Java security problems
 

There has been a lot of publicity about Java recently which leaves computers vulnerable to attacks by hackers. Many sources suggest disabling Java until a proper fix is found.

I am using Windows 7, 64 bit, and Firefox as my preferred browser. Can anyone suggest what effect disabling Java will have?

If anyone wants to heed the warnings and disable their Java, instructions can be found here.

If you don't use Java apps none.

If you use Java apps, things will break.

To be honest, for your average punter, disabling Adobe Flash is more likely to have a pronounced effect.

Why not try it and see ?

Ok I will bite, what won't work if people disable Adobe Flash? I have no idea
myself but knowing my luck with computers I don't wish to just do it as
something bad is bound to happen.:(

Many websites use Adobe Flash to deliver interactive and/or streaming content (BBC iPlayer for example) Some newer websites are using HTML5 to do this, but Flash is quite a popular technology with lots of knowledgeable coders out there.

Latest version of Java was available yesterday.

...and reportedly also 'vulnerable'...................

important security tip is to uninstall all old versions of the Java VM
Installing a new version does not remove the old ones by default. They get left behind and are available to be hacked (even if not active).
Obviously if you need a specific old JVM version for a specific application then you can't remove that, but otherwise remove old versions as soon as a new one comes along.
Also in the Java applet in the control panel, on the general tab > temporary internet files > settings > UNTICK the box which says "keep temporary internet files on my machine"

Its not a lot, but it helps

Yes well, if you want things to stop working ...

There are two main reasons for having Java installed.

(1) You are running some desktop applications that are written in Java.

(2) You wish to run some Java applets embedded in web pages.

The security risks are mostly with (2), and the suggested workarounds, such as disabling Java in the browser, are mostly aimed at this scenario.

If however you are in scenario (1) it is quite likely the case that each Java application you rely on needs a specific version of Java (each version has its own bugs, so each application might be targetted to a specific version). In this case uninstalling old versions will kill the applications that rely on them.

Scenario 1 can also apply to scenario 2.

I know of at least one well established professional stockmarket data feed tool that relies on Java Applets and the developers recommend specific versions of Java.

What you say is correct, but for most home users there isn't that need to use old versions. Few use version-dependent programs. For the average home user, the simple fact is that they should have one JVM installed: the newest available

For a few days I've had an alert 'Java Update Available' and I really don't know whether to trust it.

Program name: jucheck.exe
Verified publisher: Oracle America, inc.
File origin: Hard drive on this computer

Any thoughts?

yes, run it, and accept the update
its a security patch, and an important one

Milo, thanks. Roger Wilco;)

- but do be aware that some 'experts' still rate this Java as 'flawed'. I have gone back to disabling in the browsers until all this kerfuffle settles down. I see quite a few Java based sites offering 'alternatives' like Flash' (again, not guaranteed perpetually safe) and have not encountered a problem.

I have a friend locally who's business is based on a large security prog written in Java. I wonder what the future holds?

I have been told that it's best to delete older versions when you have installed the latest update. You can do this by looking in your 'add remove' programms application (in xp) or 'uninstall program' (in 7 etc) and that way
circumventing any risk that any exploit created to intercept that version cannot be used if it has been deleted - just make you check you have the latest version before doing that.

Java IS flawed, period. And this "kerfuffle" won't die down as malware writers are increasingly targetting it in preference to Windows itself.
However, if you are browsing the web, you probably need it. Especially if you shop online, bank online, pay your bills online, play games online......

The suggestion of using Flash instead is a non-starter: that has a completely different set of uses, and is not an alternative product. Also, its just as flawed and vulnerable as Java

To try to be secure, you need to have installed the latest version of Java, and ensure thats the only version installed, unless you need an earlier version for a specific piece of software. Most home users don't.
Make sure you have up to date reputable security software (McAffee and Norton are not reputable in my book).
And most importantly - practice safe browsing. Browsing and sex are similar in that if you take risks, then both will give you a pox

Agree with all of that, but what about my last line regarding the future for JAVA-based programmers?

I can't answer that
However the phrase "security program written in Java" rather gives the impression of being oxymoronic

All programming languages have a finite lifetime. Choosing to be a "JAVA-based programmer" is a mistake. What one needs to be is a "programmer who, amongst plenty of other languages, can use JAVA".

That's what he told me - something to do with financial transactions I believe. I was quite impressed when I first heard about 2 years back, but now..........................I even got a library book out to look at Java

I use a 64-bit web browser which happily renders me immune to most web-borne threats. Wahoo! :}

"I use a 64-bit web browser which happily renders me immune to most web-borne threats"

There speaks someone who has the words "born victim: please mug me" stencilled on his forehead

True, but Java will be around for a long time. C# pretty much killed any mass market desktop for Java, and Flash pretty much killed it in web browsers, but it's big on servers, is used a lot in custom business apps and is now the default development language for Android. We have Java server systems in the field that are expected to be running well into the 2020s.

The main point is that you shouldn't have Java enabled in your browser unless you need it, just as you shouldn't have Flash enabled unless you need it. Any plugin introduces new security holes, so you should always disable any you don't need.

BOAC,

There's plenty of future for JAVA programmers in the Financial Sector.

Much more of a future than there is for people who program in the short-term trendy languages like Python, Ruby and all that nonsense.

C/C++ will always be the big daddy though, so that might be a good thing for Java programmers to learn if they want some diversity of skills.

Aye. The popular it becomes the more it is likely to be targeted by fraudsters etc, especially as more and more financial transactions are happening online than ever before.

I can imagine though that whilst most of these viruses and exploits are
'genuine', I could hazard a geuss that some of them are planted on purpose
by the very companies that are supposed to protect from it. No viruses and
no business and profit for these companies. But that is pure speculation on my part.

"But that is pure speculation on my part."

No, just pure paranoia. Though I've often wondered about how the Kasperskys learnt their trade behind the iron curtain, with a ban on exports of PCs to the Soviet bloc

I suspect like Mr Putin, they spent some time in alphabet city during their formative career years where easy access to otherwise verboten would be par for the course. :cool: