It's not weird, it's the scamware taking advantage of whatever it can.

It did nothing on my computer, because it could not find Java.

On my phone it redirected me to a weight training supplement.

....it will take whatever you give it, and run with it.

There are very few cases to ever have Java actively installed in your browser. It still has desktop and app useage, but that's different than applets. You can't run Photoshop CS6 under El Capitan without the Java SE 6 runtime installed for instance.

If you have Java active in your browser here's what I suggest:

You can listen to vid1900 (I would) or you can listen to Alex (in this case, I would not), you can listen to me. Either way, do yourself a favor, and just go into your settings, and uncheck it. Turn it off. Restart your browser to be safe. Then try it. You know what will happen? Nothing. You won't notice a difference. And you'll be safer.

But here's my argument if you're interested:

We cover this stuff at Ars Technica (where I work) on a regular basis. We're a world renown publication when it comes to our security coverage. Don't listen to the creative director, look at the people who make it their job to understand these things. Look what our security editor, Dan Goodin, wrote just this last July for instance:

"Internet users should take renewed caution when using both Adobe Flash and Oracle's Java software framework; over the weekend, three previously unknown critical vulnerabilities that could be used to surreptitiously install malware on end-user computers were revealed in Flash and Java."

"Ars is once again advising readers to limit, or if possible completely curtail, use of both Flash and Java, at least until fixes for these three critical bugs are available."

— Source: http://arstechnica.com/security/2015/07/two-new-flash-exploits-surface-from-hacking-team-combine-with-java-0-day/

Once again. Because we say it all the time. Such as ...

"Ars has long advised people to assess if they truly required Java and other browser plugins and if not to consider uninstalling them."

— Source: http://arstechnica.com/security/2015/08/fake-eff-site-serving-espionage-malware-was-likely-active-for-3-weeks/

One of our other writers who covers the programming and security beats:

"Chrome 42, released to the stable channel today, will take a big step toward pushing old browser plugins, including Java and Silverlight, off the Web. Those plugins use a 1990s-era API called NPAPI ("Netscape Plugin API") to extend the browser, and with Chrome 42, that API is now off by default."

— Source: http://arstechnica.com/information-technology/2015/04/chrome-starts-pushing-java-off-the-web-by-disabling-plugins/

Chrome turned that shit off, and it's not coming back now. Chrome is a major browser heavyweight. And they don't even support it anymore. Does it really seem that necessary to you?

Remember, Java ≠ javascript. Your bank might ask you to have javascript on, they won't ask you to have Java on. And if they do, time to get a bank that understands modern technology, because I wouldn't leave my money with one that required Java.

Also, on the topic of fake virus scam artists, this is IMHO a hilarious but informative take on trolling one of those guys by one our own writers who they made the mistake of trying to scam:

I am calling you from Windows: A tech support scammer dials Ars Technica

When the call came yesterday morning, I assumed at first I was being trolled—it was just too perfect to be true. My phone showed only "Private Caller" and, when I answered out of curiosity, I was connected to "John," a young man with a clear Indian accent who said he was calling from "Windows Technical Support." My computer, he told me, had alerted him that it was infested with viruses. He wanted to show me the problem—then charge me to fix it.

This scam itself is a few years old now, but I had not personally received one of the calls until yesterday—the very day that the Federal Trade Commission (FTC) announced a major crackdown on such "boiler room" call center operations. The very day that six civil lawsuits were filed against the top practitioners. The very day on which I had just finished speaking with Ars IT reporter Jon Brodkin, who spent the morning on an FTC conference call about this exact issue. And here were the scammers on the other end of the line, in what could only be a cosmic coincidence.

I walked around my office with the phone against my ear, then settled into my desk chair and put the call on speakerphone. I wanted to know just what it felt like to be on the receiving end of such a call. I wanted to know how a group of scammers half a world away convinced random and often tech-illiterate people to do things like run the built-in Windows Event Viewer, then connect to a website, download software, and install it (together, no easy feat for many mainstream users). I wanted to know just how the scammers eventually convinced their marks to open up remote control of their PCs to strangers who had just called them on the telephone.

So I played along—which was difficult without a Windows PC in my office. To buy time, I told the scammer that I was waiting for my nonexistent computer to "boot up," then sent a furious blast of instant messages to Brodkin, asking him to do whatever the scammer told me to do and report back on the results. Luckily he was at his computer and immediately agreed—and we were off.

You can read the rest here if you like:

http://arstechnica.com/tech-policy/2012/10/i-am-calling-you-from-windows-a-tech-support-scammer-dials-ars-technica/

That one stung.....but it was funny. Now go to bed, it's past your bed time young man.

Sounds like a bunch of Java Jive to me.

Actually the opposite. Thursday morning already, and I wake up early... too early.

I have the Java runtime environment installed to enable me to run software that allows me to communicate with Atmel microprocessors over USB. I have no Java enabled in my browsers. I type in the suspect pinballife site and it redirects me to a legitimate real estate website. So yes, it will do whatever it can, and on my PC all it can do is a redirect, even though there is "Java" installed on my PC. Just as we distinguish between Java and Javascript, I think also a little bit of attention needs to be given to the difference between the JRE development environment and Java on your browser.

I know jack squat about computers but have had no viruses on my Mac laptop in the ~3 years~ I've had it. Thank you Mr. Jobs, you were the best!

During Thanksgiving, I just cleaned two MACs that were massively infected with adware and the users didn't even know it. Mr Jobs didn't do such a great job, really.

Nope, he did. Fact/science

Sorry!

How in the world do you get adware in your media access control addresses?

Ahh nerd jokes. Or is that a dad joke?

I just rammed my floppy disc into a hard drive a few minutes ago, I downloaded some good data.

Thank you to the show Continuum for a great sex bet with trophy on who the queen of hearts was!

And run labels at USPS.com

So many clueless people its shocking. Java is just one of MANY MANY vessels and not even a predominant one for the proliferation of malware.

Using java requires MULTIPLE affirmative user interactions to be able to do ANYTHING. More so than any other mechanism.

I guess the old adage is correct. You can make something idiot proof (multiple alerts), and god will go and invent a better idiot.

Tremendous HUGE RED X's that say "DO NOT PROCEED" and people still click proceed and you guys somehow think that's java's fault? Comical at best. Sad is more like it.

P.S. as much as google is trying to crush npapi which is probably a good thing, their approach is horrible and has caused monumental institutional outages. Just about EVERY browser integration uses it. For example, those of you that use Citrix to connect to work. No NPAPI, no Citrix. Citrix has to rewrite their plugin for a new architecture specifically to work in Chrome now that npapi is disabled.

You don't always get alerts and warnings. The reason why Java is such a high security risk is that it can easily be exploited and that there are new zero-day exploits always being discovered and used for months (or years) before they are eventually patched.

Actually you do. CVE-2015-2590. The user is still prompted to accept the runtime and thus provide permission for the exploit to execute. The absolute first component in the javasec library is the infallible call for approval to run any app that hasn't explicitly be put on the "safe" list by the user. Items can only be put on the safe list by MANUALLY putting it there typing the URL by hand, it can't be put there by an accidental click.

One other thing to note is CVE-2015-2590 is the first zero day vulnerability found in java in 3 years prior to its discovery. Ask your favorite browser how many they have had in that same timeframe?

http://thehackernews.com/2015/11/android-hacking-chrome.html

ZOMG Android users, stop using your phones.

The old saying that eternal vigilance is the price of liberty should be copied to the internet world to say:

Eternal vigilance is the price of technology. If you can't trust your own eyes not to do what you are being told not to do then there is no hope for you anyway.

You keep looking more and more foolish the harder you try to defend your reckless position.

Do you think that Maxwell clicked to give his permission 3 times to install that virus? Really???

In your mind, it's always best to blame the victim than to accept that Java installed a virus on this poor man's computer.

You are a sad man.

-

Chrome got rid of of Java 6 months ago.

No giant outcry.

The web did not break.

Everyone still did their banking, Black Friday sales, watched lol cat videos.

Yep 41% of web surfers are no longer using Java and most did not even know it.

=-------------------

UNINSTALL JAVA FROM YOUR WEB BROWSER RIGHT NOW!!!!!

IT'S DANGEROUS AND UNNEEDED!!

Again, check here and make sure that you DO NOT have Java installed:

https://www.java.com/en/download/installed.jsp

Head in the fucking sand approach. Smart. You might as well shut your machine down and vtoc your drives as your approach is to simply remove 1% of the attack vectors against the user and some how lull them into a false sense of security.

I guess the world should be glad your not an enterprise technologist and especially not one in security.

And yes with 99% of viruses that get installed on user machines they had to take action for it to actually land there. There are very few exploits that RCE occurs just by the visitation of a site and with no additional user action.

Think i'm making that number up? Go visit the qualys site or any other AMAV lab. Users cause their own fate. So in this case it really is a blame the victim. You are taught at every job that uses a computer, don't open or click on anything you aren't 100% sure about.

Sorry but your excuse of lack of common sense is the only foolish and wreckless thing here.

And chrome did NOT remove java btw. They disabled npapi which disabled about 80% of browser plugins and shit did break. TONS of shit.

Sheesh...why are you so against and getting so riled up about a simple security precaution?

I've printed USPS Priority labels for the last 2 years without Java installed.

Trust me, you don't need Java.

He can't quit.

That type of personality is unable to ever just admit they are wrong.

Or I guess it's possible he writes malware and get's paid when we get sprayed?

Because it's better to educate than to hide. Far better. Remove something that provides valuable warnings to a user it doesn't prep them for the million other items that will ask them to "allow / run" that will actually cause problems.

You can't disable any/all of that so instead of it being a teaching experience and a good one because it provides 3 (possibly 4) different toll gates you just remove/obfuscate it so the next threat that can't be disabled just pops up in their face.

Both are the best kind of jokes

What's Forrest Gump's password?

1forrest1

I don't care if anyone uninstalls Java or not, but I can tell you our Warehouse Management System is Java based and is accessed through a web interface (internally hosted).

They are a major software provider to supply chain related business (beverage or otherwise) so it is still being actively used today.

Obviously that has no bearing on a web browsing home user.

Of course there are legitimate uses for Java; Cable Boxes, O-scopes, Servers...

But for surfing the web, it's bullshit 3 years past it's expiration date.

java-malware.jpg.jpeg

Its amazing how the sheep follow Vid/Frank Furhter no matter what he says in any area of life.. lol

I blame JJP for the virus.

I invite everyone to read the Microsoft report where they present facts showing that Java was the main vehicle for malware attacks in Q3 2010.

http://download.microsoft.com/download/6/0/5/605BE103-9429-4493-898B-E3D50AB68236/Microsoft_Security_Intelligence_Report_volume_10_July-Dec2010_English.pdf

Kaspersky Labs stated 2012 was "the year of Java vulnerabilities". In 2012 Java surpassed even Flash as the most used vehicle to carry out attacks.

http://www.kaspersky.com/about/news/virus/2012/Oracle_Java_surpasses_Adobe_Reader_as_the_most_frequently_exploited_software

Read those, and decide for yourself.

I hate Java but it is absolutely required for many government systems..and thus required for many.

My dad installs viruses all the time on his PC... so my mom bought him a macbook to to surf the web. Meanwhile i installed Norton on his PC with harsh settings. So now his Mac is virus infested and his PC has been clean for a year or so. LOL

Articles from 5 and 3 years ago which are no longer relevant since the implementation of the jsl library. Can't anyone find anything current? NOPE.

