Java on the desktop: safe or not?

Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.

ARS Technica recently asked their readers to talk about Java and how they use it. The resulting article outlines the results of this informal survey and makes some recommendations to users.

On typical Windows computers, Java is installed as a browser plugin, allowing Java code on web sites to be run seamlessly within the browser. This should not be confused with Javascript, which is also used within web browsers, but despite its name, is a totally separate thing.

Many Windows computers also contain the Java Runtime Environment (JRE), which allows standalone Java applications to run without a web browser. Many system administration tools are developed in Java, since this allows the same code to run on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs in the JRE.

Java vulnerabilities exist both in Java browser plugins and in the JRE. However, Java code that runs in the JRE must be explicitly downloaded and installed by the user. For example, to play the full version of Minecraft, the user must go to the Minecraft web site, buy the game, download the installer, install the game on their computer, then run the game. On the other hand, Java code on a malicious or hacked web site can run automatically and invisibly the moment a user visits that web site – if their browser has a functioning Java plugin.

Clearly, Java web browser plugins present a much greater security risk than standalone Java. Our recommendations – echoed by the ARS Technica article – remain the same: you should seriously consider disabling Java plugins in your web browser, but it’s okay to leave the JRE installed on your computer.

Windows 8 Store Rules could be a problem for some games

Microsoft is apparently applying a strict set of rules to the Windows Store, which is making its debut on desktop PCs with the arrival of Windows 8.

By the current rules, many popular PC games would not be acceptable for the Windows Store, including Skyrim. Games not available through Windows Store would still be available in the usual way, but they would be limited to running on the Windows desktop rather than on the new user interface. But who cares whether a game will run on the new UI? Most PC games take over the entire screen when they run anyway.

I’m betting this goes one of four ways:

  1. Game developers ignore the Windows Store and sell their games the same way as before. Windows Store becomes increasingly marginalized and irrelevant.
  2. Microsoft figures out how to sell mature content in Windows Store, and game developers gradually give in and start using it.
  3. The Windows Store restrictions remain in place, Microsoft phases out support for desktop gaming, and PC gamers revert to Windows 7 in disgust. Windows 8 retail sales drop to zero, joining business sales levels.
  4. Microsoft relents, recognizing that the only way to keep Windows Store relevant is to allow people to buy what they actually want there.

See Techdirt’s coverage of this issue for more details and links.

Update 2012Oct27: Microsoft is apparently paying attention. They have decided to adjust their rules to allow inclusion of mature games, although the change will not take effect until as late as December 2012.

Lack of interest in Windows 8 runs rampant in the business world

The Verge reports on findings from a Forrester study (as interpreted by The Wall Street Journal) showing that companies are significantly less interested in Windows 8 than they were in Windows 7.

Clearly, businesses have settled on Windows 7 to get them from the impending demise of Windows XP to the next (post Windows 8) version. Microsoft’s extended support for older operating systems is a real boon for IT departments, but there’s a danger that eventually Microsoft will give up and adopt a support model more like Apple’s, in which you’re practically forced to upgrade the O/S every other year.

Critical Patch Update fixes 30 Java security issues

Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.

You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.

Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).

It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.

Firefox 16.0 pulled due to vulnerability

Update 2012Oct12: Version 16.0.1 of Firefox has just been released. The new version fixes the vulnerability that caused version 16.0 to be pulled from the Firefox download site yesterday. All users are encouraged to upgrade to 16.0.1 as soon as possible.

Firefox 16.0 has been removed from the Mozilla web site due to a new vulnerability. Users who have already upgraded to the new version should either downgrade to version 15.0.1 or exercise extreme caution before visiting any unfamiliar or suspicious web site. The new vulnerability makes it possible for web sites to access information that is normally protected by the browser.

Update 2012Oct12: No exploits using this vulnerability have yet been seen in the wild, but a proof of concept has been published. The POC demonstrates the vulnerability with a few lines of Javascript code that could be embedded on a web site. Now that this POC has been made public, it’s reasonable to assume that similar code will start appearing on hacked and malicious web sites in the very near future.

Microsoft releases patches for Windows 8

Despite the fact that Windows 8 has not yet started appearing on store shelves, Microsoft is releasing a set of updates for the new operating system. Since Windows 8’s RTM (release to manufacturing), several new issues have been discovered, and the updates are intended to address those issues.

Anyone testing or evaluating Windows 8 should install the updates, which are available through Microsoft Update.

Anyone buying a new computer with Windows 8 installed on it should check for and install any pending updates immediately after powering up the computer for the first time. Anyone installing Windows 8 after it is released to retail should also immediately check for and install any pending updates.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.