Plugins will be safer in future versions of Firefox

Presumably in response to the recent flood of Java vulnerabilities, the developers of Firefox (Mozilla) will be adding a new layer of security to all plugins, including the notororiously insecure Java, Flash and Adobe Reader.

Essentially, the new security will consist of additional prompts when plugins are triggered. So when a web site tries to run Java code, Firefox will prompt you to make sure you really want to allow the plugin to activate and run the Java code. You will be able to control which plugins and sites are affected.

Oracle/Sun recently made similar changes to Java itself, in an attempt to improve the overall safety of Java in web browsers. However, as security researcher Adam Gowdiak points out, those changes are ineffective: Java code can still run silently, bypassing the new safeguards. He writes:

… unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings …
Our Proof of Concept code … has been successfully executed in the environment of [the] latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 … and with “Very High” Java Control Panel security settings.

That said, recent … security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

Microsoft blames device builders for Windows 8’s lackluster sales

According to The Register, Microsoft is accusing PC and handheld device manufacturers of not building enough Windows 8 devices. Despite publicly claiming that Windows 8 sales are similar to Windows 7’s at this point, the numbers being flouted are deceptive, in that they include sales to manufacturers. Internally, it seems clear that Microsoft is actually disappointed with Windows 8 sales and is looking for someone to blame.

Java: what is it, and why do I need it?

You’re probably sick of hearing about Java and its troubles. Still, there seems to be a lot of confusion about what Java is, what it’s used for, and whether it’s really needed. This post is an attempt to alleviate that confusion.

From the About page on the Java web site:

From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!
– 1.1 billion desktops run Java
– 3 billion mobile phones run Java
– 100% of all Blu-ray players run Java
– Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

What is Java?

Java is essentially a programming language. It’s also a runtime environment: a program that runs natively on your PC or other computing device and allows Java programs to run on that device.

Why is Java everywhere?

Java is embedded into many household and industrial devices. Typically these devices run older versions of Java, and those older versions often have security vulnerabilities. However, the potential for damage through exploiting vulnerabilities on such devices is usually small or non-existent.

Java is currently installed on most consumer and corporate PCs, usually because at least one Java application or Java-enabled web site requires it. Java may also be enabled in the various web browsers used on those PCs.

The main reason for Java’s prevalence is its portability. In computing terms, that means a Java program will run on any Java-enabled device without modification. Developers only need to create one version of a program, instead of a different version for every computing platform they want to support.

Java in the browser; Java outside the browser

To run a Java program outside of a web browser, a Java Runtime Environment (JRE) must be installed on the device. To use a Java-enabled web site or a web-based Java application, you still need a JRE, but you also need a Java plugin for your web browser. Each browser handles plugins differently, but without a Java plugin providing a link between the browser and the JRE, Java code will not run in the browser.

Because a plugin is required to run Java in a web browser, disabling the plugin is a sure-fire way to avoid web-based Java malware.

Java programs that run outside of the web browser

The primary danger posed by Java at this time is visiting malware-infested web sites with a vulnerable version of Java enabled in the web browser. A Java program that runs outside the web browser is safe, even if the shared Java JRE is old or vulnerable, because the only Java code that runs is the code for that program. If you trust the program’s developer, you’re safe. Note that there is one exception: if the program contains a Java-enabled web browser, the risk is the same as in any other Java-enabled web browser.

Examples:

  • Minecraft – a popular game
  • Eclipse – a software development environment
  • FreeMind — mind-mapping software
  • OpenOffice (Base; wizards) – an office application suite

Java programs that run in the web browser

A Java program that runs in the web browser is safe – even using a shared, old, or vulnerable JRE – as long as you only use that program and don’t navigate to any Internet-based web sites. If you must run a browser-based Java program, try to use one particular web browser for that program (and any similar programs). In other words, use a browser that has Java disabled for web browsing, and a different (Java-enabled) browser for running your browser-based Java programs.

Examples:

  • Yahoo SiteBuilder – requires and installs JRE 1.6 in a shared location, and installs JRE 1.6 components in browsers (use with caution)
  • Vigiliti nLive – network management software
  • ManageEngine OpManager – system management software
  • many other system and network monitoring and analysis packages

Web sites that require Java for proper operation

If you can’t avoid web sites that use Java: again, it’s a good idea to set aside a Java-enabled web browser for accessing those sites (and nothing else!) Use a separate web browser with Java disabled for most of your web surfing.

Examples:

  • Some banking web sites
  • The Wall Street Journal website uses Java for dynamic charts
  • Secunia’s Online Software Inspector

Java applications that install their own JRE

When an application requires a JRE to run, it can use a shared JRE that is typically installed in a standard location where it can be found by any Java application on the PC. It can also install its own JRE in a location where it is only used by that application. This avoids potential compatibility issues, but it can make things more confusing for anyone trying to understand how Java is being used on their PC.

Examples:

  • Vigiliti nLive – network management software
  • ManageEngine OpManager – system management software
  • MindRaider – notebook and outlining application

How is Java related to Javascript?

It isn’t. Java is to Javascript what ham is to hamster. Like Java, Javascript is a programming language, and it’s often used on web sites to provide enhanced functionality. Also like Java, Javascript is often used for malware. Unlike Java, Javascript can only run within a web browser. Both represent significant security threats, and both can be disabled within web browsers, but doing so may cause some web sites to stop working properly.

Why are there so many security problems with Java?

Java’s success – its prevalence on PCs – has made it a useful target for malware developers. The success of Windows made that operating system the primary target of malware developers for years, but Microsoft has improved the security of Windows, and malware writers are looking for other targets.

