Comments on Google Operating System: Java and QuickTime Require Permission in Google Chrome
Blog author: Alex Chitu (http://www.blogger.com/profile/02618542750965508582)
Comment feed last updated: 2024-03-18T02:14:57-07:00

----------------------------------------------------------------------

Alex Chitu, 2013-02-18T07:47:47-08:00:

Paste this in the address bar:

chrome://settings/contentExceptions#plugins

and add domains like this:

[*.]yahoo.com

This is not limited to Java, so you whitelist domains for all plug-ins.

----------------------------------------------------------------------

A. Nonamus, 2013-02-15T19:49:44-08:00:

Re: "You can manually whitelist domains..."

Other than visiting a page with Java on the desired domain, how?

----------------------------------------------------------------------

Pantheraleo2012, 2011-06-24T14:39:20-07:00:

I agree that there isn't a lot of client-side Java activity right now. At least not in the RIA space. But there are a few very prominent and popular sites that do use Java applets. Wikipedia is probably the best example. The embedded media player in many Wikipedia articles is a Java applet.

But again, my concern is more about the future. There are emerging Java RIA technologies such as JavaFX 2 and Apache Pivot. There are also some commercial Java RIA technologies such as Canoo RIA Suite. And I think this undermines their ability to compete alongside Flash and Silverlight because with Java, you don't get a seamless experience anymore in Chrome. And now, if you are an RIA developer and you use Java, you have to explain to the users that yes, it's OK for them to allow the app to run because it is legitimate and all. I think this reduces the appeal of Java-based RIA technologies, and thus hurts them from a competitive standpoint.

As far as bundling a sandboxed Java plugin, that should be possible for Google to do by using OpenJDK, which is GPL licensed. There is already GPL code in Chrome, so there should not be a licensing conflict with any existing Chrome code. In fact, Google should be able to do it without even getting permission from Oracle, since the GPL'd OpenJDK should allow them to do whatever they want with the code as long as they follow the requirements of the GPL.

----------------------------------------------------------------------

Alex Chitu, 2011-06-24T08:54:56-07:00:

I agree. Blocking Java content only if you're using an outdated Java version is the best thing to do. I haven't found reports that show QuickTime malware is on the rise, so I'm not sure why it's blocked.

Regarding Flash, I don't think Google is a big Flash fan, but their partnership with Adobe allowed them to bundle Flash and to start working on sandboxing the plugin. Flash for Chrome is already partially sandboxed in Windows and this will be improved. Chrome's auto-update makes sure that you always have the latest version of the plugin. I don't think Oracle would allow Google to bundle a sandboxed Java plugin and I'm not sure if this would be possible. Java is rarely used on the client side today, so I don't think blocking Java content by default is such a big annoyance for users. I know a lot of people that use extensions like FlashBlock, which block Flash content and let you enable it on demand. No more Flash ads, fewer CPU cycles wasted, no more videos that play automatically. JavaBlock makes even more sense, since Java applets are used a lot to create malware.

Google should try to better balance security benefits with user needs and only block outdated plugins.

----------------------------------------------------------------------

Pantheraleo2012, 2011-06-24T06:07:12-07:00:

Just last week, there was another memory corruption vulnerability in Flash that allowed arbitrary code execution and was rated "Extremely Critical" by Secunia. So you can quote people claiming Java is insecure all day. And I can respond by quoting vulnerabilities in Flash that make it insecure as well. So again, why isn't Flash getting the same treatment that Java is? Because Google has an ulterior motive to undermine Java. That's why.

Both exploits were fixed in recent versions of the JVM. Java is no longer vulnerable to those exploits. It should be enough that Chrome checks whether the plugin is outdated or not, and if it is outdated, then it will ask you to upgrade it and block execution of the applet. I'm fine with that. But blocking execution on a JVM that is 100% up to date, I am not fine with unless they apply the same standard to all RIA technologies.

----------------------------------------------------------------------

Alex Chitu, 2011-06-23T22:16:20-07:00:

"Reportedly, during Q3-2010, Java assaults rose to about 14 times the attacks identified during Q2-2010 whence two vulnerabilities within Sun (presently called Oracle) JVM namely CVE-2009-3867 and CVE-2008-5353 were exploited." (http://spamnews.com/The-News/Latest/Malware-Assaults-on-the-Rise,-Says-Microsoft-2011052314642/)

"Over the last few months we've seen a noticeable rise in the number of in-the-wild Java related exploits, some of which are pretty effective. We've been detecting most of these as Mal/WebStart-A. The typical scenario we see is a compromised web page hosting a malicious Java applet which downloads and executes a PE file. So why have the bad guys taken to using Java as an attack vector? Well, why not? It works." (http://nakedsecurity.sophos.com/2010/06/09/java-latest-playground-hackers/)

----------------------------------------------------------------------

Alex Chitu, 2011-06-23T22:09:56-07:00:

"Exploits of Sun Java by web malware increased in the third quarter, from 5% of all attacks in July to 7% in September, according to Cisco's 3Q10 Global Threat Report." (http://www.infosecurity-us.com/view/14077/web-malware-attacks-against-java-on-the-rise/)

"Landesman told Infosecurity that the increase in Sun Java attacks was the result of the development of a public exploit code for Java made available in the first quarter. So attackers began to focus on Java, and Java was put at the top of the exploit list.

