It's time to run Java out of town (Java accounts for more Windows infections than any other source)

I've been railing about Java for years, but enough is enough. Java exploits top all other infection vectors, on any platform, year after year. Oracle has shown repeatedly that it's organically incapable of keeping the Java Runtime Environment secure. If your company makes Java apps, either for internal use or for release to an unsuspecting world, it's time to stop. If your clients are using Java, it's time to give them the tools and the support they need to block Java.

No doubt you've heard about the Flashback Trojan/virus. You might not have heard that Kaspersky now has hard, cold details on 670,000 infected Macs -- that isn't an estimate, it isn't an extrapolation, it isn't some sky-is-falling scare tactic. The folks at Kaspersky have ID numbers for 670,000 Macs that are actively participating in the Flashback botnet.

Windows users shouldn't be feeling complacent or smug. The Java holes used to infect those Macs also appear in Windows versions of Java. We just dodged the bullet this time because the Flashback author(s) decided to pick on Macs.

There's a lot of misinformation floating around about the nature of the Flashback onslaught. Flashback started out as a Trojan last September. It tricked Mac users into installing the Trojan by disguising itself as an update to Flash.

Sometime in February, the Flashback author(s) then upgraded their infection routines to take advantage of old Java security holes, ones that were patched in 2009 and 2011. Intego describes this February variant, Flashback.G, as a three-way infector. If you use Safari and go to an infected site, and you have Java enabled but one of the old Java security holes hasn't been patched, you can get hit with a drive-by infection -- you don't need to lift a finger and your Mac gets pwned. If the Flashback.G infector finds that you have installed both of the old Java patches, it simply asks if it's OK to install the payload. The Mac installation dialog box says the content is signed by "Apple Inc" but "the digital signature of this certificate could not be verified."

By and large, Windows users are savvy enough to walk away from a warning like that. But many Apple users aren't quite so experienced, or damaged, or inured. Many of them took the bait.

Now you understand why some places say Flashback is a Trojan and others identify it as a virus. In fact, it's both.

The big brouhaha this past week involves yet another refinement of the Flashback infector, generally identified as Flashback.K to Flashback.N, depending on whose numbering system you follow. This variant takes advantage of a relatively new drive-by hole in Java, identified as CVE-2012-0507. Prior to April 3, if you were using Safari and had Java enabled on your Mac and you ventured to an infected website, your machine got taken. No questions asked.

On April 4, Apple issued a patch for Java that was supposed to block this latest Flashback infection vector. Apparently it didn't cover all the bases because Apple issued a second patch on April 6. Apple was widely criticized for dragging its feet on this patch because Oracle had patched the same hole for Windows users back on Feb. 17. Apple's facing even more criticism because the patch only works on OS X Snow Leopard or Lion. If you're running an older version of Mac OS, such as Tiger or Leopard, your tail's hanging in the wind.

Apple doesn't bundle Java with any of its products any more -- and hasn't done so since OS X Lion -- but many Mac owners find themselves installing Java manually when they go to a website that requires (or requests) Java.

Oddly, Flashback doesn't even try to infect Mac systems with antivirus products Little Snitch, Virus Barrier, iAntiVirus, Avast, ClamXav, HTTP Scoop, or Packet Peeper installed. And it won't infect Macs that have Apple's free Xcode development environment installed.

If you want to see whether your Mac is actively participating in the Flashback botnet, go to the Kaspersky verification site and run your UUID through its lookup routine.

The Flashback payload appears to move in two directions. First, it scrapes log-in IDs and passwords from the Safari browser. Second, it redirects search engine results.

Security researcher Brian Krebs has been recommending for years that people turn off Java and enable it only when they absolutely have to run it. Many sources peg Java as the primary source of Windows infections over the past two years, including this Virus Bulletin 2011 presentation and a Virus Bulleting analysis of infections delivered by exploit kits.

