Article: Why you can't dump Java (even though you want to)

[Gene Wirchenko]

This was in the morning's trade articles:

www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
InfoWorld Home / Security / Security Adviser
May 08, 2012
Why you can't dump Java (even though you want to)
So many recent exploits have used Java as their attack vector, you
might conclude Java should be shown the exit
By Roger A. Grimes | InfoWorld

Comments?

Sincerely,

Gene Wirchenko

 

[Arved Sandstrom]

This was in the morning's trade articles:

www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
InfoWorld Home / Security / Security Adviser
May 08, 2012
Why you can't dump Java (even though you want to)
So many recent exploits have used Java as their attack vector, you
might conclude Java should be shown the exit
By Roger A. Grimes | InfoWorld

Comments?

Sincerely,

Gene Wirchenko

I tend to agree with what Grimes wrote on the second page of his
article. As he pointed out, popular software always gets exploited. Part
of it is due to defects in the software, so in Java in this case, but a
major part of it for a programming language and platform (JVM) is how
people code in it. How many Java programmers have genuinely absorbed the
lessons in "Secure Coding Guidelines for the Java Programming Language",
or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
percent? No way is it any higher than that.

The main problem is the human being, whether coder or user.

AHS

 

[Nasser M. Abbasi]

The main problem is the human being, whether coder or user.

AHS

There are now Trojans and viruses that attack the PC
using JavaScript.

One can't really shut down JavaScript in the browser like they can
with the Java plugin to prevent applets from running.

I think the whole internet is doomed. no where to run and hide
any more.


--Nasser

 

[markspace]

There are now Trojans and viruses that attack the PC
using JavaScript.

One can't really shut down JavaScript in the browser like they can
with the Java plugin to prevent applets from running.

Yes you can. I run Firefox with NoScript, an add-on that blocks
JavaScript. Most sites work OK without JavaScript. If I really need
to, NoScript makes it easy for me to temporarily enable a single website.

In some cases, the problem is the platform. I.e., JavaScript, or
ActiveX. But there's work-arounds too.

 

[markspace]

I think the whole internet is doomed. no where to run and hide
any more.

Arved wins this argument. From the article:

"Sure, I could opt not to use those Java-enabled services or install
Java and uninstall when I'm finished. But the core problem isn't
necessarily Java's exploitability; nearly all software is exploitable.
It's *unpatched* Java. Few successful Java-related attacks are related
to zero-day exploits. Almost all are related to Java security bugs that
have been patched for months (or longer)."


Again I use FireFox. After a recent upgrade of FF, it disabled the Java
plugin (a recent one, version 6 update 22 or so) calling it insecure.
OK whatever, so I downloaded a new one. It bugged me at the time but
now I see why: FF was forcing me to upgraded to a later patch. This
I'm removes known vulnerabilities.

It takes effort to stay on top of these things but it can be done. Now,
who's at fault for the Mac Java exploit? Oracle? Or Apple for
allowing users to run old, insecure versions of Java?

 

[Nasser M. Abbasi]

Yes you can. I run Firefox with NoScript, an add-on that blocks
JavaScript. Most sites work OK without JavaScript. If I really need
to, NoScript makes it easy for me to temporarily enable a single website.

In some cases, the problem is the platform. I.e., JavaScript, or
ActiveX. But there's work-arounds too.

Well, I know I can turn off Javascript from firefox, it is
easy. Tools->Options->Content->uncheck Javascript.

The point is, browsing the internet is almost useless when
JavaScript is off. How will you browse Yahoo, Google, etc..
with no JavaScript? Many things do not work any more. Some do yes,
but many things needs JavaScript to work.

It feels like driving a car with no wheels attached to it. Not
a fun thing to do.

--Nasser

 

[markspace]

The point is, browsing the internet is almost useless when
JavaScript is off.

Read what I wrote again. "NoScript makes it easy to temporarily enable
JavaScript for a single website."

Emphasis on the "makes it easy" and the "single website."

