Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Here we go again: Java 7u11 security patch incomplete

wrldwzrd89

wrldwzrd89

macrumors G5
Original poster
Jun 6, 2003
12,110
77
Solon, OH
Link to story: http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/

Summary: Security researchers have confirmed that the latest version of Oracle's Java software framework is vulnerable to Web hacks that allow attackers to install malware on end users' computers.

My analysis: Well, this is the latest in a series of black eyes / punches to the gut for Oracle and Java. How do you deal with such an unmitigated disaster? I don't know - but at this point, since all the exploits involve the web browser applet plugin, I'd be tempted to announce that Java applets, at least as we know them now, will cease to exist completely in Java SE 8 - the web plugin will go away, as will all code to support it. This is just a hypothetical "nuclear" measure; but in this day and age, with HTML5 being the clear way forward, it just may be worth it.
 
munkery

munkery

macrumors 68020
Dec 18, 2006
2,217
1
Exploitation of these Java vulnerabilities is at least somewhat mitigated by requiring the end user to click "OK" to run unsigned and self signed Java applets by default.

Exploiting these vulnerabilities will now require some measure of social engineering to get users to click "OK". Albeit, it most likely will not be difficult to get unknowledgeable users to do so.
 
S

snberk103

macrumors 603
Oct 22, 2007
5,503
91
An Island in the Salish Sea
munkery said:
...
Exploiting these vulnerabilities will now require some measure of social engineering to get users to click "OK". Albeit, it most likely will not be difficult to get unknowledgeable users to do so.
Click to expand...

I suspect the definition of "unknowledgeable user" includes way more people for Java than it does for email. Most of my non-techy friends are now well trained to reject dodgey emails - sometimes too well trained as even legitimate emails get binned occasionally.

But I think that the vast majority of people have no idea what a legitimate Java request looks like. And since they have been trained to reject emails, and this is not an email, we may see largely successful socially engineered exploits for Java. Unless they take it out entirely.
 
munkery

munkery

macrumors 68020
Dec 18, 2006
2,217
1
snberk103 said:
I suspect the definition of "unknowledgeable user" includes way more people for Java than it does for email. Most of my non-techy friends are now well trained to reject dodgey emails - sometimes too well trained as even legitimate emails get binned occasionally.

But I think that the vast majority of people have no idea what a legitimate Java request looks like. And since they have been trained to reject emails, and this is not an email, we may see largely successful socially engineered exploits for Java. Unless they take it out entirely.
Click to expand...

I totally agree. Prior to Java sandbox bypass exploits being readily available, users had to accept running unsigned and self signed Java applets that required permission beyond those allowed by the Java sandbox and malware still used social engineering to trick users to gain those privileges.

Now Java requires all unsigned and self signed applets to be manually allowed regardless of the applets required permissions in relation to the Java sandbox. So, malware that uses Java applets will either require being manually allowed to run to execute a Java sandbox exploit or to prompt the user to accept a certificate to run with elevated privileges.

Basically, another layer of security has been added but users that are susceptible to being tricked via social engineering are still liable to be tricked.

At least now knowledgeable users that require Java enabled in the browser are more protected.
 
SactoGuy18

SactoGuy18

macrumors 601
Sep 11, 2006
4,339
1,502
Sacramento, CA USA
That's the reason why both my Windows 7 desktop and laptop computers are running Norton Internet Security 2013. Symantec has updated their malware signatures to stop known vulnerabilities in the Java virtual machines.
 
munkery

munkery

macrumors 68020
Dec 18, 2006
2,217
1
SactoGuy18 said:
That's the reason why both my Windows 7 desktop and laptop computers are running Norton Internet Security 2013. Symantec has updated their malware signatures to stop known vulnerabilities in the Java virtual machines.
Click to expand...

Anti-virus software will only protect you from specific known threats; unknown threats aren't reliably detected. Java applets as a whole aren't inherently bad so a specific definition is required for a malicious applet.

That's the reason why I don't use any online services that require Java and don't have Java enabled in my web browser.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom