Bitcoin Forum
November 24, 2017, 03:43:39 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: Very Important Security Update for Java  (Read 3943 times)
da2ce7
Legendary
*
Offline Offline

Activity: 1222


Live and Let Live


View Profile
February 02, 2013, 12:15:41 AM
 #1

http://www.esecurityplanet.com/patches/oracle-responds-to-java-security-flaws-with-50-fixes.html

If you are on windows, go to Programs and Features, uninstall all "Java".

If you still need java you can get the latest version from here:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

One off NP-Hard.
1511538219
Hero Member
*
Offline Offline

Posts: 1511538219

View Profile Personal Message (Offline)

Ignore
1511538219
Reply with quote  #2

1511538219
Report to moderator
Join ICO Now Coinlancer is Disrupting the Freelance marketplace!
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1511538219
Hero Member
*
Offline Offline

Posts: 1511538219

View Profile Personal Message (Offline)

Ignore
1511538219
Reply with quote  #2

1511538219
Report to moderator
1511538219
Hero Member
*
Offline Offline

Posts: 1511538219

View Profile Personal Message (Offline)

Ignore
1511538219
Reply with quote  #2

1511538219
Report to moderator
mjc
Hero Member
*****
Offline Offline

Activity: 588


Available on Kindle


View Profile WWW
February 02, 2013, 02:07:00 AM
 #2

Even the latest version of java is vulnerable.  It seems every time they fix another group breaks it.  These are just the vulnerabilities which research groups are informing the public about.  Now that it has been broken so many times it is better to just stay away.  This coming from a long time java developer.  I'm more fearful of the vulnerabilities that have not been announced.


Kindle : Bitcoin Step by Step (2nd Ed) : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Kindle : Bitcoin Mining Step by Step : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Facebook :  https://www.facebook.com/BitcoinStepByStep     Twitter : @BitcoinSbS
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1358


Bitcoin: An Idea Worth Spending


View Profile
February 02, 2013, 02:24:06 AM
 #3

If I rid Java, doesn't that not allow me to view aspects of sites that require Java? I've seen many a times phrases like, "you need an earlier version of Java to..."
mjc
Hero Member
*****
Offline Offline

Activity: 588


Available on Kindle


View Profile WWW
February 02, 2013, 02:41:53 AM
 #4

If I rid Java, doesn't that not allow me to view aspects of sites that require Java? I've seen many a times phrases like, "you need an earlier version of Java to..."

In short yes.

www.us-cert.gov/cas/techalerts/TA13-032A.html  (posted 4 hours a go)  These warnings have been coming out for the past few months.  Attackers have found vulnerabilities that when exploited will allow an attacker to remotely execute on your computer.  Every time Oracle fixes one more critical vulnerabilities are found and reported.

possible attacks are endless, but loading of trojans, keyloggers, scanners for wallet.dat files are just a few of the threats you are faced with.

use at your own risk.

Kindle : Bitcoin Step by Step (2nd Ed) : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Kindle : Bitcoin Mining Step by Step : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Facebook :  https://www.facebook.com/BitcoinStepByStep     Twitter : @BitcoinSbS
debianlinux
Full Member
***
Offline Offline

Activity: 221


View Profile
February 02, 2013, 02:52:21 AM
 #5

If I rid Java, doesn't that not allow me to view aspects of sites that require Java? I've seen many a times phrases like, "you need an earlier version of Java to..."

Java != Javascript
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2856


View Profile
February 02, 2013, 02:52:32 AM
 #6

Oracle should scrap the Java browser plugin. It's rarely used nowadays anyway.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
February 02, 2013, 03:02:14 AM
 #7

If I rid Java, doesn't that not allow me to view aspects of sites that require Java? I've seen many a times phrases like, "you need an earlier version of Java to..."

Java != Javascript

so does this mean that Bitaddress.org, based on Javascript, is still secure?
debianlinux
Full Member
***
Offline Offline

Activity: 221


View Profile
February 02, 2013, 03:10:49 AM
 #8

If I rid Java, doesn't that not allow me to view aspects of sites that require Java? I've seen many a times phrases like, "you need an earlier version of Java to..."

Java != Javascript

so does this mean that Bitaddress.org, based on Javascript, is still secure?

