We were wondering whether the recent Java updates addressed the security holes reported by Adam Gowdiak of Security Explorations. Well, Mr. Gowdiak tested the most recent Java in various browsers, and the answer is no, they do not.
Gowdiak went even further, developing a simple fix for the vulnerability. Oracle is unimpressed, saying that a proper fix will involve a lot more testing than the 30 minutes Gowdiak spent on it. They are sticking to their original estimate, that an official fix will not be available until the February 2013 Critical Patch Update.
So Java, despite the recent patches, is still vulnerable to exploits using the hole reported by Gowdiak. We continue to recommend disabling Java in web browsers.
A recent post at Microsoft’s Windows for your Business blog reads – as one might expect – a lot like PR hype for Windows 8. Even the subtitle: “Identifying your unique Windows 8 adoption path” assumes that the reader will be upgrading to the new O/S.
The gist of the article is that Windows 8 is going to be a really good thing for “the enterprise”, meaning businesses and corporations. Having read this article and much of the material linked from it, I remain unconvinced.
This list of features found only in the pricey ‘Enterprise’ edition of Windows 8 is supposed to get IT managers all excited about Windows 8, but I don’t see anything particularly compelling there. Not enough to upgrade from Windows 7, anyway. Sure, if you’re still running Windows XP in your IT shop, you might want to consider Windows 8, but right now, Windows 7 looks like a much safer bet. Thanks to Microsoft’s surprisingly generous support windows, Windows 7 is going to be around for a long time.
Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.
Many Windows computers also contain the Java Runtime Environment (JRE), which allows standalone Java applications to run without a web browser. Many system administration tools are developed in Java, since this allows the same code to run on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs in the JRE.
Java vulnerabilities exist both in Java browser plugins and in the JRE. However, Java code that runs in the JRE must be explicitly downloaded and installed by the user. For example, to play the full version of Minecraft, the user must go to the Minecraft web site, buy the game, download the installer, install the game on their computer, then run the game. On the other hand, Java code on a malicious or hacked web site can run automatically and invisibly the moment a user visits that web site – if their browser has a functioning Java plugin.
Clearly, Java web browser plugins present a much greater security risk than standalone Java. Our recommendations – echoed by the ARS Technica article – remain the same: you should seriously consider disabling Java plugins in your web browser, but it’s okay to leave the JRE installed on your computer.
Microsoft is apparently applying a strict set of rules to the Windows Store, which is making its debut on desktop PCs with the arrival of Windows 8.
By the current rules, many popular PC games would not be acceptable for the Windows Store, including Skyrim. Games not available through Windows Store would still be available in the usual way, but they would be limited to running on the Windows desktop rather than on the new user interface. But who cares whether a game will run on the new UI? Most PC games take over the entire screen when they run anyway.
I’m betting this goes one of four ways:
- Game developers ignore the Windows Store and sell their games the same way as before. Windows Store becomes increasingly marginalized and irrelevant.
- Microsoft figures out how to sell mature content in Windows Store, and game developers gradually give in and start using it.
- The Windows Store restrictions remain in place, Microsoft phases out support for desktop gaming, and PC gamers revert to Windows 7 in disgust. Windows 8 retail sales drop to zero, joining business sales levels.
- Microsoft relents, recognizing that the only way to keep Windows Store relevant is to allow people to buy what they actually want there.
See Techdirt’s coverage of this issue for more details and links.
Update 2012Oct27: Microsoft is apparently paying attention. They have decided to adjust their rules to allow inclusion of mature games, although the change will not take effect until as late as December 2012.
The Verge reports on findings from a Forrester study (as interpreted by The Wall Street Journal) showing that companies are significantly less interested in Windows 8 than they were in Windows 7.
Clearly, businesses have settled on Windows 7 to get them from the impending demise of Windows XP to the next (post Windows 8) version. Microsoft’s extended support for older operating systems is a real boon for IT departments, but there’s a danger that eventually Microsoft will give up and adopt a support model more like Apple’s, in which you’re practically forced to upgrade the O/S every other year.
Pokki is a freeware Start menu replacement program, previously available for Windows XP and 7. The developers recently added Windows 8 functionality, allowing users of that O/S to bring the Start menu back and avoid the goofy new user interface completely.
Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.
You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.
Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).
Update 2012Oct12: Version 16.0.1 of Firefox has just been released. The new version fixes the vulnerability that caused version 16.0 to be pulled from the Firefox download site yesterday. All users are encouraged to upgrade to 16.0.1 as soon as possible.
Firefox 16.0 has been removed from the Mozilla web site due to a new vulnerability. Users who have already upgraded to the new version should either downgrade to version 15.0.1 or exercise extreme caution before visiting any unfamiliar or suspicious web site. The new vulnerability makes it possible for web sites to access information that is normally protected by the browser.