#1 2013-01-14 01:10:25

TobyJamesJoy
Member
From: Melbourne, Australia
Registered: 2012-06-13
Posts: 24
Website

What to do about java web-plugin vulnerability. [resolved]

Hi, I've been reading several stories this morning about a recently discovered security hole in the java web-plugin. Apparently OS X is pushing through updates to disable it and Microsoft recommends a similar course of action. It seems to be a fairly critical exploit.

My question is, does this vulnerability affect users of openJDK/icedtea?
If so, what course of action should we Archers take - "pacman -Rns icedtea-web-java7" ?

Last edited by TobyJamesJoy (2013-01-14 11:55:54)

Offline

#2 2013-01-14 01:47:33

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: What to do about java web-plugin vulnerability. [resolved]

You can just use NoScript/RequestPolicy or some other Java/Flash disabling plugin.
I generally find openJDK/IcedTeaWeb to have problems of its own, since it isn't sun java.

Last edited by nomorewindows (2013-01-14 01:48:20)


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#3 2013-01-14 01:51:16

TobyJamesJoy
Member
From: Melbourne, Australia
Registered: 2012-06-13
Posts: 24
Website

Re: What to do about java web-plugin vulnerability. [resolved]

Ok, cool, thanks for that, I'll check it out.

I'm still wondering however whether this most recent vulnerability applies only to oracle java or if openJDK/icedtea is an issue too.

META-EDIT: Sorry, I missed your edit, what issues do you find with the open-source versions? Security issues? I've never been lacking for performance as far as I can tell with open source java.

Last edited by TobyJamesJoy (2013-01-14 01:55:04)

Offline

#4 2013-01-14 07:40:57

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: What to do about java web-plugin vulnerability. [resolved]

I don't know if these specific vulnerabilities are in OpenJDK and icedtea, however I just assume there are many vulnerabilities in Java.

In Firefox, you can go to Tools -> Add-ons -> Plugins and disable the IcedTea Java plugin. Then if you ever need it, re-enable it for a short time, do your work, and disable it again.

Yes, I agree 100% NoScript Firefox Add-on is critical for browser security. It does take some getting used to, because it will break 80% of websites until you selectively allow scripts to run from their URLs. Like you'll get the hang of noticing what URLs to allow scripts from, i.e. if you see cdn.site.com or images.site.com and the website is not working like it should, try to temporarily allow scripts from there and if it fixes the site then permanently allow them.


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#5 2013-01-14 09:23:40

TobyJamesJoy
Member
From: Melbourne, Australia
Registered: 2012-06-13
Posts: 24
Website

Re: What to do about java web-plugin vulnerability. [resolved]

Thanks for the tips, guys. I use chromium and found that you can manage your plugin settings by running "chrome://plugins" in the address bar.

I also had a try of NotScripts, which is supposed to be a NoScript chrome equivalent, but that really, really slowed my browser down and even whitelisted urls lost an unacceptable degree of functionality. This was immediately remedied by disabling the extension.

Is that the normal experience for firefox users or is this a chromium/extension specific issue?
Do any chromium users have recommendations for script blocking extensions?

Offline

#6 2013-01-14 09:26:40

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: What to do about java web-plugin vulnerability. [resolved]

Oracle has pushed out a fix already (Java 7 update 11).


ᶘ ᵒᴥᵒᶅ

Offline

#7 2013-01-14 11:55:03

TobyJamesJoy
Member
From: Melbourne, Australia
Registered: 2012-06-13
Posts: 24
Website

Re: What to do about java web-plugin vulnerability. [resolved]

I discovered the ScriptSafe (formerly known as ScriptNo) plugin which is a far more mature and functional alternative to NotScripts and it seems to be doing the job.

As litemotiv has noted the fix is already being pushed, so I'll be marking this as resolved. Thanks for your help helpful Archers.

Offline

#8 2013-01-14 12:07:17

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: What to do about java web-plugin vulnerability. [resolved]

litemotiv wrote:

Oracle has pushed out a fix already (Java 7 update 11).

They only fixed like 3 of like 27 vulnerabilities.


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#9 2013-01-14 12:09:43

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: What to do about java web-plugin vulnerability. [resolved]

TobyJamesJoy wrote:

I discovered the ScriptSafe (formerly known as ScriptNo) plugin which is a far more mature and functional alternative to NotScripts and it seems to be doing the job.

As litemotiv has noted the fix is already being pushed, so I'll be marking this as resolved. Thanks for your help helpful Archers.

Ya, NoScript and AdBlock Plus basically only really work in Firefox. It has something to do with the APIs needed not being available in chrome.


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#10 2013-01-14 14:59:59

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: What to do about java web-plugin vulnerability. [resolved]

I was working on a java site that uses its own player, and the thing wouldn't work with openjdk/icedteaweb.  I had to find some instructions from the Ubuntooslow forum, and it was even simpler in Arch.  I just had to remove icedteaweb, and unpack sun's java (jre) into /opt and then link the plugin file to it inside ~/.mozilla/plugins and then it all worked correctly.  So there's probably some structures incompatible in openjdk that vary from official java.  You can leave the openjdk/openjre installed.  Some of the sites were complaining that icedteaweb was getting too old.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline
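An added example, not part of any post in this thread: a small audit that lists the Java plugin files a Firefox-style browser would load and resolves symlinks such as the one described in the post above, so a hand-unpacked JRE under /opt (which pacman will never update) is easy to spot. The plugin file names libnpjp2.so and IcedTeaPlugin.so and the system-wide directory /usr/lib/mozilla/plugins are assumptions; ~/.mozilla/plugins is from the thread.

```shell
#!/bin/sh
# Added example: audit NPAPI plugin directories for Java plugins.
# Assumed plugin file names: libnpjp2.so (Oracle/Sun JRE), IcedTeaPlugin.so (icedtea-web).

# owner_of FILE: package owning FILE according to pacman,
# "unowned" if no package owns it, "unknown" if pacman is not installed.
owner_of() {
    if command -v pacman >/dev/null 2>&1; then
        pacman -Qqo "$1" 2>/dev/null || printf 'unowned\n'
    else
        printf 'unknown\n'
    fi
}

# find_java_plugins DIR...
# Prints one line per Java plugin found: "<plugin path>|<resolved target>|<owner>".
find_java_plugins() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            # -e is false for dangling symlinks, so also accept -L
            [ -e "$f" ] || [ -L "$f" ] || continue
            case "$(basename "$f")" in
                libnpjp2.so|IcedTeaPlugin.so)
                    # Follow the symlink to the JRE that would actually be loaded
                    target=$(readlink -f "$f" 2>/dev/null || printf '%s' "$f")
                    printf '%s|%s|%s\n' "$f" "$target" "$(owner_of "$target")"
                    ;;
            esac
        done
    done
    return 0
}

# Default run: the per-user directory from the thread plus the assumed system-wide one.
find_java_plugins "$HOME/.mozilla/plugins" /usr/lib/mozilla/plugins
```

A line whose owner column reads "unowned" points at a JRE installed outside the package manager, which has to be updated by hand.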

#11 2013-01-14 15:48:19

t0m5k1
Member
From: overthere
Registered: 2012-02-10
Posts: 324

Re: What to do about java web-plugin vulnerability. [resolved]

nomorewindows wrote:

  Some of the sites were complaining that icedteaweb was getting too old.

icedtea web java is built off of java 1.7.09 & all the online java tests will tell you it is out of date because of that.


ROG Strix (GD30CI) - Intel Core i5-7400 CPU - 32Gb 2400Mhz - GTX1070 8GB - AwesomeWM (occasionally XFCE, i3)

If everything in life was easy, we would learn nothing!
Linux User: 401820  Steam-HearThis.at-Last FM-Reddit

Offline

#12 2013-01-14 19:01:08

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: What to do about java web-plugin vulnerability. [resolved]

t0m5k1 wrote:
nomorewindows wrote:

  Some of the sites were complaining that icedteaweb was getting too old.

icedtea web java is built off of java 1.7.09 & all the online java tests will tell you it is out of date because of that.

That's why I found my above-mentioned solution to be workable.  Downloading the jre separately and removing icedtea-web plugin and symlinking the older npip plugin to the jre.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#13 2013-01-16 14:17:43

superpronker
Member
Registered: 2012-08-20
Posts: 6

Re: What to do about java web-plugin vulnerability. [resolved]

I don't understand much about how these security holes work and don't work but can anyone tell me if it's a viable strategy to use chrome for everyday browsing and then use firefox _only_ to go to my online bank (which uses java)?

Offline

#14 2013-01-16 16:20:45

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: What to do about java web-plugin vulnerability. [resolved]

superpronker wrote:

viable strategy

Use privoxy to disable java by default, and enable it for the sites you specify.

I also use AppArmor, to restrict firefox and its plugins (which includes Java of course).

Offline

#15 2013-01-16 19:49:01

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: What to do about java web-plugin vulnerability. [resolved]

superpronker wrote:

I don't understand much about how these security holes work and don't work but can anyone tell me if it's a viable strategy to use chrome for everyday browsing and then use firefox _only_ to go to my online bank (which uses java)?

Switch banks.

(seriously, i just boycott anything that uses stuff like Java)


ᶘ ᵒᴥᵒᶅ

Offline

#16 2013-01-17 18:25:14

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: What to do about java web-plugin vulnerability. [resolved]

litemotiv wrote:
superpronker wrote:

I don't understand much about how these security holes work and don't work but can anyone tell me if it's a viable strategy to use chrome for everyday browsing and then use firefox _only_ to go to my online bank (which uses java)?

Switch banks.

(seriously, i just boycott anything that uses stuff like Java)

Iron contends to be on the same open source project as chromium but without the big brother google features. 
Java seems to be a swiss army knife as far as programming language goes.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#17 2013-01-17 18:31:08

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: What to do about java web-plugin vulnerability. [resolved]

nomorewindows wrote:

Java seems to be a swiss army knife as far as programming language goes.

And swiss cheese as far as security goes?


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#18 2013-01-17 19:52:17

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: What to do about java web-plugin vulnerability. [resolved]

C/C++ is still the standby, sometimes can convert C/C++ programs without too much trouble into Java (at least the computational parts).  To use the GUI/graphics/interactive part, then have to "learn" Java.  Applets are kind of limited.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#19 2013-01-19 15:40:05

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: What to do about java web-plugin vulnerability. [resolved]

I spent a few more hours, locking down (even more) java in firefox using AppArmor. Here's my AppArmor profile, if anyone's interested - it can be used as a base, to customize.

Offline

#20 2013-08-12 23:10:18

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: What to do about java web-plugin vulnerability. [resolved]

This is annoying.   If you need javaws to run java web start, you have to install icedtea web which causes problems with your regular java that can be had by removing icedtea web and having to download the real java from java.com.  Then if you try to disable icedtea web from firefox it also disables your regular java plug-in.  Then even if you set it at ask, it only asks about the icedteaweb plugin which messes up your java.  @$#%#%  Is there any way to disable icedtea web without having to reinstall it (with pacman) when I want to use javaws?  It used to work in dwb, or luakit without icedteaweb, but now they just sit there and look stupid at me.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline
