were quick.

Of course, this was in the 90s, before all viruses / hacks were about stealing credit card details, and while those early viruses did cause lots of harm, the culprits were probably not tied in with mafias and were rather surprised when the FBI showed up at their door armed to the teeth. But then there was little chance of the FBI showing up like that in Redmond and dragging off the head of VBA for Office, even if Microsoft had written very insecure software which was almost universally deployed, because that's not the way the system works!

Java has always claimed 'security by design', but it really hasn't been any better than VBA. Business apps written in Java should be fairly secure, but there's enough online Java content out there that running a browser without it (or without Flash, the other top virus vector) can be problematic.

Microsoft recommending that people uninstall Java might have more to do with them currently pushing Silverlight, though. I hadn't heard of any Silverlight exploit until I just googled it, but cvedetails.com lists seven criticals; I think the reason for not hearing about those has more to do with Microsoft not having had much success with it.
 
United States Homeland Security says to disable Java: http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/

United States Computer Emergency Readiness Team says to disable Java: http://www.us-cert.gov/cas/techalerts/TA13-010A.html

SOPHOS says to disable Java: http://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java-browser/

Apple says disable Java... and even goes so far as to remotely disable Java: http://www.macobserver.com/tmo/article/apple-remote-disables-java-on-macs-after-major-security-alert

Mozilla Firefox says to disable Java, and like Apple, does so themselves: http://thenextweb.com/apps/2012/08/...firefox-users-disable-java-due-security-hole/

Technibble users say "nothing to see here, move along..." : http://www.technibble.com/forums/showthread.php?t=43984

So... I'm going to recommend that my customers disable Java unless absolutely necessary. This has absolutely nothing to do with Microsoft trying to push Silverlight.
 
Admittedly, I am not a tech. However... why would Oracle say the patch wouldn't be ready until Tuesday and then all of a sudden something comes out today? Why would everyone still be saying to disable it if the "patch" is legit?

Honest questions... don't be a jerk when answering please. :)
 
Well, the 'legitimacy'/effectiveness of it remains to be seen, I suppose. For now, people should just get the patch. If still worried, they can disable it / leave it disabled until they are content with the reports of the patch working.
Personally, I'm just betting the patch works. Maybe at my peril, but I'm not going surfing anytime soon, and my regular sites don't use Java.

As for the early release - who knows. But it makes sense that they would be hard at work to fix this exploit. Perhaps they were just finished sooner than anticipated.

Assuming the patch is good, I say good thing it's sooner than later.
 
Microsoft recommending that people uninstall Java might have more to do with them currently pushing Silverlight, though. I hadn't heard of any Silverlight exploit until I just googled it, but cvedetails.com lists seven criticals; I think the reason for not hearing about those has more to do with Microsoft not having had much success with it.

Yeah...that's true....MS is probably spotlighting this as a method of pushing Silverlight. Silverlight has been stepping a little into Java territory lately; it used to be more of just a Flash competitor, but now it is a bit more into Java's turf.

Gonna be a busy week pushing out this 7.11. No way could I go around uninstalling Java...my business clients' productivity would grind to a halt. Too many business apps and services rely on Java.
 
In a way there are really two Javas: Java the cross-platform language and Java the browser plugin. Most security exploits really target the plugin, so having a quicker way to turn that off in the Javacpl is nice. In fact, having the Java plugin default to off would be good practice. But that might go against Sun/Oracle corporate policies of having everything run Java.

Which is the crux of most security vulnerabilities: Java, VBA, .NET are all very useful to have on a computer. But having them able to 'face' the internet is where the problems start.
 
May come down to really having to lock down Java.....
As of now...I can't begin to fathom how difficult it would be to get control of clients' Java like this....we've got over 2,800 nodes in our N-Able management...and more that aren't in it.

In a single enterprise setup...with a global policy...easy enough. But for traditional SMB...where we aren't 100% in control of everything....it's darn near impossible to apply global templates. Sooo many different clients running soooo many different apps that rely on Java....both on the LAN, as well as internet facing.

I'm running my bigger clients through my head right now...which ones use Java...and so far...all do, in one form or another. Local applications....big in healthcare. As well as internet based...lots of clients that have road warriors out in the field, from home or mobile with laptops...that use SSL VPN...browser based...yup, those run on Java. Accountants and payroll....online banking sites...uploading/transferring funds. How many of you here have heard of ADP payroll? You have clients that use ADP Payroll? Wanna go disable Java on them and then have an angry horde of office people wanting your head on a platter because they didn't get their paychecks? Businesses that run Blackberry Express/Enterprise Server that manages/ties in their fleet of Blackberry phones...yup, that relies on Java...old version too...can't easily update without jumping through hoops. The list goes on and on for businesses.
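The "global policy" that the two posts above are talking about (turning the browser plugin off in the Javacpl, and getting control of that setting across a couple of thousand nodes) comes down to two text files that every JRE on a Windows machine reads at startup. The script below is an added example written for this page; it is not something posted in the thread and not Oracle's own tooling. It assumes Java 7 Update 10 or later on Windows, which is when the "Enable Java content in the browser" switch and its backing property deployment.webjava.enabled appeared, and it assumes it is run elevated (e.g. as an RMM script). The function names Set-JavaPluginPolicy, Get-JavaInventory and Test-JavaPluginDisabled and the -KeepPluginAtVeryHigh switch are names made up for this example.

```powershell
# Added example: system-wide Java deployment policy for Windows.
# Assumes Java 7u10+ (deployment.webjava.enabled exists) and an elevated shell.
# Function names and the -KeepPluginAtVeryHigh switch are invented for this example.

$deployDir  = Join-Path $env:WINDIR 'Sun\Java\Deployment'
$configPath = Join-Path $deployDir 'deployment.config'
$propsPath  = Join-Path $deployDir 'deployment.properties'

function Set-JavaPluginPolicy {
    param([switch]$KeepPluginAtVeryHigh)

    New-Item -ItemType Directory -Path $deployDir -Force | Out-Null

    # deployment.config is read by every JRE on the machine. It points at the
    # system-level properties file and marks it mandatory, so a user's own
    # %USERPROFILE% deployment.properties cannot override what we set here.
    $propsUrl = 'file:///' + ($propsPath -replace '\\', '/')
    @(
        "deployment.system.config=$propsUrl",
        'deployment.system.config.mandatory=true'
    ) | Set-Content -Path $configPath -Encoding Ascii

    # In deployment.properties, a key with a ".locked" suffix and no value
    # greys the matching control out in the Java Control Panel (javacpl).
    if ($KeepPluginAtVeryHigh) {
        # For hosts that genuinely need an applet (SSL VPN portal, payroll
        # site): plugin stays on, but the 7u10-era VERY_HIGH level refuses
        # unsigned applets and prompts for signed ones.
        $lines = @(
            'deployment.webjava.enabled=true',
            'deployment.security.level=VERY_HIGH',
            'deployment.security.level.locked'
        )
    } else {
        # Default: plugin off, and the switch locked so nobody flips it back.
        $lines = @(
            'deployment.webjava.enabled=false',
            'deployment.webjava.enabled.locked'
        )
    }
    $lines | Set-Content -Path $propsPath -Encoding Ascii
}

function Get-JavaInventory {
    # The JRE installer registers each installed version under
    # HKLM\SOFTWARE\JavaSoft\Java Runtime Environment (64-bit JRE) and under
    # Wow6432Node (32-bit JRE, which is what the browser plugin usually is).
    # Subkeys look like 1.7.0_11 (= 7 Update 11); the family key 1.7 is skipped.
    $keys = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $arch = if ($k -like '*Wow6432Node*') { 'x86' } else { 'x64' }
        Get-ChildItem $k |
            Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+_\d+$' } |
            ForEach-Object {
                $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
                [pscustomobject]@{
                    Version  = $_.PSChildName
                    Arch     = $arch
                    JavaHome = $javaHome
                }
            }
    }
}

function Test-JavaPluginDisabled {
    # True only when the system policy file exists and explicitly turns the
    # plugin off; a missing file means the JRE default (enabled) applies.
    if (-not (Test-Path $propsPath)) { return $false }
    $props = Get-Content $propsPath
    return [bool]($props -match '^deployment\.webjava\.enabled=false$')
}

Set-JavaPluginPolicy
Get-JavaInventory | Format-Table -AutoSize
"Plugin disabled by policy: $(Test-JavaPluginDisabled)"
```

Pushed through an RMM, the inventory output is what tells you whether 1.7.0_11 actually landed on a node, and the policy check is the thing to alert on for the clients where the plugin is supposed to stay off. For the handful of machines that must keep the plugin for a VPN portal or payroll site, run the same script with -KeepPluginAtVeryHigh so at least unsigned applets are refused.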
 
Just sent out alerts to all customers to update. Pushed it out to managed clients. Now I receive an alert from IDPA (Illinois Department of Public Aid) NOT to install the new update. It may cause the medical offices to not be able to check eligibility. For those who live in Illinois, you know just how mind-blowingly STUPID our state government is.
 
Wouldn't NOT installing the updates leave the medical offices more vulnerable to inadvertently violating HIPAA? I'm not in Illinois, but I agree that this does sound mind-blowingly stupid! LOL
 
Microsoft recommending that people uninstall Java might have more to do with them currently pushing Silverlight, though. I hadn't heard of any Silverlight exploit until I just googled it, but cvedetails.com lists seven criticals; I think the reason for not hearing about those has more to do with Microsoft not having had much success with it.

I think it's pretty safe to say that this has nothing to do with Microsoft or Silverlight. Sure, it might benefit Microsoft and Silverlight as a side-effect... but seeing as Apple, Mozilla, and the US Department of Homeland Security ALL recommended disabling Java, I'm gonna say it's nothing more than a side effect.
 
Wouldn't NOT installing the updates leave the medical offices more vulnerable to inadvertently violating HIPAA? I'm not in Illinois, but I agree that this does sound mind-blowingly stupid! LOL

I agree with you. As to the HIPAA violation: yes and no. IDPA just got their site compatible with Java 7 a few months ago, and it's still hit or miss. They are beyond incompetent. The state government here is 100% run by Chicago and the unions. We have a pension problem that Wisconsin and Indiana and California have only dreamed about. Instead of the assembly working on that this last session, they tabled it and went to work on some bill concerning road kill (I'm not kidding). Now the state is on the hook for 7 or 8 billion dollars in pension payments this year that they simply don't have. We have doctors and hospitals that haven't been paid in over a year. The governor signed the sale of Thomson prison over to the feds recently. This is a prison the state built 10 or so years ago and never used. They also never paid the contractors who built it. So the money the feds paid for the prison went straight to the contractors because of the lawsuit they filed years ago. It just goes on and on and on. Now, instead of hiring some decent coders or outsourcing their web development (not that they would be able to pay said people), they just tell everyone to stick with a major security hole.
 
Just sent out alerts to all customers to update. Pushed it out to managed clients. Now I receive an alert from IDPA (Illinois Department of Public Aid) NOT to install the new update. It may cause the medical offices to not be able to check eligibility. For those who live in Illinois, you know just how mind-blowingly STUPID our state government is.

They're typically lagging behind in versions....I've had healthcare software providers tell me to roll back servers and/or workstations to older versions...because their software will not work with newer/the latest.
 
I agree with you. As to the HIPAA violation: yes and no. IDPA just got their site compatible with Java 7 a few months ago, and it's still hit or miss. They are beyond incompetent. The state government here is 100% run by Chicago and the unions. We have a pension problem that Wisconsin and Indiana and California have only dreamed about. Instead of the assembly working on that this last session, they tabled it and went to work on some bill concerning road kill (I'm not kidding). Now the state is on the hook for 7 or 8 billion dollars in pension payments this year that they simply don't have. We have doctors and hospitals that haven't been paid in over a year. The governor signed the sale of Thomson prison over to the feds recently. This is a prison the state built 10 or so years ago and never used. They also never paid the contractors who built it. So the money the feds paid for the prison went straight to the contractors because of the lawsuit they filed years ago. It just goes on and on and on. Now, instead of hiring some decent coders or outsourcing their web development (not that they would be able to pay said people), they just tell everyone to stick with a major security hole.

That, my friend, is a Board-Certified Cluster F***... it's actually quite an impressive collection of fail. I really like the way it's all woven together. LOL