tantek.com

Disable Java NOW / Why does the New York Times Chicken-Little HTML5 When Java Exploits Are Real?

on (ttk.me b/48V1) using BBEdit

A couple of weeks ago the New York Times (NYT) published an article with the <title> "Web Upgrade HTML 5 May Weaken Privacy" and the heading "New Web Code Draws Concern Over Privacy Risks". It chicken-littled HTML5 with, as far as I can tell, purely theoretical concerns, while the NYT has never written an article about the Java vulnerabilities that are actually being exploited and sold.

Evercookie: the return of Samy

The NYT article mentions an "Evercookie" proof-of-concept created using new HTML5 features by Samy Kamkar, who infamously "went to Chipotle and ordered ... a burrito" after launching his MySpace "Samy is my hero" profile worm, which gave him over a million friend requests. Obviously Samy has established his credibility, but nowhere is it explained (neither by the NYT nor by Samy) how his "Evercookie" poses any kind of real threat or exploit. Vague references to "tracking" and "privacy" are made without any actual explanation.

So it is a proof of concept, not an actual exploit, and there is no documentation of the actual harm it could cause. A prime example of chicken-littling.

Java vulnerabilities empower exploit kits

On the other hand, in his post Java: A Gift to Exploit Pack Makers, Brian Krebs lists and specifically documents (emphases mine):

Let me make this clear: these exploits allow outside attackers to take over your machine and then use it for whatever they want, e.g. extract your passwords and local personal data, or add your machine to a botnet (imagine Skynet, but with (supposedly) a human, perhaps the highest bidder, issuing the commands) for more nefarious distributed attacks on other machines.

Theoretical and abstract vs. real and concrete

Thus on the one hand you have the theoretical and abstract "tracking" danger from new HTML5 features reported by the New York Times, and on the other hand the real world concrete danger of having your machine taken over due to Java vulnerabilities.

Brian wonders why this is so in the tech press in particular:

"But for some reason, Java seems to get a pass from the tech and security press, even though Java flaws consistently are found to be the most useful for attackers who wield these automated exploit kits."

I wonder too.

New York Times, When Will You Cover Java Vulnerabilities?

Dear New York Times, are you ignorant of web security, not doing your homework, or deliberately omitting coverage of Java vulnerabilities, perhaps afraid of being sued (as Java corporations have done previously and recently)?

Disable Java NOW

Given the real threats that Java vulnerabilities pose to your machine, and the fact that, frankly, it is rarely needed for anything essential, I highly recommend you disable Java in all your browsers.

Especially if you use a Macintosh, note that Apple has deprecated Java and will stop shipping it in software updates and software installs. This is especially important because if you check the official Verify Java Version page (noted by Brian Krebs in Java Update Clobbers 29 Security Flaws), you'll see a note for Mac Users:

Mac Users: Use the Software Update feature (available on the Apple menu) to check that you have the most up-to-date version of Java for your Mac.

Right, those software updates which have deprecated Java as noted. Time to bail.

How to turn off Java in browsers

Here's how you turn off Java in common browsers (these instructions are for Macintosh versions, Windows browsers are likely similar. If someone posts instructions for Windows browsers, I'll link to it.)
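Whichever browser you use, it is worth confirming afterwards that the setting actually took effect. The following is an added example, not code from the original post: a small script you can paste into a browser's JavaScript console that reports what the browser itself says about Java (and Flash, since it is discussed below). It relies on the standard `navigator.javaEnabled()` method and on `navigator.mimeTypes`; the Java and Flash MIME type strings it looks for are the ones the plugins historically registered and are an assumption here. The function takes the `navigator` object as a parameter so that it can also be exercised with constructed fixtures.

```javascript
// Added example, not from the original post: check whether the browser still
// exposes Java (and Flash) after you have disabled them in its preferences.
// The MIME type strings below are the ones the plugins historically registered
// (assumption; adjust if your browser lists different ones).
const JAVA_MIME_TYPES = ['application/x-java-applet', 'application/x-java-vm'];
const FLASH_MIME_TYPE = 'application/x-shockwave-flash';

// `nav` is normally the page's `navigator`; any object with the same shape works.
function pluginReport(nav) {
  // navigator.javaEnabled() reflects the browser's own Java setting.
  // A browser without the method is treated as having Java disabled.
  const javaEnabled =
    typeof nav.javaEnabled === 'function' ? Boolean(nav.javaEnabled()) : false;

  // navigator.mimeTypes is array-like (MimeTypeArray), so copy it into an array.
  const mimeTypes = Array.from(nav.mimeTypes || []).map(m => m.type);

  // A registered MIME type means a page could still try to instantiate the
  // plugin, even if javaEnabled() says otherwise, so report both signals.
  const javaMimeTypes = mimeTypes.filter(t => JAVA_MIME_TYPES.includes(t));
  const flashMimeTypes = mimeTypes.filter(t => t === FLASH_MIME_TYPE);

  return {
    javaEnabled,
    javaMimeTypes,
    flashMimeTypes,
    javaActive: javaEnabled || javaMimeTypes.length > 0,
    flashActive: flashMimeTypes.length > 0,
  };
}

// Human-readable verdict for the console.
function describe(report) {
  const java = report.javaActive
    ? 'Java is STILL reachable from web pages (javaEnabled=' + report.javaEnabled +
      ', mime types: ' + (report.javaMimeTypes.join(', ') || 'none') + ')'
    : 'Java is disabled';
  const flash = report.flashActive ? 'Flash plugin is registered' : 'Flash is disabled';
  return java + '; ' + flash;
}

// When run inside a browser, report on the real navigator object.
if (typeof navigator !== 'undefined') {
  console.log(describe(pluginReport(navigator)));
}
```

Both signals are the browser's own self-report. If either says Java is still reachable, revisit the browser's plugin settings; the authoritative end-to-end check remains loading a known applet test page such as the Verify Java Version page mentioned above and confirming that no applet runs.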

Disabling Flash, though it has fewer vulnerabilities than Java, will likely cause sites to load faster, since much more network/CPU is wasted by all the Flash ads that sites have these days. I disable Flash everywhere but Safari and run ClickToFlash (the 1.6b9 beta works fine) to selectively run Flash on video sites like Hulu and YouTube.

Disabling Java will not only increase security (by avoiding all the above-mentioned Java vulnerabilities) but it will increase performance as well because your browser won't waste any network time downloading Java applets, nor will it waste any CPU time running them.

Increase your browsing security and speed. Disable Java Now.