
Thread: Homeland Security and Java

  1. #1
    Junior Member
    Join Date
    Jan 2013
    Location
    Carol Stream, Illinois USA
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Homeland Security and Java

    Recently, the US homeland security group issued a warning about hacking and Java. An example article is found at How to disable Java following Homeland Security warning | Washington Times Communities. Now I used to program in Java, as well as other languages like C#, Perl and PHP. So here are my questions.
    1. Can someone tell me the technical problem here with Java?
    2. Why can't Oracle, as well as the world wide Geeks in private enterprise, law enforcement and academia suggest a proper fix or resolution?


  2. #2
    Super Moderator helloworld922's Avatar
    Join Date
    Jun 2009
    Posts
    2,896
    Thanks
    23
    Thanked 619 Times in 561 Posts
    Blog Entries
    18

    Default Re: Homeland Security and Java

    For future reference, post the original URL in your links. Shortened URLs are difficult to determine if they redirect safely to the intended site. I've edited your post to point directly to the original article.

  3. The Following User Says Thank You to helloworld922 For This Useful Post:

    curmudgeon (January 13th, 2013)

  4. #3
    Super Moderator pbrockway2's Avatar
    Join Date
    Jan 2012
    Posts
    987
    Thanks
    6
    Thanked 206 Times in 182 Posts

    Default Re: Homeland Security and Java

    Also at Java Programming Forum - Learn Java Programming where I've posted some links to CERT and Oracle that are informative.

  5. #4
    Super Moderator helloworld922's Avatar
    Join Date
    Jun 2009
    Posts
    2,896
    Thanks
    23
    Thanked 619 Times in 561 Posts
    Blog Entries
    18

    Default Re: Homeland Security and Java

    @pbrockway2 You posted a link to the moderators forum post

  6. #5
    Super Moderator pbrockway2's Avatar
    Join Date
    Jan 2012
    Posts
    987
    Thanks
    6
    Thanked 206 Times in 182 Posts

    Default Re: Homeland Security and Java

    Whoops! I meant this one: Homeland Security and Java

  7. #6
    Super Moderator helloworld922's Avatar
    Join Date
    Jun 2009
    Posts
    2,896
    Thanks
    23
    Thanked 619 Times in 561 Posts
    Blog Entries
    18

    Default Re: Homeland Security and Java

    I take it the post on the other forum was also in the moderator section? I don't see it on the "publicly available" post.

  8. #7
    Super Moderator pbrockway2's Avatar
    Join Date
    Jan 2012
    Posts
    987
    Thanks
    6
    Thanked 206 Times in 182 Posts

    Default Re: Homeland Security and Java

    Umm... Works for me when I click the corrected link.

    Anyway, here's what I posted:

    This thread has been kept invisible for a bit - ironically because people here are somewhat cautious about clicking on random links, and it isn't clear exactly where the link you provided leads to.

    Nobody here can answer for CERT with respect to the first question. Nor can we answer for Oracle and the unspecified geeks in the second. However there is some problem affecting Java applets running in web browsers, and Google reveals the usual standard of journalism in the reporting of that. (It seems a general rule that with respect to anything technical, scientific and, most especially "security" related, that reporting should remain information free.) The following links may be useful:

    * The CERT advisory is at Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code
    * Oracle have released Oracle Security Alert CVE-2013-0422 describing the problem
    * and released update 11 for JDK 7 at the usual download page Java SE Downloads

    It seems you should download and install the update. I haven't read the page that closely so I'm not sure whether it fixes the fault or merely alerts you before applets run. So, to avoid "driveby" attacks, it might pay to be cautious about running Java applets if you are unsure about the applet or the site/page that hosts it.

  9. #8
    Junior Member
    Join Date
    Jan 2013
    Location
    Carol Stream, Illinois USA
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Homeland Security and Java

    Today there is a new release of Java. Hopefully, this release addresses the problem I mentioned.

  10. #9
    Super Moderator helloworld922's Avatar
    Join Date
    Jun 2009
    Posts
    2,896
    Thanks
    23
    Thanked 619 Times in 561 Posts
    Blog Entries
    18

    Default Re: Homeland Security and Java

    Just read a BBC article about the issue, and it seems like there are still security issues with Java (even after the latest patch).

    I would still recommend against running Java applets or anything internet connected until there is further news about this. Obviously local Java development should not be a security issue (though I would try to not write programs which would connect to the interweb anytime soon).

  11. #10
    Member
    Join Date
    Jun 2012
    Location
    Left Coast, USA
    Posts
    451
    My Mood
    Mellow
    Thanks
    1
    Thanked 97 Times in 88 Posts

    Default Re: Homeland Security and Java

    With versions of Firefox that I use on my CentOS 5.8 and CentOS 6.3 Linux systems, the Java plugin was not supplied.

    If you get the plugin (part of JRE from Oracle) and go to activate it there are several manual steps. You have to really want it.

    When you finally get it set up you are presented with a warning message from Firefox. Here's part of the message from Firefox 10.0.11:
    Java Plugin has been blocked for your protection.
    .
    .
    .
    Who is affected?
    All Firefox users who have installed the Java plugin, JRE versions below 1.6.0_33 or between 1.7.0 and 1.7.0_4.
    .
    .
    .
    After all of this, if you really want to activate it so that you can run Java applets from your favorite web site, you can, but you can't say you haven't been warned.


    It has been suggested that a useful browser feature might be an "opt-in" option on a site-by-site basis for browsers so that if you want to use an applet from a trusted site you might be able to. (You can presently set up an "opt-in" option for all cookies. It asks you whether you want to accept cookies when a site wants to set one.)

    Even if this were available for Java plugins, I note that you still would have to be on guard for malware that can stash itself in your system and cause redirection from the web site that you think you are accessing to one of the blackhat guys. Remember the infamous Windows rootkit exploit? Particularly nasty since it exploited a security feature at the very bottom of the operating system and hidden from just about all "normal" programs. This thing is still floating around, but now there are ways of detecting and preventing it. Most of the time. (I suspect that if any of the bad guys are successful in infecting your computer this way, they would have something in mind more "interesting" than playing havoc with java applets.)

    Anyhow...

    There have been lots of Java browser plugin security flaws reported over the years (I seem to remember one last July or August), but actual attacks have not been widely documented. This latest warning comes, apparently, from real exploits that are now loose in the wild. Warning from U.S. Homeland Security? That's a new one (I think).

    Furthermore...

    I'm thinking that there have been security flaws for just about every program (major or minor) in widespread use, not just the Java plugins for browsers. I mean, I get security updates for various Linux application programs at a rate of several a week, but there are rarely any actual exploits.

    Anyhow, I can't say how widespread any exploits of the latest Java plugin bug really are, but...

    You can't say that you haven't been warned. (But I said that already.)


    Bottom line: Eternal vigilance is not only the price of freedom. It is also the price of security. (To the extent that security is attainable.)



    Cheers!

    Z
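
Added example, not part of any post in this thread: a small Java check of whether a JRE version string falls inside the range quoted in the Firefox 10.0.11 block message above ("below 1.6.0_33 or between 1.7.0 and 1.7.0_4"). The class and method names are hypothetical, the 1.7.0 range is assumed to be inclusive at both ends, and the sample version strings are constructed; the range is the one Firefox quoted at the time, not a statement of which releases fix CVE-2013-0422.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PluginBlockCheck {
    // Legacy JRE version strings: "1.7.0", "1.7.0_04", "1.6.0_33-b03".
    private static final Pattern LEGACY =
        Pattern.compile("1\\.(\\d+)\\.(\\d+)(?:_(\\d+))?(?:-.*)?");

    /** Returns {major, minor, update}, or null if not a legacy 1.x.y[_z] string. */
    static int[] parse(String version) {
        Matcher m = LEGACY.matcher(version.trim());
        if (!m.matches()) {
            return null; // e.g. "17.0.2": newer scheme, outside the quoted range
        }
        int update = m.group(3) == null ? 0 : Integer.parseInt(m.group(3));
        return new int[] {
            Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)), update };
    }

    /** Lexicographic comparison of {major, minor, update} triples. */
    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    /** True if the version is inside the range quoted in the Firefox message. */
    static boolean inQuotedBlockRange(String version) {
        int[] v = parse(version);
        if (v == null) return false;
        boolean below16u33 = compare(v, new int[] {6, 0, 33}) < 0;
        boolean in17Range = compare(v, new int[] {7, 0, 0}) >= 0
                         && compare(v, new int[] {7, 0, 4}) <= 0; // assumed inclusive
        return below16u33 || in17Range;
    }

    public static void main(String[] args) {
        // Constructed sample versions, followed by the JVM running this check.
        String[] samples = { "1.5.0_22", "1.6.0_32", "1.6.0_33", "1.7.0",
                             "1.7.0_04", "1.7.0_05", "1.7.0_11-b21",
                             System.getProperty("java.version") };
        for (String s : samples) {
            System.out.printf("%-14s %s%n", s,
                inQuotedBlockRange(s) ? "in quoted block range" : "not in quoted range");
        }
    }
}
```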
