Wednesday, May 1, 2013

Oracle Can’t Secure The Java Plug-In, So Why Is It Still Enabled By Default?


[Image: this-is-your-computer-on-java]

Java was responsible for 91 percent of all computer compromises in 2013. Most people not only have the Java browser plug-in enabled — they’re using an out-of-date, vulnerable version. Hey, Oracle — it’s time to disable that plug-in by default.

Oracle knows the situation is a disaster. They’ve given up on the Java plug-in’s security sandbox, originally designed to protect you from malicious Java applets. Java applets on the web get complete access to your system with the default settings.

The Java Browser Plug-in is a Complete Disaster

Defenders of Java tend to complain whenever sites like ours write that Java is extremely insecure. “That’s just the browser plug-in,” they say — acknowledging how broken it is. But that insecure browser plug-in is enabled by default in every single installation of Java out there. The statistics speak for themselves. And we’re a website that keeps telling our readers to uninstall Java or at least disable the plug-in.

Internet-wide, studies keep showing that the majority of computers with Java installed have an out-of-date Java browser plug-in available for malicious websites to ravage. In 2013, a study by Websense Security Labs showed that 80 percent of computers had out-of-date, vulnerable versions of Java. Even the most charitable studies are scary — they tend to claim more than 50 percent of Java plug-ins are out-of-date.

In 2014, Cisco’s annual security report said 91 percent of all attacks in 2013 were against Java. Oracle even tries to take advantage of this problem by bundling the terrible Ask Toolbar and other junkware with Java updates — stay classy, Oracle.

[Image: oracle-2014-annual-security-report-91%-java-compromises]

Oracle Gave Up on the Java Plug-in’s Sandboxing

The Java plug-in runs a Java program — or “Java applet” — embedded on a web page, similar to how Adobe Flash works. Because Java is a complex language used for everything from desktop applications to server software, the plug-in was originally designed to run these Java programs in a secure sandbox. This would prevent them from doing nasty things to your system, even if they tried.

That’s the theory, anyway. In practice, there’s a seemingly never-ending stream of vulnerabilities that allow Java applets to escape the sandbox and run roughshod over your system.

Oracle realizes the sandbox is basically broken, so it is now basically dead. They’ve given up on it. By default, Java will no longer run “unsigned” applets. Running unsigned applets wouldn’t be a problem if the security sandbox were trustworthy — that’s why it’s generally not a problem to run any Adobe Flash content you find on the web. Even when there are vulnerabilities in Flash, they’re fixed, and Adobe doesn’t give up on Flash’s sandboxing.

[Image: java-won't-run-unsigned-applets]

By default, Java will only load signed applets. That sounds fine, like a good security improvement. However, there’s a serious consequence here. When a Java applet is signed, it’s considered “trusted” and it doesn’t use the sandbox. As Java’s warning message puts it:

“This application will run with unrestricted access which may put your computer and personal information at risk.”

Even Oracle’s own Java version check applet — a simple little applet that runs Java to check your installed version and tells you if you need to update — requires this full system access. That’s completely insane.

[Image: the-java-browser-plug-in-sandbox-is-dead]

In other words, Java really has given up on the sandbox. By default, you can either not run a Java applet or run it with full access to your system. There’s no way to use the sandbox unless you tweak Java’s security settings. The sandbox is so untrustworthy that every bit of Java code you encounter online needs full access to your system. You might as well just download a Java program and run it rather than relying on the browser plug-in, which doesn’t offer the additional security it was originally designed to provide.

As one Java developer explained: “Oracle is intentionally killing off the Java security sandbox under the pretense of improving security.”

Web Browsers Are Disabling It On Their Own

Thankfully, web browsers are stepping in to fix Oracle’s inaction. Even if you have the Java browser plug-in installed and enabled, Chrome and Firefox won’t load Java content by default. They use “click-to-play” for Java content.

Internet Explorer still automatically loads Java content. Internet Explorer has improved somewhat: it finally began blocking out-of-date, vulnerable ActiveX controls with the “Windows 8.1 August Update” (aka Windows 8.1 Update 2) in August 2014. Chrome and Firefox have been doing this for much longer. Internet Explorer is behind other browsers here — again.

[Image: java-click-to-play-by-default-in-chrome]

How to Disable the Java Plug-in

Everyone who needs Java installed should at least disable the plug-in from the Java Control Panel. With recent versions of Java, you can tap the Windows key once to open the Start menu or Start screen, type “Java,” and then click the “Configure Java” shortcut. On the Security tab, uncheck the “Enable Java content in the browser” option.

Even after you disable the plug-in, Minecraft and any other desktop application that depends on Java will run just fine. This will only block Java applets embedded on web pages.
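The Java Control Panel writes the settings above to a per-user deployment.properties file, so the same check can be done from a script across many machines. The following is an added example, not code from the article: it parses a deployment.properties file and a `java -version` banner and reports whether the browser plug-in is still enabled, whether the Security tab slider is below HIGH, and whether the runtime is older than a baseline you choose. The key names deployment.webjava.enabled and deployment.security.level are the ones Oracle documents for the “Enable Java content in the browser” checkbox and the security slider; the sample file contents, the version banner and the baseline version are constructed for the example, and locating the file on a given machine is left to the caller.

```python
import re

# Constructed sample of a user-level deployment.properties as Java writes it
# (not taken from any real machine). Keys follow Oracle's documented format.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Wed May 01 10:00:00 BST 2013
deployment.version=7.21
deployment.webjava.enabled=true
deployment.security.level=HIGH
deployment.javaws.viewer.bounds=0,0,800,600
"""

# Constructed sample of `java -version` output (the JRE prints it to stderr).
SAMPLE_JAVA_VERSION_OUTPUT = """\
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value (or key:value) lines,
    '#' and '!' comment lines, no line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_java_version(s):
    """'1.7.0_45' -> (1, 7, 0, 45); '1.8.0' -> (1, 8, 0, 0).
    Tuples compare correctly, unlike the raw strings ('1.7.0_9' > '1.7.0_45')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    return tuple(int(g or 0) for g in m.groups())


def version_from_java_output(text):
    """Pull the quoted version out of a `java -version` banner."""
    m = re.search(r'java version "([^"]+)"', text)
    if not m:
        raise ValueError("no 'java version' line found")
    return m.group(1)


def audit(props, installed_version, minimum_version):
    """Return a list of findings; an empty list means the host is configured
    the way the article recommends and is at or above the baseline."""
    findings = []
    # The checkbox defaults to enabled, so a missing key counts as enabled.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("browser plug-in enabled (deployment.webjava.enabled is not false)")
    level = props.get("deployment.security.level", "").upper()
    if level not in ("HIGH", "VERY_HIGH"):
        findings.append(f"security level is {level or 'unset'}; expected HIGH or VERY_HIGH")
    if parse_java_version(installed_version) < parse_java_version(minimum_version):
        findings.append(f"installed {installed_version} is older than baseline {minimum_version}")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    installed = version_from_java_output(SAMPLE_JAVA_VERSION_OUTPUT)
    # Baseline is a constructed value; set it to your patch-management minimum.
    for finding in audit(props, installed, "1.7.0_45"):
        print("FINDING:", finding)
```

Read the real file with `open(path).read()` in place of `SAMPLE_PROPERTIES`, and feed the captured stderr of `java -version` to `version_from_java_output`; comparing version tuples rather than strings is what makes the baseline check reliable for update numbers above 9.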

[Image: disable-java-browser-plug-in-in-java-control-panel]


Yes, Java applets still exist in the wild. You’ll probably find them most frequently on internal sites where some company has an ancient application written as a Java applet. But Java applets are a dead technology and they’re vanishing from the consumer web. They were supposed to compete with Flash, but they lost. Even if you need Java, you probably don’t need the plug-in.

The occasional company or user that does need the Java browser plug-in should have to go into Java’s Control Panel and choose to enable it. The plug-in should be considered a legacy compatibility option.

Friday, February 1, 2013

[FieldName.TransCode] (CrossPost)

[FieldName.TransCode]:
While the whole world is rushing toward Open UI, I am still flagging my own old issues. Recently, during a performance improvement drive of my own, I read about an interesting property while querying on multilingual fields. If you already know about the TransCode function, this post is not for you.

In a multilingual environment with lots of records, querying on a multilingual field can be really taxing, because these searches require a join to the S_LST_OF_VAL table in the resulting SQL. To improve performance, you can append the TransCode function to the field name to retrieve the (untranslated) language-independent code (LIC) from a column in the base table, rather than the display value.
Syntax:
[Status.TransCode] = 'closed'

This function can be used in:
1 - Calculated fields.
2 - Script, for example in a GetFieldValue("Status.TransCode") statement.
3 - Workflows.
4 - Link/picklist search specs.
5 - DVM validation expressions.

I am sure most Siebel developers will already be aware of this, but if you are not aware of TransCode, it can be helpful in future implementations.


Happy Crunching!!

Tuesday, December 11, 2012

Siebel goodies on the net


It's amazing what you can find on the net! The other day I was searching for a piece of Siebel code for a tricky requirement, and I found the answer in the most unlikely of places: Google Code. Somebody had developed an application and shared it there for free.

Try searching on open source project sharing sites for some cool goodies:

Google Code

SourceForge


Please do check the licensing agreements before using them in your production code though.

For example, Siebel Power Tools is a really neat utility developed in AutoHotkey to simplify development.

Friday, November 30, 2012

Inbound E-mail Database Operations - Does not Validate Picklists


The “Inbound E-mail Database Operations” vanilla business service is a favorite with Siebel developers; it is used when Siebel’s rules regarding business objects get in the way of your actual business requirement. It can be used to modify records in any business component under a business object different from your workflow’s BO. But I recently found an issue in how it works when bounded picklists are involved. Usually, when one tries to set a value on a picklist field and the picklist is configured as bounded, Siebel throws a validation error saying the value cannot be found in the bounded picklist. In the case of the Inbound E-mail BS, the error is not thrown, i.e. no exception is raised. Try this out on your Siebel installation.

The business component Action has a field “Type”, which has a predefault and a bounded picklist.

The picklist is bounded.

Now I use the Business Service Simulator view to call the Inbound E-Mail BS’s InsertRecord method to insert an activity record.


I have set an incorrect value for all three picklist fields; the values are simply not present in the vanilla LOV system. When the simulation is run, we expect Siebel to throw a picklist validation exception. Instead, we get a success message and an Activity is created.


Instead of taking the wrong value we provided, Siebel has taken the predefault value directly. If the input value was a valid one, Siebel creates the record correctly.

We had an automation workflow which received inputs from inbound XML to create an activity, and when the values in the incoming XML were wrong, the activities were still getting created without validation errors. The solution we implemented was to add a validation step in the workflow to ensure the records had correct, validated values.

If you are using this BS in your project, do check whether there is a possibility of this error occurring in your business flow.
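The following is an added example in Python, not Siebel code and not from this blog: a constructed model of a bounded picklist that serves two of the posts on this page. For the [FieldName.TransCode] post above, it shows why resolving a field by its display value needs the LOV table and the session language (the S_LST_OF_VAL join) while the LIC can be checked without either. For this post, it shows the silent predefault substitution observed in the Inbound E-mail business service next to the validation step that rejects bad values before the insert. The LOV rows, the EVENT_STATUS picklist type, the field-to-picklist map and the predefault are all constructed; only the column names in the comments mirror S_LST_OF_VAL.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LovRow:
    """One row of a list-of-values table (comments give the S_LST_OF_VAL column)."""
    type: str            # TYPE: the picklist the value belongs to
    lic: str             # NAME: language-independent code, what [Field.TransCode] returns
    display: str         # VAL: translated display value shown in the UI
    lang: str            # LANG_ID
    active: bool = True  # ACTIVE_FLG


# Constructed sample LOV rows (not vanilla seed data): one status picklist
# in English and French, plus one inactive value.
LOV = [
    LovRow("EVENT_STATUS", "Done", "Done", "ENU"),
    LovRow("EVENT_STATUS", "Done", "Terminé", "FRA"),
    LovRow("EVENT_STATUS", "Not Started", "Not Started", "ENU"),
    LovRow("EVENT_STATUS", "Not Started", "Non commencé", "FRA"),
    LovRow("EVENT_STATUS", "Cancelled", "Cancelled", "ENU", active=False),
]


def lic_for_display(lov, lov_type, display, lang):
    """Resolve a display value to its LIC.

    This is the expensive path the TransCode post describes: the lookup needs
    the LOV table and the session language. Returns None when nothing matches."""
    for row in lov:
        if (row.type == lov_type and row.lang == lang
                and row.display == display and row.active):
            return row.lic
    return None


def is_valid_lic(lov, lov_type, lic):
    """Check a LIC against the picklist; language-independent by construction."""
    return any(r.type == lov_type and r.lic == lic and r.active for r in lov)


# Hypothetical bounded fields of the Action business component:
# field name -> (picklist type, predefault LIC). The real BC has more.
BOUNDED_FIELDS = {
    "Status": ("EVENT_STATUS", "Not Started"),
}


def insert_like_inbound_email_bs(record, lov, bounded=BOUNDED_FIELDS):
    """Model of the behaviour the post observed: an invalid bounded-picklist
    value is silently replaced by the predefault and the insert succeeds."""
    out = dict(record)
    for fld, (lov_type, predefault) in bounded.items():
        if not is_valid_lic(lov, lov_type, out.get(fld, "")):
            out[fld] = predefault
    return out


def validate_inbound(record, lov, bounded=BOUNDED_FIELDS):
    """The validation step the post added to its workflow: one error string
    per bounded field whose supplied value is not an active picklist entry.
    A field that is absent is allowed, since the predefault then applies."""
    errors = []
    for fld, (lov_type, _predefault) in bounded.items():
        if fld in record and not is_valid_lic(lov, lov_type, record[fld]):
            errors.append(
                f"{fld}: '{record[fld]}' is not an active value of {lov_type}")
    return errors


def hardened_insert(record, lov, bounded=BOUNDED_FIELDS):
    """Validate first; reject the record instead of inserting a defaulted one."""
    errors = validate_inbound(record, lov, bounded)
    if errors:
        raise ValueError("; ".join(errors))
    return dict(record)


if __name__ == "__main__":
    inbound = {"Description": "Call back customer", "Status": "Bogus"}
    print(insert_like_inbound_email_bs(inbound, LOV))  # Status silently becomes 'Not Started'
    print(validate_inbound(inbound, LOV))              # one error for Status
    print(lic_for_display(LOV, "EVENT_STATUS", "Terminé", "FRA"))  # Done
```

Note that the inactive "Cancelled" row fails `is_valid_lic` just as an unknown value does, which is the behaviour you want from a workflow validation step: an inbound document carrying a retired code should be rejected, not quietly defaulted.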

Saturday, November 24, 2012

Tools–SIF from multiple objects


Siebel Tools’ “Add to Archive” feature, which creates SIF files, is a real lifesaver when code needs to be migrated during the development phase. You can create a SIF from several selections in one object type, e.g. you can SIF multiple applets together:


Or you can create a SIF from an entire project, in which case all the different objects in that project get added into a single file.

But is it possible to create a SIF file from different objects in different projects? Siebel Tools documents how this can be done in its help system, but developers are generally not aware of this feature.
First select the first object type to be added to the archive file; here it’s applets:
Next, without closing the popup applet in front, use the Object Explorer to navigate to the other object type which needs to be added. Here, I am adding business components from a totally different project. Again, select the business components to be added, right-click and select ‘Add to Archive’.
The selected objects also get added to the same archive file, even though they are from different projects.
This can be repeated for all repository objects, giving a single file with the required objects. However, on the target Tools system, all the different projects have to be locked for object insertion. Tools will tell you which project needs to be locked during the import process.

Thursday, November 22, 2012

CRMFly - a new CRM system on Windows


I was just browsing my HackerNews RSS feed when I came across a post with screenshots of CRMFly, a small CRM tool developed for the Windows platform. It looks like a very watered-down version of the most common CRM functions in a small executable package. Some of the screenshots of the application show its similarity to Microsoft Outlook. For more, head over to the CRMFly website.

Interestingly, the customer support site of the tool looks like it is built on Desk.com. Desk.com is a new offering from Salesforce.com for small and medium businesses.

Tasks


Track your projects and tasks in the same location as you track your leads and opportunities. A project can have many tasks, and each project is tied to a customer.

Configuration


With configurable lists, you can control your workflow. Configure your own Task Statuses, Project Statuses, Task Contexts, Project Types, Product Types, Goal Types, Opportunity Statuses, and more.