Article: Why you can't dump Java (even though you want to)

Discussion in 'Java' started by Gene Wirchenko, May 8, 2012.

  1. This was in the morning's trade articles:

    www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
    InfoWorld Home / Security / Security Adviser
    May 08, 2012
    Why you can't dump Java (even though you want to)
    So many recent exploits have used Java as their attack vector, you
    might conclude Java should be shown the exit
    By Roger A. Grimes | InfoWorld

    Comments?

    Sincerely,

    Gene Wirchenko
     
    Gene Wirchenko, May 8, 2012
    #1

  2. On 12-05-08 12:51 PM, Gene Wirchenko wrote:
    > This was in the morning's trade articles:
    >
    > www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
    > InfoWorld Home / Security / Security Adviser
    > May 08, 2012
    > Why you can't dump Java (even though you want to)
    > So many recent exploits have used Java as their attack vector, you
    > might conclude Java should be shown the exit
    > By Roger A. Grimes | InfoWorld
    >
    > Comments?
    >
    > Sincerely,
    >
    > Gene Wirchenko


    I tend to agree with what Grimes wrote on the second page of his
    article. As he pointed out, popular software always gets exploited. Part
    of it is due to defects in the software, so in Java in this case, but a
    major part of it for a programming language and platform (JVM) is how
    people code in it. How many Java programmers have genuinely absorbed the
    lessons in "Secure Coding Guidelines for the Java Programming Language",
    or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
    percent? No way is it any higher than that.

    The main problem is the human being, whether coder or user.

    AHS
    --
    Never interrupt your enemy when he is making a mistake.
    --Napoleon
     
    Arved Sandstrom, May 8, 2012
    #2

  3. On 5/8/2012 3:14 PM, Arved Sandstrom wrote:

    >
    > The main problem is the human being, whether coder or user.
    >
    > AHS


    There are now Trojans and viruses that attack the PC
    using JavaScript.

    One can't really shut down JavaScript in the browser like they can
    with the Java plugin to prevent applets from running.

    I think the whole internet is doomed. Nowhere to run and hide
    any more.


    --Nasser
     
    Nasser M. Abbasi, May 8, 2012
    #3
  4. markspace Guest

    On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
    > On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
    >
    >>
    >> The main problem is the human being, whether coder or user.
    >>
    >> AHS

    >
    > There are now Trojans and viruses that attack the PC
    > using JavaScript.
    >
    > One can't really shut down JavaScript in the browser like they can
    > with the Java plugin to prevent applets from running.



    Yes you can. I run Firefox with NoScript, an add-on that blocks
    JavaScript. Most sites work OK without JavaScript. If I really need
    to, NoScript makes it easy for me to temporarily enable a single website.

    In some cases, the problem is the platform. I.e., JavaScript, or
    ActiveX. But there's work-arounds too.
     
    markspace, May 8, 2012
    #4
  5. markspace Guest

    On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:

    > On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
    >>
    >> The main problem is the human being, whether coder or user.
    >>


    > I think the whole internet is doomed. Nowhere to run and hide
    > any more.



    Arved wins this argument. From the article:

    "Sure, I could opt not to use those Java-enabled services or install
    Java and uninstall when I'm finished. But the core problem isn't
    necessarily Java's exploitability; nearly all software is exploitable.
    It's *unpatched* Java. Few successful Java-related attacks are related
    to zero-day exploits. Almost all are related to Java security bugs that
    have been patched for months (or longer)."


    Again I use Firefox. After a recent upgrade of FF, it disabled the Java
    plugin (a recent one, version 6 update 22 or so) calling it insecure.
    OK whatever, so I downloaded a new one. It bugged me at the time but
    now I see why: FF was forcing me to upgrade to a later patch. This
    removes known vulnerabilities.

    It takes effort to stay on top of these things but it can be done. Now,
    who's at fault for the Mac Java exploit? Oracle? Or Apple for
    allowing users to run old, insecure versions of Java?
     
    markspace, May 8, 2012
    #5
  6. On 5/8/2012 3:51 PM, markspace wrote:
    > On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
    >> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
    >>
    >>>
    >>> The main problem is the human being, whether coder or user.
    >>>
    >>> AHS

    >>
    >> There are now Trojans and viruses that attack the PC
    >> using JavaScript.
    >>
    >> One can't really shut down JavaScript in the browser like they can
    >> with the Java plugin to prevent applets from running.

    >
    >


    > Yes you can. I run Firefox with NoScript, an add-on that blocks
    > JavaScript. Most sites work OK without JavaScript. If I really need
    > to, NoScript makes it easy for me to temporarily enable a single website.
    >
    > In some cases, the problem is the platform. I.e., JavaScript, or
    > ActiveX. But there's work-arounds too.
    >


    Well, I know I can turn off JavaScript from Firefox; it is
    easy: Tools->Options->Content->uncheck JavaScript.

    The point is, browsing the internet is almost useless when
    JavaScript is off. How will you browse Yahoo, Google, etc.
    with no JavaScript? Many things do not work any more. Some do, yes,
    but many things need JavaScript to work.

    It feels like driving a car with no wheels attached to it. Not
    a fun thing to do.

    --Nasser
     
    Nasser M. Abbasi, May 8, 2012
    #6
  7. markspace Guest

    On 5/8/2012 2:01 PM, Nasser M. Abbasi wrote:

    > The point is, browsing the internet is almost useless when
    > JavaScript is off.



