Dailydave mailing list archives
Re: Where is the Java-Apocalypse?
From: "Altieres Rohr" <altieres () gmail com>
Date: Mon, 14 Jan 2013 14:56:01 -0200
Java is a broken technology, as far as browser security is concerned, even without any zero day. It can run self-signed applets outside the sandbox, something Internet Explorer never did with ActiveX. Reason: it's a bad idea.

http://www.cert.org/blogs/certcc/2008/06/signed_java_security_worse_tha.html

If you read the advice this screen gives to the user, it says that "you have to trust the origin of the application". Which origin? The Publisher and Name are untrustworthy (because it's not signed). Do they mean the "From"? If yes, there's some bad news - a lot of these applets get put in legitimate websites.

Its option to disable applets in the browser didn't use to work. Now it does. But here's what CERT has to say about it:

http://www.kb.cert.org/vuls/id/625617

"Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details. Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin. Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation."

Java can't install a Control Panel option, nor respect a checkbox without crashing.

And then there's the self-update mechanism. It checks for updates every two weeks using its own scheduler (the Windows scheduler is beyond them), but only installs them after a month by default. And when it finally knows a new update is available, it throws a UAC prompt to the user without any warning.
It's the kind of thing every user should not accept, because you should only see prompts after actions. Of course, you shouldn't see UAC prompts for updates at all.

But that's not all. After you accept the UAC prompt, you have to interact with the Java tray icon. If you don't, it won't install. After you click the tray icon, you click Install. Then you click Install. Again. Then you tell it that no, you don't want a new toolbar or change the default search engine in your browser. Then you click Next. Then you wait while there's a big installation window sitting there telling you how great Java is while the update progresses. Then you tell it that no, you can't restart your browser. And you click Close. Then it complains that you will have to reboot your system (?) if you don't restart your browser. And depending where you click, it restarts your browser anyway. And if you had disabled Java in your browser, you might have to disable it again.

It's no wonder that old Java exploits still work, or that users accept to elevate malicious applets. The applet and update functions are broken in their very design. The less than stellar coding is icing on the cake.

Regardless, Java programmers always complain that I'm being unfair when I say JRE is not user friendly. So perhaps that's why Java has had the same issues for years - its developers are happy as followers, instead of interested in improving their tool. If developers are happy to code for it, users have no choice but to install and (attempt to) keep JRE updated.

Regards.

Altieres Rohr
linhadefensiva.org | editor
g1.globo.com | columnist
www.altieresrohr.com.br