80% of Browsers Found To Be At Risk of Attack

CWmike writes "About eight out of every 10 Web browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said Thursday. The poor state of browser patching stunned Wolfgang Kandek, CTO of Qualys, which presented data from the company's free BrowserCheck service Wednesday at RSA. 'I really thought it would be lower,' Kandek said. BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, from Adobe's Flash to Windows Media Player. When browsers and plug-ins are tabulated together, between 90% and 65% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component. In January 2011, about 80% of the machines were vulnerable. The most likely plug-in to require a patch: same as last year, Oracle's Java."

Slashvertisement

[suso]

Not getting enough hits? Slashvertisement can work for your company too. Call today!

Re:Slashvertisement

[tgeller]

That's exactly what I thought. "Company A announced Company A's findings using Company A's nifty new tool. Try Company A's tool for yourself!" There may be valuable information here. Without independent third-party review, we don't know.

Re:

[WrongSizeGlass]

That's exactly what I thought. "Company A announced Company A's findings using Company A's nifty new tool. Try Company A's tool for yourself!" There may be valuable information here. Without independent third-party review, we don't know.

I thought your observations may have merit so I went to Company A's [companya.com] website but I didn't see any nifty new tools ... though it does have a picture of a cute little dog. ;-)

Re:

[jrumney]

They do have a plugni to install though. So your browser is guaranteed to be vulnerable after visiting their site - just in case you were feeling left out of the 80% majority.

Re:

[Anonymous Coward]

This is a slashvertisement, but at least it was for something useful this time. I just patched 3 browsers based on the results.

Plug-ins Bad. Here's ours

[Lunoria]

So, you got to install a plug-in to check if your other plug-ins are secure. Maybe the browsercheck plug-in isn't secure. People need to update their software for security. That's not news.

Re:Plug-ins Bad. Here's ours

[bunratty]

You can use Mozilla's Plugin Check [mozilla.com]. No installation required.

Re:

[bunratty]

Ah, The perfect is the enemy of the good. [famous-quotes.net] Could there possibly exist some things that are useful despite the fact that they are not perfect?

Re:

[ColdWetDog]

Plugin Check doesn't recognise Gears or Media Player. What use is a plugin checker that doesn't recognise commonly installed plugins?

This is a problem for both the official Mozilla plug in check and the current slashvertisement site. The official Mozilla site flags a much larger number of plugins including the hapless mess that is Java but misses several Google plugiins. Unfortunately it appears that plugin writers don't necessarily follow the guidelines for announcing themselves and further that Silverlight comes back as outdated in both checks even though I've pulled the download directly from Microsoft's site, installed it and rebo

Re:

[Darkness404]

Which is why properly maintained repositories are so useful. However they are often incomplete (as in the case with Ubuntu), super-restricted (as in the case of Apple), or a mess (as in the case with Android).

Re:

[Yvan256]

I didn't have to download or install anything when I did the test. I even browse with Java and plug-ins disabled.

I clicked, it said "Safari 5.0.3, up to date", done. Took about 3 seconds.

I'm guessing different browsers and operating systems require different things.

Re:

[dotancohen]

So, you got to install a plug-in to check if your other plug-ins are secure. Maybe the browsercheck plug-in isn't secure.

It didn't install a plugin for me. In fact, after seeing people complain here about the plugin I check the FAQs:
https://community.qualys.com/docs/DOC-1542#s1 [qualys.com]

It seems that only Windows users need a pluging. On my Kubuntu system it was all Javascript (I suppose, what else could it be?). So the answer to your "Why must I install an insecure plugin" question seems to be: "Because you are using Windows".

I would have thought this closer to 100%

[mswhippingboy]

Since new exploits are identified each day.

Re:I would have thought this closer to 100%

[SudoGhost]

I would have thought it closer to 100% since about 100% of browsers are used by people, which are the biggest security flaws in any system.

Re:I would have thought this closer to 100%

[Skarecrow77]

My wife has a shirt that says "Social engineering" on the front, and on the back it says "Because there is no patch for human stupidity".

My wife is awesome.

Re:

[Amouth]

"you can't fix stupid" - Ron White

Re:

[Anonymous Coward]

Nah, 80% is correct. the remaining 20% of browsers are Opera, which is not known to be used by people.

Re:

[Imrik]

It only counts exploits that have been patched.

Re:I would have thought this closer to 100%

[Kenja]

Lynx is still pretty safe!

Re:

[e9th]

Is your version susceptible to this? [nist.gov]

Re:

[severoon]

"80% of Browsers Found To Be At Risk of Attack. In other news, Chrome marketshare up to 20%." :-)

Re:I would have thought this closer to 100%

[VGPowerlord]

I'm one of those who doesn't do updates. Mainly because I've read too many horror stories of updates making computers unbootable, or breaking the software, or whatever.

Instead I wait a month-or-so until I'm sure there's no negative outcomes being reported by the press.

I wasn't aware that the Commodore 64 had updates.

Re:

[osgeek]

Look, man, if you have an opinion just express it. Don't keep these things all bottled up inside where they can fester.

Tell us what you really think about the guy and you'll feel better.

All this sugar coating to avoid hurting his feelings isn't doing either of you any favors.

Re:

[WrongSizeGlass]

Did you know that 'theaveng' is an anagram for 'negative' if you swap an 'i' for the 'h'? Well, it is. Yes, I know that it's meaningless, but it's more entertaining than some of his posts.

Isn't that?

[Wolvenhaven]

The exact percentage of IE marketshare?

Re:

[elrous0]

Actually, I run Firefox and discovered recently that auto-update had stopped working for some reason. When I tried to update through Firefox, it reported that I had the latest version. When I did a manual check, I saw that I was running version 3.6.6. Checked the site and the latest version is actually 3.6.13. Had to download and install manually. Not sure what the problem was there, but just goes to show that even a technical user running Firefox can get out-of-date.

Re:

[ColdWetDog]

The scanning tool doesn't help all that much either. It still insists that my Flash version is out of date, even though it's current (note to snarks, yes it's Flash, yes it's not all that secure even at the current patch level), it still insists that DivX is out of date, even though it's current (op cit).

Not terribly impressive. Initially it complained that FF was behind (and I had the same issue as elrous) and that Flash, Silverlight, DixX and Flip4Mac were also older versions. Except that I've not

Uhmm NO

[Monty845]

So first I needed to enable javascript for the site. Now it wants me to allow some random website to install a plugin so that it can tell me if my security is up to date... yeah if it can't detect a security vulnerability without me going through a bunch of hoops and ALLOWING it to install on my system, I'm going with the whole thing is BS.

Re:

[MozeeToby]

My thoughts exactly. So does having Javascript, flash, pdf, and Java disabled put me in the special 20%? Seems to me that their statistic should read 80% of those susceptible to social engineering have insecure browsers because no one should install random plugins from random companies without a much better reason than 'check your security'. Their webpage and software model appears to be practically identical to a million scareware, 'Anti-virus' products out there.

Re:

[Tolkien]

Would you rather they use malicious means of installing their checker so that you don't have to go through the tedious hoops of pressing your mouse button a few times? It might help their point, but it won't help their credibility.

Re:

[lennier]

Would you rather they use malicious means of installing their checker so that you don't have to go through the tedious hoops of pressing your mouse button a few times?

What part of 'installing a random browser plugin' isn't already malicious means?

Re:

[The MAZZTer]

It is certainly possible to check plugin versions through JS alone, though from reading mozilla blogs I understand it's tricky since not all plugins report their version numbers the same way. Mozilla's Plugin Check. [mozilla.com]

Re:

[elashish14]

Then Jesus proclaimed, "Behold, I will now compromise the security of this OpenBSD installation. Here you see the machine. It is fresh, clean, secure. Now, turn around. Turn around..."

Self-selecting for failure

[RobertB-DC]

So eight out of 10 browsers running the test failed it? That's not terribly surprising, since I have to install a plugin to run the test.

I don't know Qualys from Quantas, so I'm highly unlikely to install their plugin just to find out whether my browser has vulnerabilities. In fact, I'm not terribly likely to install any plugins at all (though I'm enjoying Ghostery [ghostery.com] immensely).

Now, let's assume for a moment that I'm the type to install any plugin that asks nicely and looks shiny. Gee, is it any surprise that Qualys' plugin isn't the first one I've accepted? And is it any surprise that I've got other issues?

This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

Re:

[NotBorg]

This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

This. (QFT)

Also, it seems the plug-in only scans software versions. It doesn't actually test if penetration is actually possible. If blocked by firewall, AV, sandboxing, system policies, etc, the test still flags you as vulnerable. It probably doesn't take into account the likelihood of a particular vulnerability of being exploited. Some "holes" have a rather obscure set of con

Updating Java

[Anonymous Coward]

Perhaps people would be more keen to update their Java version if the installer didn't keep trying to spring a surprise 'Install Yahoo! Toolbar' move on them on EVERY patch.

Re:

[Vlad_the_Inhaler]

My reason is different.
When I am browsing with Windows - which is not very often - it is with XP without Admin rights. Up comes a warning saying 'There is a new Java version available'. Well, I don't have the rights so I switch to an account *with* rights and . . . nothing. Ok, I go to Settings/Java and tell it to upgrade. It ignores me.

Ok, I could go to the Oracle site and download the JVM directly, but wtf does the standard update mechanism simply not work? It did once.

I tried installing once without

Old versions kept with Java

[SmilingBoy]

One issue with Java seems to be that it keeps old versions (or at least it used to). I used a laptop at work that had been in the cupboard for half a year. It had (roughly, can't remember exactly): Java 1.5 update 12 - Java 1.6 - Java 1.6 update 2 - Java 1.6 update 3 - Java 1.6 update 6 - Java 1.6 update 7. Why this is the case, I have no idea. Doesn't seem right though!

Re:

[Vekseid]

This nonsense stopped around 6.16 or so, but yes until then it was freaking annoying. Java updates will remove old versions now.

Use JavaRa

[surveyork]

godel_56 beat me to it: Use JavaRa to get rid of old installations of Java. However, Sun/Oracle wised up a bit and current versions of Java have this issue fixed --If memory serves me right. No more crap left over when updating _fresh installs of current JRE_.

Java, obvious

[Bobfrankly1]

The most likely plug-in to require a patch: same as last year, Oracle's Java."

Of course, this has nothing to do with the fact that new versions of Java tend to break existing java based applications and utilities. You can use the new version of Java, or you can use the older one that works with your mission critical enterprise tools.

Re:Java, obvious

[mswhippingboy]

While I don't doubt the sincerity of your post, I certainly have had a different experience. I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break. I know of one recent upgrade that broke Eclipse, but it was quickly regressed and the problem was really in Eclipse, not Java.

I guess I've just been lucky.

Re:

[Bobfrankly1]

I know we have to keep our java below a certain version for our Citrix remote portal. There are some other apps that are affected, but that's by far the most important one for us.

Re:

[mswhippingboy]

Ok, I see your point. Vendor supplied applications almost always specify a particular Java version. Sometimes it's because they do something out of the ordinary (such as using JNI to get outside the JVM), or sometimes it's just that they've only tested and certified it to work with a particular version. However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.

Re:

[lennier]

However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.

'Should' is a wonderful word which, in IT, means 'won't'.

Re:

[mswhippingboy]

However, generally speaking an application that is written in 100% pure Java should run without change on later versions of the JRE.

'Should' is a wonderful word which, in IT, means 'won't'.

No, it means should in IT, just like it does everywhere else. It does not however, mean "always" which, in the case of Java I suppose is where the bar is set.

I suppose it's ok for a new version of Windows, Linux or OSX to break existing applications. It's fine for new versions of .Net, Cocoa, GTK, QT or other frameworks to break old applications. It expected that new versions of VB, Python or Ruby might cause problems for existing applications. However, if the latest version of the JRE causes problems for

Re:

[Vlad_the_Inhaler]

We have a mainframe application which relies on something from Java, some classes I think. An update to Java around three years ago broke that application for the clients which had appled the update. Two or three levels later (4-5 months?) it started working again.

Re:

[Amouth]

lets see

JRE 1.6 Build 17

forced disabled on MD2withRSA - now i understand you shouldn't be using it BUT alot of older apps used it including a lot of embedded web services that used SSL (aka switches, routers, printers)

they gave zero option to enable it's usage in any case starting with that update. that broke a lot of shit right there.

Re:

[mswhippingboy]

I'm not here to make excuses for Snoracle's screw ups. Any time a new version of software (anybody's) is installed, there is a chance things will break. I agree, in this case it was an obvious dumb move to push out a new version without at least flagging it in bright red letters and supplying work arounds. It was noted in the release notes for u17 (http://www.oracle.com/technetwork/java/javase/6u17-141447.html), but who reads those and who can control the clients anyway.

