Junk Your Java and Flush Your Flash


Still not talking about coffee


Oracle’s Java and Adobe’s Flash have led a long and fruitful life, having served a valuable purpose to one and all. However, now is the time for them to retire gracefully, move to a nice quiet village, let the young up-and-comers take over, and live out their days playing shuffleboard followed by brunch with the retirement crowd at the local diner. Java. Flash. Your days are numbered.

I’ve stated numerous times that I believe Java and Flash are the two biggest risks to online security. Relics of an Age if I’m being nice. Complete crap if I’m being honest. My position is bolstered almost daily by news of new vulnerabilities found or identified in both programs. “Why don’t I read about these possible exploits on Daves Computer Tips?” I hear you asking yourself. If we covered all vulnerabilities in both programs to any great extent we would need a team of 10, and it would be almost all we could cover with any depth. Heck, we would have to rename the site to Flashy Dave’s Java News (FDJN is not nearly as easy to type as DCT).

It’s a Dark Dark World out There

So we know that Java and Flash have problems – we all should – but it’s OK because good companies always release timely updates to address exploits. Unfortunately, that has simply not been the case in the past. Both companies have a reputation for having outstanding vulnerabilities in their software and not patching all known exploits, often letting vulnerabilities languish for months on end – I’m not exaggerating.

OK. OK. Someone will jump in now and say I’m spinning a non-issue and scaremongering. Am I? Today’s technology world is much different than just a few years ago, when in 2011 I originally suggested you should stay far away from Java. More people have access to high-speed internet, more financial activity is conducted online, and more people communicate electronically. All important facts, but no one had hacked Target, no one had hacked the Federal Office of Personnel Management, and Snowden hadn’t leaked the secret NSA documents at that time.

The bad guys are getting smarter. In fact, there is an entire dark underside to the internet, made up of script kiddies, criminal organizations, and even our very own governments, focusing on the theft or collection of financial and personal information. They operate and collaborate in groups in the dark corners of the internet. This list of adversaries grows daily, and they quite often look to Flash and Java as their key to unlock your computer or device.

In the “good old days” a vulnerability was discovered either by a researcher or by reverse engineering a known exploit, and a patch was published, thereby graciously saving the populace from compromise. This is no longer the case, as the bad guys find vulnerabilities and guard them because a vulnerability that isn’t known publicly is as good as gold – and often worth more than gold, either financially or in information value. To protect their bounty, the bad guys don’t go after mass infections with their newfound discoveries, but use targeted attacks on smaller subsets of users to glean specific data.


So what

We will never know the true capabilities of the dark side of the internet, but a recent hack and data dump of the group Hacking Team (interesting name!), a group known to support nation-state hacking among other things, gives a few good examples. Someone gained access to their network and stole a massive 400GB of data. Early analysis of this data shows they had at least 3 publicly unknown Flash exploits in their arsenal. 400GB is a huge amount of data to parse and I’m sure a few more will be found before it is all said and done. This is just one semi-legitimate company and doesn’t take into account other entities, countries, “security” companies, or criminals. Flash and Java are target-rich environments!

I am not alone. In the past week Firefox, Google, and Facebook have all taken steps to eliminate Flash vulnerabilities, although each approached the problem from a different angle. Firefox took the extreme action of blocking the compromised Flash version (18.0.0.203) by default, Google announced the next version of Chrome will block auto-playing Flash elements, while Facebook’s Chief Security Officer, Alex Stamos, took to Twitter to shame Adobe into action.

It’s definitely a shot over the bow of the Flash ship. Maybe a similar fate will befall Java. Apple took a reasonable step in 2013 by blocking Java and I hope that is a precursor to future actions by other browser vendors.

Make the move

We’re definitely not here to tell you what to do, as everyone has different configurations and requirements. We do, however, try to give solid advice, then allow the visitor to make the right decision, and that advice is to uninstall Java from your computer and only enable Flash on sites you trust implicitly. The number of sites that require Flash gets smaller every day as more sites use HTML5, so disabling Flash should have little effect on your day-to-day browsing.

Actual programs that require Java are few and far between in the consumer world, but if there is a program that you absolutely can’t live without which requires Java, now may be the time to look at alternatives or contact the author about updating their program. If you must have Java installed for a program, at least disable Java from within your browsers. If no other option is available, my personal preference would be to run Java on a virtual machine.


 

About the Author

David Hartsock

Executive Editor/Owner/Admin of Daves Computer Tips and all-around good guy - Dave's interest in computers began in the early 1980s during the Apple II era. In the early 1990s the PC began to replace proprietary and mainframe devices in Dave's industry, so he began to learn and experiment with the PC. Through DOS, Windows 3.1, Windows 95, Windows 98, Windows 2000, Windows XP, Vista, Windows 7, Windows 8.1, and now Windows 10, Dave became the "go to" guy for friends, family, and coworkers with computer problems. Daves Computer Tips was born in 2006 in an effort to share these experiences with others in an easy-to-understand, plain English form.
