JRE Archives

Home » JRE

Solve the Java problem

Dave Farquhar security March 25, 2016November 25, 2016JRE, vulnerability, Whitelist

I met with a client earlier this week who asked me to go over their vulnerability scans for a bit of a sanity check. He asked some important questions, but one in particular seems worth sharing. What can we do with Java? Can we solve the Java problem?

Dave Farquhar

David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.

dfarq.homeip.net

Whitelist Java to provide better security and a better user experience

Dave Farquhar security, Windows December 9, 2015September 15, 2016JRE, oracle, Proxy server, Whitelist

One of the best things you can do to improve your security in a corporate environment is to limit the use of Java, or whitelist Java. Undoubtedly there will be one or more legacy web applications your company uses that require Java, and it’s almost inevitable that at least two of them will be certified for one and only one version of the JRE, and it won’t be the same one.

Believe it or not there’s a solution to the problem of conflicting JREs, but it took me years to find it, because I had no idea that Oracle called it “Deployment Rule Set.” The secret’s out now. If you run Java, and you want security, you need Deployment Rule Set.

Dave Farquhar

dfarq.homeip.net

The problem with ditching Flash and Java

Dave Farquhar security October 28, 2015October 27, 2015apple, Brian Krebs, JRE, Whitelist

Last week Adobe issued an out-of-band Flash patch, and once again Brian Krebs urged people to ditch Flash, noting that he’s done so and hasn’t missed it.

We decided to try ditching Flash at work a few months ago, but it didn’t go quite so smoothly for us. I thought I’d share my experience.

Dave Farquhar

dfarq.homeip.net

Throwback Thursday isn’t for the Java Runtime Environment

Dave Farquhar security July 31, 2014July 30, 2014Java Runtime Environment, JRE

The Java Runtime Environment is one of the nastiest pieces of software ever foisted upon mankind. It’s difficult to secure when people have the will, and few people have the will to even try. So nasty ancient versions of the JRE live forever.

That’s not to say I’ve completely given up on the Quixotic quest to get rid of it. Earlier this week, I exhorted, “Can we please not use the JRE that Ada Lovelace wrote for Charles Babbage?”

That stopped everyone dead in their tracks with a laugh. “That’s good.”

Hopefully they think it’s a good idea too. Because with all the hacks they would have had to do to get Lovelace’s JRE running on a Von Neumann architecture machine, there’s no way the thing can be stable, let alone secure.

Dave Farquhar

dfarq.homeip.net

How to check your Java version

Dave Farquhar security, Windows June 8, 2013November 29, 2018JRE, Windows Server

Sometimes, especially on Windows servers, it’s difficult to check to verify what version of Java you’re running while you’re making your rounds. If you don’t have a scanning tool to check it, here’s how to check your Java version by hand, even if the Java control panel doesn’t show up:

Dave Farquhar

dfarq.homeip.net

And the most security-riddled program of 2012 was….

Dave Farquhar security March 20, 2013March 18, 2013apple, chrome, firefox, itunes, JRE, oracle, vulnerability, windows 7, Windows Server

Secunia released its annual vulnerability review, a study of the 50 most vulnerable pieces of software in 2012. It was a fairly tight-three way race at the top, and the distance between #3 and #4 was huge.

I was actually surprised at who the top three were. They weren’t the three usual suspects. But in the case of the top two, they did, to their credit, roll out fixes within 30 days of disclosure.

So now that I’m killing you with suspense….
Read more

Dave Farquhar

dfarq.homeip.net

What I did since I (temporarily) need Java

Dave Farquhar security January 23, 2013April 15, 2017CERT, JRE

I’ve been seeing the same question over and over in my search logs lately: Is Java safe to run in 2013?

Generally speaking, the answer is no.
I have little choice but to run Java right now, though. I’m studying for a certification exam, and the best quiz program that I know of is written in Java. Its user interface is in Polish, a language I don’t speak, but that bothers me less than it being written in Java. Google Translate can help me with the Polish, but it can’t make Java safe. That’s up to me.

So here’s what I did.
Read more

Dave Farquhar

dfarq.homeip.net

Firefox disables out-of-date Java plugins

Dave Farquhar security April 4, 2012firefox, JRE, malware

Firefox is advising users to disable vulnerable Java versions on Windows. I actually saw this in action on a machine yesterday–a machine that has to run a slightly dated version of the JRE because a vendor hasn’t certified their product with the current version yet. Read more

Dave Farquhar

dfarq.homeip.net

Troubleshooting Packagefortheweb packages

Dave Farquhar Windows January 20, 2005JRE, troubleshooting

Under some circumstances when installing an app from a Packagefortheweb archive, such as Sun’s JRE, I get a goofy error message like “Cannot run 16-bit Windows Program” or a message about a failure to find a path with long filenames in it.

It’s a bit of a pain but you can fix it.The trick is to extract the file rather than run it. I found PowerArchiver can do it. Winzip may also be able to. I wish I had a command-line utility to do it but I don’t.

Extract it to a short directory name, then move it to the root drive. Then run your setup.exe. That should be the end of your problems. Clean up afterward to eliminate directory clutter.

Dave Farquhar

dfarq.homeip.net