April 16, 2014

Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all).

javamessThe latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 55. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 5 (Java 8 doesn’t work on Windows XP).

According to Oracle, at least four of the 37 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 10.0 — the most severe possible. According to Oracle, vulnerabilities with a 10.0 CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).


87 thoughts on “Critical Java Update Plugs 37 Security Holes

  1. arnim

    Apart from the usual desktop-patching, do you have a clue how easily CVE-2014-0457 can be exploited from the server side? The description from oracle sounds not good:

    “Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.

    Applies to client and server deployment of Java. “

  2. Tim A

    When it comes to Java or anything Adobe, aren’t they all critical? lol

    Thanks for the heads-up, Brian!

  3. LG04

    I really like the suggestion you have of using two browsers. I do this at home. I have FireFox locked down tight, no flash installed, Java disabled, no script, etc. and use Chrome with security features (noscript, prompt for plugins, etc) for sites that need those features. And IE has been removed from the Windows computers.

    As always, great reporting!

    1. 0x003

      Hi LG04, care to share how you remove IE on your windows? in my experience with WinXp if you remove IE8 it will revert to IE6. TIA

      1. JCitizen

        Yep! Internet Explorer(IE) is part of the operating system, you can no more remove it completely that the base kernel of the code!

  4. schmo

    if you don’t have java installed, and goto jav.com to see if you have it installed, it will tell you to install java in order to continue… more or less.

    1. Vee

      You either forgot the “a” in “java.com” or you knowingly posted a porn site.

      Oh yeah, I mention that’s a porn site? That’s a porn site, yep.

  5. ahazuarus

    I am in the category of “has to use Java for a legacy application” but only on a specific workstation and it’s not linked to internet explorer. I use the ninite.com’s installer to update it… Very quick and painless.

    1. Bob

      Yes, we’re in the same boat. Our 64bit machines that are running Perceptive software are required to run Java 6 still. Our 32bit machines can run 7 but out SIS doesn’t like 7.51. I do like the idea of having separate browsers to play/work and will suggest it to my team.

  6. Anonymous

    Brian, I’ve finally done it. Java is gone from my system.

  7. s7

    While at work we have to have a specific older version of Java installed to run our Oracle ERP system. (Version 6 Update 27)

    Apparently Oracle updates Java much quicker than they can update their other software that relies on Java to run.

    Craziness….

    1. dlam

      The vulnerability lies in running java in browser. If you follow Brian’s advice on “click-to-play”, you should be safe even you have an older version of java installed.

  8. Katrina L.

    Can’t wait to remove Java from my computer as soon as I get off work. I wouldn’t be surprised if it wasn’t Java that shot my mother’s computer straight to crap. Thanks for the posting, reminded me of exactly what I needed to do when I got home.

    1. Old School

      After Java has been uninstalled, be sure that all related directories have been deleted including the directories made during the Sun Microsystems days. In days of olde, the Java upgrade process left obsolete versions on my PC and I have found folders call “sun” in general application data folders.
      Is there a Java guru in the audience that could elaborate on this subject? Could someone write a definitive Java removal checklist?

      1. Vee

        Same with Adobe stuff. There’s probably automated “full installer tools” either official or unofficial floating around. To get rid of all traces of old stuff though you’d just be better off with a fresh install of the OS.

        But as long as you don’t have multiple versions of like java.exe/javaw.exe running then it’s probably harmless clutter, right?

  9. Old School

    Long ago, after reading Brian’s many stories about Java, I solved all current and future Java problems through the use of one word: uninstall.

    1. Rabid Howler Monkey

      I only install Java on [a subset of] my GNU/Linux desktop systems where I run a number of Java applications. While I realize that Java vulnerabilities are multi-platform, there’s very little malware, especially, mass malware, that targets Java on the GNU/Linux desktop. Note, however, that this is not an excuse to be careless with Java.

      *Importantly*, most GNU/Linux distros use open source Java, the OpenJDK JRE and IcedTea browser plug-in, which are kept up-to-date via the distros update managers. In addition, downloading/installing the NoScript add-on for Firefox to manage frequently-visited, legitimate web sites also helps to reduce the Java risks.

      Now would be a great time for those needing to run Java applications and/or visit websites that require the Java plug-in to convert their no longer supported Windows XP-based PCs to GNU/Linux desktops. Both Ubuntu and Linux Mint include open source Firefox and Java, by default.

  10. uyjulian

    Just remove Java from the browser.
    I really only use Java for android development and Minecraft.
    There are some programs that turn java “.jar” files into native executables that do not require java.

    1. Rabid Howler Monkey

      There might actually be some users that have no need to run Java applications, but *do* need to run Java applets via the Java web browser plug-in for at least one important web site.

      If Java is as dangerous as Brian Krebs makes it out to be (and I’m not stating that it isn’t), then one should look for options to use Java without having to install it on one’s PC, especially a PC running Windows which is unmercifully targeted by the exploit kits. Brian’s two-browser solution won’t protect a user from Java zero-days that exploit kit writers can, apparently, now afford to buy.

      That’s why I believe that the USAF Lightweight Portable Security (LPS) Public Linux distro for a LiveCD is safe alternative as it includes both Java and the Firefox NoScript add-on:

      http://www.spi.dod.mil/lipose.htm

      Note that this is similar to Brian’s recommendation of using Puppy Linux for online banking.

      Burn the LPS ISO to a CD and boot the CD when visiting web sites that require the Java web browser plug-in. And be sure to sign up to the lipose web site to be notified when new ISO releases are available:

      http://www.spi.dod.mil/LPS_notify.htm

  11. Maureen

    After hearing Brian encourage us many times to divorce ourselves from Java, I worried, whined, and delayed, but finally took a deep breath and did it. I’ve never regretted ditching it.

    Thanks again, Brian.

  12. IN

    Are you thinking of having people remove Windows as it too has bugs. C and C++ also have some doosies when it comes to bugs. Shall we stop with those also? Perhaps we can all run Linux or Mac. But hang on they use Java also.

    How about don’t use a browser as that can open you up to vulnerabilities. Block PHP sites, there is malware on those.?

    Having Java only on a second browser – Still means you are using Java.

    This is poor advice and will be taken the wrong way by most people. I really suggest a rethink and rewrite.

    Try educating rather than getting hits based on scarring ppl.

    “it is easier to scare than inform”

    1. BrianKrebs Post author

      Spoken like a Java developer! Seriously, I have no idea who you are or what your interest or investment in Java may be, but to accuse me of fear mongering on this issue means you haven’t got the slightest clue about how most exploit kits work.

      You browse to a site that’s hacked or booby trapped with an exploit kit, and if you’re not up to date with the *very* latest Java, you will almost certainly get malware foisted on your system. I’ve had a chance to look inside countless exploit kit panels that show which exploits are most successful, and it’s always Java powering about 90+ percent of the successful infections.

      E.g.

      http://krebsonsecurity.com/2012/07/new-java-exploit-to-debut-in-blackhole-exploit-kits/

      and

      http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits/

      But it’s not enough to be up to date on the patches, because some of the guys developing these exploit kits now have nearly million dollar budgets to buy zero days in the underground. What kind of zero days are most prized by exploit kit makers? Java.

      http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/

      http://krebsonsecurity.com/wp-content/uploads/2014/04/jpm-buysploits-1.png

      1. IN

        I have no argument with your experience or abilities. They are clear to see.

        However your audience, some of whom are not as experienced are reading this as – Java is evil, remove everything to do with it.

        And this is spreading poor and unnecessary advice.

        1. BrianKrebs Post author

          Fair enough, but I don’t think that offering the idea of a two-browser approach as an alternative to removing it outright is a bad idea. In fact, for most end users, this is a very workable concept. Those who can’t keep this stuff straight (and who probably aren’t up to the task of constantly updating this program) probably are best removing it from the browser or nixing Java altogether. Java is not really that widely used on the Web anymore (those who argue otherwise are usually confusing Java with Javascript).

          1. Ne'er do well

            Thank you Krebs. I like your simple solution. Dump it if you don’t want to put up with java. Two browsers goes about as far as my interest in messing with fixes and all the technobabble above about how to use Linux or c++ bugs or all that is just blah blah blah.
            People thump your chests elsewhere and leave the man alone.

          2. IN

            Thank you for the reply.

            Perhaps a bit more of a write up on:

            “confusing Java with Javascript”

            Would be of real use to a number of users.

            And save Minecraft from going broke as people shun all things Java 🙂

            1. JCitizen

              Fer sure! I should dump my provider, but I’m too lazy, and they have been an internationally recognized security firm(I know that sounds like an oxymoron) but I refuse to get rid of them until gigabyte service is installed, then I will have to by a new appliance. I will dump anyone who forces me to use Java after that!

