FLASH AND JAVA ISSUES – January 2013
It’s been some time since I posted something in this column, and I thought that with the New Year this would be a good time to start posting again. With all the work going on with the website during the past several months, I had some concern about losing valuable information that you would need. Fortunately, there were not a lot of major items to mention.
Moving on, the New Year brings new challenges, and right off the bat a couple have come up that everyone should be aware of. As you know, I do not recommend adding software to systems just to have it. Some of us do happen to evaluate and test software as part of our jobs. In most cases, that software is removed not long after the evaluation process is complete. From time to time, though, this doesn’t happen, so I have a routine: on a quarterly basis, I review my desktop and laptop to see what I can remove.
Of course, during this same process I also look to upgrade the pieces of software that I know need upgrading. So, as I have recommended in the past, I use Secunia PSI to help in that process. During the last quarter of 2012, I also decided to take a good look at how much use I actually get out of things like Adobe Flash and Java.
Since I work on the business side of computers and work with servers, I have started to recommend that Adobe Flash be removed from all servers, Windows and Linux alike. Publishers are moving to HTML 5 and away from Flash, which is somewhat taxing on systems of all types, so adding Flash to a server that is usually running specialized software anyway is a worthless proposition; the only benefit is eye candy for the administrator of the system. I have found that some utilities can be run remotely from desktop systems, and if you already have Flash installed there, it’s fine to run the utility there. Just don’t add to the load on the server by making it run a piece of software that contributes nothing to the job the server does. Removing it also eliminates another attack vector that the bad guys can use.
Now, on the heels of this decision, comes the advice from the security community, which includes the US Department of Homeland Security, that people should begin removing Java from their systems. Since most people do not keep up on computer security news, they may not know that Oracle, which owns Java, has recommended for a while now that all users of Java remove all versions lower than version 7 from their systems. The reason is that Oracle no longer supports the versions lower than 7 that are still in use.
On the surface, this appears to be good advice, because old versions were notoriously buggy and difficult to remove. Beginning this month, Oracle has begun AUTOMATICALLY removing version 6 from computers, whether you know it is on there or not. As for older versions, you still have to remove them manually through the Add/Remove process in Windows. I suggest that you get started on this now.
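The quarterly clean-up and the advice to remove Flash from servers and old Java versions from every system both come down to the same first step: finding out what is actually installed. The script below is an added example, not part of the original column, that does that inventory on Windows from the same Add/Remove Programs data the author refers to. It assumes a standard Windows installation where packages register under the Uninstall registry keys (including the WOW6432Node key on 64-bit systems), that Java runtime entries carry a DisplayName of the form "Java 7 Update 10" or "Java(TM) 6 Update 37", and that MSI-installed packages use their product code GUID as the key name; the removal commands are printed as a dry run only.

```powershell
# Added example (not from the original column): inventory Java and Adobe Flash
# entries in Windows Add/Remove Programs and flag what should go.
# Assumptions: packages register under the Uninstall keys below; Java runtime
# entries are named like "Java 7 Update 10" / "Java(TM) 6 Update 37"; MSI
# installs use the product code GUID as the key name. Run from an elevated prompt.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entries = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if (-not ($p.DisplayName -match 'Java|Adobe Flash Player')) { return }

        # Major version comes from the DisplayName of a Java runtime entry;
        # entries such as "Java Auto Updater" are not runtimes and get no version.
        $major = $null
        if ($p.DisplayName -match 'Java(?:\(TM\))?\s+(\d+)') {
            $major = [int]$Matches[1]
        }

        if ($p.DisplayName -match 'Adobe Flash Player') {
            $action = 'Remove on servers (no benefit to the server role)'
        } elseif ($major -ne $null -and $major -lt 7) {
            $action = 'Remove: version below 7 is no longer supported'
        } elseif ($major -ne $null) {
            $action = 'Keep patched; disable in browsers where not needed'
        } else {
            $action = 'Review manually (helper component, not a runtime)'
        }

        [pscustomobject]@{
            Name            = $p.DisplayName
            Version         = $p.DisplayVersion
            Major           = $major
            KeyName         = $_.PSChildName      # MSI product code GUID for MSI installs
            UninstallString = $p.UninstallString
            Action          = $action
        }
    }
}

$entries | Sort-Object Name | Format-Table Name, Version, Major, Action -AutoSize

# Dry run of the removal commands for flagged entries. An MSI product code can be
# removed silently with msiexec; uncomment Start-Process once the list is reviewed.
foreach ($e in ($entries | Where-Object { $_.Action -like 'Remove*' })) {
    if ($e.KeyName -match '^\{[0-9A-Fa-f-]+\}$') {
        Write-Host "Would run: msiexec.exe /x $($e.KeyName) /qn /norestart"
        # Start-Process msiexec.exe -ArgumentList "/x $($e.KeyName) /qn /norestart" -Wait
    } else {
        Write-Host "Non-MSI entry, remove via Add/Remove Programs: $($e.UninstallString)"
    }
}
```

Running this on each machine during the quarterly review gives a list to work from rather than relying on memory of what was installed for an evaluation; the same uninstall keys are what the Windows Add/Remove dialog reads, so anything the script lists will also appear there.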
The current version of Java right now is version 7, so you would guess that you should jump right in and install that. In the past couple of weeks, however, comes the warning that a new zero-day exploit targeting Java 7 has appeared. The recommended action is to disable Java in the browser if you do not need it. Unfortunately, as I have found out, that is easier said than done. Disabling Java is not the problem; the problem is that the websites which depend on Java become nearly unusable once it is disabled.
That said, the question looming in the security community is when Oracle can deliver an updated version of Java that is safe to use. Unfortunately, estimates suggest that it could take two years or more. The reason is that there is a lot of interdependency among the submodules that make up Java, which means there will need to be extensive testing and retesting of the rewritten modules to see whether the new modules work with the old modules and vice versa.