Many users are unaware that they have Java on their computers. Also, Sun's security updates for Java are unpredictable. These both contributed to Java's vulnerability to malware attacks." (same source)

"Durham, NC—April 21, 2011— Online criminals are relying more heavily on Java security holes to distribute computer malware, according to research generated from G Data Security Labs. Not only has Java malware been on the rise since 2010, last month five of G Data's Top 10 malware programs targeted Java or Javascript. These unclosed security holes are playing a progressively larger role in the infection of Windows systems and have been gaining the attention of the security community." (http://www.gdata-software.com/g-data-malware-targeting-java-vulnerabilities-dominate-2011/)

----------------------------------------------------------------------

Pantheraleo2012, 2011-06-23T20:29:17-07:00:

I would also point out that Google is censoring discussions about this on the Chromium bug forums. I brought up my concerns about the technical reasons for this not being valid, given that Flash is a major source of security vulnerabilities as well. I also raised the concern that Google was doing this to retaliate against Oracle for the Android lawsuit. My comments were censored by deleting them. And the threads were locked so I could not respond again.

Google claims to not be evil, and claims to support freedom. But they are exactly the opposite of what they claim. They suppress free speech. They create unfair playing fields for RIA technologies. Again, if Microsoft tried this, they would be slapped with an antitrust lawsuit.

Make no mistake. Google is evil, and should be avoided whenever possible. Try duckduckgo.com as an alternative to Google for Web searches, by the way. They don't track you like Google does. And they don't censor your search results based on what they think you might be interested in. I've been using it for the last few days, and am very happy with it.

----------------------------------------------------------------------

Pantheraleo2012, 2011-06-23T18:39:31-07:00:

Alex,

The fact that Google is all buddy-buddy with Adobe and is bundling Flash only adds weight to my suspicion that Google is intentionally trying to undermine JavaFX 2 and Apache Pivot as RIA platforms on Chrome.

Also, a lot of malware uses Flash vulnerabilities to infect computers as well. So applying this double standard makes no sense unless there is an ulterior motive at work. I have already stated what that ulterior motive is: a combination of partnership with Adobe, combined with malice against Oracle because of the Android lawsuit.

And again, Microsoft Silverlight (i) has a large user base (because it is bundled with .NET by default, which is installed with all new versions of Windows), (ii) not very many sites actually use it compared to other plugins, and (iii) it's a security vulnerability. So Silverlight would seem to fall in the same category as Java. Except Silverlight is getting a pass, and Java is not.

It might be true that Google can't sandbox plugins, but again, why are they giving Silverlight a free pass, but not Java? Java has been singled out as the only RIA technology they are blocking. Silverlight is allowed. Flash is allowed. If Microsoft tried to pull this on Internet Explorer, you can bet that they would be back in antitrust court right now for intentionally trying to undermine Java's future as an RIA technology. But so far, Google is being allowed to get away with it. They are singling out Java for unfair treatment, while allowing Flash and Silverlight to get a free pass.

I don't consider this fair or acceptable. And the decision impacts my enterprise clients that use Java applets. Because of that, I am no longer using Chrome. And I am no longer recommending Chrome to my clients, or considering it to be a supported platform. In fact, I am telling my clients that we recommend they do NOT use Chrome, because we will not support it. We support Firefox and IE.

I honestly never thought the day would come when I would recommend Internet Explorer over Chrome, or say that we support Internet Explorer, but not Chrome. But that is the position I am in now, because Google has forced me into it by deciding that Java is a second-class citizen in the RIA space.

----------------------------------------------------------------------

Alex Chitu, 2011-06-23T14:01:49-07:00:

Flash is bundled with Chrome and Google works on sandboxing the plugin. Chrome also bundles a PDF viewer which can be used instead of Adobe Reader.

Java and QuickTime have three characteristics: (i) they have a large user base, (ii) not many sites use them, compared to other plugins, (iii) a lot of malware uses Java/QuickTime vulnerabilities to infect computers. This is not a cheap move to annoy Oracle and Apple, it's an overly protective feature. Google can't sandbox plugins, so it tries to minimize their impact by warning you when they need to be updated or when you are about to load some objects that could be malware. These are just some of the many security features recently added by Chrome. I agree that some are annoying and they should be improved, but the goal is to protect users, not to attack Oracle or Apple.

----------------------------------------------------------------------

Pantheraleo2012, 2011-06-23T13:14:56-07:00:

"Fair enough in blocking Java but blocking QuickTime seems like more of an attempt to annoy Apple than a security feature."

Well, I'd argue that blocking Java is more likely retaliation against Oracle for the Android lawsuits than anything else. If they were really concerned about security, they'd be doing the same thing with Flash. There have been and are tons of Flash vulnerabilities out there. They don't block Silverlight content either, which they would be doing if blocking plugins that "lots of people have installed, but do not actually use" was the real reason for doing this.

Also, the recent Apple MacDefender infections are proof enough that making a user confirm something doesn't work anyway. It's trivial to trick the average user into clicking Yes on something when they should be clicking No.

Again, I smell a rat. And it smells like retaliation against Oracle to undermine JavaFX 2's ability to compete as an RIA technology. And I think they are doing it in response to the Android lawsuit.

----------------------------------------------------------------------

Anonymous, 2011-06-22T20:34:02-07:00:

You're sad, Google. "Not required for today's internet experience"? I use QT all day long on my, um, Mac. I know you're upset by Apple's relentless kicking of your ass (how'd you like that "reader" in iOS 5, huh? Kind of makes internet ads useless, don't it?), but basically disabling QT? Guess it's time to go back to Firefox...

----------------------------------------------------------------------

Anonymous, 2011-06-13T15:15:51-07:00:

Java applets already have a security mechanism built in. An applet runs in a sandbox and can be either a signed or unsigned applet. If it is a signed applet then a security dialog will appear to the user before the applet is allowed to run. If it is an unsigned applet then it can only run in the sandbox and cannot harm the computer. I don't like this new prompt from Google Chrome at all. I think that if the user has an up-to-date JRE then no prompt is necessary. Please reconsider this new policy.

----------------------------------------------------------------------

Anonymous, 2011-05-22T07:37:12-07:00:

I don't need a nanny, Google. The lack of a way to indicate that a plug-in should be run on all sites without prompting is completely unacceptable. If I can't find a way around it, Chrome will no longer be my default browser.

----------------------------------------------------------------------

jcgsample, 2011-04-29T15:43:09-07:00:

Sounds great... but what is "a site?" I just loaded some language software with QuickTime files in multiple directories. Each subdirectory is apparently considered a "site." So, the prompt is everywhere. Further, these are on my hard disk, not some nefarious website. How about if I can approve everything recursively under a certain directory? In my mind, "site" is protocol://site, e.g. http://www.google.com.

----------------------------------------------------------------------

Anonymous, 2011-04-21T09:38:59-07:00:

A well-planned jab. Both plug-ins obviously pose a security risk, which gives Google the perfect excuse to 'block' them.

----------------------------------------------------------------------

Anonymous, 2011-04-19T16:47:24-07:00:

Anonymous above clearly can't read. What do you think the button "Always run on this site" means?

----------------------------------------------------------------------

Anonymous, 2011-04-18T17:58:10-07:00:

I have used a weather radar applet in my start-up page for 15 years. This page auto-refreshes every 10 minutes. Now I will have to give permission every time the page reloads? Why do they hate us so much? What did we do to them to warrant this crap? :(

----------------------------------------------------------------------

dallas.may, 2011-04-18T16:08:35-07:00:

Definitely a jab at Oracle and Apple. If you think it's anything else, you are fooling yourself.

----------------------------------------------------------------------

Anonymous, 2011-04-18T09:34:05-07:00:

Maybe this makes sense, but it certainly has the appearance of an attack on Java and QuickTime.

Actually, it is an attack on them; the question is whether it is justified.

Will this apply to plug-ins like Silverlight and H.264? Will this turn into an attack on anything that Google doesn't like?

----------------------------------------------------------------------

Anonymous, 2011-04-18T07:49:58-07:00:

Didn't Windows Vista do something very similar, and it wasn't very effective? I think the core lesson was that click fatigue does not produce security.

----------------------------------------------------------------------

Anonymous, 2011-04-18T06:46:16-07:00:

This is a good idea! Brian Krebs (http://krebsonsecurity.com/) actually recommends uninstalling Java.

I have run into the occasional QuickTime file and even more rarely the Java file, so instead of uninstalling or turning off Java, I'd rather be prompted to run it.

----------------------------------------------------------------------

Radu (http://www.faravirusi.com), 2011-04-18T06:10:25-07:00:

A little bit annoying. It would be nice to have that "always run this plugin" button.

Some API additions to properly implement NoScript would also have been better than this.

----------------------------------------------------------------------

Andrew Rabon, 2011-04-18T05:22:56-07:00:

Good. Both times my computer got malware it was because of the Java plugin. Because of that I uninstalled Java (and I uninstalled QuickTime ages earlier), but this is still nice to see.

----------------------------------------------------------------------

Sam (http://google.com), 2011-04-18T05:07:29-07:00:

Fair enough in blocking Java, but blocking QuickTime seems like more of an attempt to annoy Apple than a security feature.