Vulnerabilities / Threats
1/18/2013
09:31 AM
Connect Directly
RSS
E-Mail
50%
50%

Java Security Warnings: Cut Through The Confusion

Recent warnings to deactivate Java are raising additional questions: What about JavaScript, EJB, JavaFX, Android and any other use of the programming language?

Cloud Computing Comparison: PaaS Providers
Click above for detailed features matrixes on PaaS vendors
Like its Starbucks namesake, the general-purpose Java programming language comes in many different strengths and flavors. But which ones may be harmful to the health of your PC?

The Department of Homeland Security, along with numerous security experts, have recommended that whenever possible, businesses should pull the plug on Java running in their browsers. But the warnings have led to mass confusion: Do they also apply to the general Java runtime environment? And what about JavaScript, Enterprise JavaBeans, embedded Java, JavaFX, Java running on Android or anything else with Java in its name?

The confusion is understandable. After last week's discovery of two zero-day vulnerabilities in Java, which were partially patched by Oracle on Sunday, many technology experts have recommended the following: Deactivate the Java browser plug-in and see if you miss it. If not, then don't reinstall Java.

The confusion is compounded by the difficulty of finding and deactivating Java plug-ins, especially because the latest versions of the Java browser plug-in may not accurately report when they are -- or aren't -- installed. "Your browser lies: Java 7 Update 10 introduced a new checkbox that disables the use of Java in all browsers," says information security consultant Michael Horowitz on his Java version testing site. "By and large, this is a good thing, but there seems to be a failure to communicate between Java and many Web browsers. As a result, all the browsers I have tried so far incorrectly report that Java is not installed when, in fact, it may be installed but this new security feature has been enabled."

[ Learn how to protect yourself and your systems. Read 10 Facts: Secure Java For Business Use. ]

Let's clear up some confusion. First, the current Java-removal advice -- and security issues -- don't apply to Enterprise JavaBeans, embedded Java, JavaFX or JavaScript. "A common mistake is to confuse Java with JavaScript -- which is technically called ECMAScript," says Joe DeMesy, a senior analyst at information security consultancy Stach & Liu, via email. "These are, in fact, entirely different programming languages. While JavaScript has its own interesting history of security problems, the recently disclosed vulnerabilities do not affect JavaScript -- only Java's browser plug-in."

For security reasons, Java developer Sun (now part of Oracle) has restricted which parts of the Java runtime environment the browser plug-in can access. But DeMesy says the recent zero-day bugs have allowed attackers to use malicious websites to exploit plug-ins and gain access to the full Java runtime environment. As a result, attackers can use the Java runtime environment installed on a PC to execute arbitrary code.

The Java browser plug-in risk has been heightened by the fact that Oracle has taken its time to remediate vulnerabilities once they've been disclosed by bug hunters. By some accounts, some of Oracle's patches have also been rushed and sloppy. Also, Java security updates aren't reaching end users because Oracle has failed to offer automatic Java updates, as Adobe did to address out-of-control exploits of the Flash browser plug-in. As a result, the Java plug-in has become an attack magnet.

Notably, a recent study of the Blackhole crimeware kit found that Java bugs were being used to exploit systems in 77% of all successful attacks, compared with 18% of attacks involving a specific PDF vulnerability, 2% involving other PDF vulnerabilities, followed by MDAC, HCP and Flash bugs (1% each). But many of those exploited Java bugs were patched months ago, if not earlier, which leads to only one conclusion: "Java security fixes are not being installed," writes report author and SophosLabs researcher Gabor Szappanos. "Users don't consider Java a direct threat and don't rush into updating their systems." Or perhaps users simply don't know it's even running on their system.

Despite mounting criticism of its handling of Java in the face of regular zero-day vulnerabilities and in-the-wild exploits, Oracle officials haven't sharpened their game. An Oracle spokeswoman this week responded to requests for comment on the latest zero-day vulnerability -- first publicly documented Wednesday by security reporter Brian Krebs -- by pointing to Oracle's security advisory, issued Sunday to accompany Oracle's patch for the two zero-day vulnerabilities discovered last week. When informed by Ars Technica that the update has no information about the new zero-day bug, seen for sale by Krebs about 24 hours after the update was released, the Oracle spokeswoman replied that the company had no additional comment.

Interestingly, JavaScript offers a solution to the Java-meets-browsers security problem. "With modern versions of JavaScript there is little to no need for developers to use Java in the browser," says Stach & Liu's DeMesy. "This is the reason these vulnerabilities are so interesting -- because while the Java browser plug-in is commonly installed, it's not commonly used."

