Junk Your Java and Flush Your Flash


Still not talking about coffee


Oracle’s Java and Adobe’s Flash have led a long and fruitful life, having served a valuable purpose to one and all. However, now is the time for them to retire gracefully, move to a nice quiet village, let the young up-and-comers take over, and live out their days playing shuffleboard followed by brunch with the retirement crowd at the local diner. Java. Flash. Your days are numbered.

I’ve stated numerous times that I believe Java and Flash are the two biggest risks to online security. Relics of an Age if I’m being nice. Complete crap if I’m being honest. My position is bolstered almost daily by news of new vulnerabilities found or identified in both programs. “Why don’t I read about these possible exploits on Daves Computer Tips?”, I hear you asking yourself. If we covered all vulnerabilities in both programs to any great extent we would need a team of 10, and it would be almost all we could cover with any depth. Heck, we would have to rename the site to Flashy Dave’s Java News (FDJN is not nearly as easy to type as DCT).

It’s a Dark Dark World out There

So we know that Java and Flash have problems – we all should – but it’s OK because good companies always release timely updates to address exploits. Unfortunately that has simply not been the case in the past. Both companies have a reputation for having outstanding vulnerabilities in their software and not patching all known exploits. Often letting vulnerabilities languish for months on end – I’m not exaggerating.

OK. OK. Someone will jump in now and say I’m spinning a non-issue and scaremongering. Am I? Today’s technology world is much different than just a few years ago when in 2011 I originally suggested you should stay far away from Java. More people have access to high speed internet, more financial activity is conducted online, and more people communicate electronically. All important facts, but no one had hacked Target, no one hacked the Federal Office of Personnel Management, and Snowden hadn’t leaked the secret NSA documents at that time.

The bad guys are getting smarter. In fact, there is an entire dark underside to the internet which is comprised of script kiddies, criminal organizations, and even our very own governments, focusing on the theft or collection of financial and personal information. They operate and collaborate in groups in the dark corners of the internet. This list of adversaries grows daily and they quite often look to Flash and Java as their key to unlock your computer or device.


In the “good old days” a vulnerability was discovered either by a researcher or by reverse engineering a known exploit, and a patch was published, thereby graciously saving the populace from compromise. This is no longer the case, as the bad guys find vulnerabilities and guard them because a vulnerability that isn’t known publicly is as good as gold – and often worth more than gold either financially or in information value. To protect their bounty the bad guys don’t go after mass infections with their newfound discoveries, but use targeted attacks on smaller subsets of users to glean specific data.

So what

We will never know the true capabilities of the dark side of the internet, but a recent hack and data dump of the group Hacking Team (interesting name!), a group known to support nation state hacking among other things, gives a few good examples. Someone gained access to their network and stole a massive 400GB of data. Early analysis of this data shows they had at least 3 publicly unknown Flash exploits in their arsenal. 400GB is a huge amount of data to parse and I’m sure a few more will be found before it is all said and done. This is just one semi-legitimate company and doesn’t take into account other entities, countries, “security” companies, or criminals. Flash and Java are target rich environments!

I am not alone. In the past week Firefox, Google, and Facebook have all taken steps to eliminate Flash vulnerabilities, although each approached the problem from a different angle. Firefox took the extreme action of blocking the compromised Flash version (18.0.0.203) by default, Google announced the next version of Chrome will block auto-playing Flash elements, while Facebook’s Chief Security Officer, Alex Stamos, took to Twitter to shame Adobe into action.

It’s definitely a shot over the bow of the Flash ship. Maybe a similar fate will befall Java. Apple took a reasonable step in 2013 by blocking Java and I hope that is a precursor to future actions by other browser vendors.

Make the move

We’re definitely not here to tell you what to do, as everyone has different configurations and requirements. We do, however, try to give solid advice and then allow the visitor to make the right decision, and that advice is to uninstall Java from your computer and only enable Flash on sites you trust implicitly. The number of sites that require Flash gets smaller every day as more sites use HTML5, so disabling Flash should have little effect on your day to day browsing.


Actual programs that require Java are few and far between in the consumer world, but if there is a program that you absolutely can’t live without which requires Java, now may be the time to look at alternatives or contact the author about updating their program. If you must have Java installed for a program, at least disable Java from within your browsers. If no other option is available, my personal preference would be to run Java on a virtual machine.

 

About the Author

David Hartsock

Executive Editor/Owner/Admin of Daves Computer Tips and all-around good guy - Dave's interest in computers began in the early 1980's during the Apple II era. In the early 1990's the PC began to replace proprietary and mainframe devices in Dave's industry so he began to learn and experiment with the PC. Through DOS, Windows 3.1, Windows 95, Windows 98, Windows 2000, Windows XP, Vista, Windows 7, Windows 8.1, and now Windows 10, Dave became the "go to" guy for friends, family, and coworkers with computer problems. Daves Computer Tips was born in 2006 in an effort to share these experiences with others in an easy to understand, plain English, form.