            2. out

              Malwarebytes Anti-exploit does multi stage behavioral analysis on most browsers as well as Java Itself. If you play Minecraft you should use it!

          3. Rick

            One thing that I find ironic is how many military-based sites are dependent on a) Internet Explorer b) Java and c) Flash. Class, which are historically the 3 most prevalent vectors to get your system owned?

            1. Cindy

              With respect to Explorer. Explorer allows for log-in with PII card certification that most browsers don’t. Chrome is a browser designed with marketing in mind. Secure military systems are not connected to the internet.

                1. Cindy

                  Mozilla is more compatible than IE to HTML5 and CSS3 but the DOM’s are different. It is more of a compatibility with existing products than just the card reader and believe me the card reader is a big negative with Mozilla. You can argue what is supported and what isn’t but it comes down to there being too many issues.

              1. rthonpm

                IE just appears to be the only browser that can support CAC/PIV cards since it’s able to use the native certificates cache in Windows. Firefox uses its own certificate cache and adding the CA and PIV certs to it will allow it to work quite well.

          4. timeless

            I seem to recall that you used to have a standard paragraph (for new readers) explaining that “JavaScript is not Java” or similar.

            Perhaps if you were to resume including such a paragraph — or possibly have “or to ditch the program once and for all” link to an article explaining why people can ditch it, i.e.:

            … what they usually encounter is JavaScript sent to their web browsers (which has nothing to do with Java), or HTML content sent by Java applications running on web servers (which doesn’t require their web browsers to support Java).

      2. Java The Hutt

        “Spoken like a Java developer!”

        Dude that stings a little. I’m a Java developer. J2EE is a fine tool for server side work. IMHO it has a good track record for web applications, APIs, services. I would, however, hesitate to use it on the client, and would never use it in the browser.

        1. Daniel Martin

          Agreed, but let’s be more specific:

          The Java sandboxing technology has turned out in practice to be impossible to secure. I still don’t see what it is that makes this fail as a theoretical concept, but the observed practical experience has been that it’s a failure. This means java in the browser should always be considered insecure, as should any system where you load and run some only partially-trusted code.

          Elsewhere? Yes, absolutely; J2EE deployments may use nested classloaders, but they don’t use sandboxing. It would be a big step backwards if management that is not inclined to listen to their technical staff were to conclude that, say, programs written Java were fundamentally less secure than those written in C or C++, or that javascript written by hand is inherently more secure than that written through GWT.

          Java is a fine server language and even a fine client language (witness minecraft), just use it as you’d use any other language. You only get into trouble when you start doing things that depend on the sandbox model being secure. (something nearly no other language/runtime provides, because Java has shown it to be such a terrible idea)

          I do wish Oracle could finally give up and admit that the jvm sandbox is a failed model and offer a java download that includes no ability to run java applets, so that there’s not even a chance that the java install you’re using for sensible reasons will be picked up by your browser and used to enable java in the browser. And while they’re at it, maybe they could offer a normal Windows installer without any stupid browser toolbars.

      3. Mike

        Brian,

        I’m coming to the comments a little late. Your article was not clear on one distinguishing detail. There’s Java, the separately installed platform, and there is JavaScript, which is built in to browsers. With the installed platform, there may also be a browser plug-in, which is not JavaScript and should be disabled if one must have the Java platform for other reasons. Also, blocking JavaScript is a good idea (e.g. the NoScript add-on). I agree with not bothering to install the platform and all of your other conclusions. However, the lack of distinction between Java and JavaScript seems to have confused some readers/comment-ers. Uninstall Java; disable/click-to-allow JavaScript; and disable the plug-in if you must have Java and the plug-in is in your browser.

        Thanks.

    2. Vee

      It’s not that Java is bad, it just doesn’t belong in the web browsers as a plugin due to its never ending battle of exploits. I’d say the same for Adobe’s plugins as well.

      Though I don’t think people have to uninstall Java ever since they added the option to disable it from web browsers. I have Java set that way myself.

    3. jbmartin6

      IN, you are way off base. He said remove it *if you aren’t using it* which is just basic and sensible security advice. Then he added advice to patch it if you do need it, followed up with another suggestion for multiple browsers.

      1. d

        After reading Brian’s WaPo columns, I removed Java years ago. Yes, Brian has been recommending users who do not need Java — I was one of them — to remove it for quite a while now. (I remember finding about seven different versions!) In addition, when he began KrebsonSecurity, he’s had many posts about the distinctions of Java from JavaScript.

