FLASH AND JAVA ISSUES – January 2013

It’s been some time since I posted something in this column, and I thought that with the New Year this would be a good time to restart posting. With all the work going on with the website during the past several months, I had some concern about losing valuable information that you would need. Fortunately, there were not a lot of major items to mention.

Moving on, the New Year brings new challenges, and right off the bat a couple have come up that everyone should be aware of. As you know, I do not recommend adding software to systems just to have it. Some of us do happen to evaluate and test software as part of our jobs. In most cases, that software is removed not long after the evaluation process is complete. From time to time, though, this doesn’t happen, so I have a quarterly routine of reviewing my desktop and laptop to see what I can remove.

Of course, during this same process I also look to upgrade the pieces of software that I know need it. So, as I have recommended in the past, I use Secunia PSI to help in that process. During the last quarter of 2012, I also decided to take a good look at how much use I am actually getting out of things like Adobe Flash and JAVA.

Since I work on the business side of computers and work with computer servers, I have started to recommend that Adobe Flash be removed from all servers, Windows and Linux alike. Publishers are moving to HTML 5 and away from Flash, which is somewhat taxing on systems of all types, so adding Flash to a server that is usually running specialized software anyway is a worthless proposition whose only benefit is eye candy for the administrator of the system. I have found that some utilities can be run remotely from desktop systems, and if you already have Flash installed there, it’s okay to run the utility there. Just don’t add to the stress of the server by having it run a piece of software that has no benefit to the job the server does. Removing it also eliminates another attack vector that can be used by the bad guys.

Now, on the heels of this decision, comes the advice from the security community, which also includes the US Department of Homeland Security, that people should begin removing JAVA from their systems. Most people do not keep up on computer security news, so they may not know that Oracle, which owns JAVA, has recommended for a while now that all users of JAVA remove all versions lower than version 7 from their systems. The reason is that Oracle no longer supports the versions lower than 7 that are still in use.

On the surface, this appears to be good advice, because old versions were notoriously buggy and difficult to remove. Beginning this month, Oracle has begun AUTOMATICALLY removing version 6 from computers, whether you know it is on there or not. Older versions you still have to remove manually through the Add/Remove process in Windows. I suggest that you get started on this now.
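Before you start on the Add/Remove process, it helps to know exactly what is installed. The following PowerShell script is an added example, not part of the original column: it reads the same Add/Remove Programs entries Windows shows you and flags JAVA runtimes below version 7 (which Oracle no longer supports) and any Adobe Flash Player installs (which should not be on a server at all). It assumes a Windows system where JAVA and Flash were installed through their normal installers, and the version-string formats it parses are based on what those installers register.

```powershell
# Added example: inventory Add/Remove Programs entries and flag
# JAVA runtimes older than 7 and Adobe Flash Player installs.
# Both 32-bit and 64-bit uninstall hives are checked.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

foreach ($e in $entries) {
    $name = [string]$e.DisplayName
    $ver  = [string]$e.DisplayVersion

    # Match the runtime/JDK entries only ("Java 7 Update 11", "Java(TM) 6 Update 37",
    # "J2SE Runtime Environment 5.0 ..."), not helpers such as "Java Auto Updater".
    if ($name -match '^(Java(\(TM\))? \d|Java SE Development Kit|J2SE Runtime)') {
        # Assumption: older installers report "1.5.0.220"/"1.6.0.370" style versions,
        # newer ones "6.0.370"/"7.0.110" style. Normalise both to the major number.
        $major = 0
        if     ($ver -match '^1\.(\d+)') { $major = [int]$Matches[1] }
        elseif ($ver -match '^(\d+)\.')  { $major = [int]$Matches[1] }

        if ($major -gt 0 -and $major -lt 7) {
            Write-Output "REMOVE   unsupported JAVA (below 7): $name ($ver)"
        } else {
            # Still worth knowing about: the column notes that JAVA 7 itself is
            # under active attack, so review whether you need it at all.
            Write-Output "REVIEW   JAVA present:               $name ($ver)"
        }
    }
    elseif ($name -match 'Adobe Flash Player') {
        Write-Output "REMOVE   Flash has no place on a server: $name ($ver)"
    }
}
```

Run it in an elevated PowerShell window on each server and workstation; anything marked REMOVE is a candidate for the Add/Remove process the column describes.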

The current version of JAVA right now is version 7, so you would guess that you should jump right in and install that. In the past couple of weeks, however, came the warning that a new zero-day exploit has emerged that attacks JAVA 7. The recommended action is to disable JAVA in the browser if you do not need it. Unfortunately, as I have found out, that is easier said than done. Disabling JAVA is not the problem; the problem is the various websites that use JAVA, which become nearly unusable without it.

So my advice here? If you don’t have a need for JAVA, uninstall it and you are done. If you need JAVA for certain websites, get a second or third browser and use that browser, with JavaScript enabled, only for those specific sites. In addition, disable JAVA and JavaScript in the browsers you use for all your other browsing. If that is a problem, then use JAVA with caution and be sure to keep up on the news from Oracle on how soon this bug will be fixed.

Now, that said, the question looming in the security community is when Oracle can deliver an updated version of JAVA that is safe to use. Unfortunately, estimates suggest that it could take two years or more. The reason is that there is a lot of interdependency among the sub-modules that make up JAVA, which means there will need to be extensive testing and retesting of the rewritten modules to see if the new modules will work with the old modules and vice versa.

So, in a nutshell: if you don’t need JAVA, take it off your computer. Otherwise, use one browser specifically for websites that need JAVA, and kill the use of JAVA and JavaScript in all other browsers you use on the Internet. There are a lot of websites that will tell you how to disable JavaScript or remove JAVA from your systems. Take a look at these and follow their instructions.

Comments

IKraus

A few comments I would like to add to what Marlin has said. First, JAVA and JavaScript are not the same thing! This is a common point of confusion. While I can certainly see eliminating or turning off the use of JAVA as an excellent idea, turning off JavaScript is going to be more difficult. JavaScript is needed to make most modern sites work at all, so there's that facet of things.

For those using Mozilla's Firefox, consider installing the NoScript add-on. This gives you control over what scripts connected to the site you are visiting are allowed to run. Usually those associated with the site itself - assuming it is trustworthy - are safe. If the content you want to see on that site is still not visible, then I would toggle the allow/block setting for each external source until the content becomes visible. Doing so for each site you frequently visit may take time, but it will reduce your risks from malware.

One last point I'd like to make is that it is taking sites a while to convert from using Flash to HTML 5. So, again, eliminating Flash at this time may or may not be desirable given your browsing habits. If you are frequenting a site making use of Flash, by all means check with them to find out when they plan to transition the site to HTML 5.

Next point, always check to ensure you are using the most recent release of whatever browsers you are using. Updates for every browser out there have come out over this past week or so, in part due to the issues Marlin mentioned. Get in the habit of checking for such updates at least once per month.

Finally, along with the items Marlin mentioned, there was news last week about major vulnerabilities within commonly used JavaScript collections. If a site is making use of those, they should probably have been updated by now. Again, by all means check to see if the sites you frequent are taking care of things on their end by carrying out such updates.