9 Comments

  1. If you uninstall Java from your computer how can you then enable Flash only on sites you trust implicitly?

  2. Run Java on a virtual machine? Anytime I tamper with the OS, my computer crashes. This is a step for techies, not for home users. Mastering browsers beyond the basics is too complex for me. People swear by Chrome, but on my machines Chrome gets riddled with malware and browser hijackers in only a few days. I use Norton and Malware Anti-MalwareBytes and it’s still not enough.

  3. Chrome is nothing special. Firefox is, hands down, the best web browser from nearly every perspective. Chrome, in my opinion, is too focused on accomplishing the ultimate goal of Google, which is to collect as much personal data about you and your browsing habits as is possible with a web browser. Their cute features may seem to offer certain conveniences and nifty tricks. But, the underlying fact is, those features just help Google connect more of your devices and information to your Google profile. You don’t know what you’ve lost until you know it. And, then, it’s too late.

  4. Might install Flashblock add-on for Firefox and other browsers. It blocks all flash but you can disable it to watch Flash videos or when you need it.

  5. Excellent article. I’d say : “Pass the word”, now and from now on.

    I’ve removed Java a long time ago. Adobe’s Flash is present (still) but only in its plug-in declination (no IE activeX) and run on Cyberfox (a Firefox fork) with the click-to-play feature : limited risk but risk nevertheless should temptation blind me. Moreover I use a security system-wide tool called HitmanPro.Alert which is particularly zealous with Adobe’s Flash adventurous odysseys.

    Still, I aim at removing — eradicating — Adobe Flash from my system. I had already by the past done so and noticed then that many sites indeed run HTML5 when they notice the user is free of Flash. The funniest thing then is that they don’t run HTML5 when they notice Flash is available (even if I’ve disabled the plug-in : they cry for Flash when they could run HTML5!) : now what about that?!

    I hesitate to uninstall Flash (with above risk restriction above mentioned) because a few sites I care for don’t yet have the HTML5 alternative. I know I’m wrong, I know that this attitude followed by millions similar doesn’t help for the end of Flash. This is why articles such as this one slowly but surely push me towards … freedom, in a way. Hence : thanks.

  6. G’day Folks,

    I am reminded that IE and most of what Microsoft publishes has so many holes that the Pope is going to Canonize all the IE versions as they are the “Holiest” release from Microsoft. I won’t bother mentioning the others from Microsoft, mainly because I have lost count of the bugs and vulnerabilities in them.

    I am also reminded of the scare mongering relating to Java some months ago and the hype surrounding it. Surprise, Surprise, it all seems to have gone away !!??

    Then now we have the Adobe Flash situation, the ploy is very similar to that of Java which makes me wonder if the same Scare Mongers are at work here ?
    Flash is at v Flash Player 18.0.0.209 (Win and Mac), and if you need to check for the latest version then go to this page ” http://www.adobe.com/products/flashplayer/distribution3.html ” just make sure you download both the players for IE and Firefox and run them as you will find that 99.9% of the bugs have been fixed.
    – I wonder what of Microsoft’s “Silverlight” ? are we scare mongering Adobe Flash to make Silverlight number 1 ?

    Just keep checking the Adobe URL above once a week to see if the Flash version has been updated yet again, which it most likely will be in view of the scare mongering that is currently in play 🙂

    Have fun with Flash, I expect we will see it for some years to come, in my opinion.
    – However change to HTML5 if you have a website, and that is not going to be an easy task when you have several sites running, all using Flash.

    I also want to mention the result of the Java versions and notably that Oracle / Java is still supporting Win XP Pro SP3 contrary to the Dooms Day Merchants regarding Microsoft dropping support for it. Lo and behold that I use Microsoft Update on my XP machine and it continues to update Critical and Microsoft Office updates, used it a week ago and it still updates my XP machine.

    – Java for XP is at Java Runtime Environment 1.7.0.79 for 32 and 64bit, also has both Java CPU (7u79) and PSU (7u80) releases. check what the differences are on the site.
    To check for the latest version for XP go here “http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html ”

    – Obviously Win 7 and above continue to be supported and Java for them is at “Java Runtime Environment 8.0 build 51”
    To check for the latest version for Win 7 and above go to “http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html”

    Seems that Most of the bugs in Java have been fixed and the Scare Mongers are on other Game in the IT Jungle.

    Regards
    Roger H. / PC-Bug Fixer, Sydney, Australia.

  7. Avast! free AV monitors quite a few software, Adobe included, for latest updates and downloads and installs them; all FREE.