tantek.com

  1. Disable Java NOW / Why does the New York Times Chicken-Little HTML5 When Java Exploits Are Real?

    on (ttk.me b/48V1)

    A couple of weeks ago the New York Times (NYT) published an article with <title> "Web Upgrade HTML 5 May Weaken Privacy" and heading: New Web Code Draws Concern Over Privacy Risks which chicken-littled HTML5 with as far as I can tell, purely theoretical concerns while never having written an article about vulnerabilities from Java which are actually used and for sale.

    Evercookie: the return of Samy

    The NYT article mentions an "Evercookie" proof-of-concept created using new HTML5 features by Samy Kamkar who infamously "went to Chipotle and ordered ... a burrito" after launching his MySpace "Samy is my hero" profile worm which gave him over a million friend requests. Obviously Samy has established his credibility, but nowhere is it explained (not by NYT nor Samy) how his "Evercookie" poses any kind of real threat or exploit. Vague references to "tracking" and "privacy" are made without any actual explanation.

    Thus not an actual exploit (just a proof of concept), nor any documentation of actual potential harm. A prime example of chicken-littling.

    Java vulnerabilities empower exploit kits

    On the other hand, in his post Java: A Gift to Exploit Pack Makers, Brian Krebs lists and specifically documents (emphases mine):

    • Specific commercial (for sale) "exploit kits", like "Blackhole". (i.e. actual exploit implementations)
    • Effectiveness in the wild metrics: on average this kit finds a working exploit that it can use to install malicious software on a visiting host about 10 percent of the time.
    • Java vulnerability ubiquity compared to others: Java vulnerabilities are by far the most useful, comprising more than 90 percent of all successful exploits.
    • Multiple exploit kits' screenshots confirming Java's most vulnerable status: SEO Sploit Pack ... Java vulnerabilities are the most productive, accounting for between 50 and 65 percent of malware installs or "loads"
    • Naming more specific exploit kits that primarily leverage Java vulnerabilities: Crimepack and Eleonore

    Let me make this clear: these exploits allow outside attackers, to take over your machine, and then use it for whatever they want, e.g. extract your passwords and local personal data, or add your machine to a botnet (imagine Skynet but with (supposedly) a human (perhaps highest bidder) issuing the commands) for more nefarious distributed attacks on other machines.

    Theoretical and abstract vs. real and concrete

    Thus on the one hand you have the theoretical and abstract "tracking" danger from new HTML5 features reported by the New York Times, and on the other hand the real world concrete danger of having your machine taken over due to Java vulnerabilities.

    Brian wonders why this is so in the tech press in particular:

    "But for some reason, Java seems to get a pass from the tech and security press, even though Java flaws consistently are found to be the most useful for attackers who wield these automated exploit kits."

    I wonder too.

    New York Times, When Will You Cover Java Vulnerabilities?

    Dear New York Times, are you ignorant on web security, not doing your homework, or deliberately omitting coverage of Java vulnerabilities, perhaps afraid of being sued (as Java corporations have done previously and recently) ?

    Disable Java NOW

    Given the real threats that Java vulnerabilities pose to your machine, and frankly, it's rarely used for anything essential, I highly recommend you disable Java in all your browsers.

    Especially if you use a Macintosh, note that Apple has deprecated Java and will stop shipping it in software updates and software installs. This is especially important because if you check the official Verify Java Version page (noted by Brian Krebs in Java Update Clobbers 29 Security Flaws), you'll see a note for Mac Users:

    Mac Users: Use the Software Update feature (available on the Apple menu) to check that you have the most up-to-date version of Java for your Mac.

    Right, those software updates which have deprecated Java as noted. Time to bail.

    How to turn off Java in browsers

    Here's how you turn off Java in common browsers (these instructions are for Macintosh versions, Windows browsers are likely similar. If someone posts instructions for Windows browsers, I'll link to it.)

    • Camino 2: (thanks to Eric Meyer)
      • From the Camino menu, choose Preferences...
      • Click Web Features (with globe/switch icon) in the top row
      • Uncheck [ ] Enable Java
      • Close the Preferences window (titled Web Features at this point)
    • Chrome:
      • There is no direct UI in Chrome. You have to:
      • Go to about:plugins (if clicking that link doesn't work, copy/paste it into a new tab)
      • Scroll down to Java ...
      • Click the blue underlined Disable text link there
      • Consider disabling Flash and others too
    • Firefox 3:
      • From the Tools menu, choose Add-ons
      • Click Plugins on the top right
      • Scroll down the list til you see Java Embedding ...
      • Click on it to select it
      • Click the ( Disable ) button on the right
      • Scroll down the list til you see Java Plug-In ...
      • Click on it to select it
      • Click the ( Disable ) button on the right
      • Consider disabling Shockwave Flash and others too
      • Close the Add-ons window
    • Firefox 4:
      • From the Tools menu, choose Add-ons
      • Click Plugins on the left
      • Scroll down the list til you see Java Plug-in ...
      • Click the ( Disable ) button on the right
      • Consider disabling Shockwave Flash and others too
      • Close the Add-ons window
    • Opera 10: (thanks to Daniel Bergqvist)
      • Go to opera:config#Java|Enabled (if clicking that link doesn't work, copy/paste it into a new tab)
      • Uncheck the Enabled [ ] checkbox
      • Click [ Save ]
      • Click ( OK ) to dismiss the dropdown sheet
      • Choose Quit Opera from the Opera menu
      • Relaunch Opera
    • Safari and WebKit nightlies:
      • From the Safari menu, choose Preferences...
      • Click the Security (with lock icon) in the top row
      • Uncheck [ ] Enable Java
      • Close the Preferences window (titled Security at this point)

    Disabling Flash, though it has fewer vulnerabilities than Java, will likely cause sites to load faster, since much more network/CPU is wasted by all the Flash ads that sites have these days. I disable Flash everywhere but Safari and run ClickToFlash (the 1.6b9 beta works fine) to selectively run Flash on video sites like Hulu and YouTube.

    Disabling Java will not only increase security (by avoiding all the above-mentioned Java vulnerabilities) but it will increase performance as well because your browser won't waste any network time downloading Java applets, nor will it waste any CPU time running them.

    Increase your browsing security and speed. Disable Java Now.