One way to protect your computer is to use two different browsers -- one with Java enabled, the other without -- and only haul out the Java-jinxed browser when absolutely necessary. The other approach is to uninstall or disable Java in the browser you use and reinstate it only when you have no other options.

The easiest way I've found to manage Java is through the NoScript add-in for Firefox -- in fact, that's the primary reason I use Firefox as my main browser for both Windows and Mac. If you prefer Chrome, disabling Java takes only a few clicks. Instructions for disabling Java in Internet Explorer or Safari -- or allowing Java (to support, say, OpenOffice) but disabling it in the browser, are availabe on the Microsoft and Apple sites.

But that only treats the symptoms. To get rid of Java as the world's foremost computer infection vector, we simply have to get rid of Java. Yes, it's installed on 3 billion computers. Yes, many companies rely on Java -- just as they relied on ActiveX technology not so long ago. The lamentable fact is that Java's rotten to the core, and Oracle's done nothing to improve its trustworthiness. IT departments need to get on the bandwagon and run Java out of town.

The author then (in the interest of being "fair and balanced"), writes another article excoriating Java's rival -- .NET.

See here

It's time to run .Net out of town

I don't know what it is about Microsoft and .Net Framework patches, but it seems that every time we have a sizable .Net patch, it doesn't work on enormous numbers of PCs.

So it was again this week. For reasons unknown and unexplained, Microsoft pushed three .Net patches -- KB 2518864 (MS11-044, June 2011), KB 2572073 (MS11-078, October 2011), and KB 2633880 (MS12-016, February 2012) -- out the Windows Update chute. If you happen to be running Windows XP or Windows Server 2003, with .Net Framework 2.0 SP2 or 3.5 SP 1, and if you're naive enough to leave Automatic Updates turned on, you probably got nailed with a yellow alert icon that says, "Some updates could not be installed." Click through the alert and you see that Automatic Update couldn't install any of the three patches.

I know some admins who have hundreds of customers with yellow alert icons.

Microsoft has assiduously avoided explaining why so many PCs and servers were affected, and only recently have users been able to piece together a workaround. Support forums all over the world are ablaze with complaints and questions.

Yesterday, Microsoft yanked the patches. If you're staring at a yellow warning icon (or if you have scores of customers who are so bedeviled), having the patch yanked may or may not solve your problems. With a lot of help from afflicted Windows XP users and one Microsoft tech, I've come up with five possible remedies for the nagging yellow icon on my AskWoody site, ranging from easy to drastic.

If this is starting to sound like last month's .Net Framework patching debacle, where many people couldn't print their TurboTax forms over the tax weekend, the similarities are uncanny. But they're par for the course with .Net Framework patches. In the past year, I've seen problems with all these .Net patches:

May 2012: MS12-025/KB 26563638 .Net 4 patch, released via Automatic Update, pulled by Microsoft.
May 2012: MS12-025/KB 2656373 .Net 3.5.1 patch, released via Automatic Update, pulled by Microsoft.
February 2012: MS12-016/KB 2651026 .Net 2, 3.5.1, and 4 patches, multiple problems on XP systems, including ATI card control panel software Blue Screen of Death, widespread installer failures.
August 2011: MS11-069/KB2533523 .Net 4 patch, released via Automatic Updates, pulled by Microsoft.
August 2011: MS11-066/KB2487367 .Net 2 patch, released via Automatic Updates, pulled by Microsoft. Keeps reinstalling.
June 2011: MS11-039 and MS11-044, many kilobytes. Enormous array of problems, many of which can't be undone, require removing and reinstalling .Net.

Now we get to add the three new ones, which have been pulled by Microsoft.

