Still not talking about coffee
Oracle’s Java and Adobe’s Flash have led a long and fruitful life having served a valuable purpose to one and all. However, now is the time for them to retire gracefully, move to a nice quiet village, let the young up-and-comers take over, and live out their days playing shuffleboard followed by brunch with the retirement crowd at the local diner. Java. Flash. Your days are numbered.
I’ve stated numerous times that I believe Java and Flash are the two biggest risks to online security. Relics of an Age if I’m being nice. Complete crap if I’m being honest. My position is bolstered almost daily by news of new vulnerabilities found or identified in both programs. “Why don’t I read about these possible exploits on Daves Computer Tips?”, I hear you asking yourself. If we covered all vulnerabilities in both programs to any great extent we would need a team of 10 and it would be almost all we could cover with any depth. Heck, we would have to rename the site to Flashy Dave’s Java News (FDJN is not nearly as easy to type as DCT).
It’s a Dark Dark World out There
So we know that Java and Flash have problems – we all should – but it’s OK because good companies always release timely updates to address exploits. Unfortunately that has simply not been the case in the past. Both companies have a reputation for having outstanding vulnerabilities in their software and not patching all known exploits. Often letting vulnerabilities languish for months on end – I’m not exaggerating.
OK. OK. Someone will jump in now and say I’m spinning a non-issue and scaremongering. Am I? Today’s technology world is much different than just a few years ago when in 2011 I originally suggested you should stay far away from Java. More people have access to high speed internet, more financial activity is conducted online, and more people communicate electronically. All important facts, but no one had hacked Target, no one hacked the Federal Office of Personnel Management, and Snowden hadn’t leaked the secret NSA documents at that time.
The bad guys are getting smarter. In fact, there is an entire dark underside to the internet which is comprised of script kiddies, criminal organizations, and even our very own governments, focusing on the theft or collection of financial and personal information. They operate and collaborate in groups in the dark corners of the internet. This list of adversaries grows daily and they quite often look to Flash and Java as their key to unlock your computer or device.
In the “good old days” a vulnerability was discovered either by a researcher or by reverse engineering a known exploit and a patch was published thereby graciously saving the populace from compromise. This is no longer the case as the bad guys find vulnerabilities and guard them because a vulnerability that isn’t known publicly is as good as gold – and often worth more than gold either financially or in information value. To protect their bounty the bad guys don’t go after mass infections with their newfound discoveries, but use targeted attacks on smaller subsets of users to glean specific data.
We will never know the true capabilities of the dark side of the internet, but as an example a recent hack and data dump of the group Hacking Team (interesting name!), a group known to support nation-state hacking among other things, gives a few good examples. Someone gained access to their network and stole a massive 400GB of data. Early analysis of this data shows they had at least 3 publicly unknown Flash exploits in their arsenal. 400GB is a huge amount of data to parse and I’m sure a few more will be found before it is all said and done. This is just one semi-legitimate company and doesn’t take into account other entities, countries, “security” companies, or criminals. Flash and Java are target rich environments!
I am not alone. In the past week Firefox, Google, and Facebook have all taken steps to eliminate Flash vulnerabilities, although each approached the problem from different angles. Firefox took the extreme action of blocking the compromised Flash version (220.127.116.11) by default, Google announced the next version of Chrome will block auto-playing Flash elements, while Facebook’s Chief Security Officer, Alex Stamos, took to Twitter to shame Adobe into action.
It’s definitely a shot over the bow of the Flash ship. Maybe a similar fate will befall Java. Apple took a reasonable step in 2013 by blocking Java and I hope that is a precursor to future actions by other browser vendors.
Make the move
We’re definitely not here to tell you what to do as everyone has different configurations and requirements. We do, however, try to give solid advice, then allow the visitor to make the right decision, and that advice is to uninstall Java from your computer and only enable Flash on sites you trust implicitly. The number of sites that require Flash gets smaller every day as more sites use HTML5, so disabling Flash should have little effect on your day-to-day browsing.
Actual programs that require Java are few and far between in the consumer world, but if there is a program that you absolutely can’t live without which requires Java, now may be the time to look at alternatives or contact the author about updating their program. If you must have Java installed for a program, at least disable Java from within your browsers. If no other option is available, my personal preference would be to run Java on a virtual machine.