Java Primary Cause of 91 Percent of Attacks

Here is what Oracle Needs to do.
1. Find a better way to manage and install the stupid thing
2. Get rid of the Ask Toolbar
3. GET RID OF THE GOD DAMNED ASK TOOLBAR!!!
4. <TRANSFORMS INTO THE HULK> SMASH ORACLE FOR HAVING ME INSTALL TOOLBAR!!!
5. Write Better Code from the Start. They need to start over with Java 8.
 
Here is what Oracle Needs to do.
1. Find a better way to manage and install the stupid thing
2. Get rid of the Ask Toolbar
3. GET RID OF THE GOD DAMNED ASK TOOLBAR!!!
4. <TRANSFORMS INTO THE HULK> SMASH ORACLE FOR HAVING ME INSTALL TOOLBAR!!!
5. Write Better Code from the Start. They need to start over with Java 8.

+ A lot.
 
81% of attacks are caused primarily from Ask ToolBar revenge rage.
 
Here is what Oracle Needs to do.
1. Find a better way to manage and install the stupid thing
2. Get rid of the Ask Toolbar
3. GET RID OF THE GOD DAMNED ASK TOOLBAR!!!
4. <TRANSFORMS INTO THE HULK> SMASH ORACLE FOR HAVING ME INSTALL TOOLBAR!!!
5. Write Better Code from the Start. They need to start over with Java 8.

If you get Java from java.com, you get the ask toolbar install question.
If you get Java from oracle.com, you don't. It just installs Java, nothing else:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

Sadly, if you have Java updating automatically, it will give you the ask toolbar install question, even if you installed Java from oracle.com.
 
Is there any other alternative to Java for the web? Or standalone apps? That is also cross-platform between Windows, Linux, and OSX and mobile devices?

And, is more secure than Java?

This is where I'm at. I'm more concerned about the stand alone apps.

I would like to move to something "bigger" than interpreted languages, but I would like something that is platform agnostic (since I spend equal time on Windows/Linux/OSX) and can do some level of GUI. C# and VB are real popular and easy to get into, but are Windows. And C++ might be a little overkill for my needs.
 
Here is what Oracle Needs to do.
1. Find a better way to manage and install the stupid thing
2. Get rid of the Ask Toolbar
3. GET RID OF THE GOD DAMNED ASK TOOLBAR!!!
4. <TRANSFORMS INTO THE HULK> SMASH ORACLE FOR HAVING ME INSTALL TOOLBAR!!!
5. Write Better Code from the Start. They need to start over with Java 8.

32-bit windows:
[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft] "Sponsors"="Disable"

64-bit windows
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft] "Sponsors"="Disable"

This will completely disable prompts to install any stupid shit.
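
One way to apply and verify the registry value from the post above on a managed Windows machine (an added example, not part of the original post). It assumes an elevated prompt and Windows PowerShell 3.0 or later; writing the value to both registry views, rather than only the path listed for each Windows edition, is an assumption made here so that the result does not depend on whether the shell itself is 32-bit or 64-bit.

```powershell
# Added example: set "Sponsors"="Disable" under HKLM\SOFTWARE\JavaSoft and
# report what was there before. Key, value name and data are taken from the post.
$subKey = 'SOFTWARE\JavaSoft'
$name   = 'Sponsors'
$value  = 'Disable'

# On 64-bit Windows the Registry32 view is the Wow6432Node path from the post.
# On 32-bit Windows only one view exists, so only Registry32 is used.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views += [Microsoft.Win32.RegistryView]::Registry64
}

$report = foreach ($view in $views) {
    # OpenBaseKey pins the view explicitly, so a 32-bit shell on 64-bit
    # Windows is not silently redirected to Wow6432Node.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        # CreateSubKey opens the key writable, creating it if Java is not installed yet.
        $key = $base.CreateSubKey($subKey)
        try {
            $before = $key.GetValue($name, $null)
            $key.SetValue($name, $value, [Microsoft.Win32.RegistryValueKind]::String)
            [pscustomobject]@{
                View   = $view
                Before = if ($null -eq $before) { '<not set>' } else { $before }
                After  = $key.GetValue($name)
            }
        }
        finally { $key.Close() }
    }
    finally { $base.Close() }
}

# One row per registry view; "After" should read Disable in every row.
$report | Format-Table -AutoSize
```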
 
Here is what Oracle Needs to do.
1. Find a better way to manage and install the stupid thing
2. Get rid of the Ask Toolbar
3. GET RID OF THE GOD DAMNED ASK TOOLBAR!!!
4. <TRANSFORMS INTO THE HULK> SMASH ORACLE FOR HAVING ME INSTALL TOOLBAR!!!
5. Write Better Code from the Start. They need to start over with Java 8.

The issue is that is how they get money. People can't get by on free software, so a lot of things are free but then ask you to install this toolbar or desktop search or something like that.
 
32-bit windows:
[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft] "Sponsors"="Disable"

64-bit windows
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft] "Sponsors"="Disable"

This will completely disable prompts to install any stupid shit.

I think he's referring more to the initial install. The average user falls for it every time, so when a malware'd machine needs to be cleaned of all the java exploits, the ask toolbar must also be removed, along with Whitesmoke, Conduit, Smartbar, Webcake, Yontoo, etc etc etc. Let's just say the Ask Toolbar doesn't have the world's best uninstaller.

The worst PCs I see all have a Java version less than 7. The interesting part is, I see the same PCs often and I will remove an old Java version only to have another old version installed the next time I see it. That means the redirect malware people pick up (conduit, for one) points them at old versions of Java to download (with more open security holes) when they search for "Java" in their toolbar. Clever.
 
Here's a funny thing --

We have these Lexmark X340's or some model with similar numbers. These are multi-function printers; fax, scanning, copying. To use the scan function you have to do it through the web-interface of the printer from a computer. The twist? Java is required, but not only that, you can't use anything past version 7 update 45. Printer is using latest firmware. Lexmark is refusing to fix this.

Lexmark is out of the inkjet business, that's why.
 
I've always wondered about this: we all know that Java sucks balls, but does it suck balls because Oracle is pants-on-head retarded at coding it/just doesn't care if it works correctly or is secure, or does it suck balls because Java at its core is bad?
 
Lexmark is out of the inkjet business, that's why.
That includes laser printers too, yes? Could you provide me some links to some articles I could use to persuade the President of the company as a supplement to replacing the Lexmarks we have?
 
Java and Adobe flash/pdf viewer are some of the most badly written code with zero regards to security.

Minecraft, which is a poorly optimized jumble of code.

Tell me about it, I don't understand why they did not use (standard, not MS) C++/Open GL.
 
Java and Adobe flash/pdf viewer are some of the most badly written code with zero regards to security.



Tell me about it, I don't understand why they did not use (standard, not MS) C++/Open GL.
because Java will run on any platform and Java is easy to learn and code for (without any regards to security)? :D :rolleyes:

I think I remember Minecraft's maker (forgot his alias) having written an article about why he chose Java
 
I think I remember Minecraft's maker (forgot his alias) having written an article about why he chose Java

Notch:
I had been working primarily in Actionscript 3 and Java for five years when I started work on Minecraft and chose the language I felt most comfortable with. Specifically, my favorite tool in Java is hot code swapping in debug mode, meaning I can edit the code while the game is running and immediately see the results in the running game. This is super great for rapid tweaking. Java is not the fastest language out there, but I doubt I would’ve finished Minecraft if I did it in a language I enjoyed less, so I’m happy with the choice. Of course, when it came to putting the game on other platforms, we had to port large portions of the codebase — once for mobile phones, and then we had help from 4j to port it for XBLA.

source: http://venturebeat.com/2012/07/31/n...game-development-and-the-gender-of-his-beard/
 
Here is what Oracle Needs to do.
1. Find a better way to manage and install the stupid thing
2. Get rid of the Ask Toolbar
3. GET RID OF THE GOD DAMNED ASK TOOLBAR!!!
4. <TRANSFORMS INTO THE HULK> SMASH ORACLE FOR HAVING ME INSTALL TOOLBAR!!!
5. Write Better Code from the Start. They need to start over with Java 8.

3 is solved by downloading the JRE at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

Alternatively, uncheck the install ask tool bar.
 
If you get Java from java.com, you get the ask toolbar install question.
If you get Java from oracle.com, you don't. It just installs Java, nothing else:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

Sadly, if you have Java updating automatically, it will give you the ask toolbar install question, even if you installed Java from oracle.com.

Are you sure about that? I'd swear that my updates to JRE's from javasoft.com (same as link above), do not install a toolbar. I certainly don't have one and I never see the ask toolbar. With that said, I also never install browser plugin, and if you remove that, it eliminates most issues. If you need it for work, then install the plugin in one browser and use that browser for those internal apps.

Alternatively you can run an XP VM for those apps and never save changes to the VM (unless you just applied patches). I do both of those (at work and at home). I'm sure I'm not totally safe from attacks, but I bet I'm more at risk from flash than I am from java.
 
The issue is that is how they get money. People can't get by on free software, so a lot of things are free but then ask you to install this toolbar or desktop search or something like that.

It's an Oracle thing. I don't think we ever had that until Oracle bought Sun. And Oracle has also tried to go back on some of the licensing for Java (though I think they lost that battle). I'm too lazy to look up the business model for Java, but I'm fairly certain that Oracle doesn't lose money on it.
 
This is where I'm at. I'm more concerned about the stand alone apps.

I would like to move to something "bigger" than interpreted languages, but I would like something that is platform agnostic (since I spend equal time on Windows/Linux/OSX) and can do some level of GUI. C# and VB are real popular and easy to get into, but are Windows. And C++ might be a little overkill for my needs.

Exactly.

I don't see any alternative to Java from what I can tell. If going by the users who replied in this thread, you have companies using them in payrolls and clock-in to managing routers and other hardware.

The closest I can think of is .NET but that's not cross-platform or platform agnostic. And, support varies with the Mono .NET implementation for Linux.

What's needed is for Oracle to scrap the current codebase for Java. How old is that damn thing now? It's probably as old as Flash and ActionScript.

Scrap the entire thing and reconstruct it from the ground up. Implement security features from the start, allow backwards compatibility to legacy Java apps but in a sandbox, and improve resource usage and software stability.
 
I've always wondered about this: we all know that Java sucks balls, but does it suck balls because Oracle is pants-on-head retarded at coding it/just doesn't care if it works correctly or is secure, or does it suck balls because Java at its core is bad?

It was bad before Oracle got ahold of it, they just never made it any better.

It's an Oracle thing. I don't think we ever had that until Oracle bought Sun. And Oracle has also tried to go back on some of the licensing for Java (though I think they lost that battle). I'm too lazy to look up the business model for Java, but I'm fairly certain that Oracle doesn't lose money on it.

I seem to think it was there before. On top of that Oracle isn't the only one that does this so it isn't just an Oracle thing. Adobe pushes tool bars on you. Various other free programs I use ask you to please install a toolbar or google desktop or something like that along with their program during the install process to help keep their program free. HP drivers install the yahoo toolbar by default.
 
It was bad before Oracle got ahold of it, they just never made it any better.



I seem to think it was there before. On top of that Oracle isn't the only one that does this so it isn't just an Oracle thing. Adobe pushes tool bars on you. Various other free programs I use ask you to please install a toolbar or google desktop or something like that along with their program during the install process to help keep their program free. HP drivers install the yahoo toolbar by default.

I was only referring to Java, and I really don't think it existed prior to the acquisition, but it's possible that I never got the consumer JRE (though unlikely).

Adobe is far worse, because you now have to uncheck the box when you download Flash. And nobody can say that Adobe doesn't make money from Flash. The player may not make money, but their tools are expensive.
 
I was only referring to Java, and I really don't think it existed prior to the acquisition, but it's possible that I never got the consumer JRE (though unlikely).

Adobe is far worse, because you now have to uncheck the box when you download Flash. And nobody can say that Adobe doesn't make money from Flash. The player may not make money, but their tools are expensive.

The Java side might have only started after Oracle took over, I really don't pay much attention to that. It all just kind of blurs together as to when I did or didn't have to uncheck a box.

However your comment here just proves what I was stating in the first place. My comment there was not aimed at only java but all programs. This is a common practice used by many nowadays unfortunately for them to try to make money off free software.
 
The Java side might have only started after Oracle took over, I really don't pay much attention to that. It all just kind of blurs together as to when I did or didn't have to uncheck a box.

However your comment here just proves what I was stating in the first place. My comment there was not aimed at only java but all programs. This is a common practice used by many nowadays unfortunately for them to try to make money off free software.

Well of course they do. In most cases, I don't mind, because aside from donations there's no revenue stream. For Java and Adobe Flash, that's not the case.

And truth be told, I don't care that much about Java. Adobe bugs me because the check mark is no longer in the installer, so it's easy to miss. Then again, most users probably don't do a custom install by default, so perhaps Adobe's new method is more obvious to the average user.
 
I've always wondered about this: we all know that Java sucks balls, but does it suck balls because Oracle is pants-on-head retarded at coding it/just doesn't care if it works correctly or is secure, or does it suck balls because Java at its core is bad?

Because when you get down to it, despite how they've tried to spin it, Java was not made with the web in mind. Sure they did some things to try to make it safe but some of the current problems come from choices that were made in the early 90s when the most people expected was wan access, not internet access.
 
This percentage has gone WAY up as security guru Steve Gibson said on episode #400 of "Security Now":

Kaspersky looked at the statistics and said that Java was the vehicle for 50 percent of all cyberattacks last year (2012) in which hackers broke into computers by exploiting software bugs. And that 50 percent was followed by Adobe Reader, which was involved in 28 percent of these incidents. And then Kaspersky says, to give us some more perspective, Microsoft Windows and IE were involved in about 3 percent.

Going from 50% to 91% is stupidly ridiculous!!
 
Because when you get down to it, despite how they've tried to spin it, Java was not made with the web in mind. Sure they did some things to try to make it safe but some of the current problems come from choices that were made in the early 90s when the most people expected was wan access, not internet access.

Early 90s? Java didn't come out until 95 (Q2 as I recall) and I don't think you could applets at that time.

Regardless, there are very few sites that require java. I have a JRE installed (though I can't recall what app needs it), but the applet plugin is not installed and/or is disabled. Applets are OK at work, but I don't run them on my primary browser.
 
Sounds far more reasonable too. I didn't realize acroreader was that bad. I use an alternative (because acro reader is too big/slow).

Yeah Windows (and other OSs) have been pretty secure on their own so the attacks have not been through the OS anymore but have had to start targeting 3rd party applications like java, flash, and adobe reader.
 
Yeah Windows (and other OSs) have been pretty secure on their own so the attacks have not been through the OS anymore but have had to start targeting 3rd party applications like java, flash, and adobe reader.

That I knew, but I haven't used acrobat in 7 years, so I don't pay attention to the threats...flash is another story, as is java. It's also why I run Secunia's PSI
 
Early 90s? Java didn't come out until 95 (Q2 as I recall) and I don't think you could applets at that time.

Regardless, there are very few sites that require java. I have a JRE installed (though I can't recall what app needs it), but the applet plugin is not installed and/or is disabled. Applets are OK at work, but I don't run them on my primary browser.

It didn't come out until 95, but the original concept and ground work started in 1991 long before the web became mainstream. And applet capability was there, just that browsers didn't really support that until later that year.
 
Eliminating JAVA will just move the exploits to other programs. Will everyone then be all Death to XXX then as well? Java has a large install base making it easy pickings. If you think getting rid of it will stop 91% of attacks, you're dead ass wrong. They will just move on to the next largest install base.

Bullshit. That's a very flawed line of thinking. There are so many issues because it's so insecure. Yes the efforts would move to other things if Java died but it wouldn't be near as bad.
 