That was fast… vulnerability found in latest Java

Researchers have already found a vulnerability in Java 7 Update 7, which was only released yesterday. So far all we know is that a report, along with code demonstrating the security hole, has been submitted to Oracle, Java’s developer.

Details on the new Java hole show that it could be used to take over a vulnerable computer. So, once again, users are being urged to disable Java, especially in web browser software.

Your move, Oracle.

UPDATE 2012Sep01: SANS reports that a new email phishing attack exploiting this new Java hole is showing up in the wild. The email appears to be from Microsoft, and is patterned on a recent, legitimate Microsoft email message. The mail contains a URL that – once clicked – sends web browsers to a site that has been infected with the published Java exploit code. Advice to users is the same as usual: be very careful about clicking on any link you don’t know for sure is safe, and consider disabling Java in your web browser.

New patch for Java plugs recently-discovered security hole

Much to their credit, Oracle has released a patch for Java that fixes the recently-discovered security hole.

CERT confirms that the new patch does indeed resolve the problem. All Java users – and that’s you, unless you’re absolutely certain Java is disabled – should apply this update as soon as possible. This affects Windows, Linux and MacOS users.

This is a welcome reaction from Oracle. Until this patch was released, it was assumed that the hole would not be fixed until the next regular patch cycle in October 2012.

Opera 12.02 released

A new version of the Opera web browser was announced today. Version 12.02 includes some security fixes, as well as some other minor changes.

The Opera blog post announcing version 12.02 also describes a way to avoid potential problems with the recently-announced Java security hole. It involves changing an Opera setting that forces the user to ‘click to play’ for any content provided by a plugin (including Java). With this setting enabled, if you visit a site infected with a Java exploit, the exploit code won’t run unless you specifically allow it. While possibly overkill, this is as good a workaround as we can expect, at least until Oracle issues a fix for the Java hole.

Firefox 15 released

Another new version of Firefox was announced today. Version 15 includes some new features, like silent updates (which I will immediately disable), and some fixes for long-standing plugin memory use issues.

The Firefox release notes for version 15 have all the changes.

Interestingly, there doesn’t seem to be a list of previous Firefox versions or the corresponding release notes anywhere on the site. But you can find the release notes for a version by replacing ‘15.0’ with any other version number in this URL:
http://www.mozilla.org/en-US/firefox/15.0/releasenotes/.

Why I use a really long passcode for my wireless network

Visitors to my home who want to use our wireless network are often stupefied by the 63-character, hexadecimal WPA2 passcode. In spite of the legitimate security concerns that went into my choice of such a long code, this always embarrasses me. Of course, being embarrassed easily is all part of growing up and being British. (That’s a Monty Python reference in case you didn’t get it.)

So I’m happy to report yet another analysis of wireless passcode security and the relative ease of cracking them.

The upshot is that no passcode is uncrackable. Your only hope is to make your passcode so long and complex that it can’t be cracked in a reasonable timeframe. Using all of the maximum 63 characters is strongly recommended.

So, laugh all you want, and groan as you struggle to enter that monstrosity, but I’m not going to simplify it just for convenience.
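To put numbers behind the argument above, here is an added example (not part of the original post) that derives the 256-bit WPA2 Pairwise Master Key from a passphrase the way 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt) and compares how long an offline attacker who captured a handshake would need to exhaust 8-character versus 63-character passcodes. The guess rate is an assumed figure, not a measurement.

```python
"""Added example (not from the original post): WPA2 passphrase-to-PMK derivation
and worst-case brute-force time for passcodes of different lengths."""
import hashlib
import math

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for WPA2-Personal
PMK_BYTES = 32         # the Pairwise Master Key is always 256 bits


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as a WPA2-Personal client or access point does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PBKDF2_ROUNDS, PMK_BYTES)


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random passcode, capped at the 256-bit PMK:
    no passphrase can be harder to guess than the key it derives."""
    return min(length * math.log2(charset_size), 8 * PMK_BYTES)


def years_to_exhaust(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every passcode, given an offline attacker
    running PBKDF2 at `guesses_per_sec` against a captured handshake."""
    bits = keyspace_bits(charset_size, length)
    return 2 ** bits / guesses_per_sec / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e6  # assumed rate: one million PBKDF2 guesses per second
    cases = (("8-char hex", 16, 8),
             ("8-char random printable ASCII", 95, 8),
             ("63-char hex (the passcode from the post)", 16, 63))
    for label, charset, length in cases:
        print(f"{label}: {keyspace_bits(charset, length):.0f} bits, "
              f"{years_to_exhaust(charset, length, rate):.3g} years to exhaust")
    # Constructed sample input: 63 hex characters, 252 bits of entropy
    pmk = wpa2_pmk("0123456789abcdef" * 3 + "0123456789abcde", "HomeNetwork")
    print("PMK:", pmk.hex())
```

The 8-character hexadecimal case falls in well under a day at the assumed rate, while the 63-character case exceeds the age of the universe by dozens of orders of magnitude, which is the whole point of the inconvenient passcode.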

New Java vulnerability likely to remain unpatched until October 2012

UPDATE: Oracle releases a fix ahead of schedule.

A recently-discovered security flaw in Java is going to make web browsing more dangerous than usual over the coming weeks.

The new vulnerability has already been exploited to develop a working attack that can affect Windows, Linux and MacOS computers to varying degrees. The exploit code is available as part of the controversial Metasploit and Blackhole hacking toolkits. That means we can expect real, web-based attacks to start appearing almost immediately.

Anyone wanting to compromise vulnerable systems need only place the attack code on a web site and wait for those systems to visit the site. In this case, vulnerable systems include just about any Windows or Linux system running a web browser with Java enabled.

Java is typically installed both as a stand-alone runtime environment and as a plugin for web browsers. Both environments are vulnerable to this attack. Java is widely used for a variety of applications, including open source tools like Freemind and Eclipse. Some web sites use Java to provide functionality beyond what’s normally possible with web browsers.

Unfortunately, unless Java’s developer decides to issue an out-of-cycle patch for this vulnerability, it won’t be fixed until the next update cycle, which is scheduled for October 2012.

Recommendations

Standalone, locally-hosted Java applications you’re already using should be safe. Until the vulnerability is patched, we don’t recommend new installations of any Java-based software.

If you don’t use Java, or can live without it until a fix is made available, you can disable it completely in your operating system. However, this is overkill.

Attacks exploiting this vulnerability are much more likely to appear on compromised and nefarious web sites. Navigating your web browser to such a site will almost certainly infect your computer with some kind of malware. Savvy web users already know that care should be exercised when web browsing at any time, but until this security hole is fixed, blindly clicking on web links and browsing to unknown web sites is going to be like playing Russian Roulette. Because of this, many security experts are recommending disabling Java in web browsers, until the flaw is patched.

Here are some more technical details from CERT.

Windows 8 annoyance lists start appearing

Since I’ve yet to bite the bullet and download an evaluation copy of Windows 8, I’m relegated to passing along reviews from elsewhere. Luckily, there’s no shortage of those.

First up is an article from laptopmag.com, entitled ‘8 Worst Windows 8 Annoyances and How to Fix Them’. Here are the highlights:

  • No more Start menu. Why, Microsoft? Why not make it optional? Then, if I’m using a tablet, I’ll turn on the new UI; and otherwise leave it off.
  • Desktop apps (basically, all the software you currently run on Windows) are harder to find, since they are all jammed behind one pane of the new UI.
  • Shutting down the computer involves more steps and it’s not immediately obvious what those steps are.
  • The new Windows Mail app only supports IMAP, not POP. Why, Microsoft? IMAP certainly has its uses, but for most users, POP more closely matches what they really want, and how they conceptualize email. IMAP can be very confusing for users.
  • Even Windows 8 itself reverts to ‘desktop mode’ for many activities. So what’s the point of the new UI? Is it just there to confuse people and make everything take longer? The constant transitions between the new UI and the desktop are jarring for users.

Next, a PCGamesN contributor has an entertaining rant on why he’s uninstalling Windows 8. Just as I plan to do soon, this poor sod forced himself to install Windows 8 in order to evaluate it. Highlights:

  • The new UI, and the way it’s forced on the user only to revert to the desktop for many operations, is a disaster.
  • The core apps – the ones Microsoft expects you to use every day – are awful. This includes the email client, the messaging client, the calendar, the media player and the Metro version of Internet Explorer (there’s a desktop IE as well).

Fun stuff! Thanks Microsoft, for giving bloggers such a rich source of disgust.

As predicted, Windows XP holdouts likely to upgrade to Windows 7

I’ve been saying for a while that corporate/business/enterprise customers are going to avoid Windows 8. IT departments have no interest in helping countless users re-learn Windows basics because of an ill-conceived and unavoidable user interface decision by Microsoft.

Enterprise IT folks are not interested in performing Windows upgrades on thousands of PCs unless there is a good reason to do so. When Microsoft stops developing security patches for Windows XP in April 2014, that will be a good reason to upgrade machines still running XP. Thankfully, there are alternatives to Windows 8.

After a lot of early problems with networking, compatibility and drivers with Windows 7, that O/S has emerged as the next go-to O/S for Windows-based PCs. Moving a user from Windows XP to Windows 7 will not involve a lot of re-training, drivers have matured, and software compatibility issues have mostly been resolved. Windows 7 sales are likely to exceed Windows 8 sales in the coming months, no matter what Microsoft does to encourage people to skip Windows 7.

Apparently, the attendees of a recent TechMentor conference held at Microsoft’s headquarters agree. According to those folks, Windows 7 is going to be the next Windows XP, with 7 assuming the mantle of ‘most solid and reliable Windows O/S’ for enterprise users.

My own plans are to evaluate Windows 8 on a test PC, but switch my Windows XP machines to Linux if possible, and Windows 7 if not. Windows 8 has a lot to prove before I will even consider using it on any of my main PCs.

Usability expert pronounces new Windows 8 UI confusing

Apple fans like to accuse Microsoft of stealing ideas from Apple. They also like to give Steve Jobs credit for inventing things actually invented by others. A recent example of this is the apparent belief among some Apple diehards that Jobs invented tablet computing.

Another common misconception is that Apple (and Jobs) invented the graphical user interface and mouse. In fact that honour goes to the wonderfully creative folks who worked at the Xerox Parc research facility in Palo Alto in the 1980s. Jobs saw a demonstration of a graphical interface at Parc and soon afterward, the Mac appeared on the scene.

In fact, all creative work builds on what came before, whether we’re talking about art or technology. These days, there’s far too much emphasis on ownership of ideas, with hopelessly broken patent and copyright systems making lawyers rich and causing untold misery for everyone else. Don’t get me started.

Raluca Budiu is a computer usability expert who previously worked at both Xerox Parc and Microsoft. She was recently interviewed by laptopmag.com, and was asked about the Windows 8 UI. What she says will surprise nobody who has given any thought to the new tablet/touch-focused UI. It’s confusing. It’s cognitively jarring. It’s more work than previous Windows UIs. Her comments were based on her own personal use of the new O/S and not the result of any kind of formal study, but I think we can agree that her observations have merit. I hope she decides to study the new UI in detail; the results could encourage Microsoft to provide workarounds for some of the more awkward UI issues in Windows 8.