        Brain can only recommend and suggest, but you may need to do some researching on your own. And by using the search located right under Brian’s picture, I found this:
        http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/

  13. Timo Kinnunen

    Don’t run Java with full administrative privileges! If you don’t, those CCVS 10.0 ratings become much more manageable CCVS 7.5 ratings:

    “The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of “Complete”, lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5. ”

    “Typical on Windows”? Typical on Windows XP perhaps, but there’s no cure for that.

  14. Berend de Boer

    On servers we usually tend to use openjdk. Does anyone know how that fares with regard to security?

    1. JCitizen

      Have you tried to analyse it with Secunia? They have some free products and not so free enterprise solutions for that. The list of applications and code that they support gets longer every day it seems.

    2. 0x003

      you may try Belarc Free Adivisor and remove it after you use, my assumption your using Windows.

  15. JCitizen

    For any newbies to PC security that may be having this same problem. This new update will throw off error messages and refuse to update without running the updater elevated as an administrator.

    At least that is what happened on Vista Ultimate x64. Also some folks might try updating on XP, and I believe this will not work, and probably you will never get an update that runs on XP forever on. I seem to remember reading that Java ended support for XP just like Microsoft did. My apologies if this was already pointed out in any of the links in this article.

    1. Tim A

      They could make the installer prompt for administrator privs up front ..but they can’t stop writing buggy software either, so.. eh.

      1. JCitizen

        True – I wished they had prompted during update, but it didn’t. Of course I was logged in as an administrator, but still had to elevate. I uninstall java on all clients upon discovery. I have to use it because of a “security” program I use – HA! – imagine that? As soon as I find a replacement for that program and the attendant hardware, I’m dumping java for good.

  16. Bob B.

    All the aforementioned comments are accurate. All application software runtime environments are vulnerable to penetration by either directly manipulating memory or exploiting software called by the runtime environment. The Java sandbox and security policies are easily bypassed. Brian’s suggestion is only minimally effective since, as someone stated, you are still running Java natively in the browser. For many not running Java is not a solution since their bank, or whomever, requires it. A suggestion to consider is to use either a software sandbox (I recommend Blue Ridge Network’s – Browse With Trust), which is better, or a hardware isolated sandbox (I recommend Bromium’s VSentry) which is best.

    1. JCitizen

      I assume you have to have the latest Intel motherboard technology to make Bromium work? That is how I parse it anyway. I need to get my copy of Drive Vaccine out and play with it some day!

  17. chasm22

    I just upgraded to a new box running Windows 8.1 pro. I have Chrome installed and run it as my default browser.

    My question concerns I.E. 11. It seems that java isn’t installed by default. Can anyone confirm this?

    1. Tim A

      @chasm22,

      Correct, Java is an add-on and is not installed by default.

    2. Old School

      “It seems that java isn’t installed by default.” Today is your lucky day. The two “don’ts”: Don’t install Java on your PC and don’t confuse Java with JavaScript.
      Do: see Brian’s comment of April 16, 2014 at 6:52 pm. Without Java, you will still be able to live long and prosper. ( http://www.youtube.com/watch?v=Iu1qa8N2ID0 )

  18. chasm22

    As a followup to the above, apparently MS has also left flash off of IE11. These developments would seem to indicate that Microsoft has taken a bit of steam out of some arguments that it is less secure browser than firefox or chrome.

    Just wondering, because I haven’t touched it in quite a while. I might give it a try, since it’s also the only 64 bit browser of the three, although Chrome negates most of the advantages of that by the way it handles memory and individual browser windows.

    Anyways, I bought into the whole MS thing by purchasing a refurbished surface pro 128gb. I’m only mentioning thos because the instruction manual for it included the following statement; ” Add-ons ”

    “Internet Explorer 11 is designed to provide an add-on free experience, playing HTML5 and many Adobe Flash
    Player videos without installing a separate add-on. Add-ons and toolbars will only work in Internet Explorer for
    the desktop. To view a page that requires add-ons in Internet Explorer, swipe down or right-click to bring up the
    Address bar, tap or click the Page tools button, and then tap or click View on the desktop.
    You can view, enable, and disable the list of add-ons that can be used by Internet Explorer for the desktop. For
    more info, see Manage add-ons in Internet Explorer on Windows.com. “

      1. chasm22

        I’m not sure what IE 11 in Win 8.1 is doing for flash support. I got nothing off the adobe site. Worked normally with Chrome, but with IE nothing.