I can't even figure out why Microsoft pushed the patches. Microsoft did release a security notification that details changes to three Security Bulletins, MS11-100, MS12-034, and MS12-035. None of those cover the patches that went haywire yesterday, but the revisions mention, "This is a detection change only." Whether the notification has anything to do with the botched patches remains to be seen, but it's the only patch notification that's come out in recent days. If the security notification isn't related to the repushed updates, why did Microsoft push them? They appeared completely unannounced, with no warning whatsoever. And they're buggy as can be -- as befits .Net patches.

Last month, I brought down a firestorm of complaints for saying that it's time to run Java out of town. Sun's (and then Oracle's) inability to keep the Java Runtime Environment patched has driven Java to the top of the infection vector list for Windows systems. Recently, it made the Mac vulnerable. Java deserves to go.

Well, Microsoft, it's time to run .Net out of town, too -- at least the older versions. Why on earth did you make your versions so backwardly incompatible that many Windows customers are forced to run multiple copies of .Net? Right now, almost any well-worn Windows PC sports a copy of .Net Framework 4, .Net Framework 3.5, and .Net Framework 2.0. Some of them also have .Net Framework 3.0 and 1.1. What's wrong with this picture?

If Microsoft can't clean up the .Net mess, it's time to move on to a better technology.

RE: Oracle and Java

Ever since Oracle acquired Sun Microsystems last year, Java community members have worried that the database giant would attempt to seize control of the Java platform. The effort to transform Java into an open source, standards-based platform driven by industry-wide consensus and collaboration was long and arduous.

Oracle has never been one to share its markets willingly, and Oracle CEO Larry Ellison made no bones about what he saw as Sun’s failure to capitalize on its Java technology.

And Sure enough, over recent months Oracle has launched its campaign in earnest.

First, it announced an agreement with IBM to collaborate on Oracle’s OpenJDK as the primary open source Java SE implementation, at the apparent expense of the rival Apache Harmony project.

Next it tried to stack the deck of the Java Community Process (JCP) in its own favor by appointing a ringer — a hitherto unheard-of Oracle customer called Hologic — for a position on the JCP Executive Committee.

Now Oracle has announced plans to offer a “premium,” commercial version of the JVM to enterprise customers, including unspecified enhancements that won’t be shared with the community-built version.

So, The Apache Software Foundation (ASF), one of the most important contributors of open source Java tools and frameworks, has issued an ultimatum demanding that the JCP enforce the ASF’s rights as a fair and equal participant in the Java specification process.

The ASF is not the first to object to Oracle’s aggressive, bullying tactics in the Java community. Prominent contributor David Lea withdrew from the JCP Executive Committee last month, claiming, “I believe that the JCP is no longer a credible specification and standards body, and there is no remaining useful role for an independent advocate for the academic and research community on the [executive committee].”

Things don’t bode well if this is what happens when Oracle takes over Java.

On the other hand, Microsoft seems to be going the right direction with their open source — MONO project, which has now successfully ported the .NET platform to LINUX, SOLARIS, ANDROID, IOS, OS X, and some for game consoles such as PlayStation 3, Wii, and Xbox 360.

In fact, Microsoft’s policy for Open Source developers is this — HOW CAN WE HELP TO MAKE .NET MORE OPEN?

The folks at the Open Source Mono project in fact have an office at Microsoft’s HQ.

Things are starting to look interesting from here...

For those of you who program in other language, here is one main difference between Java and its rival, .NET -— Although both are supposed to be write-once-run-anywhere platforms, you MUST LEARN Java to run on a machine installed with the Java Virtual Machine (JVM), while you DON’T need to learn a new language to run .NET on a CLR-enabled machine.

The design of .NET is such that programmers of ANY language can rebuild (recompile) their application and it will re-assembled the result to .NET Intermediate language, that will allow it to run on ANY .NET machine.

So, to COBOL, PASCAL, ADA, FORTH, MODULA 2, SMALLTALK, C/C++ etc. programmers out there, your life just got easier.

Here is a list of all the programming languages the .NET platform supports — click on the following link :

http://www.dotnetpowered.com/languages.aspx

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.