Wednesday, September 5, 2012

Con te partirò, Java?

When I first read this article exactly six weeks ago, I was thinking, "C'mon, yet another marketing stance to promote .NET." Fast forward to today: we have learned of a shameful (sorry, painful) disclosure made on Pastebin, the very same (or just a variant) of what Matt Oh mentioned, where AtomicReferenceArray (CVE-2012-0507) was used to exploit one three-letter Special Agent's notebook.

With the recent spate of Java vulnerabilities, every network security person is now well beyond the 'concerned' state. Firefox 15 and 16 disable affected, unpatched Java plugins as soon as they are installed. Users are required to update should they (really) need to use those plugins. Don't be shy about periodically checking your Firefox plugins. Another noteworthy resource, Rapid7's www.isjavaexploitable.com, runs its own Java test to determine whether your browser has the necessary updates.

If you see something like this, you can sleep easy (for today).

Besides relying on users to check for updates, let's do a reality check: do we really need Java?

As Chester Wisniewski of Sophos described, most consumers do not need the JRE; it is mainly corporate users who need it for WebEx and GoToMeeting to work. That article also outlined some useful workarounds to protect against further vulnerabilities. In enterprise environments there was chaos: new IPS updates were received last week, and two days later new vulnerabilities were discovered.

Last time, Apple decided to disable Java with its new patch. Users will need to enable it, and if it isn't used for some time, it will go back to 'sleep'.

When Andrew Brandt weighed in on the epic weakest link in current security, using Fort Knox as an example, I would have said the same thing.

So long, Java. See you when I see you!!!