I understand why that had to make th

Re:

[Amouth]

In any case, this is a certificate/security issue and not a language/platform issue which was the original point I was trying to make.

It started as a "certificate/security" issue and became a "language" issue when they forced a change in what was expectable commands without recourse.

and sorry i do not believe in "don't upgrade" as a viable recourse as you are just leaving that user wide open for future problems.

they need the ability for the USER not the application to request that that the program or app be run in a specific version of the JVM so that you can allow proper backwards compatibility while allowing the user to keep up todate

Re:

[BlueBlade]

I know some of our older RSA cards on our IBM servers don't work with anything over (IIRC) Java 6.3. So we have to keep machines around with older Java version to get the remote-control feature working.

I've also seen some doc sharing sites one of our client is using (pharmacology related) that are sensitive to which Java version you run.

I know I've seen other instances which I can't recall right now. Java's portable and compatible with everything, except when it isn't :P .

Re:

[lennier]

I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break.

You've not been running Galaxy CommVault, then.

Re:

[mswhippingboy]

First, I said "I've been working with Java in large enterprise settings for over 15 years". I didn't say I have applications that were written 15 years ago that are still running the same binaries.

Second, there was a lot more than applets being written 15 years ago. I do still have Java back-end applications that were originally built back then but have undergone enhancements over the years. Just because the "Server JVM" wasn't introduced until somewhere around 1.4, doesn't mean java didn't run on servers

Re:

[mswhippingboy]

I've been working with Java in large enterprise settings for over 15 years,

Really? Large enterprise settings were using Java before the official release? The only way you could have been using it in large enterprise settings for over 15 years ago is if you were using the pre-release alpha from '94. J2EE is only 12 years old.

Actually yes. I was involved in the Sun Early Access program and started working with Java in mid 1995 (actually, I believe it was Beta code at that point, maybe still Alpha - I don't recall). JDK 1.0 was officially released in early 1996, but we were already heavily into development at that point.

No, this was not J2EE work, and it was not web oriented at all (the corporate web applications at that time were primarily done with C++ and ISAPI). These were all system integration applications and there were

Re:

[Bobfrankly1]

I was doing beta testing in 1997 for a (now dead) "multimedia company" (web developer) that was creating a kiosk for Toyota that would help users to choose the right car for them. It looked very similar to alot of the features you see on websites today, although a lot more basic. It was written in Java and as Java was back then, the app was buggy as hell. I was quite good at my job, I could break the app at any moment and when the opportunity arose, I received the lead programmer's blessing to transfer to t

Re:

[lgw]

Wow, can you really not imagine writing an enterprise application without a framework? Really? Grumble grumble wrote me some enterprise software in assembly code back in the day mumble grumble GET OFF MY LAWN YOU KIDS.

Re:

[BitZtream]

You do realize 1994 was 17 years ago ... right?

And yes, its fairly common for some people to be using software products before release. Ever heard of beta testing? Its pretty common to let some of your customers have an early crack at something so you can find out how well its going to work and find bugs you didn't otherwise predict or see.

Irony: it is a plugin

[MobyDisk]

You have to appreciate the irony that the test requires a plug-in. For all I know, the test is the virus. I assumed it would be a series of javascripts that tested vulnerabilities.

False positives?

[dgatwood]

I wonder how much of this is due to vendors deliberately not bumping the version numbers when they put in a security patch?

Mozilla has one too

[gQuigs]

http://www.mozilla.com/plugincheck/ [mozilla.com]

Re:

[hduff]

So both sites tell me that Shockwave and Java are out-of-date (using Mageia1-alpha1 and FF4beta11) and I update them with the files they provide links to AND it now says I' still out-of-date.

Derp?

Re:

[surveyork]

Hmmm... Are you running Firefox beta portable? In any case, here's my experience: I have: Firefox 3.6, Firefox 4 beta portable and Pale Moon portable. When I go to Plugin Check and update, only Firefox 3.6 gets updated. If I recall correctly, I manually copied the Flash DLL from my User > Application Data > Mozilla > plugins into Firefox 4 beta port. and Pale Moon port. "plugins" folder. Now all of them are up-to-date. Someone else may explain it better but the gist of the solution is that the rele

Mandatory Access Controls or Sandboxing

[metrix007]

SO, at present the most secure browsers on Windows are Chrome and IE8+

Why?

