Homeland Security says Java is good for hackers – what to do?

Recently, the US homeland security group issued a warning about hacking and Java. An example article is found at “How to disable Java following Homeland Security warning”. This presents a problem for me. You see, applications like Libre Office and Open Office need Java. I decided to visit a couple of Java forums and pose a couple of questions. The article promised a fix by Oracle on Tuesday, January 15, 2013.

My Question

Now I used to program in Java, as well as other languages like C#, Perl and PHP. So here are my questions:

  • Can someone tell me the technical problem here with Java?
  • Why can’t Oracle, as well as the worldwide geeks in private enterprise, law enforcement and academia, suggest a proper fix or resolution?

Let’s look at some answers

Answer 1

Yes, a security vulnerability in Java 7 has been found. It isn’t the first and it won’t be the last. I will guarantee that Oracle (and probably the OpenJDK team) are working hard to fix it, but I’m betting that nobody from Oracle will make a comment in this forum, and only Oracle can suggest the real fix.

I find this fuss about a single Java vulnerability rather funny. Last time I checked, on my wife’s computer running Windows 7, the virus checker was checking for about a million viruses which exploited thousands of vulnerabilities, and she gets a couple of Windows security updates a week, but has anyone suggested turning off all computers running Windows? A whole industry has grown up around handling Windows vulnerabilities.

Answer 2

Nobody here can answer for CERT with respect to the first question. Nor can we answer for Oracle and the unspecified geeks in the second. However, there is some problem affecting Java applets running in web browsers, and Google reveals the usual standard of journalism in the reporting of that. (It seems a general rule that with respect to anything technical, scientific and, most especially, “security” related, that reporting should remain information free.)

There have been many such vulnerabilities in the Windows operating system, in Internet Explorer, in Firefox,…. that is live. I never heard the call to disable or deinstall Windows or Microsoft Internet Explorer because of that though. Strange, right?

Answer 3

It seems you should download and install the update. I haven’t read the page that closely so I’m not sure whether it fixes the fault or merely alerts you before applets run. So, to avoid “driveby” attacks, it might pay to be cautious about running Java applets if you are unsure about the applet or the site/page that hosts it.

I would still recommend against running Java applets or anything internet connected until there is further news about this. Obviously local Java development should not be a security issue (though I would try to not write programs which would connect to the interweb anytime soon).


Oracle released a version of Java on Monday, January 14, 2013. Hopefully, this solves the problem.

Forum answer:

Just read a BBC article, “Java still contains security flaws, experts claim”, about the issue, and it seems like there are still security issues with Java (even after the latest patch).


A couple of good tips from Terry’s computer tips newsletter are these:

