[ImageJ-devel] What about this huge Java security issue?? How do we keep ImageJ users both safe and satisfied with a Java platform?

Curtis Rueden ctrueden at wisc.edu
Tue Jan 15 12:04:11 CST 2013


Hi Bill & everyone,

> what is the likelihood that oracle does something drastic with Java as
> a result of the scare?

I am confident that Oracle will do their best to patch such
vulnerabilities, and take steps to mitigate future ones. Two days ago
Oracle released a patch for the current issue [1]. Unfortunately, security
experts say the fix does not fully address the bug [2].

Still, of particular note is the fact that the default behavior now always
prompts users to confirm execution of the applet:

"The fixes in this Alert include a change to the default Java Security
Level setting from 'Medium' to 'High'. With the 'High' setting, the user is
always prompted before any unsigned Java applet or Java Web Start
application is run."

This means that while there may be more zero-day exploits discovered in
Java in the future, they will have much less impact than before because
attackers can no longer exploit them to silently install malware. It may
still be possible to trick users into clicking OK to a malicious applet.
But if you can trick a user into clicking OK to such a dialog box, you may
as well sign your malicious applet (which presents a similar dialog box) to
grant it full user privileges straight away, rather than relying on a Java
bug.

In other words, I expect zero-day Java exploits to be largely impotent from
now on.

> Maybe this situation is more run-of-the-mill than my gut is feeling
> right now.

Actually, I agree it is quite unusual for the local news to be widely
reporting such things, and also rare for the U.S. government to recommend
actually uninstalling the affected software. Adobe Flash (which I think has
a larger install base than Java does) has chronically suffered from similar
issues (e.g., [3]), but to my knowledge, it was not as widely covered nor
recommended to uninstall it. Similarly, Internet Explorer itself has had
similar remote code execution exploits, one of which was fixed just
yesterday [4].

The point is that software is buggy, browsing the net is inherently
insecure, and people should make a strong effort to avoid malicious web
sites. (In particular, don't click links in spam emails!) It is best to
assume your system *always* has at least one remote code execution exploit
which could be used against you if you browse the wrong web page.

Regards,
Curtis


[1]
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
[2]
http://www.independent.ie/business/technology/emergency-patch-for-java-fails-to-fix-cybercrime-holes-warn-experts-3351321.html
[3] http://msisac.cisecurity.org/advisories/2012/2012-077.cfm
[4] http://technet.microsoft.com/en-us/security/bulletin/ms13-008
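As an added illustration of the "High" setting quoted above (this is my own example, not text from the thread or from Oracle's alert): the Java Control Panel persists these choices in a deployment.properties file, so an administrator can set the hardened default and lock it, or disable the browser plug-in outright as the CERT note in the thread advises. The file locations and the ".locked" suffix are assumed from the Java 7 deployment configuration documentation.

```properties
# Two alternative contents for the per-user Java deployment properties file
# (assumed locations: ~/.java/deployment/deployment.properties on Unix,
#  %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties on Windows).

# --- Weak: the pre-alert default. Unsigned applets and Web Start apps run
# --- with no prompt at all, so a sandbox-escape bug gives silent code execution.
deployment.security.level=MEDIUM
deployment.webjava.enabled=true

# --- Hardened: the post-alert default, pinned so the user cannot lower it.
# --- Every unsigned applet now requires an explicit click before it runs.
deployment.security.level=HIGH
deployment.security.level.locked

# --- Strictest: turn the browser plug-in off entirely for users who only need
# --- desktop Java (ImageJ itself is unaffected, since it is not an applet).
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

Use one of the three sections per file; the "locked" lines are what stop the Java Control Panel from silently reverting the setting.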


On Sat, Jan 12, 2013 at 7:35 AM, Mohler,William <WMohler at neuron.uchc.edu> wrote:

> Yes, thanks.  What I'm worried about is society's tendencies to be blind
> to sensible approaches.  Eg, what is the likelihood that oracle does
> something drastic with Java as a result of the scare?  Maybe this situation
> is more run-of-the-mill than my gut is feeling right now.
>
> Bill
>
>
>
>
> Jason Swedlow <j.r.swedlow at dundee.ac.uk> wrote:
>
> Hi Bill-
>
> Curtis and Johannes suggested very sensible approaches.
>
> I believe this is what you are referring to, and this clearly says to
> disable Java in your web browser:
>
> http://www.kb.cert.org/vuls/id/625617
>
> Cheers,
>
> Jason
>
> --------------------
> Centre for Gene Regulation & Expression | Open Microscopy Environment |
> University of Dundee
>
> Phone:  +44 (0) 1382 385819
> email: j.swedlow at dundee.ac.uk
>
> Web: http://www.lifesci.dundee.ac.uk/gre/staff/jason-swedlow
> Open Microscopy Environment: http://openmicroscopy.org/
>
>
> From: Mohler, William <WMohler at NEURON.UCHC.EDU>
> Date: Friday, 11 January 2013 20:41
> To: Jason Swedlow <j.r.swedlow at dundee.ac.uk>,
> "imagej-devel at imagej.net" <imagej-devel at imagej.net>
> Subject: Re: [ImageJ-devel] What about this huge Java security issue?? How
> do we keep ImageJ users both safe and satisfied with a Java platform?
>
> I'm hoping just what you're thinking.  But the press here is telling
> people to "uninstall java" as the only certain way to avoid having their
> systems hacked.  This is now backed by an announcement by US Dept of
> Homeland Security that there is no other recourse...  Not easy stuff to
> deal with, right or wrong.
>
>
>
> Jason Swedlow <j.r.swedlow at dundee.ac.uk> wrote:
>
> Bill-
>
> Still trying to verify this, but this is about browser plug-ins, which you
> can turn off.
>
>
> http://developers.slashdot.org/story/13/01/10/1540202/java-zero-day-vulnerability-rolled-into-exploit-packs
>
> Cheers,
>
> Jason
>
>
>
> From: Mohler, William <WMohler at NEURON.UCHC.EDU>
> Date: Friday, 11 January 2013 20:15
> To: "imagej-devel at imagej.net" <imagej-devel at imagej.net>
> Subject: [ImageJ-devel] What about this huge Java security issue?? How do
> we keep ImageJ users both safe and satisfied with a Java platform?
>
>
> _______________________________________________
> ImageJ-devel mailing list
> ImageJ-devel at imagej.net
> http://imagej.net/mailman/listinfo/imagej-devel
>
>
>
> The University of Dundee is a registered Scottish Charity, No: SC015096
>