Resolved Java 7 update 51 and speedtest.net

[pierino84]

Hello guys,
I've (sadly) just updated to the latest java distribution, and now I am having so many issues with many sites.
Speedtest.net does not seem to load in Safari, instead there's a 1994 style page with the warning: "Speedtest.net requires Flash You must have Adobe Flash installed and JavaScript enabled to use Speedtest.net. We recommend using Google Chrome which includes both by default."

I have the latest flash and java versions, and they are both verified if I surf to the Adobe and Oracle test pages. Javascript is enabled and tested working.

Chrome does not work with the latest Java, since it is a 32 bit app.
Is any of you having the same issue?

I've also read somewhere that some days ago speedtest.net suffered a java injection attack.

Thanks.

 

[chrfr]

I have the latest flash and java versions, and they are both verified if I surf to the Adobe and Oracle test pages. Javascript is enabled and tested working.

In spite of a similarity in names, Java and Javascript are not the same thing. You don't need Java to run speedtest.net's tests.
The speedtest Java exploit was a year ago, long since patched.
Java 7u51 blocks unsigned Java applets so that is probably why many sites aren't working. You shouldn't need Java on many sites, however.

 

[jbarley]

Hello guys,
I've (sadly) just updated to the latest java distribution, and now I am having so many issues with many sites.
Speedtest.net does not seem to load in Safari, instead there's a 1994 style page with the warning: "Speedtest.net requires Flash You must have Adobe Flash installed and JavaScript enabled to use Speedtest.net. We recommend using Google Chrome which includes both by default."

I have the latest flash and java versions, and they are both verified if I surf to the Adobe and Oracle test pages. Javascript is enabled and tested working.

Chrome does not work with the latest Java, since it is a 32 bit app.
Is any of you having the same issue?

I've also read somewhere that some days ago speedtest.net suffered a java injection attack.

Thanks.

Checking my java version using this web page

I noticed this message part way down the web page…
this might be part of your problem.
----------------------
YOUR BROWSER LIES: Java 7 Update 10 introduced a new checkbox that disables the use of Java in all browsers. By and large, this is a good thing, but there seems to be a failure to communicate between Java and many web browsers. As a result, all the browsers I have tried so far incorrectly report that Java is not installed when, in fact, it may be installed but this new security feature has been enabled.
------------------------

 

[pierino84]

In spite of a similarity in names, Java and Javascript are not the same thing. You don't need Java to run speedtest.net's tests.
The speedtest Java exploit was a year ago, long since patched.
Java 7u51 blocks unsigned Java applets so that is probably why many sites aren't working. You shouldn't need Java on many sites, however.

Hello chrfr, thanks for replying. I had indeed set the security level to medium, since now unsigned applets are not authorized to run, if not present in the white-list.
I am receiving multiple error in safari console, when connecting to the speedtest site.
I know Java and JS are different, the weird thing is the occurrence of this issue just after the java update.

Jbarley, thanks for your link. It correctly states the latest java version from Oracle. I cannot find the button cited in that warning box, though.

 

[pierino84]

I finally managed to get speedtest.net work again on my mbp.
I'm writing this hoping it can help out anyone with the same issue.
I noted that the JS stuff not loading was coming from a the subdomain c.speedtest.net, which a reverse NS lookup helped me discover that it points to the domain edgecastcdn.net.
A connection to that domain was carelessly denied a couple of days ago through Little Snitch, since it warned me about a random requested connection to that domain by the system.
The problem is that Edgecast network is used by many companies in order to deliver data.
The rule created in Little Snitch prevented any browser to connect to it, so speedtest.net was not loading as expected.

As for Java, since version 7 is only for 64bit apps, and the update 51 breaks several applets (like the Italian popular speedtest site test.ngi.it, which is not working after the update), I downgraded to Apple v6 following the instructions here.
Thanks everyone!

 

[chrfr]

As for Java, since version 7 is only for 64bit apps, and the update 51 breaks several applets (like the Italian popular speedtest site test.ngi.it, which is not working after the update), I downgraded to Apple v6 following the instructions here.
Thanks everyone!

Note that you're far better off finding speed testing sites that do not depend on Java. If you must use Java, you should be using 7u51 and whitelisting sites as necessary.
Apple's Java is no longer patched or maintained and as such has multiple vulnerabilities.

 

[pierino84]

Note that you're far better off finding speed testing sites that do not depend on Java. If you must use Java, you should be using 7u51 and whitelisting sites as necessary.
Apple's Java is no longer patched or maintained and as such has multiple vulnerabilities.

Indeed I normally use speedtest.net, which does not rely on java.
The speedtest from ngi uses it as it executes multiple checks in addition to the speed (firewall etc.)
The problem with java v7 is that Chrome (which I use for web developing) is not yet compatible with it, while v6 is.
Moreover, whitelisted sites are not sandboxed anymore, as it was with previous v7 revisions.
So if a "good" site gets maliciously altered, then you are in trouble.

 

[chrfr]

Moreover, whitelisted sites are not sandboxed anymore, as it was with previous v7 revisions.
So if a "good" site gets maliciously altered, then you are in trouble.

Definitely true. All the more reason to not use it at all. It's unfortunate that Google is forcing Chrome users to stay with an obsolete version of Java if they need it by being behind the curve on developing a 64 bit version of Chrome.