Here is one from 2015: http://www.csoonline.com/article/2875535/application-security/java-is-the-biggest-vulnerability-for-us-computers.html

If you know why Java is installed on your PC, then you keep it. If you don't know why it's installed on your PC, then uninstall it. Worst case scenario you have to reinstall it when you need it again.

Doesn't make people stupid or stubborn to uninstall unnecessary software that is a potential liability. Not everyone has the time or desire to be an IT wizard or internet security expert. Some people are busy being doctors, parents, engineers, carpenters...

Remember this gem from last year:

https://pinside.com/pinball/forum/topic/virus-on-pinside#post-1981784

And now we get this nugget in this thread:

Then in the same previously-mentioned thread we have this one:

Now you are spouting off about why disabling Java is a bad idea?

Methinks that arguing is more your MO instead of actually providing any sort of solid security advice.

You people wouldn't be having this argument if you had all just stuck with a Commodore 64.

Did you actually read what you quoted? I said the same exact thing three times. Maybe the wording was too technical?

Maybe:
http://www.mts.net/~kbagnall/commodore/java.html

I bet you are a lot of fun at parties.

Why is this abortion of a thread still open? Just when you thought stroking off to Hobbit or Comic Strip pinball machines was as nerdy as you can get this happens

surprised Terry hasn't chime in yet with "wait, what did I do wrong again?"

Vid is correct. Java as a web/services platform is still an important thing and many services run on its backend. Java as a front-end technology is no longer relevant and has some serious issues.

Marc

If you want security on your computer as an expert I can tell you, just uninstall the software and the operating system and you're good to go! No viruses! Your computer will now be a paperweight but at least you'll sleep at night!

Just this morning I installed Java, with cream and sugar, and I feel fine, no virus... hmmm...In fact I think I'll go update my Java installation now and have a cookie with it!!! Enable Cookies!!!

But, are you a Red Hat Certified Engineer?

You can't be a computer expert unless you wasted money on RHCE certification.

logo_text.png

Just give it up. Most people here are super old and can barely use a computer. They're not qualified to have an intelligent argument with facts about anything technical. You're wasting your time trying to convince them. And what do you care what they believe?

I don't know what's worse ... Pinball snobs or computer snobs.

Actually ... wine snobs are worse than both of them. Or "wine wankers" as I prefer to call them. It's grape juice ... Get over it.

rd

So we present evidence, and you just attack us all as being stupid. While ignoring the evidence. Actually, I'm not clueless, I'm educated on the topic. And demonstrated it with links, written not by random strangers, but by people I work with daily.

You mean like the 0-day exploit from July of this year that I posted above that you're conveniently not addressing?

Are you just being stubborn because it's your nature? Or is there something else going on here? I hope JJP's online strategy isn't centered around using a browser-based Java applet or something.

Sorry but the only writer on ars tech I trust is Erica Sadun. I don't consider this a definitive source.

I came here for arguments about pinball, not arguments about computer security.

A: I'm sorry, but I'm not allowed to argue anymore.
M: What?!
A: If you want me to go on arguing, you'll have to pay for another five minutes.
M: Yes, but that was never five minutes, just now. Oh come on!
A: (Hums)
M: Look, this is ridiculous.
A: I'm sorry, but I'm not allowed to argue unless you've paid!
M: Oh, all right.
(pays money)
A: Thank you.
short pause
M: Well?
A: Well what?
M: That wasn't really five minutes, just now.
A: I told you, I'm not allowed to argue unless you've paid.
M: I just paid!
A: No you didn't.
M: I DID!
A: No you didn't.
M: Look, I don't want to argue about that.
A: Well, you didn't pay.
M: Aha. If I didn't pay, why are you arguing? I Got you!
A: No you haven't.
M: Yes I have. If you're arguing, I must have paid.
A: Not necessarily. I could be arguing in my spare time.

I don't know Alex... I'd like to think I'm computer savvy, but some of you guys should make me wear a helmet and ride the short bus...