I am not one to claim anything to be secure. I can say that vulnerabilities that exist in one platform do not inherently exist in the other as the 2 technologies are entirely different. Java is a programming language whereas Javascript is a client side scripting language and the only commonality they share is in name. In fact, Javascript was named such precisely to ride on the popularity of Java.
CIYAM
Legendary
*
Offline Offline

Activity: 1862


Ian Knowles - CIYAM Lead Developer


View Profile WWW
February 02, 2013, 03:19:00 AM
 #9

The actual ISO name is ECMAScript (http://en.wikipedia.org/wiki/ECMAScript) and as stated by others apart from using the name Java as part of its more commonly known name (a decision likely made by Netscape to try and "cash in" on the success of Sun's Java by renaming what was originally called LiveScript to JavaScript) the two languages have technically nothing more in common then they do with C or C++ (i.e. just some syntactic similarities).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
February 02, 2013, 03:25:44 AM
 #10

let me ask this another way.

does Javascript have any vulnerabilities that we know of that could put bitaddress.org at risk?
CIYAM
Legendary
*
Offline Offline

Activity: 1862


Ian Knowles - CIYAM Lead Developer


View Profile WWW
February 02, 2013, 03:55:28 AM
 #11

let me ask this another way.

Allow me to answer this in another way.

If you are wanting to use either bitaddress.org or brainwallet.org (or anything else similar) then the approach that I would recommend is:

1) Buy and old laptop that has no WiFi (or *remove* the WiFi card).

2) Plug up ethernet and modem (depending on how old) sockets so it can't "accidentally" get connected.

Use a bootable USB OS that has your preferred .js scripts and .html pages *pre-installed* (http://susestudio.com/a/kp8B3G/ciyam-safe if interested).

Use QR codes to move data between your *offline*and *online* computers (100% *air-gapped* and 0% risk).



Smiley

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Insu Dra
Full Member
***
Offline Offline

Activity: 182



View Profile
February 02, 2013, 10:03:47 AM
 #12

I'm not a apple fan at all but ... I'm pro apple on this one, just remove it completely and forget about it.
Oracle has had more time then needed and they don't seem to care so why should you ?

http://www.securityweek.com/apple-blocks-java-entirely-over-security

"drugs, guns, and gambling for anyone and everyone!"
Scrat Acorns
Sr. Member
****
Offline Offline

Activity: 293



View Profile
February 02, 2013, 10:33:43 AM
 #13

let me ask this another way.

does Javascript have any vulnerabilities that we know of that could put bitaddress.org at risk?

Javascript's security has nothing to do with bitaddress.org's security. If you are concerned about the latter, you should download the entire page (it's a single html file), verify it with the author's GPG key and always run it locally.

As for Javascript's security you have to understand that there are many implementations, basically each browser has their own engine so a possible attack will have to target a specific browser. There have not been any Javascript 0-days that I'm aware of lately, simply because most engines take security seriously and implement sandboxing correctly.

Java is just a bloated language that didn't evolve to support the browser client model and maintained by a company that doesn't really give a damn about open source software. You should not be running Java on the browser. If you do, only enable it for websites you trust.
jerfelix
Sr. Member
****
Offline Offline

Activity: 266


View Profile
February 02, 2013, 02:05:34 PM
 #14

let me ask this another way.

Allow me to answer this in another way.

If you are wanting to use either bitaddress.org or brainwallet.org (or anything else similar) then the approach that I would recommend is:

1) Buy and old laptop that has no WiFi (or *remove* the WiFi card).

2) Plug up ethernet and modem (depending on how old) sockets so it can't "accidentally" get connected.

Use a bootable USB OS that has your preferred .js scripts and .html pages *pre-installed* (http://susestudio.com/a/kp8B3G/ciyam-safe if interested).

Use QR codes to move data between your *offline*and *online* computers (100% *air-gapped* and 0% risk).



Smiley


I'll add that this is a tremendous amount of paranoia and hassle for the casual user.  There are often tradeoffs between Security and usability.  Also between Security and Cost.

Your answer is akin to "To absolutely protect your belongings, you should purchase an underground bomb shelter with state-of-the-art security systems and an impenetrable vault that requires a 200-digit pass code to enter it."

...Oh, you were only trying to make sure your old futon didn't get stolen from your college dorm room?  Well then just lock your door, idiot!


Security should scale up with the assets you are trying to protect.  Reasonable steps to take when creating a paper wallet (for someone with a small amount of assets), are to use a system with virus protection installed, open bitaddress.org in a "private browsing" window, print your paper wallet, and close the browser immediately afterward.
CIYAM
Legendary
*
Offline Offline

Activity: 1862


Ian Knowles - CIYAM Lead Developer


View Profile WWW
February 02, 2013, 02:24:52 PM
 #15

Your answer is akin to "To absolutely protect your belongings, you should purchase an underground bomb shelter with state-of-the-art security systems and an impenetrable vault that requires a 200-digit pass code to enter it."

Sure - and agreed -  but understand that the post I replied to was already OT as the OP was about Java (not JavaScript).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
debianlinux
Full Member
***
Offline Offline

Activity: 221


View Profile
February 02, 2013, 03:14:09 PM
 #16

let me ask this another way.

does Javascript have any vulnerabilities that we know of that could put bitaddress.org at risk?

To underscore the answers above, any code can have vulnerabilities that have nothing to do with the selected language  but everything to do with the actual coding. That is, the most "secure" language (whatever that means) can be used to code the most insecure website in the world.
mjc
Hero Member
*****
Offline Offline

Activity: 588


Available on Kindle


View Profile WWW
February 02, 2013, 08:47:07 PM
 #17

let me ask this another way.

does Javascript have any vulnerabilities that we know of that could put bitaddress.org at risk?

To underscore the answers above, any code can have vulnerabilities that have nothing to do with the selected language  but everything to do with the actual coding. That is, the most "secure" language (whatever that means) can be used to code the most insecure website in the world.

But when it it is a vulnerability in the Language (or more specifically the JVM) then your code doesn't matter.  The issues with the Java are a result of the underlying Java JDK.  In most cases when running the malicious code it breaks out of the sandbox and executes arbitrary code of the attackers desire.  

These attacks are very specific to Java and do not affect JavaScript in a browser.  Turn off your java plugin.  This means that applets on sites will no longer work.  It also means that a malicious applet embedded in a page just waiting for your browser to stop by will not affect your browser.

There a fair share of JavaScript vulnerabilities, but that's not the focus of this thread.  Right now Java has some Critical vulnerabilities and they are being exploited in the wild.  You may think you are only protecting you college sofa, but if leave that door unlocked and then someone sneaks a camera in the room and your girl comes over, what happens on that sofa just got important.  

My point is that one should consider the most important thing that could be done and protect that.  If you are storing a wallet.dat and only have a few coins no problem right?  well if i were an attacker I would write an app that tracked all the addresses I had private keys for and as the address accumulates funds wait until it hit a threshold then clean them out.  that might not be fore a year or so.   So do you need a bunker and  vaults? No.  But should turn off Java plugin while it is extremely vulnerable and being exploited, YES.

Kindle : Bitcoin Step by Step (2nd Ed) : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Kindle : Bitcoin Mining Step by Step : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Facebook :  https://www.facebook.com/BitcoinStepByStep     Twitter : @BitcoinSbS
kokjo
Legendary
*
Offline Offline

Activity: 1050

You are WRONG!


View Profile
February 02, 2013, 08:53:57 PM
 #18

here in denmark, the authorities have decided a few years ago that java should be used in the login to our online banking. Yay! im forced to have that shit installed, if i want access to my money online.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
Gabi
Legendary
*
Offline Offline

Activity: 1078


If you want to walk on water, get out of the boat


View Profile
February 02, 2013, 11:06:35 PM
 #19

As other people said, java and javascript are TOTALLY DIFFERENT.
Insu Dra
Full Member
***
Offline Offline

Activity: 182



View Profile
February 02, 2013, 11:14:47 PM
 #20

here in denmark, the authorities have decided a few years ago that java should be used in the login to our online banking. Yay! im forced to have that shit installed, if i want access to my money online.

You must burn candles for vm gods Wink

"drugs, guns, and gambling for anyone and everyone!"
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!