Using that feature allows me to browse safely, while still retaining the
option to quickly turn JS back on if I need it for a given website.

 

[Nasser M. Abbasi]

Read what I wrote again. "NoScript makes it easy to temporarily enable
JavaScript for a single website."

And you read what I wrote again. I said it is very easy for
me to turn off Javascript and turn it on.

But for me, this is no way to browse the internet.

When I click on something and it does not work, then I
have to turn on javascript. Then remember to turn it off
again, then on again, then off again. I'll be spending
my day turning off and on Javascript.

If this works for you, fine. Not for me.

--Nasser

 

[Gene Wirchenko]

Well, I know I can turn off Javascript from firefox, it is
easy. Tools->Options->Content->uncheck Javascript.

The point is, browsing the internet is almost useless when
JavaScript is off. How will you browse Yahoo, Google, etc..

Not even close. I use Firefox and NoScript as well. There are
few sites that I frequent that need JavaScript.

with no JavaScript? Many things do not work any more. Some do yes,

You need better examples. Both Yahoo! and Google work without
JavaScript (at least, the basic search function).

but many things needs JavaScript to work.

It feels like driving a car with no wheels attached to it. Not
a fun thing to do.

No, it is like driving a car with no chrome on it. One might
miss it a bit, but it is not necessary in order to drive.

Some sites do make it very difficult. On some sites, clicking on
a link requires JavaScript to be executed. The <a> tag works fine
without JavaScript so this is bogosity. I tend to very quickly leave
such sites and not go back.

I have wondered why no one has come up with a limited JavaScript
that does not allow such attacks.

Sincerely,

Gene Wirchenko

 

[Arved Sandstrom]

Yes you can. I run Firefox with NoScript, an add-on that blocks
JavaScript. Most sites work OK without JavaScript. If I really need
to, NoScript makes it easy for me to temporarily enable a single website.

In some cases, the problem is the platform. I.e., JavaScript, or
ActiveX. But there's work-arounds too.

I do the same thing: as much as possible I use various combos of Adblock
Plus/Opera Adblock, Do Not Track Plus, Ghostery, Priv3, NotScripts etc
in all of my browsers on all OS's. Not to mention cranking up the
browsers' own mechanisms as much as possible. I also find that most
sites work when imposed with severe restrictions - the ones that don't I
just dismiss, unless they are among a handful that I need and I
temporarily enable the minimum just like you.

AHS

 

[Gene Wirchenko]

And you read what I wrote again. I said it is very easy for
me to turn off Javascript and turn it on.

But for me, this is no way to browse the internet.

When I click on something and it does not work, then I
have to turn on javascript. Then remember to turn it off
again, then on again, then off again. I'll be spending
my day turning off and on Javascript.

When I try opening a door and it is locked, then I have get out
my keys and unlock the door. Then I have to remember to lock the door
again. Unlock and lock. I will be spending my day unlocking and
locking doors.

If this works for you, fine. Not for me.

Leaving the barn door open has advantages but also significant
downside.

Sincerely,

Gene Wirchenko

 

[markspace]

And you read what I wrote again. I said it is very easy for
me to turn off Javascript and turn it on.

What you said was:


"> The point is, browsing the internet is almost useless when

JavaScript is off."

Which is false.

When I click on something and it does not work, then I
have to turn on javascript. Then remember to turn it off
again, then on again, then off again. I'll be spending
my day turning off and on Javascript.

This is what I'm trying to explain to you, if you'll listen. NoSript
DOES NOT WORK LIKE THIS.

I enable JavaScript for ONE SITE. No other sites. I don't have to turn
JavaScript back off because it's still off for all other sites. Usually
I just use the "temporary" option so JS is enabled for one session.
When I quit, JS is back off again for all my temporary sites.

Sometimes I visit a site often enough that I enable it permanently, but
I have relatively few of those.

GET NOSCRIPT ALREADY and stop complaining that "it doesn't work" because
you have no idea what you are talking about.

 

[Joshua Maurice]

There are now Trojans and viruses that attack the PC
using JavaScript.

