Java security

At one time there was much talk of the dangers of using Java but everything now seems to have gone quiet.
Does anyone know whether the problems have been resolved and if it is now safe to put our heads above the parapet again?

I think its fair to say Java now is currently fairly secure. I think its also fair to say that just like running flash and ActiveX, running Java makes your browser/PC a lot more insecure than it does by simply not having it installed.

It is only secure until the next well known exploit comes along.

There aren't many websites which need it now really, is there any specific reason you want to reinstall it?

From time to time I run Pingtest.net which uses Java to check packet loss.
Not important but slightly irritating not to be able to use it.

Use tbb line monitor or f8lure to give you a better idea of packet loss

Thanks for suggestions. I can't use TBB as I don't have a fixed IP address. I'll think about f8lure, though am reluctant to sign up to things I don't use often

Java is still the most exploited browser plug-in. This is because it lacks automatic update and as a result of this, lots of computers are using an old version of Java.

http://www.darkreading.com/vulnerability/no-java-pat...

Avoid using Java if possible. Disable the Java browser plug-inn if you only need Java for desktop applications, such as Minecraft and Wuala.

Edited by Zadeks (Tue 11-Jun-13 10:46:35)

Is Java the same thing as Javascript in browsers? Do I need Java installed to use Javascript in browsers, especially for Youtube videos and BBC iPlayer videos?

Also what's Microsoft Silverlight? What is that needed for?

No, they are totally different. You do not need Java installed to use Javascript-enabled websites. Very few websites require Java these days.

Silverlight is Microsoft's answer to Adobe Flash. Only install if it you definitely need it!

So I can uninstall Java, and things like Flash menus, cascading style sheets and Flash videos as well as my antivirus software will all work fine?

Yes.

What about Microsoft's .Net Framework?

It depends. Some programs require .net in order to operate. Microsoft Windows Update will keep .NET up-to-date for you. It's much less of a security risk than Java.

you can potentially have the same update settings on java's auto-update as on Windows update ie download but ask before install.

There's a java tool to remove old versions now.

Java isn't capable of automatically updating.

indeed, but it will automatically download updates and tell you they're ready - as does Windows Update if so configured.

according to that article the prime reason is nothing to do with automatic update but more to do with that the sun vendor wont patch old versions and new versions are incompatible with apps, since compatability is king over security they dont upgrade.

Also java has by default ran automatic update checks for years.

I dont believe in silent automatic updates without user's consent. Treating end users like pre-school children.

More sane advice would be to ensure the relevant java options are enabled which is check for updates and also to prompt to run on every instance its ran as well as to warn if outdated when running, also in browser have the browser configured to require authorisation to run on unknown sites (whitelist). Now the default behaviour in firefox and chrome, IE9+ can be configured to run in that way also by removing the * from the run whitelist.

A big problem with updating java is it usually at least requires the browser to be closed before updating and sometimes needs a reboot, whilst that is so messed up they cant do background updates. I often have to defer java updates because I cant always close all my browser windows or reboot on a whim.

More of an Enterprise excuse than anything else.

Automatic update checks are not enough. They weren't enough for Adobe and they aren't enough for Java. If people paid attention to pop-up dialogues, more versions of Java would be up-to-date.

Love 'em or hate 'em, silent upgrades are the future and they're coming to the majority of operating systems and devices near you.

Again, people really don't pay attention to update dialogues. White listing 'safe' web plug-ins is better than requiring a user to white list 'safe' sites.

Requiring an immediate browser restart is another reason why the manual update process sucks. If the update were silent, it might be possible to apply the update just before shutdown or when the user has closed the browser and is about to restart it.

Noscripts add on does the update process the best (along with Firefox). Downloads and installs the update while you browse, then applies it the next time you restart the browser. You dont even know its done it and requires no interaction with the user or interferes with your browsing session

silent updates are ok when its strictly security updates only eg. a/v defnitions and they are seamless eg., no reboots.

The problem is when dev's mix it in with feature updates which then introduces bugs and ruins the end user experience., breaks comptability etc.

There seems to be a desire by dev's to forcefully rollout feature updates which in turn creates a desire from end user's to resist these updates, so blame dev's not enduser's.

If you are trying to say companies should just put up with broken applications and downtime to satisfy your desire then it wont happen. They would just stick to the previous version before silent updates introduced.

Believe me on this, I do work for various companies, some are highly resistant to updates as their absolute priority is uptime and compatability. When I do updates and patching I have to do with extreme care to make as seamless as possible.

If i were to set servers I manage to silently automatically update to every update that comes their way, I would be out of a job as there would be chaos with things breaking left right and centre.

Edited by Chrysalis (Mon 12-Aug-13 16:51:30)

Enterprise is a different kettle of fish. There are complex and expensive ways of mitigating Java exploits without rolling out the latest update.

Yes, I would fire you if you set a server to auto-update.