Many capabilities handled via Java browser plug-ins are already available elsewhere, and that will no doubt be the route many end users -- and hopefully developers -- will now pursue. "If WebEx and GoToMeeting didn't need Java, I wouldn't have installed it in the first place," reports one InformationWeek reader. "I've found that you can install their client and that lets you do away with Java. Goodbye Java. I have enough to worry about."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jjohnson551
50%
50%
jjohnson551,
User Rank: Apprentice
1/21/2013 | 5:51:14 PM
re: Java Security Warnings: Cut Through The Confusion
You are wrong about JavaFX, it requires the JRE.

Also the JRE is required for any Oracle E-business suite, Oracle Discover, etc customer thus why many cannot just turn it off. The reason the JRE is not updated in companies is because Oracle does not provide an enterprise method for pushing updates. There are loosely published methods to do it via Group Policy or Configuration Manager, but these often fail, and are NOT supported by Oracle.

So bottom line issue is: Oracle requires the JRE for their products, but does not provide any supported method to update the JRE other than someone with admin rights apply it manually on every computer.

I wonder were the lawyers are when you need them?
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/21/2013 | 10:35:40 AM
re: Java Security Warnings: Cut Through The Confusion
Hi -- Very, very good question, and my apologies for not being clearer. As has been noted in other comments, the issue applies *solely* to the Java browser plug-in, and (technically) to a lesser extent to the run-time environment. (The prevailing security wisdom is that having Java on your system will increase the attack surface, so you're better off removing it, if it's not necessary.)

But to be clear--and I should have said this--the current Java-removal advice doesn't apply to anything else with "Java" in the title, such as Enterprise JavaBeans, embedded Java, JavaFX, JavaScript.
DavidGP
50%
50%
DavidGP,
User Rank: Apprentice
1/20/2013 | 12:28:02 AM
re: Java Security Warnings: Cut Through The Confusion
Falling behind? Oracle released JAVA 7u11, which has the fix for that bug and another. No JAVA 6 updated version, yet!
Stratocaster
50%
50%
Stratocaster,
User Rank: Apprentice
1/18/2013 | 11:26:28 PM
re: Java Security Warnings: Cut Through The Confusion
I think most users would agree that the auto-update function in Adobe Flash is notoriously unreliable. I generally learn about such updates from my subscription to Mr. KrebsG«÷ invaluable site.

Part of the problem also is that until very recently, Java Runtime did not uninstall elegantly. I have seen a few machines which still had Java 1.5 on them coexisting with later versions because of some arcane corporate web app. In my own enterprise environment, I have NEVER received a push-out update for JRE; I do it myself, which many users are prohibited from doing due to desktop lockdown group policies. (I do not work in the IT department.) In fact, the help screen for one widely used web app checks to see whether the required G«£Java 1.5 or Java 1.6G«• (sic) is installed. There is no mention of Java 7, although Oracle has announced that support for Java 6 will cease next month.
Andrew Binstock
50%
50%
Andrew Binstock,
User Rank: Apprentice
1/18/2013 | 10:18:11 PM
re: Java Security Warnings: Cut Through The Confusion
The issue is primarily in the browser. All other forms of Java (Java desktop, server apps, embedded Java, etc.) are safe unless they're reading consuming web sites and then running an infected Java payload--something that's possible, but very, very unlikely.
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
1/18/2013 | 7:52:17 PM
re: Java Security Warnings: Cut Through The Confusion
I don't think it was true.. The issue was Apple decided not to support Flash. Apple decided to use HTML5 instead of buggy flash.. I think it was the right decision. Adobe was forced to release a server side software would convert flash videos to HTML5 for the clients which doesn't have flash.
pwndecaf
50%
50%
pwndecaf,
User Rank: Apprentice
1/18/2013 | 7:45:28 PM
re: Java Security Warnings: Cut Through The Confusion
Thanks - I was expecting answers to all the questions the author raised, also.
NunchuckNorris
50%
50%
NunchuckNorris,
User Rank: Apprentice
1/18/2013 | 6:58:38 PM
re: Java Security Warnings: Cut Through The Confusion
"What about JavaScript, EJB, JavaFX, Android and any other use of the programming language?"

Umm. OK, so the JavaScript question was answered, but what about the others?

This is only an issue with the browser Java plugin, which runs on the desktop. It is not an issue with EJBs or any of the other Java (JEE, etc) that runs on the server side, nor is it an exploit of Android, or embedded. That is an important disctinction that really should be made, before the Java technology at-large is unduely tarnished.

justanobserverinmass
50%
50%
justanobserverinmass,
User Rank: Apprentice
1/18/2013 | 4:21:41 PM
re: Java Security Warnings: Cut Through The Confusion
When the iPhone was first released and did not include java, wasn't there a hue and cry about the foolishness of doing such a thing? I think Jobs claimed it was too much a target and too easy a target and didn't need it. Looks like that's still the case today.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.