One can't really shut down JavaScript in the browser like they can
with the Java plugin to prevent applets from running.

I think the whole internet is doomed. no where to run and hide
any more.

I will also second (or third?) firefox and noscript. Yes it's a pain,
and yes there's some websites that require javascript to work, but
it's better than nothing for a little amount of hassle.

 

[Arne Vajhøj]

Yes you can. I run Firefox with NoScript, an add-on that blocks
JavaScript. Most sites work OK without JavaScript. If I really need to,
NoScript makes it easy for me to temporarily enable a single website.

That worked fine 10 years ago.

In these AJAX times the number of sites working without
JavaScript must be dropping pretty steep.

Arne

 

[Arne Vajhøj]

Arved wins this argument. From the article:

"Sure, I could opt not to use those Java-enabled services or install
Java and uninstall when I'm finished. But the core problem isn't
necessarily Java's exploitability; nearly all software is exploitable.
It's *unpatched* Java. Few successful Java-related attacks are related
to zero-day exploits. Almost all are related to Java security bugs that
have been patched for months (or longer)."

????

Java should automatically update these days.

Arne

 

[Arne Vajhøj]

I tend to agree with what Grimes wrote on the second page of his
article. As he pointed out, popular software always gets exploited. Part
of it is due to defects in the software, so in Java in this case, but a
major part of it for a programming language and platform (JVM) is how
people code in it. How many Java programmers have genuinely absorbed the
lessons in "Secure Coding Guidelines for the Java Programming Language",
or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
percent? No way is it any higher than that.

I think we need to distinguish between:
A) malicious applet code that gets unauthorized access to desktop
PC's when their users just browse the internet
B) hackers that break into a Java web app using various
security holes

A is what I assume the article is about. And the security
problems is caused by bugs in JVM and Java runtime.

B is caused by bugs introduced by the Java web app
developers. And this seems to be what that coding
standard try to address.

Arne

 

[Arne Vajhøj]

This was in the morning's trade articles:

www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
InfoWorld Home / Security / Security Adviser
May 08, 2012
Why you can't dump Java (even though you want to)
So many recent exploits have used Java as their attack vector, you
might conclude Java should be shown the exit
By Roger A. Grimes | InfoWorld

Comments?

The article is true but still completely BS.

There is a need for code running client side in web
solutions.

That code runs sandboxed and in theory does not have access
to anything on the client PC.

In practice there are some security bugs in the sandbox that
allows malicious code to gain access that it was not supposed
to have.

Same story whether it is Java applet, Flash, Silverlight,
JavaScript/HTML5 or even to some extent JavaScript/oldHTML.

As long as there is a need for code running client side
then the problem will exist.

Whether it is Java or something else does not matter.

So suggesting disabling Java in the browser is BS.

On can suggest disabling Java, Flash, JavaScript etc.
and see if one can live with the 1996 feeling.

Arne

 

[markspace]

That worked fine 10 years ago.

In these AJAX times the number of sites working without
JavaScript must be dropping pretty steep.

A lot of sites don't work without JavaScript enabled. But many work
well enough. It's a matter of playing the odds. The more sites you go
to with JavaScript disabled by default, the less likely it is that
you'll get some sort of malware from them.

Sure I often have to enable JS, but only after I've seen the site first.
If it looks dodgy, I just leave. And often I can still click on a few
links or read an article without JS. It's rare I'll enable JS if I just
need one thing from a site.

 

[markspace]

Java should automatically update these days.

The article specifically mentions Apple, who didn't patch their own
special version of Java for several months, until they got bit hard by a
trojan or something.

Yes, Oracle's new version for the Mac does enable auto-updates. But
there's enough old Java out there that I guess many don't have it.

 

[Eric Sosman]

A lot of sites don't work without JavaScript enabled. But many work well
enough. It's a matter of playing the odds. The more sites you go to with
JavaScript disabled by default, the less likely it is that you'll get
some sort of malware from them.

For even more security, disable HTML.