Safe and Easy Fun with Orable
Relax - it's safe and easy!
REDWOOD SHORES (Rixstep) — There are two add-on components to personal computers that you should never use. One is Flash. The other is Java. Both are so radically outdated that they either bring your system to its knees, or open you up to hacking, or both.
Add to that the sheer sloppiness in preparing and packaging these components and you have a cordon bleu recipe for disaster.
Tested by the Brunerd
Not exactly born yesterday but still constrained to use Java on his networks, Joel Bruner decided to have a closer look at what was going on in the latest Java release. What the esteemed engineers of Larry Ellison's Oracle have done is on a par with the worst of the mishaps of Adobe and their Flash.
The trick of infecting an Installer.app package has been seen before - fanboys who can't be bothered wandering over to apple.com for an official download get easily hacked. Now here it is again. But an Oracle installer?
So what did the Brunerd do to test the safety of Oracle's latest tragedy? He replaced the Java bits inside the installer with an old Apple QuickTime package.
At this point the package should know something's wrong, but no. At this point - or once you submit your password and give away the keys to the kingdom - the system is no longer yours. Not yours alone at any rate. And as long as that installer runs - and anything inside it runs - there is someone else who has full access to your system, even the parts you can't ordinarily go to yourself.
That's why secure packaging is so important.
Let's see if Larry Ellison's Oracle detects the fishy smell.
Nope! We're good to go! Now we can install Java 8! Or QuickTime. Or whatever. Notice the blurb: 'safe and easy'. Safe and easy for who? The engineer who wrote this before the morning coffee break?
At this point in his test, the Brunerd's just about losing it.
By 'easy' you mean: checking lots of trust boxes and clicking 'Run' buttons a lot to get a Java app working (plus crossing your fingers)?
By 'safe' you mean: a steady stream of high scored CVEs with low complexity? Or even running in Unsafe Mode when needed?
Just to drive his point home, the Brunerd links to a glorious page of outstanding Java vulnerabilities - a page he calls a 'steady stream of high scored CVEs with low complexity'.
And if you don't feel insulted enough by now, just hold on. You'll soon have your fill.
You always wanted that search app from Ask, didn't you? But you were too shy to get it? To ask?
And so the install begins. Armoured with your administrative password. No checks whatsoever on what's really inside.
Note the blurb above. Yes, because there are 3 billion dimbulbs in the world, it must be perfectly OK to run this crap. Alternatively, this is an informal census on how many dimbulbs are still on the loose.
And so we've installed. The install is complete. Of super-secure Java from Oracle. Or was that QuickTime? Who knows? Who cares? Oracle engineers sure don't.
The process took five seconds. In five seconds you're owned. By anyone. You'll never know it, never know what hit you.
The Brunerd gets the final word.
Yep it installed the QuickTime7 package we put in there and Java Updater 40.app was none the wiser.
Sheesh. Is the Ask contract that lucrative? Oracle made $38 billion in revenue last year, IAC the parent of Ask.com pulled in $3 billion. I guess IAC have got money to spend and Oracle will take it (but not invest in more secure installers).
Parting note for Oracle:
Sign your critical packages! If you insist on using your glorified 'Ask Toolbar installer app' to do this, then require that it verify the package integrity in some way, Orable! (That was a typo but I like it: Orable!)
There's a reason Apple systems don't ship with Flash or Java anymore. A really good reason. Think about it.
Postscript: Not Happy with Larry Anyway
Security is the big issue with the Java installer, but the fanboys seem to have missed this; instead they're worried about the Ask component (which the Brunerd showed can be easily disappeared). Courtesy MacSurfer.
Brunerd: Java 8 Update 40 Installer App Fun