I dont understand all the fus around these exploits. Are they exploits? Yes. Do people actually use java in the web? Not really.
Maybe im in the minority but i never see java applets, and i think i browse ~ the avg. Of course i also disable all plugins until i click on something.
It makes no difference how prevalent they are in common web apps, the problem is that the Java plugin is still installed and active for a large number of users.
This is not the attack sequence:
* site has pre-existing Java
* site gets compromised somehow
* site now infects users
This is how it usually plays out:
* site gets compromised somehow
* exploit includes a 0-day Java attack
* site now infects users
Literally 0 sites on the net could be hosting Java applets and that would make no difference; it's the number of active Java plugins that creates the potential for mass-infection. So long as you have the Java plugin enabled, you'll be exposed to this attack.
Yes - also even a user who only wants to use client side Java outside of the browsers may be in trouble because of the automatically installed browser plugins that are part of the Java installation process.
It's incredible how far and fast client side Java has fallen because of Oracle's tepid response to security concerns. I've developed many internal apps for client-side Java and supported them for over a decade. I don't think I'll develop another.
It has nothing to do with Oracle's response -- the Java sandbox is simply broken, and has been known to be broken for at least the last 5 years. There's no fixing it, the approach is fundamentally flawed and fundamental to Java.
This doesn't mean that Java for client-side applications is broken, as long as you don't rely on web based distribution and browser sandboxing.
java sandbox has a massive surface area. conceivably any class in the jre could create a hole in the sandbox. modern browser sandboxes appear to be stronger because they rely on an unprivileged process which communicates with a broker interface. the broker code is much smaller than the jre code so it is easier to verify. however, there has been sandbox bypasses. the adobe sandbox bypass was a bug in the broker interface and it can be possible to use local kernel exploits to bypass the sandbox as well.
"This doesn't mean that Java for client-side applications is broken[...]"
I don't know. Java on the desktop requires administrator privileges to be able to notify me that an update is available. Also, it tries to install a virus in the form of "Ask toolbar" every frigging time.
I'm actually working on a desktop app used by hundreds of people (and installed by thousands) and my entire business model is being an ISV: trying to sell that Java app to people.
The less Java installed, the harder my life becomes ; (
Are there JREs which you can secretly include in your package, so that it looks like a few-hundred MB native application which happens to be implemented in Java?
User googles for 'digital camera nokia review' and ends up on a site containing a specially crafted 1x1 pixel Java applet. User doesn't even know it's there but due to the 0-day exploit, the applet can now download a remote executable to the user's machine and execute it. User's computer is now part of a botnet and all the user did was perform an innocuous google search.
Yes or it could be a site they visit regularly that has been hacked. Or a site that hasn't been hacked but that has JS from an ad network on it that has been hacked or let through a vulnerability. These are very scary hacks.
Update: I wrote up my recent experience of a shady advertising buy that appears to have spreading malware (likely via Java) as a goal http://news.ycombinator.com/item?id=5305092
Considering Facebook and Apple devs getting owned by these exploits I think the answer is yes. That you even know what a plug-in is does make you in the minority, but considering who has been victim so far you should not sit back with such a smug attitude.
If you visit a malicious site and click anywhere on the page (not on a plugin) then you could enable a click 2 play plugin. i raised this as a chrome bug and they said click 2 play is not a security feature. there may be even worse bypasses :(
the only way to have proper security is to disable the plugin. there is a button on the address bar that allows you to enable plugins on a page when they have been disabled. this gives you a similar experience to click2play but it is quite annoying especially if you are used to click2play.
I can't reply further down the comment thread, but can you provide an official source on this. I enabled this feature last week, and there's no way of interacting with the plugin until I click on it.
I'm SCJP since the last century and my life has been developing Java since a lloonngg time (and now Clojure, but targetting the JVM).
Honestly the retards who decided that a Java applet was a wise decision for a bank should be shot before their genes are passed to a new generation :-/
Maybe im in the minority but i never see java applets, and i think i browse ~ the avg. Of course i also disable all plugins until i click on something.