An Apple announcement [...]]]> Firefox told me I needed the Java Runtime Environment (JRE) plugin when I tried to run the Glasnost test. I am testing computing without Java on a Windows 7 computer. This was the first time I had needed it since it was banished over three weeks ago.

An Apple announcement that Java would no longer be preloaded on Macs was the inspiration for my test. Java updates frequently appear on our computers. They always include a checked box to install an unwanted and unnecessary toolbar from Yahoo, Bing, or Google.

Java is a technology developed in the 1990s. It is a programming language and tools that allows Java applications to run cross-platform. It is used on mobile devices, personal computers and desktops. Java applications or applets appear on today’s main operating systems: Windows, Mac OS X, Linux, but not iOS. This cross-platform feature makes Java desirable for programmers. They need not write multiple versions of an application, but can instead code once for all operating systems. (Java is not the same as the similarly named JavaScript.)

Java was supposed to be secure, because it runs in a virtualized environment, supposedly sandboxed from the device’s system. Unfortunately, it turns out that Java is insecure and a vector for malware. Presently, it is the number one target for malware. It has security issues. Oracle patches it as these security problems are exposed and publicized. It is foolish to ignore these updates.

Updates are a fact of computational life. Windows, Mac, and Linux computers get regular updates to their operating systems. I rarely work on a client’s computer without seeing some item notifying me that it needs to be updated. These deferred or ignored updates are for Adobe Reader, Adobe Flash or Oracle’s Java. I install the updates, hoping I will remember what I was planning to do before the update got in the way.

Sometimes Adobe installs something besides their software. This usually happens when you visit their website and miss the checked box for Norton, McAfee or another company’s shovelware. The Adobe updater seems to be devoid of this.

Java always adds unwanted items, usually toolbars. It is easy to click the “Next, Agree, Next…” buttons without reading the information in the dialog windows. We all have wasted too much time doing this. We just want the update to finish so that we can do what we want. Oracle counts on our inattention to these dialogs as a way of installing these unwanted toolbars.

We don’t want to update Java if we don’t use it. We don’t want to have to uninstall a useless toolbar, which we didn’t want, that was only installed because we missed a checkbox.

To begin my experiment, I went to my Windows 7 Control Panel, and uninstalled the program. I also checked Firefox for any JRE plugins and uninstalled those as well. And then I waited.

I expected that I would run into some program or website that needed Java, long before the Glasnost test. Since I am on my computer many hours each day and I use many applications and visit hundreds of websites a week, I thought it would be a brief time before I ran into something requesting me to reinstall Java. Surprisingly, it took 26 days. Your mileage will vary.

I did not install the JRE for the Glasnost test. I decided that the benefit of not having to update Java every week, uncheck the add “XYZ” toolbar checkbox and wait for the update to finish, outweighs finding out if Optimum Online is throttling my Internet connection. (They probably aren’t.) You can uninstall it from your computers too. You may not miss it. If you do, reinstall.

A recent study found the average computer is faced with 75 updates or software patches a year. That is for each computer, which means that many of us have two or three times that number. I feel like I get 75 a week.

We also get updates for our cellphones and iPods. [...]]]>  

A recent study found the average computer is faced with 75 updates or software patches a year. That is for each computer, which means that many of us have two or three times that number. I feel like I get 75 a week.

We also get updates for our cellphones and iPods. It is quite common for me to sit down at a client’s computer to see that they have not updated their operating system nor key applications. When I start to run the updates they frequently ask, “How do I know what to update? How often should I update?”

Many of today’s updates are security patches, often in response to publicly released exploits that take advantage of a hole in the software to let the bad guys gain access. These bad guys are shrewd and sophisticated. Where once viruses, Trojans and the like were written by teenage boys intent only on proving their programming chops, the current strain of “black-hat hackers” are professional criminals intent on making money from getting control of your devices. They weaponize email and websites to achieve their goals. Although some malware still uses a shotgun approach, today’s techniques often use sophisticated spearfishing exploits targeted at specific software or configurations.

Commonly exploited applications are Adobe Reader, Internet Explorer and Microsoft Word. But any application, in any operating system can be a target. The bad guys identify a security hole, design a plan of attack and seed email and unsuspecting websites with their payloads. When the malware finds the targeted software it attacks. Unprotected and/or poorly hardened applications and operating systems (Windows XP comes to mind) are infected by these spearfishing attacks.

So the answer to my first question, “Should you update?” is yes, you should update. This applies whether you are using Windows or Mac computers. Macs are not invulnerable. They represent a small percent of the world market for computational devices, less than 5%. But they are rich targets that should attract the black-hats.

My second question, “When should you update?” is a bit harder to answer. If the patch is for an application or web technology, for example Adobe Reader, Adobe Flash, or Java, I suggest you update immediately. Be careful to uncheck any add-ons offered with the patch lest your browser become infested with extra, unwanted toolbars.

Operating system patches may warrant more caution. Many Windows users have automatic updates set for Windows updates. Others only have the Windows Update application notify them when updates are available. Macs only notify the user. Downloading and installing Apple updates is a matter of choice. I recommend you not wait too long to update after patches are issued.

Once Microsoft and Apple release updates the black-hats are likely to read the related documentation and design attacks for unpatched systems. You don’t want to be the prey for a spearfishing attack do you?

Last month, on Patch Tuesday, the second Tuesday of the month, when Microsoft released their monthly patches, a small number of Windows XP users reported that their machines blue-screened after rebooting. Many bloggers were happy to point a finger at Microsoft for borking these machines. It turns out the machines were infected with a rootkit that was the cause of the blue screen. One of the patches changed critical operating system files that the rootkit was using for its attack. When Microsoft patched these files the rootkit caused the blue screen. The owners of the affected machines did not know they were infected until the patch caused the blue screen problem. Microsoft immediately withdrew the patch and later reissued a revised version that removed the rootkit infection. Props to Microsoft.