Home page logo
/

dailydave logo Dailydave mailing list archives

Re: Where is the Java-Apocalypse?
From: "Altieres Rohr" <altieres () gmail com>
Date: Mon, 14 Jan 2013 14:56:01 -0200

Java is a broken technology, as far as browser security is concerned, even
without any zero day.

It can run self-signed applets outside the sandbox, something Internet
Explorer never did with ActiveX. Reason: it's a bad idea.
http://www.cert.org/blogs/certcc/2008/06/signed_java_security_worse_tha.html

If you read the advice this screen gives to the user, it says that "you have
to trust the origin of the application". Which origin? The Publisher and
Name are untrustworthy (because it's not signed). Do they mean the "From"?
If yes, there's some bad news - a lot of these applets get put in legitimate
websites.

Its option to disable applets in the browser didn't used to work. Now it
does. But here's what CERT has to say about it:
http://www.kb.cert.org/vuls/id/625617

" Starting with Java 7 Update 10, it is possible to disable Java content in
web browsers through the Java control panel applet. Please see the Java
documentation for more details.
Note: Due to what appears to potentially be a bug in the Java installer, the
Java Control Panel applet may be missing on some Windows systems. In such
cases, the Java Control Panel applet may be launched by finding and
executing javacpl.exe manually. This file is likely to be found in
C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.
Also note that we have encountered situations where Java will crash if it
has been disabled in the web browser as described above and then
subsequently re-enabled. Reinstalling Java appears to correct this
situation."

Java can't install a Control Panel option, nor respect a checkbox without
crashing.

And then there's the self-update mechanism. It checks for updates every two
weeks using its own scheduler (the Windows scheduler is beyond them), but
only installs them after a month by default.
And when it finally knows a new update is available, it throws an UAC prompt
to the user without any warning. It's the kind of thing every user should
not accept, because you should only see prompts after actions. Of course,
you shouldn't see UAC prompts for updates at all.

But that's not all.

After you accept the UAC prompt, you have the interact with the Java tray
icon. If you don't, it won't install.
After you click the tray icon, you click Install.
Then you click Install. Again.
Then you tell it that no, you don't want a new toolbar or change the default
search engine in your browser.
Then you click Next.
Then you wait while there's a big installation window sitting there telling
you how great Java is while the update progresses.
Then you tell it that no, you can't restart your browser. And you click
Close.
Then it complains that you will have to reboot your system (?) if you don't
restart your browser.
And depending where you click it restarts your browser anyway.

And if you had disabled Java in your browser, you might have to disable it
again.


It's no wonder that old Java exploits still work, or that users accept to
elevate malicious applets.
The applet and update functions are broken in their very design. The less
than stellar coding is icing on the cake.

Regardless, Java programmers always complain that I'm being unfair when I
say JRE is not user friendly. So perhaps that's why Java has the same issues
for years - its developers are happy as followers, instead of interested in
improving their tool. If developers are happy to code for it, users have no
choice but to install and (attempt to) keep JRE updated.


Regards.

Altieres Rohr
linhadefensiva.org | editor
g1.globo.com | colunista
www.altieresrohr.com.br

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault