Bitcoin Forum
Author Topic: Very Important Security Update for Java  (Read 4006 times)
da2ce7 (OP), February 02, 2013, 12:15:41 AM, #1

http://www.esecurityplanet.com/patches/oracle-responds-to-java-security-flaws-with-50-fixes.html

If you are on Windows, go to Programs and Features and uninstall all "Java".

If you still need Java, you can get the latest version from here:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

mjc, February 02, 2013, 02:07:00 AM, #2

Even the latest version of Java is vulnerable. It seems every time they fix it, another group breaks it. These are just the vulnerabilities which research groups are informing the public about. Now that it has been broken so many times it is better to just stay away. This is coming from a long-time Java developer. I'm more fearful of the vulnerabilities that have not been announced.


Kindle : Bitcoin Step by Step (2nd Ed) : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Kindle : Bitcoin Mining Step by Step : http://www.amazon.com/Bitcoin-Step-by-ebook/dp/B00A1CUQQU
Facebook :  https://www.facebook.com/BitcoinStepByStep     Twitter : @BitcoinSbS
Phinnaeus Gage, February 02, 2013, 02:24:06 AM, #3

If I get rid of Java, doesn't that stop me from viewing aspects of sites that require Java? I've many a time seen phrases like, "you need an earlier version of Java to..."
mjc, February 02, 2013, 02:41:53 AM, #4

Quote from: Phinnaeus Gage
> If I get rid of Java, doesn't that stop me from viewing aspects of sites that require Java? I've many a time seen phrases like, "you need an earlier version of Java to..."

In short, yes.

www.us-cert.gov/cas/techalerts/TA13-032A.html (posted 4 hours ago). These warnings have been coming out for the past few months. Attackers have found vulnerabilities that, when exploited, allow an attacker to remotely execute code on your computer. Every time Oracle fixes one, more critical vulnerabilities are found and reported.

Possible attacks are endless, but loading of trojans, keyloggers, and scanners for wallet.dat files are just a few of the threats you are faced with.

Use at your own risk.

debianlinux, February 02, 2013, 02:52:21 AM, #5

Quote from: Phinnaeus Gage
> If I get rid of Java, doesn't that stop me from viewing aspects of sites that require Java? I've many a time seen phrases like, "you need an earlier version of Java to..."

Java != JavaScript
theymos (Administrator), February 02, 2013, 02:52:32 AM, #6

Oracle should scrap the Java browser plugin. It's rarely used nowadays anyway.

cypherdoc, February 02, 2013, 03:02:14 AM, #7

Quote from: debianlinux
> Quote from: Phinnaeus Gage
> > If I get rid of Java, doesn't that stop me from viewing aspects of sites that require Java? I've many a time seen phrases like, "you need an earlier version of Java to..."
>
> Java != JavaScript

So does this mean that bitaddress.org, based on JavaScript, is still secure?
debianlinux, February 02, 2013, 03:10:49 AM, #8

Quote from: cypherdoc
> Quote from: debianlinux
> > Quote from: Phinnaeus Gage
> > > If I get rid of Java, doesn't that stop me from viewing aspects of sites that require Java? I've many a time seen phrases like, "you need an earlier version of Java to..."
> >
> > Java != JavaScript
>
> So does this mean that bitaddress.org, based on JavaScript, is still secure?

I am not one to claim anything to be secure. I can say that vulnerabilities that exist in one platform do not inherently exist in the other, as the two technologies are entirely different. Java is a programming language whereas JavaScript is a client-side scripting language, and the only commonality they share is in name. In fact, JavaScript was named such precisely to ride on the popularity of Java.
CIYAM, February 02, 2013, 03:19:00 AM, #9

The actual ISO name is ECMAScript (http://en.wikipedia.org/wiki/ECMAScript) and, as stated by others, apart from using the name Java as part of its more commonly known name (a decision likely made by Netscape to try and "cash in" on the success of Sun's Java by renaming what was originally called LiveScript to JavaScript), the two languages have technically nothing more in common than they do with C or C++ (i.e. just some syntactic similarities).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
cypherdoc, February 02, 2013, 03:25:44 AM, #10

Let me ask this another way.

Does JavaScript have any vulnerabilities that we know of that could put bitaddress.org at risk?
CIYAM, February 02, 2013, 03:55:28 AM, #11

Quote from: cypherdoc
> Let me ask this another way.

Allow me to answer this in another way.

If you are wanting to use either bitaddress.org or brainwallet.org (or anything else similar) then the approach that I would recommend is:

1) Buy an old laptop that has no WiFi (or *remove* the WiFi card).

2) Plug up the ethernet and modem (depending on how old) sockets so it can't "accidentally" get connected.

3) Use a bootable USB OS that has your preferred .js scripts and .html pages *pre-installed* (http://susestudio.com/a/kp8B3G/ciyam-safe if interested).

4) Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk).

:)

Insu Dra, February 02, 2013, 10:03:47 AM, #12

I'm not an Apple fan at all but ... I'm pro-Apple on this one: just remove it completely and forget about it.
Oracle has had more time than needed and they don't seem to care, so why should you?

http://www.securityweek.com/apple-blocks-java-entirely-over-security

"drugs, guns, and gambling for anyone and everyone!"
Scrat Acorns, February 02, 2013, 10:33:43 AM, #13

Quote from: cypherdoc
> Let me ask this another way.
>
> Does JavaScript have any vulnerabilities that we know of that could put bitaddress.org at risk?

JavaScript's security has nothing to do with bitaddress.org's security. If you are concerned about the latter, you should download the entire page (it's a single HTML file), verify it with the author's GPG key and always run it locally.

As for JavaScript's security, you have to understand that there are many implementations; basically each browser has its own engine, so a possible attack will have to target a specific browser. There have not been any JavaScript 0-days that I'm aware of lately, simply because most engines take security seriously and implement sandboxing correctly.

Java is just a bloated language that didn't evolve to support the browser client model and is maintained by a company that doesn't really give a damn about open source software. You should not be running Java in the browser. If you do, only enable it for websites you trust.
jerfelix, February 02, 2013, 02:05:34 PM, #14

Quote from: CIYAM
> Quote from: cypherdoc
> > Let me ask this another way.
>
> Allow me to answer this in another way.
>
> If you are wanting to use either bitaddress.org or brainwallet.org (or anything else similar) then the approach that I would recommend is:
>
> 1) Buy an old laptop that has no WiFi (or *remove* the WiFi card).
>
> 2) Plug up the ethernet and modem (depending on how old) sockets so it can't "accidentally" get connected.
>
> 3) Use a bootable USB OS that has your preferred .js scripts and .html pages *pre-installed* (http://susestudio.com/a/kp8B3G/ciyam-safe if interested).
>
> 4) Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk).
>
> :)

I'll add that this is a tremendous amount of paranoia and hassle for the casual user. There are often tradeoffs between security and usability, and also between security and cost.

Your answer is akin to "To absolutely protect your belongings, you should purchase an underground bomb shelter with state-of-the-art security systems and an impenetrable vault that requires a 200-digit pass code to enter it."

...Oh, you were only trying to make sure your old futon didn't get stolen from your college dorm room?  Well then just lock your door, idiot!


Security should scale up with the assets you are trying to protect.  Reasonable steps to take when creating a paper wallet (for someone with a small amount of assets), are to use a system with virus protection installed, open bitaddress.org in a "private browsing" window, print your paper wallet, and close the browser immediately afterward.
CIYAM, February 02, 2013, 02:24:52 PM, #15

Quote from: jerfelix
> Your answer is akin to "To absolutely protect your belongings, you should purchase an underground bomb shelter with state-of-the-art security systems and an impenetrable vault that requires a 200-digit pass code to enter it."

Sure, and agreed, but understand that the post I replied to was already OT, as the OP was about Java (not JavaScript).

debianlinux, February 02, 2013, 03:14:09 PM, #16

Quote from: cypherdoc
> Let me ask this another way.
>
> Does JavaScript have any vulnerabilities that we know of that could put bitaddress.org at risk?

To underscore the answers above, any code can have vulnerabilities that have nothing to do with the selected language but everything to do with the actual coding. That is, the most "secure" language (whatever that means) can be used to code the most insecure website in the world.
mjc, February 02, 2013, 08:47:07 PM, #17

Quote from: debianlinux
> Quote from: cypherdoc
> > Let me ask this another way.
> >
> > Does JavaScript have any vulnerabilities that we know of that could put bitaddress.org at risk?
>
> To underscore the answers above, any code can have vulnerabilities that have nothing to do with the selected language but everything to do with the actual coding. That is, the most "secure" language (whatever that means) can be used to code the most insecure website in the world.

But when it is a vulnerability in the language (or more specifically the JVM) then your code doesn't matter. The issues with Java are a result of the underlying Java JDK. In most cases, when running the malicious code, it breaks out of the sandbox and executes arbitrary code of the attacker's desire.

These attacks are very specific to Java and do not affect JavaScript in a browser. Turn off your Java plugin. This means that applets on sites will no longer work. It also means that a malicious applet embedded in a page, just waiting for your browser to stop by, will not affect your browser.

There are a fair share of JavaScript vulnerabilities, but that's not the focus of this thread. Right now Java has some critical vulnerabilities and they are being exploited in the wild. You may think you are only protecting your college sofa, but if you leave that door unlocked and then someone sneaks a camera into the room and your girl comes over, what happens on that sofa just got important.

My point is that one should consider the most important thing that could be done and protect that. If you are storing a wallet.dat and only have a few coins, no problem, right? Well, if I were an attacker I would write an app that tracked all the addresses I had private keys for and, as the addresses accumulate funds, wait until they hit a threshold and then clean them out. That might not be for a year or so. So do you need a bunker and vaults? No. But should you turn off the Java plugin while it is extremely vulnerable and being exploited? YES.

kokjo, February 02, 2013, 08:53:57 PM, #18

Here in Denmark, the authorities decided a few years ago that Java should be used for the login to our online banking. Yay! I'm forced to have that shit installed if I want access to my money online.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
Gabi, February 02, 2013, 11:06:35 PM, #19

As other people said, Java and JavaScript are TOTALLY DIFFERENT.

Insu Dra, February 02, 2013, 11:14:47 PM, #20

Quote from: kokjo
> Here in Denmark, the authorities decided a few years ago that Java should be used for the login to our online banking. Yay! I'm forced to have that shit installed if I want access to my money online.

You must burn candles for the VM gods ;)

tvbcof, February 03, 2013, 04:01:17 AM, #21

Quote from: CIYAM
> ...
> Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk).
> ...

"0% risk". Hmmmm.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
CIYAM, February 03, 2013, 04:10:38 AM, #22

Quote from: tvbcof
> "0% risk". Hmmmm.

You see a risk with using QR codes for comms?
(I see risk when you use USB like Armory does)

justusranvier, February 03, 2013, 04:18:36 AM, #23

Unless the programs that read the QR codes are provably free from any flaws that could allow a specially-crafted image to trigger an exploit, you can't call the risk 0%.
CIYAM, February 03, 2013, 04:21:27 AM, #24

This is getting rather OT, but what kind of exploit can you possibly have when we are talking about signing a tx offline (either it is going to be signed or it isn't)?

justusranvier, February 03, 2013, 04:34:02 AM, #25

Quote from: CIYAM
> This is getting rather OT, but what kind of exploit can you possibly have when we are talking about signing a tx offline (either it is going to be signed or it isn't)?

The reason you're signing a transaction offline is because you assume it's possible for an attacker to compromise your online computer. In that case you have to assume the attacker can alter the QR code that's being delivered to the offline computer, which means there's a non-zero possibility the attacker can compromise your offline computer as well.

Image processing libraries, like any other kind of software that processes arbitrary input, can fail in ways that allow arbitrary code execution. A few years ago it was possible to take over Windows computers if you could convince the user to load a web site containing a malicious JPEG image.

There are ways to reduce this risk with code audits, fuzz testing, and other techniques, but those don't completely eliminate the risk.
Driice, February 03, 2013, 04:43:46 AM, #26

Just uninstalled Java. Thanks for the heads-up.
CIYAM, February 03, 2013, 04:49:50 AM, #27

Quote from: justusranvier
> The reason you're signing a transaction offline is because you assume it's possible for an attacker to compromise your online computer. In that case you have to assume the attacker can alter the QR code that's being delivered to the offline computer, which means there's a non-zero possibility the attacker can compromise your offline computer as well.

Understand that you can do a "decoderawtransaction" on the "offline computer" before you bother to sign it and create the final QR code (and understand that the particular QR code being used is only big enough to hold a couple of hundred bytes).

So unless we are talking about your *offline* computer being compromised, we are not seriously talking about a possible "attack vector", are we (and okay, I am happy to change 0% to let's say 0.00001%)?

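The "decode it on the offline computer before you sign it" step above, together with justusranvier's point that whatever arrives over the QR channel is untrusted input, can be made concrete. The following is an added example, not code from this thread or from any wallet project: a strict decoder for a legacy (non-witness) serialized Bitcoin transaction that reproduces the fields `decoderawtransaction` shows (version, inputs, outputs, locktime), plus a check that the decoded outputs match an independently known list of destination addresses and amounts before the transaction is handed to a signer. It goes beyond the thread's single-transaction scenario in that it parses any number of inputs and outputs. Assumptions: only mainnet P2PKH outputs are recognised (anything else is reported as a problem), and `RAW_TX`, the pubkey hashes `0x11..` / `0x22..` and the input txid `0xaa..` are constructed values for this example, not real ones.

```python
"""Strict raw-transaction decoder plus a pre-signing output check (added example)."""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new position; refuse truncated input."""
    if pos + n > len(buf):
        raise ValueError("transaction truncated at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def _varint(buf, pos):
    """Read a Bitcoin CompactSize integer; return (value, new_pos)."""
    first, pos = _take(buf, pos, 1)
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}.get(first[0])
    if width is None:
        return first[0], pos
    raw, pos = _take(buf, pos, width)
    return int.from_bytes(raw, "little"), pos


def base58check(payload):
    """Base58Check-encode payload (version byte + data)."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading 0x00 byte -> '1'
    return "1" * pad + out


def p2pkh_address(hash160):
    """Mainnet P2PKH address (version 0x00) for a 20-byte pubkey hash."""
    return base58check(b"\x00" + hash160)


def script_to_address(script):
    """Address for OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG, else None."""
    if len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return p2pkh_address(script[3:23])
    return None


def decode_raw_tx(hex_tx):
    """Parse a legacy serialized transaction; raise ValueError on malformed input."""
    buf = bytes.fromhex(hex_tx)
    raw, pos = _take(buf, 0, 4)
    version = int.from_bytes(raw, "little")
    n_in, pos = _varint(buf, pos)
    vin = []
    for _ in range(n_in):
        txid, pos = _take(buf, pos, 32)  # serialized little-endian, shown reversed
        raw, pos = _take(buf, pos, 4)
        vout_n = int.from_bytes(raw, "little")
        slen, pos = _varint(buf, pos)
        script_sig, pos = _take(buf, pos, slen)
        raw, pos = _take(buf, pos, 4)
        vin.append({"txid": txid[::-1].hex(), "vout": vout_n, "scriptSig": script_sig.hex(),
                    "sequence": int.from_bytes(raw, "little")})
    n_out, pos = _varint(buf, pos)
    vout = []
    for i in range(n_out):
        raw, pos = _take(buf, pos, 8)
        slen, pos = _varint(buf, pos)
        script, pos = _take(buf, pos, slen)
        vout.append({"n": i, "value_sat": int.from_bytes(raw, "little"),
                     "scriptPubKey": script.hex(), "address": script_to_address(script)})
    raw, pos = _take(buf, pos, 4)
    if pos != len(buf):  # a crafted payload must not smuggle extra bytes
        raise ValueError("%d trailing bytes after locktime" % (len(buf) - pos))
    return {"version": version, "vin": vin, "vout": vout, "locktime": int.from_bytes(raw, "little")}


def check_before_signing(tx, expected, max_total_sat):
    """Compare decoded outputs with the intended payments {address: satoshi}.
    Returns a list of problems; empty means every expected output is present with the
    right amount, nothing extra was added (e.g. a redirected change output), and the
    total does not exceed max_total_sat."""
    problems, seen = [], {}
    for out in tx["vout"]:
        if out["address"] is None:
            problems.append("output %d: unrecognised script %s" % (out["n"], out["scriptPubKey"]))
            continue
        seen[out["address"]] = seen.get(out["address"], 0) + out["value_sat"]
    for addr, want in expected.items():
        got = seen.pop(addr, None)
        if got is None:
            problems.append("missing output to %s" % addr)
        elif got != want:
            problems.append("%s: expected %d sat, found %d" % (addr, want, got))
    for addr, got in seen.items():
        problems.append("unexpected output of %d sat to %s" % (got, addr))
    total = sum(o["value_sat"] for o in tx["vout"])
    if total > max_total_sat:
        problems.append("total %d sat exceeds limit %d" % (total, max_total_sat))
    return problems


# Constructed unsigned transaction (not real): one input with an empty scriptSig,
# then P2PKH outputs of 1.0 BTC and 0.5 BTC to made-up pubkey hashes 0x11.. and 0x22..
PAY_HASH, CHANGE_HASH = bytes.fromhex("11" * 20), bytes.fromhex("22" * 20)
RAW_TX = ("01000000" + "01" + "aa" * 32 + "00000000" + "00" + "ffffffff" + "02"
          + "00e1f50500000000" + "19" + "76a914" + PAY_HASH.hex() + "88ac"
          + "80f0fa0200000000" + "19" + "76a914" + CHANGE_HASH.hex() + "88ac"
          + "00000000")

if __name__ == "__main__":
    tx = decode_raw_tx(RAW_TX)
    intended = {p2pkh_address(PAY_HASH): 100_000_000, p2pkh_address(CHANGE_HASH): 50_000_000}
    print(tx["vout"], "problems:", check_before_signing(tx, intended, 150_000_000))
```

The point of `check_before_signing` is that the list of intended addresses and amounts comes from the operator, not from the QR payload: an online machine that was tampered with can only alter the transaction it sends across, and any redirected or inflated output then shows up as a problem before a signature exists.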
tvbcof, February 03, 2013, 09:13:20 AM, #28

Quote from: CIYAM
> Quote from: tvbcof
> > "0% risk". Hmmmm.
>
> You see a risk with using QR codes for comms?
> (I see risk when you use USB like Armory does)

Mostly it's just that the term 'zero risk' tends to set off alarm bells in my mind. Generally speaking, TEMPEST and Cold Disk are two risks that I see as non-zero, particularly if someone knows you have potentially hundreds of thousands of USD worth of BTC (or anything else) kicking around. I'd be inclined to at least encrypt the HDD by way of making security suggestions.


phelix, February 03, 2013, 09:52:58 AM, #29

Quote from: da2ce7
> http://www.esecurityplanet.com/patches/oracle-responds-to-java-security-flaws-with-50-fixes.html
>
> If you are on Windows, go to Programs and Features and uninstall all "Java".
>
> If you still need Java, you can get the latest version from here:
> http://www.oracle.com/technetwork/java/javase/downloads/index.html

What about deactivating Java in the browser? Should that not be enough?

I highly recommend NoScript.

grantbdev, February 03, 2013, 05:36:07 PM, #30

How at risk am I with OpenJDKs installed for development (no web plug-in) on GNU/Linux?

Don't use BIPS!