        Now the really weird part.When I first tried to enter the adobe site, IE gave me a warning that the site required enabling an activex plugin that was a security risk. I checked off on enabling it ,reloaded,left the site,closed IE went back and still got nothing. I then decided to see what I had enabled and went to IE’s add-on manager,which looks identical to the one in my old machine running XP. I know this is going to make me sound
        flakey, but lo and behold there is Shockwave Flash Object v1300182! I can only say that I checked before under every conceivable way(all add-ons,currently loaded add-ons,etc.)and there wasn’t any Shockwave Flash Object. Anyone familiar with the add-on manager realizes its a pretty straightforward tool, and as I mentioned before, in appearance it looks unchanged from the days of XP back to I’m guessing IE 6 or so.

        As far as not being detected at the adobe site, I have to wonder if no java played a part? Either way, I disabled it.

        1. Tim A

          @chasm22,

          I’m not sure why Flash didn’t load when you went to that page. :-/ I know I’ve seen it work before on my Windows 8 machine, but I’ll check it out this evening now that I’ve installed more updates.

          As straight forward as it SHOULD be, I’ve seen the add-ons manager be inconsistent in what it displays, so I’m not surprised there.

          I just avoid using IE whenever possible. 🙂

          Java and Flash should have nothing to do with each other.

        2. JCitizen

          Using flash is a mess no matter what browser you use, I think you were right to keep it off the machine, if at all possible. It is easy to get tricked into downloading that pesky Shockwave, as if anyone has used it in decades! I remove it immediately upon discovery.

          I still get complaints from clients that only about 75% of Youtube videos play with IE10/11 HTML-5 encoding, so some may be using the flash plugin to cover the minority that don’t work. I assume this is why you are trying? I also assume you already know that the Adobe page seems to get confused as to whether you are using a non-IE browser or not. This can mess up the process as to which one you get – active X/ or plug-in. – This causes the wrong test page to open, especially if you use a non-IE default browser; You may have to paste the appropriate test URL in you browser that are not default. I’ll leave it at that.

        3. Tim A

          @chasm22,

          Going to that page works just fine for me. It tells me I have 13,0,0,182 installed.

          1. chasm22

            @ Tim A

            First of all, thanks for your time, especially knowing that you don’t use IE and neither do I. So this is going into the end of the day file under why the hell did I waste time on that.

            What version of IE are you using? I tried the adobe website again today. Same results. IE 11.0.09600.17031

            Today I went a little further and reset some of the security settings under internet options. And I turned off the pop-up blocker. Of course I reenabled Shockwave in the add-on manager. I’m not sure, but I don’t even think I should have to have it enabled in order to check the version. But just to avoid any confusion, I did it. Exact same results=no results at all.

            So I decided to expand on my stupid time allotment and went to another part of the adobe website. To be specific, I went here; http://helpx.adobe.com/flash-player.html.

            This is the part where we enter the MS bermuda triangle. Under ‘Install flash in five easy steps’.

            The first step is to check to see if you have the flash player installed. When I did this step I got a big green✔ check mark followed by the message: “Flash Player is pre-installed with Internet Explorer in Windows 8.” But wait! Below under the details I get this tidbit;

            YOUR SYSTEM INFORMATION

            Your Flash Version
            Flash Player disabled

            Your browser name
            Internet Explorer

            Your Operating System (OS)
            Windows (Windows 8)

            Flash player disabled?? I am dazzled by the methodology(being generous here) that MS has employed to ensure flash remains disabled. Apparently, they’re so concerned with it that even when the customer tries to use it, they’re not going to allow it. Remember, at first it didn’t even show under the add on manager, now it’s listed and enabled but ?? But adobe says it’s disabled. And it is apparently because a little further down this page they have a flash animation to use to see if your installation went OK. The animation didn’t appear. So I’ve got an enabled/disabled add- on.

            The best thing I can say is it looks like MS has at least made an effort to make flash disabled by default. And that certainly isn’t a bad thing.

            Just as a reference, Chrome displayed the following under the same page: Flash Player is pre-installed in Google Chrome and updates automatically!

            Your Flash Version
            13.0.0.182
            Your browser name
            Google Chrome
            Your Operating System (OS)
            Windows (Windows 8)

            And the animation worked. I have Chrome set up as click to play, but for this instance I had it run automatically. I like it when browsers actually do what you ask them to. And to be truthful, there are times when I want to be able to use flash.

