Chrome version 42 will pour your Java coffee down the drain: Plugin blocked by default

x 7
Silver badge

going to be a real challenge for the British NHS........so many programs rely on Java, especially the remote stuff accessed through The Spine. Even just logging onto it requires Java.

Because other applications require old versions of IE to run, many NHS staff use Chrome as their mainstream browser. Between outdated IE versions, lack of IE support in Windows 10 (when it arrives) and this decision with Chrome, in a year's time the NHS is going to have to face the problem of either running insecure browsers, or finding much of their software infrastructure is unsustainable.

6
1
Anonymous Coward

isnt that a good thing?

It will generate new job opportunities for software developers. A $100bn contract for someone who went to school with whomever happens to be prime minister at the time, and runs a software company but doesn't understand the difference between software and a potato.

36
2
Holmes

Re: isnt that a good thing?

There is a difference between software and a potato?

16
0
Silver badge

Re: isnt that a good thing?

Easier to get a potato that does what it's supposed to. Also backups are pretty straight-forward and they work much better with dead fish.

15
0
Anonymous Coward

Re: isnt that a good thing?

...and a potato also has a handy, built-in, self copying protocol.

9
0
Silver badge

Re: isnt that a good thing?

Not to mention that if you are unhappy with how the potato has performed in its primary capacity - or indeed when it is, perhaps, superseded - there are still many uses for it.

(Apart from the obvious.)

2
0
Gold badge

Re: isnt that a good thing?

"a handy, built-in, self copying protocol."

You mean if we don't stamp out this DNA stuff then it will infest the whole planet? Ahh ... that's proper malware, that is.

7
0
Silver badge

You mean if the NHS wants to run Java applets it'll have to use Firefox which doesn't CC everything to the Google mothership? And the downside is?

The primary purpose of potatoes is to make chips, anything else pales into insignificance.

14
1
Anonymous Coward

...clap... ...clap...

oh good, my Slow Clap Processor made it into this thing.

1
0
Coat

Re: isnt that a good thing?

I'm surprised that no-one has pointed out that a potato is a MUCH better use of chips than software.

5
0
Silver badge
Joke

Re: isnt that a good thing?

>"There is a difference between software and a potato?"

No - and anyone who claims there is doesn't have the first clue about software development.

2
0
Silver badge
Joke

@Andy Prough: Re: isnt that a good thing?

Andy,

Is there a difference, cue some smart alec developing a mash-up to fix it all eh?

J.

3
1
Anonymous Coward

Re: isnt that a good thing?

"who went to school with whomever happens to be prime minister at the time"

You are predicting the result of the election, since Miliband went to Haverstock Hill Comp, and while its catchment area includes some fairly well off places, the sort of public school old boy network that exemplifies the Cameron government doesn't exist.

For Labour corruption, you need to look at who's who in the public sector after a few years - though to be fair the Conservatives have their own version of that.

If anything Labour bungled the NHS because they didn't have the OBN and took the large US vendors at face value, even as Richard Bacon* was digging into the incompetence on the PAC. If you want to see where government waste and corruption lies, it's often useful to see what the PAC is investigating - and how the government is trying to ignore their findings.

*Bacon is a co-author of Conundrum, a book about why public sector projects fail - which he attributes to the recruitment of the wrong kind of civil servants, ones who obsess about ideas but have no practical skills.

4
2
Anonymous Coward

"in a year's time the NHS is going to have to face the problem of either running insecure browsers"

They already are. Chrome has over 1,000 known security vulnerabilities! That's about double the total for all versions of IE...

3
0

Re: isnt that a good thing?

Potato... Podildo

0
0
Anonymous Coward

Re: isnt that a good thing?

Posting a link on how to make a weapon? That was either brave or foolhardy.

Expect to be branded a terrorist and get a visit from the goon squad real soon...

1
1
Anonymous Coward

Re: isnt that a good thing?