Because they make use of Windows Integrity Controls, a type of MAC which means if a low level process is exploited it has no access to the rest of the user account.

As much as people laud Opera they are really behind the fucking curve on this one, and I don't know what Mozilla's excuse is. With the excess beta's they really don't have one.

It should be noted out before hairyfeet gets in that while Firefox and Opera do not make u

Re:

[gad_zuki!]

The problem with these sandboxed browsers is that their plugins are not sandboxed, generally.

I think Chrome is doing well because it ships with its own PDF viewer, thus eliminating the big vector of Adobe's insecure PDF viewer.

I think IE8 is doing well on these tests because if you're using IE you might be a corporate user who's computer is regularly updated by the system admin.

Both these browsers running an insecure version of Java means instant exploit. The best advice is run any browser you want, but ge

Re:

[VGPowerlord]

I think Chrome is doing well because it ships with its own PDF viewer, thus eliminating the big vector of Adobe's insecure PDF viewer.

Chrome also integrates Adobe Flash... but unless Google is updating Flash whenever Adobe issues an update, it's less secure than the versions that use a standalone plugin.

Re:

[Amouth]

but unless Google is updating Flash whenever Adobe issues an update, it's less secure than the versions that use a standalone plugin.

except that Google's version is Sandboxed where the standalone plugin isn't.. so while the flash part might be exploitable - too what ends is far different.

Re:

[cbhacking]

Unless a plugin automatically adds an exception for itself (which some *cough*Flash*cough* do) it will either prompt you for permission to run outside the sandbox, or will run within it. I remove permissions for Flash to do this and it still usually works just fine.

Re:

[mlts]

The more browsers use the operating system security abilities, be it WIC, jail(), AppArmor, SELinux, or any other mechanism that reduces the privs a Web browser under, the better.

The battle for control of most PCs is going to be fought at the browser and browser add-on level. This is one front that really needs defense in depth, from browser add-ons being in a separate context from other objects, to a browser tab or window not being able to access other windows, to a browser not being able to get normal us

Re:

[mlts]

Correction: Kudos to Google for using OS controls for additional security.

Yes, using OS specific security constructs makes a Web browser less portable across platforms, but it might be that some OS security mechanism may be the only thing standing in the way of browser compromise turning into complete machine pwnage.

On a larger scale, it might be time for OS makers to have some standardized security mechanisms, where a program can take advantage of them regardless if it runs on Windows, OS X, AIX, or OpenV

Re:

[cbhacking]

Strictly speaking, IE7 also includes Protected Mode (MIC sandbox). That's only relevant on Vista though - Win7 comes with IE8 and XP is incapable of MIC.

Not sure of header

[hesaigo999ca]

With a heading like this, too much is left to the imagination, I thought 80% of browsers out there in use are vulnerable, and if that is all, I would say redundancy is useless. Stating the obvious, such as any application made by man, will be error prone....so any browser running out there, is obviously flawed, no news here, move along...

Corporate -vs- home users?

[MobyDisk]

I wonder what the percentages are for corporate users compared with home users. I bet home users are better: My current employer requires out machines to have a *particular* version of Java installed. The internal corporate web site doesn't work on anything newer, or older. Unfortunately this seems to be the norm, not the exception.

I'm constantly amazed at how these internal apps are some of the poorest maintained software. Training applications, time sheets, desktop sharing, CRMs ... consistently the poorest quality tools I encounter.

Re:

[Asic Eng]

Same in our company. The problem is that frequently the users have no say at all. If the SW needed to be sold, then customers would simply refuse to buy such low quality - for internal tools the users are forced to use the crap.

Re:

[Salvo]

Users shouldn't have a say, The IT dept. should have the say.
Unfortunately, bean counters and upper management have more of a say than those who actually know all the issues. System sales reps use buzzwords to impress the management, or provide kickbacks for bean counters, lumping the IT dept. with an overpriced piece of crap that any competent sysadmin could roll themselves in a weekend (as long as they didn't get interruptions from Clueless Users) using a Linux system, Apache and MySQL.
It's all well and g

Not even remotely surprised

[jimicus]

I've been saying this for some time: Windows (and to a lesser extent OS X) needs an API so updates are centralised, configured and installed from a single interface.

OS X has the app store. Linux distributions have repositories. Both of these solve this problem very neatly, and it's a lot easier to keep everything up to date. But I don't think centralised distribution is necessary - just an API call so you can say to the operating system "this is the name of the application, this is an RSS feed where updates are published, this is the key with which updates will be signed, this is how frequently you should check for updates" would probably solve most of the problems.

The mess we have right now is the reason why there is always something on a PC that needs updating.

Re:

[BitZtream]

So you want Sparkle/WinSparkle to be an OS library.

Sparkle might have happened previous to the OS X AppStore since the guy who writes it is an Apple employee but thats probably shot now.

I wouldn't expect anyone to make much effort in this direction though, it offers no profits and requires extra work.

Re:

[jimicus]

Something like that, yes. I hadn't heard of Sparkle, but it looks like it's roughly the right idea.

The reason it needs to be in the OS is because if it isn't, there's precious little chance of third-party software supporting it. Not only would it reduce these risks, but it could hook into Active Directory for enterprises.

Though existing companies providing network management software would probably have something to say about that.

Re:

[mlts]

I'll take the repos where the Web browser can scan both default and user specified repositories for updates over having every single program, plugin, and code chunkie having a separate update mechanism.

With so many update mechanisms, there are so many links that can become weak links in a security chain that program security becomes unwieldy. If a blackhat manages to compromise some browser addon's update mechanism, and the addon can get user (or even admin) context, it means the blackhat just obtained the

Re:

[Rich0]

Uh, what he was proposing was something like Sparkle. App registers with the OS with an RSS feed. App owner publishes to RSS feed, app gets updated, maybe with user confirmation first.

The problem with apps that update themselves, is that they can only do that when they're running, and as local admin. I don't like apps that run all the time - I don't need to have QuickTime running the 99.999% of the time that I'm using my computer and NOT watching a quicktime video. I certainly don't need to have it runn

Re:

[BitZtream]

MS doesn't even do this well for their own apps.

2005 called, they want their feature back.

Windows Update only updates Windows issues.

Microsoft Update handles pretty much all MS apps at this point, once you visit it and install the required bits Windows Update turns into Microsoft Update and the problem is solved ... for MS updates.

WTF?

[The Grim Reefer2]

I went to the Browser Check [qualys.com] link and was told that I have to enable Java and refresh the page. So to check my browsers security I first have to lower my current security settings? Now I see how they got their numbers.

80% of users can't be trusted

[ArhcAngel]

to stay away from web sites that steal their data.

100% of web browsers are vulnerable

[blair1q]

Anyone who imagines we've found all the exploits already is a moron.

has trouble with nspluginwrapper

[AdamWill]

If you have Flash installed via nspluginwrapper, it shows two Flash entries, one saying "10.2.152 Up to Date", but the other saying "10.2 Potential Threat", with an explanation that it couldn't figure out the version precisely enough to be sure what it was. It counts this as a security threat. So that's a false positive right there.

Don't use BrowserCheck.

[R.Mo_Robert]

Mozilla has a free plugin check that you can use to see not only if you're up to date on the most common plugins but also if any of yours that are out of date suffer from an known exploit you should fix immediately. It's free, and there's no extra plugin (yeah, BrowserCheck...what the) to install: http://www.mozilla.com/en-US/plugincheck/ [mozilla.com].

Re:Java?!?!?

[mswhippingboy]

Java was supposed to run in its own sandbox and therefore wouldn't be a security issue according to the original SUN PR bullshit.

This is actually true. However, when user just mindlessly click through the security dialog on unsigned applets that warn that resources outside the sandbox may be accessed it defeats the whole sandbox protection mechanism.

I guess it gets back to the old adage "Make it foolproof and only a fool will use it.".

Re:

[gad_zuki!]

You don't need to click on anything. The malware java exploits I've seen in the wild simply load up as applets. The malware writers get them signed with stolen keys. No need for the user to do anything. Blaming the user is common here, but its shit software owned by a shit company, and has a shitty security record.

Considering most people have no need for java the best advice isn't update, its uninstall it.

Re:

[Robert Zenz]

Wait...so basically you're saying that Java is shitty because it can't detect stolen security keys?