            So I guess that any curiosity I might have had concerning the newest version of IE has been snuffed out by this curious snafu.

            1. JCitizen

              HA!HA! 😀
              Good post chasm22! I got a kick out of reading your trial and tribulation!

              1. chasm22

                JCitizen,

                Shh, don’t tell anyone but after I read your post referencing the trouble html5 had with a significant number of youtube videos I tried using IE to view videos. I’m 63 so youtube isn’t part of my regular diet, but I’ll tell you what they’ve got some very nice fix-it type videos there that I take advantage of occasionally.

                I live in the hills so to speak and the best bet for me to access the internet has been through my Verizon cell plan combined with a nice booster. (I plan on giving Dish a try soon)

                Anyways, I get a decent enough 3g signal(booster won’t work with the 4g signal) but the signal isn’t quite good enough to give me a smooth streaming experience. Well,here’s the part that’s interesting. IE played everything I tried at youtube without so much as a hiccup. Shut it down and tried the same ones launching youtube via Chrome and every video would stop every 10 to 20 seconds.

                Enough to make the last brown hair on my head go grey.

                1. JCitizen

                  This may be a double post, as my previous one suddenly disappeared. Microsoft keeps updating IE-10 and 11, so maybe the old issues have been resolved. I haven’t visited the subject for a while.

            2. Tim A

              @chasm22,

              Haha, no problem on the time spent. I do have to deal with IE because it’s the browser of choice at work.

              I’m not at home, so I can’t check the version number. That machine is as up-to-date as possible, though, so Windows 8.1 Update ..or whatever the backpedaling flavor of the day is. Heh

              As if the whole Java/JavaScript thing wasn’t confusing enough, Flash is also referred to as Shockwave Flash, which is not the same thing as and does not rely on Shockwave Player.

              I don’t think Flash is disabled by default since they went through the trouble of embedding it. But you did say you had to tell it to run.

              So, back to basics. Is your machine plugged in? Is it turned on? Oops, maybe that’s too far back. Heh Have you restarted IE? Have you restarted your computer?

              Other than that, I got nuthin. :-/

              1. chasm22

                Yeah, the names being used are crazy. I referred to it as shockwave flash object because that’s the name used by ms in the add-on manager.

                The whole thing started as a simple little try on my part to check whether my new computer had the latest version of the flash player. Then it got to be a little humorous, but now it’s simply become ridiculous. I’m starting to wonder if I’m working with W8.1 or Win98.

                My latest look at the add-on manager reveals the following;

                Name: Shockwave Flash Object
                Publisher: Microsoft Windows Third Party Application Component
                Type: ActiveX Control
                Architecture: 32-bit and 64-bit
                Version: 13.0.0.182
                File date: ‎Monday, ‎March ‎31, ‎2014, ‏‎2:23 PM
                Date last accessed: ‎Today, ‎April ‎19, ‎2014, ‏‎1 minute ago
                Class ID: {D27CDB6E-AE6D-11CF-96B8-444553540000}
                Use count: 21
                Block count: 208
                File: Flash.ocx
                Folder: C:\Windows\System32\Macromed\Flash

                Please note the name of the folder. And then we seem to have some confusion over whether ActiveX still exists. Well MS certainly thinks it does. And it seems that Macromedia might still be a player, or maybe they just don’t appreciate reality?

                Now I’ll be frank with you. I used to think there was a shockwave player and a flash player . I’m not sure about what we have here. What is a Shockwave flash object? Is this another MS blurry thing. I mean didn’t/hasn’t shockwave gone by the wayside? Just wondering?

                At least I’m running the current version of the macromedia/adobe shockwave player/flash player whatever thing. Disabled. I think.

                1. JCitizen

                  The icon is different in the program list, but I’m still wondering the same thing. I often end up having one Macromedia object, and two flash objects which are Active X and Non-IE pluggin. The Macromedia seems to pop in there occasionally despite my being careful about updating adobe. So it is a kind of recurring spammy kind of irritation.

  19. pboss

    So if you do have Java on a machine and use Firefox, I’ve noticed that 64-bit Windows 7 actually needs two Java updates, the 32-bit one for Firefox and the 64 bit one you get if you visit the page with the 64 bit version of IE.

