Comments on: What to do about Java in Windows (and elsewhere)?

By: Ed Tittel

Ed Tittel — Sun, 20 Jan 2013 23:38:13 +0000

Dear Tom:Again some good questions and concerns. The reason DHS weighed in so heavily speaks to the pervasiveness of use of Java in government installations, some whose attack and compromise could have serious results. The nature of the vulnerability — remote code execution — is such that it could result in complete system takeover if and when the right exploit should be foisted, followed by execution of just the right elements of malware. No, it’s not that this is a bad exception following generally “good behavior” where Java is concerned (it’s been the focus of an increasing number of exploits over the past 18 months or so, but even before then its history was not unblemished). There’s a BIG RISK here which is why it’s receiving a lot of attention, though some of it may be more for sensationalism’s sake.HTH,–Ed–

By: TomLiotta

TomLiotta — Sun, 20 Jan 2013 17:50:52 +0000

And to clarify, I’m not asking about you. I’m curious about the general treatment. It’s even been on TV newscasts. — Tom

By: TomLiotta

TomLiotta — Sun, 20 Jan 2013 17:44:40 +0000

I understand most of it. It's just that particular item seems to have caused more of a stir than others in the past have. Is it because DHS is referenced in association? Is it because Java has had a fairly good history (not perfect) and this is therefore out of the ordinary? I didn't notice any attention to CVE-2012-4792. Is it just because it's "Oh, well, same old thing"? -- Tom

By: Ed Tittel

Ed Tittel — Sat, 19 Jan 2013 16:52:48 +0000

You make a good point, Tom, but the recommendations come from CERT/DHS and are primarily aimed at US government employees (or rather, the IT admins who cater to their computing and Internet access needs). While it’s true that I laid out a potential strategy for avoiding trouble based on those recommendations, they originate from elsewhere.That said you raise the very interesting question of why we use software subject to zero-day attacks in general. The real answer is “because it’s what we’ve got” which could then even translate into “because we have no choice.” In such a situation, adding extra layers of protection — as I attempted to do with an insulated VM inside its own separate runtime environment — makes even more sense, if you ask me.But thanks for asking an important question: Windows itself is surely subject to the same sort of flaws that Java is, and we continue to use it by the billions of copies daily as well.Best wishes,–Ed–

By: TomLiotta

TomLiotta — Sat, 19 Jan 2013 09:52:56 +0000

Would you use any other software tools or products that are subject to critical zero-day attacks? It’s not clear why this particular issue is raising such awareness when so many previous vulnerabilities outside of Java have mostly passed notice. — Tom