Thread: Homeland Security and Java

Recently, the US homeland security group issued a warning about hacking and Java. An example article is found at How to disable Java following Homeland Security warning | Washington Times Communities.Now I used to program in Java, as well as other languages like C#, Perl and PHP. So here are my questions.

1. Can someone tell me the technical problem here with Java?
2. Why can't Oracle, as well as the world wide Geeks in private enterprise, law enforcement and academia suggest a proper fix or resolution?

Also at Java Programming Forum - Learn Java Programming where I've posted some links to CERT and Oracle that are informative.

Whoops! I meant this one: Homeland Security and Java

Umm... Works for me when I click the corrected link.

Anyway, here's what I posted:

This thread has been kept invisible for a bit - ironically because people here are somewhat cautious about clicking on random links, and it isn't clear exactly where the link you provided leads to.

Nobody here can answer for CERT with respect to the first question. Nor can we answer for Oracle and the unspecified geeks in the second. However there is some problem affecting Java applets running in web browsers, and google reveals the usual standard of journalism in the reporting of that. (It seems a general rule that with respect to anything technical, scientific and, most especially "security" related, that reporting should remain information free.) The following links may be useful:

* The CERT advisory is at Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code
* Oracle have released Oracle Security Alert CVE-2013-0422 describing the problem
* and released update 11 for JDK 7 at the usual download page Java SE Downloads

It seems you should download and install the update. I haven't read the page that closely so I'm not sure whether it fixes the fault or merely alerts you before applets run. So, to avoid "driveby" attacks, it might pay to be cautious about running Java applets if you are unsure about the applet or the site/page that hosts it.

Today there is a new release of Java. Hopefully, this release addresses the problem I mentioned.

With versions of Firefox that I use on my Centos 5.8 and Centos 6.3 Linux systems, the Java plugin was not supplied.

If you get the plugin (part of JRE from from Oracle) and go to activate it there are several manual steps. You have to really want it.

When you finally get it set up you are presented with a warning message from Firefox. Here's part of the message from Firefox 10.0.11:

Java Plugin has been blocked for your protection.
.
.
.
Who is affected?
All Firefox users who have installed the Java plugin, JRE versions below 1.6.0_33 or between 1.7.0 and 1.7.0_4.
.
.
.

After all of this, if you really want to activate it so that you can run Java applets from your favorite web site, you can, but you can't say you haven't been warned.


It has been suggested that a useful browser feature might be an "opt-in" option on a site-by-site basis for browsers so that if you want to use an applet from a trusted site you might be able to. (You can presently set up an "opt-in" option for all cookies. It asks you whether you want to accept cookies when a site wants to set one.)

Even if this were available for Java plugins, I note that you still would have to be on guard for malware that can stash itself in your system and cause redirection from the web site that you think you are accessing to one of the blackhat guys. Remember the infamous Windows rootkit exploit? Particularly nasty since it exploited a security feature at the very bottom of the operating system and hidden from just about all "normal" programs. This thing is still floating around, but now there are ways of detecting and preventing it. Most of the time. ( I suspect that if any of the bad guys are successful in infecting your computer this way, they would have something mind more "interesting" than playing havoc with java applets.)

Anyhow...

There have been lots of Java browser plugin security flaws reported over the years (I seem to remember one last July or August), but actual attacks have not been widely documented. This latest warning comes, apparently, from real exploits that are now loose in the wild. Warning from U.S. Homeland Security? That's a new one (I think).

Furthermore...

I'm thinking that there have been security flaws for just about every program (major or minor) in widespread use, not just the Java plugins for browsers. I mean, I get security updates for various Linux application programs at a rate of several a week, but there are rarely any actual exploits.

Anyhow, I can't say how widespread any exploits of the latest Java plugin bug really are, but...

You can't say that you haven't been warned. (But I said that already.)


Bottom line: Eternal vigilance is not only the price of freedom. It is also the price of security. (To the extent that security is attainable.)



Cheers!

Z