Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.
Ars Technica recently asked their readers to talk about Java and how they use it. The resulting article outlines the results of this informal survey and makes some recommendations to users.
Many Windows computers also contain the Java Runtime Environment (JRE), which allows standalone Java applications to run without a web browser. Many system administration tools are developed in Java, since this allows the same code to run on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs in the JRE.
Java vulnerabilities exist both in Java browser plugins and in the JRE. However, Java code that runs in the JRE must be explicitly downloaded and installed by the user. For example, to play the full version of Minecraft, the user must go to the Minecraft web site, buy the game, download the installer, install the game on their computer, then run the game. On the other hand, Java code on a malicious or hacked web site can run automatically and invisibly the moment a user visits that web site – if their browser has a functioning Java plugin.
Clearly, Java web browser plugins present a much greater security risk than standalone Java. Our recommendations – echoed by the Ars Technica article – remain the same: you should seriously consider disabling Java plugins in your web browser, but it’s okay to leave the JRE installed on your computer.
Microsoft is apparently applying a strict set of rules to the Windows Store, which is making its debut on desktop PCs with the arrival of Windows 8.
By the current rules, many popular PC games would not be acceptable for the Windows Store, including Skyrim. Games not available through Windows Store would still be available in the usual way, but they would be limited to running on the Windows desktop rather than on the new user interface. But who cares whether a game will run on the new UI? Most PC games take over the entire screen when they run anyway.
I’m betting this goes one of four ways:
- Game developers ignore the Windows Store and sell their games the same way as before. Windows Store becomes increasingly marginalized and irrelevant.
- Microsoft figures out how to sell mature content in Windows Store, and game developers gradually give in and start using it.
- The Windows Store restrictions remain in place, Microsoft phases out support for desktop gaming, and PC gamers revert to Windows 7 in disgust. Windows 8 retail sales drop to zero, joining business sales levels.
- Microsoft relents, recognizing that the only way to keep Windows Store relevant is to allow people to buy what they actually want there.
See Techdirt’s coverage of this issue for more details and links.
Update 2012Oct27: Microsoft is apparently paying attention. They have decided to adjust their rules to allow inclusion of mature games, although the change will not take effect until as late as December 2012.
The Verge reports on findings from a Forrester study (as interpreted by The Wall Street Journal) showing that companies are significantly less interested in Windows 8 than they were in Windows 7.
Clearly, businesses have settled on Windows 7 to get them from the impending demise of Windows XP to the next (post-Windows 8) version. Microsoft’s extended support for older operating systems is a real boon for IT departments, but there’s a danger that eventually Microsoft will give up and adopt a support model more like Apple’s, in which you’re practically forced to upgrade the O/S every other year.
Pokki is a freeware Start menu replacement program, previously available for Windows XP and 7. The developers recently added Windows 8 functionality, allowing users of that O/S to bring the Start menu back and avoid the goofy new user interface completely.
The Verge has a nice writeup on the new Windows 8 features in Pokki.
Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.
You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.
Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).
It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.
Update 2012Oct12: Version 16.0.1 of Firefox has just been released. The new version fixes the vulnerability that caused version 16.0 to be pulled from the Firefox download site yesterday. All users are encouraged to upgrade to 16.0.1 as soon as possible.
Firefox 16.0 has been removed from the Mozilla web site due to a new vulnerability. Users who have already upgraded to the new version should either downgrade to version 15.0.1 or exercise extreme caution before visiting any unfamiliar or suspicious web site. The new vulnerability makes it possible for web sites to access information that is normally protected by the browser.
Users forced to switch to Windows 8 are going to have a hard time adjusting to the new user interface. People who provide technical support for those users are going to wish they were on an extended vacation. Ars Technica provides an early glimpse at the Windows 8 support experience.
Google encourages security researchers to discover security vulnerabilities in its web browser, Chrome. The recently-concluded Pwnium 2 contest revealed one new vulnerability. A $60,000 prize was awarded to its discoverer, and within hours, a new version of Chrome (22.0.1229.94) that addresses the vulnerability was released.
Despite the fact that Windows 8 has not yet started appearing on store shelves, Microsoft is releasing a set of updates for the new operating system. Since Windows 8’s RTM (release to manufacturing), several new issues have been discovered, and the updates are intended to address those issues.
Anyone testing or evaluating Windows 8 should install the updates, which are available through Microsoft Update.
Anyone buying a new computer with Windows 8 installed on it should check for and install any pending updates immediately after powering up the computer for the first time. Anyone installing Windows 8 after it is released to retail should also immediately check for and install any pending updates.
Another new version of the Firefox web browser was released today.
The release notes for version 16.0 describe all the most notable changes, while the bug fixes page for version 16.0 lists every change.