Bitcoin Forum
Topic: Very Important Security Update for Java
da2ce7 (OP)
February 02, 2013, 12:15:41 AM, #1

http://www.esecurityplanet.com/patches/oracle-responds-to-java-security-flaws-with-50-fixes.html

If you are on Windows, go to Programs and Features and uninstall all "Java".

If you still need Java, you can get the latest version from here:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

One off NP-Hard.
"With e-currency based on cryptographic proof, without the need to trust a third party middleman, money can be secure and transactions effortless." -- Satoshi
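A defender-side check to go with the OP's advice, added here as an example and not part of the thread: it lists what the NPAPI Java browser plugin conventionally leaves behind on Linux and macOS Firefox setups and reports whether a JRE is still on the PATH, so you can confirm that the uninstall actually removed the browser-facing part. The plugin file names (libnpjp2.so, JavaAppletPlugin.plugin) and the directory list are the conventional locations as I know them, not something the thread gives; pass your own plugin directories as arguments if yours differ.

```shell
#!/bin/sh
# java-plugin-check.sh: added example, not from the thread.
# Confirms that the NPAPI Java browser plugin is no longer registered and
# reports whether a JRE is still on the PATH. File and directory names are
# the conventional Linux/macOS NPAPI locations (an assumption); pass your own
# plugin directories as arguments to override them.

# Conventional directories where the Java plugin gets registered (assumption).
default_plugin_dirs() {
    printf '%s\n' \
        "$HOME/.mozilla/plugins" \
        /usr/lib/mozilla/plugins \
        /usr/lib64/mozilla/plugins \
        /usr/lib/firefox/plugins \
        "/Library/Internet Plug-Ins" \
        "$HOME/Library/Internet Plug-Ins"
}

# find_java_plugins DIR...
# Prints every Java plugin file found in DIR... (one path per line).
# Returns 0 if at least one was found, 1 if none.
find_java_plugins() {
    found=1
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d/libnpjp2.so" "$d/JavaAppletPlugin.plugin" "$d"/libjavaplugin*.so; do
            # -e follows symlinks and misses a dangling one; -L catches it too,
            # because a leftover symlink is still a plugin registration.
            if [ -e "$f" ] || [ -L "$f" ]; then
                printf '%s\n' "$f"
                found=0
            fi
        done
    done
    return $found
}

# jre_on_path: prints the first line of `java -version`, or a note if no JRE.
# Returns 0 if java is present, 1 if not.
jre_on_path() {
    if command -v java >/dev/null 2>&1; then
        java -version 2>&1 | head -n 1
        return 0
    fi
    echo "no java on PATH"
    return 1
}

# main [DIR...]: returns 0 when no plugin is registered, 1 when one still is.
main() {
    if [ "$#" -eq 0 ]; then
        # Read the default list line by line so paths with spaces survive.
        old_ifs=$IFS; IFS='
'
        set -- $(default_plugin_dirs)
        IFS=$old_ifs
    fi
    echo "JRE: $(jre_on_path)"
    if hits=$(find_java_plugins "$@"); then
        echo "Java browser plugin still registered:"
        echo "$hits"
        return 1
    fi
    echo "No Java browser plugin found in the checked directories."
    return 0
}

# Usage: sh java-plugin-check.sh [PLUGIN_DIR...]
main "$@" || echo "Remove the files listed above, then re-run this check." >&2
```

The check deliberately counts a dangling symlink as a hit: the uninstaller removing the JRE directory but leaving the symlink in the plugin directory is the common way a "removed" plugin stays registered.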
mjc
February 02, 2013, 02:07:00 AM, #2

Even the latest version of Java is vulnerable. It seems every time they fix it, another group breaks it. These are just the vulnerabilities which research groups are informing the public about. Now that it has been broken so many times it is better to just stay away. This is coming from a long-time Java developer. I'm more fearful of the vulnerabilities that have not been announced.


Kindle : Bitcoin Step by Step (2nd Ed) : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Kindle : Bitcoin Mining Step by Step : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Facebook :  https://www.facebook.com/BitcoinStepByStep     Twitter : @BitcoinSbS
Phinnaeus Gage
February 02, 2013, 02:24:06 AM, #3

If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."
mjc
February 02, 2013, 02:41:53 AM, #4

Quote from: Phinnaeus Gage
If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."

In short yes.

www.us-cert.gov/cas/techalerts/TA13-032A.html (posted 4 hours ago). These warnings have been coming out for the past few months. Attackers have found vulnerabilities that, when exploited, allow an attacker to remotely execute code on your computer. Every time Oracle fixes one, more critical vulnerabilities are found and reported.

Possible attacks are endless, but loading of trojans, keyloggers, and scanners for wallet.dat files are just a few of the threats you are faced with.

Use at your own risk.

debianlinux
February 02, 2013, 02:52:21 AM, #5

Quote from: Phinnaeus Gage
If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."

Java != Javascript
theymos (Administrator)
February 02, 2013, 02:52:32 AM, #6

Oracle should scrap the Java browser plugin. It's rarely used nowadays anyway.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
cypherdoc
February 02, 2013, 03:02:14 AM, #7

Quote from: debianlinux
Quote from: Phinnaeus Gage
If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."

Java != Javascript

So does this mean that bitaddress.org, based on JavaScript, is still secure?
debianlinux
February 02, 2013, 03:10:49 AM, #8

Quote from: cypherdoc
Quote from: debianlinux
Quote from: Phinnaeus Gage
If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."

Java != Javascript

So does this mean that bitaddress.org, based on JavaScript, is still secure?

I am not one to claim anything to be secure. I can say that vulnerabilities that exist in one platform do not inherently exist in the other, as the two technologies are entirely different. Java is a programming language whereas JavaScript is a client-side scripting language, and the only commonality they share is in name. In fact, JavaScript was named such precisely to ride on the popularity of Java.
CIYAM
February 02, 2013, 03:19:00 AM, #9

The actual ISO name is ECMAScript (http://en.wikipedia.org/wiki/ECMAScript) and, as stated by others, apart from using the name Java as part of its more commonly known name (a decision likely made by Netscape to try and "cash in" on the success of Sun's Java by renaming what was originally called LiveScript to JavaScript), the two languages have technically nothing more in common than they do with C or C++ (i.e. just some syntactic similarities).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
cypherdoc
February 02, 2013, 03:25:44 AM, #10

Let me ask this another way.

Does JavaScript have any vulnerabilities that we know of that could put bitaddress.org at risk?
CIYAM
February 02, 2013, 03:55:28 AM, #11

Quote from: cypherdoc
Let me ask this another way.

Allow me to answer this in another way.

If you are wanting to use either bitaddress.org or brainwallet.org (or anything else similar) then the approach that I would recommend is:

1) Buy an old laptop that has no WiFi (or *remove* the WiFi card).

2) Plug up the Ethernet and modem (depending on how old) sockets so it can't "accidentally" get connected.

3) Use a bootable USB OS that has your preferred .js scripts and .html pages *pre-installed* (http://susestudio.com/a/kp8B3G/ciyam-safe if interested).

4) Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk).

:)

Insu Dra
February 02, 2013, 10:03:47 AM, #12

I'm not an Apple fan at all but ... I'm pro-Apple on this one: just remove it completely and forget about it.
Oracle has had more time than needed and they don't seem to care, so why should you?

http://www.securityweek.com/apple-blocks-java-entirely-over-security

"drugs, guns, and gambling for anyone and everyone!"
Scrat Acorns
February 02, 2013, 10:33:43 AM, #13

Quote from: cypherdoc
Let me ask this another way.

Does JavaScript have any vulnerabilities that we know of that could put bitaddress.org at risk?

JavaScript's security has nothing to do with bitaddress.org's security. If you are concerned about the latter, you should download the entire page (it's a single HTML file), verify it with the author's GPG key, and always run it locally.

As for JavaScript's security, you have to understand that there are many implementations; basically each browser has its own engine, so a possible attack will have to target a specific browser. There have not been any JavaScript 0-days that I'm aware of lately, simply because most engines take security seriously and implement sandboxing correctly.

Java is just a bloated language that didn't evolve to support the browser client model and is maintained by a company that doesn't really give a damn about open source software. You should not be running Java in the browser. If you do, only enable it for websites you trust.
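The verification step Scrat Acorns recommends (save the single HTML file, verify it with the author's GPG key, run it locally) as a concrete check. This is an added example, not code from the thread or from bitaddress.org: it reports the page as safe to open only when a detached signature is present and gpg reports a good signature from the exact key fingerprint you expect, and it prints the file's SHA-256 so a later download can be compared against a copy you already verified. The file names and the fingerprint are placeholders; take the real ones from the author's published key, obtained separately from the download itself.

```shell
#!/bin/sh
# verify-wallet-page.sh: added example, not from the thread or bitaddress.org.
# Checks a locally saved single-file wallet page against the author's
# detached GPG signature before it is opened. File names and the key
# fingerprint are placeholders (assumptions); use the ones the author publishes.

# sha256_of FILE: prints the hex SHA-256 of FILE (sha256sum, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_download HTML SIG FINGERPRINT
# Returns 0 only when SIG exists, gpg reports a good signature over HTML,
# and the signing key's fingerprint is exactly FINGERPRINT (40 hex digits).
# Anything else returns 1: a missing signature is a failure, not "unknown",
# because an unsigned copy is exactly what a tampered download looks like.
verify_download() {
    html=$1; sig=$2
    # VALIDSIG reports the fingerprint in upper-case hex without spaces.
    want_fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -f "$html" ] || { echo "missing page: $html" >&2; return 1; }
    [ -f "$sig" ]  || { echo "missing signature: $sig" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    # --status-fd 1 gives machine-readable lines; the VALIDSIG line carries the
    # full fingerprint of the signing key, unlike the human-readable output.
    status=$(gpg --status-fd 1 --verify "$sig" "$html" 2>/dev/null) \
        || { echo "bad or unverifiable signature on $html" >&2; return 1; }
    case "$status" in
        *"VALIDSIG $want_fpr "*) return 0 ;;
    esac
    echo "good signature, but not from key $want_fpr" >&2
    return 1
}

# main HTML SIG FINGERPRINT: verify, then print the hash to keep for comparison.
main() {
    [ "$#" -eq 3 ] || { echo "usage: $0 PAGE.html PAGE.html.sig KEY_FINGERPRINT" >&2; return 2; }
    if verify_download "$1" "$2" "$3"; then
        echo "verified: $1 (sha256 $(sha256_of "$1")); open it offline"
        return 0
    fi
    echo "NOT verified: do not open $1" >&2
    return 1
}

# Placeholder invocation (file names and fingerprint are assumptions):
#   sh verify-wallet-page.sh bitaddress.org.html bitaddress.org.html.sig <AUTHOR_KEY_FINGERPRINT>
[ "$#" -eq 0 ] || main "$@"
```

Matching on the fingerprint rather than on gpg's "Good signature" text is the point: a good signature from a key you merely happen to have imported proves nothing, so the script fails closed unless the key is the one you pinned.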
jerfelix
February 02, 2013, 02:05:34 PM, #14

Quote from: CIYAM
Quote from: cypherdoc
Let me ask this another way.

Allow me to answer this in another way.

If you are wanting to use either bitaddress.org or brainwallet.org (or anything else similar) then the approach that I would recommend is:

1) Buy an old laptop that has no WiFi (or *remove* the WiFi card).

2) Plug up the Ethernet and modem (depending on how old) sockets so it can't "accidentally" get connected.

3) Use a bootable USB OS that has your preferred .js scripts and .html pages *pre-installed* (http://susestudio.com/a/kp8B3G/ciyam-safe if interested).

4) Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk).

:)

I'll add that this is a tremendous amount of paranoia and hassle for the casual user.  There are often tradeoffs between Security and usability.  Also between Security and Cost.

Your answer is akin to "To absolutely protect your belongings, you should purchase an underground bomb shelter with state-of-the-art security systems and an impenetrable vault that requires a 200-digit pass code to enter it."

...Oh, you were only trying to make sure your old futon didn't get stolen from your college dorm room?  Well then just lock your door, idiot!


Security should scale up with the assets you are trying to protect.  Reasonable steps to take when creating a paper wallet (for someone with a small amount of assets), are to use a system with virus protection installed, open bitaddress.org in a "private browsing" window, print your paper wallet, and close the browser immediately afterward.
CIYAM
February 02, 2013, 02:24:52 PM, #15

Quote from: jerfelix
Your answer is akin to "To absolutely protect your belongings, you should purchase an underground bomb shelter with state-of-the-art security systems and an impenetrable vault that requires a 200-digit pass code to enter it."

Sure, and agreed, but understand that the post I replied to was already OT, as the OP was about Java (not JavaScript).

debianlinux
February 02, 2013, 03:14:09 PM, #16

Quote from: cypherdoc
Let me ask this another way.

Does JavaScript have any vulnerabilities that we know of that could put bitaddress.org at risk?

To underscore the answers above, any code can have vulnerabilities that have nothing to do with the selected language but everything to do with the actual coding. That is, the most "secure" language (whatever that means) can be used to code the most insecure website in the world.
mjc
February 02, 2013, 08:47:07 PM, #17

Quote from: debianlinux
Quote from: cypherdoc
Let me ask this another way.

Does JavaScript have any vulnerabilities that we know of that could put bitaddress.org at risk?

To underscore the answers above, any code can have vulnerabilities that have nothing to do with the selected language but everything to do with the actual coding. That is, the most "secure" language (whatever that means) can be used to code the most insecure website in the world.

But when it is a vulnerability in the language (or more specifically the JVM), then your code doesn't matter. The issues with Java are a result of the underlying Java JDK. In most cases, when running the malicious code, it breaks out of the sandbox and executes arbitrary code of the attacker's desire.

These attacks are very specific to Java and do not affect JavaScript in a browser. Turn off your Java plugin. This means that applets on sites will no longer work. It also means that a malicious applet embedded in a page, just waiting for your browser to stop by, will not affect your browser.

There are a fair share of JavaScript vulnerabilities, but that's not the focus of this thread. Right now Java has some critical vulnerabilities and they are being exploited in the wild. You may think you are only protecting your college sofa, but if you leave that door unlocked and then someone sneaks a camera in the room and your girl comes over, what happens on that sofa just got important.

My point is that one should consider the most important thing that could be done and protect that. If you are storing a wallet.dat and only have a few coins, no problem, right? Well, if I were an attacker I would write an app that tracked all the addresses I had private keys for and, as the addresses accumulate funds, wait until they hit a threshold and then clean them out. That might not be for a year or so. So do you need a bunker and vaults? No. But should you turn off the Java plugin while it is extremely vulnerable and being exploited? YES.

kokjo
February 02, 2013, 08:53:57 PM, #18

Here in Denmark, the authorities decided a few years ago that Java should be used for the login to our online banking. Yay! I'm forced to have that shit installed if I want access to my money online.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
Gabi
February 02, 2013, 11:06:35 PM, #19

As other people said, Java and JavaScript are TOTALLY DIFFERENT.

Insu Dra
February 02, 2013, 11:14:47 PM, #20

Quote from: kokjo
Here in Denmark, the authorities decided a few years ago that Java should be used for the login to our online banking. Yay! I'm forced to have that shit installed if I want access to my money online.

You must burn candles for the VM gods ;)