"... wrong kind of civil servants ..."

You mean there are the right kind?!

1
0
Silver badge

Re: isnt that a good thing?

@AC

"You mean there are the right kind?!"

Absolutely. They're just more concerned with doing their jobs than gaining the power that enables them to get their corporate mates sweet deals and earn them kickbacks. I.e. - they're the ones you never see nor hear of.

In other words, and to borrow at least the spirit of Douglas Adams' famous line, if you know the name of a public servant, they are therefore someone who is not to be trusted. The ones who do their jobs are, largely, anonymous and unsung, caring more about cold numbers and truth and accuracy than the myriad lies and maneuvering that our 'leaders' deal in.

7
0

IE in Win 10

"...lack of IE support in Windows 10..."

IE 11 will ship with Windows 10, it just won't be the default browser. It is supported until 2023-01-10 (the same date as Win 8) but will get no new features and there will not be an IE12. Hooray!

0
0
Gold badge

Re: isnt that a good thing?

Is a potato a zero or a one?

0
0

Re: isnt that a good thing?

It can be both: A zero if you boil it, or lots of ones if you make chips from it........

0
0
Silver badge

"Enterprise ready"

Ho hum. I generally use Chrome (long story, can't be bothered to bore you why) but I have to connect to rather a lot of devices that insist on using Java. There are lots of top end stuff that uses Java in a browser for configuration and although some offer a much more powerful command line interface as well, sometimes they don't and sometimes I can't be arsed to remember and just want to click on stuff.

Hopefully whoever develops the next thing wot will configure lots of stuff will get it right but I doubt it. Whenever something gets popular enough to be used ubiquitously then it will be bought and sold mercilessly and then deprecated by NIH competitors in a damning display of what is wrong with patents as practiced currently.

I have rather a lot of browsers installed (and VMs for the rest). t'intertubes have been pretty much fixed with regards browser compatibility. NOW FIX MY FUCKING (V)LAN.

Jon

6
0

Re: "Enterprise ready"

"Ho hum. I generally use Chrome (long story, can't be bothered to bore you why) but I have to connect to rather a lot of devices that insist on using Java. There are lots of top end stuff that uses Java in a browser for configuration and although some offer a much more powerful command line interface as well, sometimes they don't and sometimes I can't be arsed to remember and just want to click on stuff."

This is the elephant in the room and it isn't possible to just wish it away. It's all very well saying "Oh, but you shouldn't be using this because of x, and z..." but if you need it then you need it and the discussion about whether you should be using it stops there. I've got several older devices here much like you describe, embedded web servers with Java applets, none of which are signed. It's getting increasingly difficult to support them, not because of any technical factors but because of the ego of some development team somewhere deciding that they know what I need better than I do.

12
1
Silver badge

Re: "Enterprise ready"

Yes, it's a problem.

With Chrome such a popular browser, it might be that this really forces people's hand.

BUT, some people just don't have the option - they can't just magic away the need to run Java no matter what changes are made by Chromium.

As someone who manages many systems for many different organisations using many different web applications from many different providers - with varying levels of importance to their businesses, I can assure everyone that the world simply does function the way these developers are deluding themselves to believe that it does.

With the move to web applications on the rise, the Chromium team are finding themselves where Microsoft have been for a long time - having to deal with security issues caused by third-party software. Of course, MS has its share of issues with the OS itself but third-party software like Flash and Java has been a constant bugbear for them.

The fanciful idea that once you move your applications into a browser you don't have to worry about compatibility or the local environment or anything is starting to crack. Well, not starting, but the cracks are more visible.

It might sound like sour grapes from someone who sees his 'traditional' IT experience muscled out by the world of 'cloud' and 'startup' but it's not - I am far busier now helping people make these new applications work in their environments than I have been supporting 'normal' software.

This promise of stuff 'just working' is, to any IT person, a fantasy and any vendor who claims otherwise is not to be believed. Of course, people still end up signing up and migrating to web-based applications based on these promises and only later do they find they have to call in IT support to pick up the pieces and try to bridge the gap between what they have and what they expected based on inadequate testing and the enthusiastic sales pitches from 'evangelists'.

I've seen it time and again and several times I have been called in where a department has signed a contract for a cloud-based service and only afterwards realised that their (e.g.) end-of-months reports won't work properly or some feature that they need and were sold on requires a whole bunch of additional plugins that aren't compatible.

With this specific issue, I am seeing repercussions right now with a cloud software provider (who tells users that they must use Chrome) who supply a plugin to perform some relatively important function that the client uses 'all the time'. Guess which type of plugin it is . . .

When questioned, they don't have plans to update the plugin. Why not? Oh well, that's because they have an 'app' that does this and much more besides and is much simpler to boot. The catch? Nothing much - it needs Office 365. When questioned, their response was that they couldn't understand why the client wasn't using Office 365. I could only agree with them: they didn't understand.

(For the record, their - overseas - parent company manages all e-mail and licensing and has quite strict policies on this kind of thing.)

Such is the way of these things - the promise is that the move to 'cloud' and 'web' somehow magically resolves all the issues and concerns that occur with that old, out-dated software. The truth is that all the concerns still exist, they are just shifted and often to a location you have no control over.

Again, I get plenty of work from all this - it's just frustrating seeing the same thing happen again and again and vendors still keep selling the lie that the solution to every problem is more cloud. More frustrating is that people keep buying it.

(The disclaimer is that I have no problem with 'cloud' and 'web' based software - at least not as a rule. The problem is that using such software doesn't mean that you can just ignore the considerations that normally go with choosing and running software.)

28
1

Re: "Enterprise ready"

Good points. The Cloud/Internet based madness gets even worse with mobile devices, as Enterprise firms tend to stick with older devices for far too long and the Cloud/Internet apps are not the ready made "it just works" solution for that, either. You'd be surprised how many enterprise firms are still deploying iPhone 4S, Samsung Galaxy Tab1, Note 1 and 2, and doing custom Android development that can only be described as shoddy/botched code, at best. As unrealistic as desktop/laptop computer expectations can be when connected cloud/Internet apps are used, the problem gets much worse with mobile devices that are company deployed. The tech support nightmare grows even more of a headache if the devices are BYOD, the user botches things up with some app store purchased app that isn't compatible with their work apps, and botches up a personal device which isn't covered by an RMA process from tech support.

0
0

Re: "Enterprise ready"

I'm glad I wasn't the only one to see this problem.

Guess I'll be uninstalling Chrome. (Which is unfortunate. It works fairly well.)

2
0

Good timing on our part then. Our first(?) Java application to be completely rewritten as a HTML 5 app goes live this week.

4
1
Silver badge

Genuinely interested; is it proving to be a write-once-run-everywhere experience?

Good luck!

1
0
Silver badge

HTML 5 app

You mean JavaScript/ECMAScript app?

5
1
JDX
Gold badge

Which is easier to type?

1
0

"Genuinely interested; is it proving to be a write-once-run-everywhere experience"

Sort of - we've done a pretty nice job of creating a new UI for the applet client. Just having some issues in that the tech to run it originally only existed in Chrome, and I think most modern designers know how buggy Chrome's engine is. Now we're testing on FF and finding issues that people are blaming on FF, but are actually down to Chrome bugs.

In terms of device, it's actually working pretty damn well. We have a seamless Flash fallback for browsers that don't have the appropriate tech, and that'll be phased out in time. I've tried it on a range of devices and it's hard to trip up. The new JS APIs are pretty solid, it seems.

1
0

"You mean JavaScript/ECMAScript app?"

Technically I mean a HTML 5/Typescript/CSS app, but "HTML 5 app" is much easier to say, and most people understand what I mean just fine. It's become an acceptable shorthand for a modern collection of language versions, no?

0
0

Firefox

All the Dell and HP servers I've connected to use Java as well as KVMs. Firefox always worked best for this anyway...

4
0
Silver badge

Re: Firefox

Doesn't the CISCO SDM (or whatever it's called) use Java too?

I remember an issue with a new client's site where everything had gone to hell with the last IT provider closing down and them left with very little information. I had to try and access the servers via OOB (can't remember if it was iDRAC or iLO) and also access the Cisco PIX via the SDM because there was no console cable (I was unprepared for the Cisco as they had said it was a 'D-Link' when asked) and the telnet seemed to be disabled and SSH didn't work - probably wasn't set up properly.

Cue SDM only working with an older Java and the iDrac/iLO only working with a newer version . . .

Oh the fun.

But these are the situations you can find yourself in.

1
0
Silver badge
Unhappy

Re: Firefox

You don't have to use Java for HPs these days, you can use .net as well.

Feel free to choose which one you want to lock into.

2
0
Silver badge

Re: Firefox

Ha!

I believe it was Dell which but yes, you're right - choose your poison.

0
1
Facepalm

Just use a better browser. What's the big deal?

2
3
Silver badge
Facepalm

The "better browsers" BREAK the antiquated-yet-irreplaceable plugins on which your business relies. What's your answer to an antiquated-yet-irreplaceable piece of custom software that's too expensive to replace yet so insecure and rickety it can break at any moment?

3
0

Who has written such a thing for Chrome??? When I said better browser I meant better than Chrome. It's horrible.

8
3
Silver badge

@Charles 9

In all honesty, the best bet - where possible - is to set up some VMs running an older version of the browser (set to not update) deployed as a published app and then lock down those VMs as much as possible.

How much you can sandbox it all really depends on the app itself and of course many need access to all manner of local and remote resources that seriously restrict what you are able to do to secure it.

And, again, this is 'where possible'. You have to have the infrastructure and licenses and so forth and an app that will even work this way. But, where you can isolate the application to a couple of VMs accessed via a published app, this may be the best option.

Many, many businesses run legacy software due to complex interdependencies that render the necessary upgrades prohibitively expensive.

Bringing it back to my previous comment about cloud software, I saw an instance recently where a client had some staff stuck on an older OS due to a piece of legacy software that, to be compatible on a newer client OS would require a full upgrade through the back-end, costing, well, a lot. It was a piece of software they had largely migrated from but that was still essential for several specific staff.

The department signed-up for a new cloud-based application that, for whatever reason, required the use of several (unsigned, of course) ActiveX plugins and thus would only work with Internet Explorer. Now, while these plugins were compatible with IE 8 (the latest version that runs on XP), the website itself was coded such that it required IE 10. It would load, more-or-less, in IE8 but much of the navigation and many of the windows and functions would display incorrectly or flat not work.

Thankfully, most of the parts that required the plugins did work well-enough in IE8 that these people could use them but, unfortunately, getting to those pages and section just didn't work as the menus wouldn't load. So, those poor users ended up running Chrome and IE side-by-side and would navigate to pages with Chrome and then copy and paste URLs (many of which contained record identifiers and so change for each item) over into IE, where they could then run the functions against those records.

For a while they would try to use a spare PC and we trialled using a KVM to control 2 PCs as well as setting up VirtualBox but in the end we sold them a remote desktop server setup so that it was easier for the users - as they were quite peeved by this time.

Of course, we couldn't run the legacy application on that as the license didn't support deployment in that manner and, given that the client was running an old version and they hadn't maintained support (as they couldn't install updates anyway!), the vendor insisted that they either pay their 4 years back-support - for the whole install (originally 10 licenses) despite there only being 3 people using it currently or else they would need to upgrade to the new version to obtain the required licenses to install on a TS - which would be moot at that point, anyway.

Of course, the contract for the new cloud application was signed without any involvement with their in-house IT or us (we were performing high-level support to the in-house team) as the salesperson had told them all that there was "typically no need to involve the IT department" as it didn't require any software installations. Before we knew there was a problem, the client was in for a 24 month contract and had already migrated their data into the new system.

But hey - it worked on mobile phones!!

3
0
Silver badge

"How much you can sandbox it all really depends on the app itself and of course many need access to all manner of local and remote resources that seriously restrict what you are able to do to secure it."

Some antiquated software also drives antiquated hardware and therefore CAN'T be virtualized (and the hardware itself can't be replaced because there's no substitute or it's still being amortized). NOW what?

1
1
Gold badge

Sigh...

If only there was a version of Java that was designed to be provably secure. Then all someone would have to do was implement the spec and we'd have a write-once-run-anywhere platform that was also the answer to all our malware woes.

1
0
Silver badge

Re: Sigh...

Except because we're only human, every single implementation would be vulnerable to some human mistake. The chief (and irremovable) reason software is vulnerable is because it or something else along the line is made by humans.

1
1
Boffin

Re: Sigh...

And the irony is that Java is probably the most secure of the "stuff that can run remote code" out there, even though it did have gaping holes a couple of years ago. But alas, it has been permanently tainted by those dark days.

Funny that JavaScript is "teh hotness" these days with web developers, but that thing is actually worse than Java in the security field. It's just going to be a matter of time for truly evil JavaScript malware to really screw the pooch. Meanwhile, what can be used that isn't Java or .NET for client-side heavy stuff (i.e. strong encryption, digital signatures)? There's no way I'm trusting on JS for that. At least Java does have the security sandbox by default.

1
0
Silver badge

Although plugin vendors are dancing to Google's tune

FTFY.

By the way, Google have underestimated the amount of things that need NPAPI in their rush to kill it and replace it with whatever wonderful idea they've had while playing ping-pong this week. Safari on Mac managed to keep NPAPI plugins but stick them in a sandbox with only a little effort required by the developer.

Anything with client-side digital signing needs Java because there's nothing else cross-platform that can do it (with the dishonourable exception from ActiveX in South Korea) and in many countries banking and government stuff needs that. They're not going to kill NPAPI that quickly.

Not that I like Java in the browser that much, I run it with click-to-play so I can use it only when I really need it.

4
1
Silver badge

Re: Although plugin vendors are dancing to Google's tune

Java's supposed to be sandboxed, too. Guess what happened? Malware found ways to escape sandboxes, so perhaps Google doesn't consider a sandbox much of an assurance. Firefox added the capability, too, but it's not on by default. Probably because of the risk of the access restrictions breaking essential plugins: another concern of any form of new access restriction.

2
2
Silver badge

Re: Although plugin vendors are dancing to Google's tune

Google say the primary reason for forcing everyone over to PPAPI is it's sandboxed...

http://blog.chromium.org/2012/08/the-road-to-safer-more-stable-and.html

However Apple have managed an NPAPI sandbox and as you say Mozilla are developing one. Looks like Google were too quick to drop NPAPI.

2
1
Silver badge

Re: Although plugin vendors are dancing to Google's tune

Unless Google is claiming NPAPI is too old TO sandbox properly. We don't know if Apple's approach is breaking stuff since the MacOS presence is relatively small. Meanwhile, like I said, Firefox's is off by default, which leads me to suspect it's likely to break things. If the only way to properly sandbox NPAPI breaks too much, then perhaps Google has a point.

1
1
Silver badge

Re: Although plugin vendors are dancing to Google's tune

Didn't all the Browsers using Sandboxes get theirs quickly kicked open at PWN2OWN a few weeks ago?

1
0

Goodbye Chrome

It only takes a few important (to the user) sites not working with a browser for users to switch to a different browser. The "We know best and you will do as we say" attitude of the Chrome developers is likely to kill Chrome (and Chromebooks if they do not have another browser loaded).

5
1