    1. rthonpm

      If you don’t use a 64-bit browser, there’s no need to install the 64-bit plugin unless you also use a 64-bit application that requires it. These are fairly rare so for the most part, don’t install it. The Java updater will only update the more common x86 JRE.

  20. rick

    Not bad advice, but forgetting history annoys me! Before java and javascript, we had a really bad thing called ActiveX.

    Java was a really good solution at the time and popularized the concept of sandboxing and did it well by standards then.

    Now the web has javascript which is good enough to replace java, and java’s sandbox just doesn’t cut it against modern exploits.

    So it’s not like java is riddled with security holes, it’s that the browser/sandbox integration has not been maintained and fell apart.

    About uninstalling java, many programs using it may ship with a jre stuck inside but some don’t and will break (minecraft!).

    I do wish the browser java download was a separate entity altogether from the jre applications need, that would avoid this confusion.

    1. Tim A

      Hmm?

      ActiveX still exists, and I’m pretty sure that’s how Java plugs into IE.

      JavaScript is by no means a replacement for Java and it’s not meant to be. They just have confusingly similar names.

      1. JCitizen

        I’m pretty sure that is how the old flash plugged into IE too! Active X that is.

  21. jay

    The FCC requires Java to apply for licenses. I have a Virtualbox XP machine that I only use for fcc.gov, nothing else has Java.
    I run version 6 because ver 7 would not allow cut and paste, many of the fields that need to be filled in are duplicated for each frequency, it would be very time consuming to give up cut and paste.
    The site’s applet is dated 2011, I wonder how many vulnerabilities it has.

  22. samak

    Without Brian’s excellent articles, IT-ignorant people like me would never realize we could get rid of Java. I have finally uninstalled it altogether after disabling it for a while and finding I never needed to enable it.
    Thanks Brian and keep up the good work.

  23. Eric

    In my mind the biggest problem is they continue to place undue trust in the JVM and API’s despite mountains of evidence that it is no longer enough to keep out the bad guys. Oracle continues to operate java with an iron fist with no innovation, so I doubt the leap can be made before it’s obsoleted by better, safer, ways to complete the same tasks.

    Personally I also think the “click to run” provides a false sense of security since it’s only time before a malware payload is inserted into a legitimate site or they figure out a way to activate the plug-in anyways.

  24. Victor

    “This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.”

    Sounds like you don’t know what java really is. It is not just that thing that run in the browser, it is a platform for running programs. If you don’t know, OpenOffice runs on java, and a lot of applications are made and created everyday on top of the JVM, and is a lot of programming languages.

    Surely, running arbitrary JARs is as dangerous as running arbitrary EXEs, but this does not means that forbidding all JAR-based programs is a good solution, the same way that forbidding all EXE-based programs is not a solution too.

    You are just getting some security problem to make a red herring that uninstalling java is the solution and spreading a lot of FUD with it.

    1. BrianKrebs Post author

      Victor. Java is not required for OpenOffice. I’m sorry, I know that doesn’t help your argument, but it’s true (and I suspect you know that).

      When malicious Java applet takes advantage of a vulnerability in Java, there is no deciding to run or not run it on the part of the user; it just happens — no prompts, just compromise.

      Now, who’s spreading misinformation, hmm?

      1. Rabid Howler Monkey

        Both OpenOffice and LibreOffice retain most of their functionality without Java. By “most of their functionality”, I refer to word processing, spreadsheets, presentations and drawing.

        What one loses without Java is OpenOffice/LibreOffice Base, which is a personal database management system (similar to Microsoft Access) as well as a front-end to mult-iuser databases. I would guess that Base is the least used of the of the OpenOffice/LibreOffice modules. [Please note that I did not state that *nobody uses Base*.]

  25. Rick

    I think the imprecision bothers some people. Java itself is fine. What is not is the browser plugin with sandbox portion of java.
    I’ll again argue that at one time it was the best solution for rich web solutions. But time passes and it’s not now.

    Sandboxing is a fantastic idea and I hope it comes back. Not just for browsers, but any app. The only way for it to work well is having the os do it, ios IMO is a good model. If windows/Linux had that, you could even run native code like in ye old days!

    Perhaps all the security breaches will get that idea going.

  26. Adrienne Washburn

    Thanks for the heads up! I think I have Java installed, but I’m not sure how it’s being used on my website. I better ask the arizona Arizona Web site design who created my blog. They did a good job solving an issue I had before in my blog, so I guess they’ll also know how to solve this Java update issue.

Comments are closed.