All programs contain bugs, and if enough time is spent examining a program, eventually someone will find a way to break it in a way that allows security to be bypassed. Java is a program like any other, and the new focus on Java is revealing more and more security issues.

Why do developers still use Java?

Given all the recent problems with Java, one might expect software and web site developers to steer clear of it. Some developers are probably already looking elsewhere, and the longer it takes for Oracle/Sun to fix Java’s security problems, the more developers will bail. Most developers are probably concerned, but biding their time; switching away from Java is likely to be a massive undertaking.

Why do I need Java? Can I stop using it?

There’s no way to escape Java completely. You probably have several devices in your home that have Java embedded into them. But apart from the Java embedded in devices, you may not need Java at all.

In the PC world, some applications and web sites need Java to work properly. If you don’t have Java on your PC, you won’t be able to use those applications and web sites. If you’re a system or network administrator, you probably need Java to run system management tools. Your employer may use or require custom Java software in your workplace. You may need Java to use your bank’s web site. And so on.

The only way to know for sure whether you can do without Java on your PC is to disable or uninstall it, then make note of any web site or application that stops working. Of course, this may be more difficult than it sounds, since functionality may only be affected in subtle ways.

More problems with Java

  • Version confusion: traditionally, the JRE installer left old versions intact when installing new versions. This was apparently done to get around version incompatibilities, but in practice it created more problems than it solved. More recent JRE installers seem to be better at cleaning up older versions.
  • Java Development Toolkits (JDKs) add to the confusion, since they typically include their own, separate, embedded JRE.
  • There are apparently no tools for finding and diagnosing Java installations on a PC. JavaRa is useful to a point, but it doesn’t seem to find embedded JREs installed with certain Java applications.
  • When you install Java, it sets itself up to perform auto-updates. This feature can be disabled, but it has to be done every time you install or update Java. Worse, the auto-updater may delay updating your Java for days or even weeks after an update becomes available.
  • Recently, Oracle started including crapware (aka foistware) with Java JREs. Performing a default install of a recent JRE will add a worthless toolbar to your browser and may hijack your browser search settings.
  • Removing Java from Internet Explorer is almost impossible. Web browsers like Firefox and Google Chrome include simple settings for disabling Java, but for some reason this is not the case with IE.

Further reading

If you’re gotten this far and want more, the folks over at Windows Secrets recently posted some more useful information about Java.

Links

Java: now with nasty crapware

As if Java didn’t have enough problems, Oracle/Sun recently started packaging it with the Ask Toolbar. Anyone installing Java must opt out of installing the Ask toolbar, or it will show up in their web browser and hijack their browser’s search settings.

Ed Bott at ZDNet took a close look at the Java installation process and posted his findings. He starts by saying:

Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.

And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.

It’s an excellent article, well worth reading.

To make matters worse, I recently discovered that I can no longer disable the Java auto-updater using the Java Control Panel in Windows 7. I can uncheck the checkbox and save the settings, but if I go back to the Java Control Panel, the option has re-enabled itself. My only option is to disable the SunJavaUpdateSched (jusched.exe) startup entry using a tool like Autoruns.

I’m starting to get a bad feeling about Oracle’s management of Java. Oracle may feel that they have the world by the throat, given the prevalence of Java, but at some point, the world is going to revolt and start looking at alternatives.

Windows 8 fast startup comes at a cost

Traditionally, with each successive version of Windows, startup times have grown longer. Even the steady performance improvements in PC hardware were no match for the bloat of Windows.

With Windows 8, Microsoft decided to ‘improve’ startup performance by fooling users into thinking their computer is completely shut down when in fact it is not. It turns out that shutting down Windows 8 actually puts Windows into a suspended state, in which the current state of Windows is stored on a hard drive, ready to be loaded when the computer is restarted.

This kind of sleep/suspended state has been around for a while, and is most commonly used in portable devices such as laptops. However, there are drawbacks to this in Windows 8. Anyone attempting to boot to a different operating system, from another device (besides the default hard drive), or enter the BIOS setup program, will be unable to do so without resorting to special (hidden) methods. Worse, the classic Windows troubleshooting step of rebooting a computer will no longer accomplish much: any problems in Windows that would previously have been cleared by way of a reboot will persist in Windows 8.

I have no problem with Microsoft improving Windows’ startup performance, and I have no problem with them using sleep states to do that, but hiding what’s really going on is just going to cause a lot of confusion and frustration.

No surprise: latest Java still not secure

It looks like Java is currently the target of choice for malware authors, which must be a relief for Microsoft, since Windows was the target of choice for years. That means Java’s developer (Oracle/Sun) is in for a rough ride: the rate at which new Java vulnerabilities are found and exploits developed to use them is going to increase. The only thing that will reverse the trend is a big push by Oracle/Sun to make the core of Java a lot more healthy in terms of security. Until that happens, you’re going to keep hearing the same advice: don’t enable Java in your web browser unless you need it, limit Java use in the browser to sites and applications that require it, and even remove Java completely if you really don’t need it at all.

Relevant links:

Windows 8 Pro Upgrade price will quintuple at end of January 2013

If you’re going to buy Windows 8, you should do it soon. The promotional price of $40 for Windows 8 Pro Upgrade will end on January 31, 2012. After that, the price will be $200. I had hoped Microsoft would keep the price for Windows 8 low; $200 is excessive, especially if Microsoft really wants people to upgrade. Most people hesitate before spending $200 on anything, but $40 is a no-brainer, and even if you end up going back to Windows 7, at that price you won’t feel like you’ve been cheated. The accountants at Microsoft clearly haven’t yet learned that lowering software prices solves a lot of problems, including piracy.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.