Re:

[jrumney]

Signed applets with stolen keys would still result in a prompt the first time the applet is run. Something else is going on here. There have been vulnerabilities in the JVM in the past that let unsigned apps jump out of the sandbox, and if the user has an outdated JVM these will still work - one particular nasty vulnerability is the fact that the OBJECT tag originally allowed the developer to specify a specific version of the JVM, so attackers can try to force the use of a vulnerable JVM - which will not pr

Re:

[lgw]

If it's so shitty, can you explain why it has been and continues to be (increasingly) the most widely used language/platform on the planet?

For the same reason that the craptastic COBOL was before that? It's easy to learn, and once its popularity grew among non-technical managers, the network effect took over.

There's still no real need to have Java on the desktop. Server-side, just like COBOL before it, it has it's place. Inventory, payroll, CRM, and all those other card-walloping programs need to be written somehow, even if there aren't any cards to wallop anymore.

Re:

[mswhippingboy]

If it's so shitty, can you explain why it has been and continues to be (increasingly) the most widely used language/platform on the planet?

For the same reason that the craptastic COBOL was before that? It's easy to learn, and once its popularity grew among non-technical managers, the network effect took over.

There's still no real need to have Java on the desktop. Server-side, just like COBOL before it, it has it's place. Inventory, payroll, CRM, and all those other card-walloping programs need to be written somehow, even if there aren't any cards to wallop anymore.

Sorry, by my recollection is different. Java became popular despite the the fact that the corporate world was practically OWNED by Microsoft and Visual Basic/Visual C++. Most non-tech managers were afraid to use anything that didn't have a Microsoft logo on it. Most only allowed Java into their shops when it became clear that it was the logical choice in certain application spaces.

I agree, Java is not and never has had much to entice desktop application development (though that may well change when Android

Re:

[BitZtream]

Just because a lot of people use Word (or Java) does not mean they are good at it. The application really has a difficult time fixing stupid, regardless of application or language. The harder you try to fix stupid programmers, the more complex and more difficult it becomes to actually write secure software.

Everytime someone comes up with some way to 'make it easier' the end result is more often than not something thats simply more complex and just as broken and far more difficult to effectively understand

Re:

[mswhippingboy]

On that note however, as a former Java hater who had to start doing Java development , I came to realize that shitty buggy java apps are generally the fault of the shitty developer who made them, not Java

I think that one sentence says it all. How can you be a Java hater before you've done any development in it? Somehow the word "lemming" comes to mind.

Re:

[Zelgadiss]

Java was supposed to be the safe (but painfully slow) way to run "web apps" after the giant clusterfuck that was ActiveX.

But over the years it seems it too have "growth" into a security risk.

I wonder if Javascript will suffer the same fate one day.

Re:

[jrumney]

Java ran applets well before ActiveX appeared on the scene. Javascript does have the advantage that it is not capable of doing anything outside the sandbox. A lot of Java's vulnerabilities have been because of its dual use as a sandboxed untrusted applet environment and as a full unlimited desktop and server programming environment.

Re:

[Locke2005]

They both need to ask permission because their updates so frequently fail. Nothing like doing the same automatic update over and over again to bring your computer to a crawl.

Re:

[R.Mo_Robert]

Try completely removing your existing installation of Java. Try the standard Add/Remove Programs (sorry, "Programs and Features") uninstaller. When that probably fails, do the rest yourself: delete everything in C:\Program Files\Java, then remove the HKLM\Software\JavaSoft key from the registry. Now, download the full offline installer (or whatever you want, I guess--I normally use this one because I hate downloading installers that really only download something else) and try again. You may need to reboot

Re:

[mlts]

Ideally, Java should come as a .MSI or .MSP file. I don't like how it tries to foist a third party program on you when updating. Nor do I like having to deal with third party installers which means another program that has to have admin level privs on a system.

Plus, MSI/MSP files mean it is easily pushed out centrally.

Re:

[BitZtream]

MSI/MSP files are notorious for the problems they cause due to the crappy shit the InstallShield produces and Microsoft uses.

I've spent the last few years moving all the apps our company produces off of MSI files just so we can cut down on installation issues like silly shit that happens when an MSI depends on an MSI that depends on running an EXE during installation or even worse when an MSI calls a EXE wrapper for another MSI instead of referencing the MSI file directly.

Guess what, you can still deploy th

Re:

[d_jedi]

(I am OP, didn't post under my username before.. and this is a reply to both tuppe and venom)
I am running Firefox 3.0.19. The extension that doesn't work is Tab Clicking Options 0.6.9