    Read what I wrote again. "NoScript makes it easy to temporarily enable
    JavaScript for a single website."

    Emphasis on the "makes it easy" and the "single website."

    Using that feature allows me to browse safely, while still retaining the
    option to quickly turn JS back on if I need it for a given website.
     
    markspace, May 8, 2012
    #7
  8. On 5/8/2012 4:15 PM, markspace wrote:
    > On 5/8/2012 2:01 PM, Nasser M. Abbasi wrote:
    >
    >> The point is, browsing the internet is almost useless when
    >> JavaScript is off.

    >
    >
    > Read what I wrote again. "NoScript makes it easy to temporarily enable
    > JavaScript for a single website."
    >


    And you read what I wrote again. I said it is very easy for
    me to turn off JavaScript and turn it on.

    But for me, this is no way to browse the internet.

    When I click on something and it does not work, then I
    have to turn on JavaScript. Then remember to turn it off
    again, then on again, then off again. I'll be spending
    my day turning JavaScript off and on.

    If this works for you, fine. Not for me.

    --Nasser
     
    Nasser M. Abbasi, May 8, 2012
    #8
  9. On Tue, 08 May 2012 16:01:07 -0500, "Nasser M. Abbasi" <>
    wrote:

    >On 5/8/2012 3:51 PM, markspace wrote:
    >> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
    >>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:


    >>>> The main problem is the human being, whether coder or user.


    >>> There are now Trojans and viruses that attack the PC
    >>> using JavaScript.
    >>>
    >>> One can't really shut down JavaScript in the browser like they can
    >>> with the Java plugin to prevent applets from running.


    >> Yes you can. I run Firefox with NoScript, an add-on that blocks
    >> JavaScript. Most sites work OK without JavaScript. If I really need
    >> to, NoScript makes it easy for me to temporarily enable a single website.
    >>
    >> In some cases, the problem is the platform. I.e., JavaScript, or
    >> ActiveX. But there's work-arounds too.


    >Well, I know I can turn off Javascript from firefox, it is
    >easy. Tools->Options->Content->uncheck Javascript.
    >
    >The point is, browsing the internet is almost useless when
    >JavaScript is off. How will you browse Yahoo, Google, etc..


    Not even close. I use Firefox and NoScript as well. There are
    few sites that I frequent that need JavaScript.

    >with no JavaScript? Many things do not work any more. Some do yes,


    You need better examples. Both Yahoo! and Google work without
    JavaScript (at least, the basic search function).

    >but many things needs JavaScript to work.
    >
    >It feels like driving a car with no wheels attached to it. Not
    >a fun thing to do.


    No, it is like driving a car with no chrome on it. One might
    miss it a bit, but it is not necessary in order to drive.

    Some sites do make it very difficult. On some sites, clicking on
    a link requires JavaScript to be executed. The <a> tag works fine
    without JavaScript so this is bogosity. I tend to very quickly leave
    such sites and not go back.

    I have wondered why no one has come up with a limited JavaScript
    that does not allow such attacks.

    Sincerely,

    Gene Wirchenko
     
    Gene Wirchenko, May 8, 2012
    #9
  10. On 12-05-08 05:51 PM, markspace wrote:
    > On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
    >> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
    >>
    >>>
    >>> The main problem is the human being, whether coder or user.
    >>>
    >>> AHS

    >>
    >> There are now Trojans and viruses that attack the PC
    >> using JavaScript.
    >>
    >> One can't really shut down JavaScript in the browser like they can
    >> with the Java plugin to prevent applets from running.

    >
    >
    > Yes you can. I run Firefox with NoScript, an add-on that blocks
    > JavaScript. Most sites work OK without JavaScript. If I really need
    > to, NoScript makes it easy for me to temporarily enable a single website.
    >
    > In some cases, the problem is the platform. I.e., JavaScript, or
    > ActiveX. But there's work-arounds too.
    >


    I do the same thing: as much as possible I use various combos of Adblock
    Plus/Opera Adblock, Do Not Track Plus, Ghostery, Priv3, NotScripts etc
    in all of my browsers on all OSes. Not to mention cranking up the
    browsers' own mechanisms as much as possible. I also find that most
    sites work when imposed with severe restrictions - the ones that don't I
    just dismiss, unless they are among a handful that I need and I
    temporarily enable the minimum just like you.

    AHS
    --
    Never interrupt your enemy when he is making a mistake.
    --Napoleon
     
    Arved Sandstrom, May 8, 2012
    #10
  11. On Tue, 08 May 2012 16:41:31 -0500, "Nasser M. Abbasi" <>
    wrote:

    >On 5/8/2012 4:15 PM, markspace wrote:
    >> On 5/8/2012 2:01 PM, Nasser M. Abbasi wrote:
    >>
    >>> The point is, browsing the internet is almost useless when
    >>> JavaScript is off.


    >> Read what I wrote again. "NoScript makes it easy to temporarily enable
    >> JavaScript for a single website."


    >And you read what I wrote again. I said it is very easy for
    >me to turn off Javascript and turn it on.
    >
    >But for me, this is no way to browse the internet.
    >
    >When I click on something and it does not work, then I
    >have to turn on javascript. Then remember to turn it off
    >again, then on again, then off again. I'll be spending
    >my day turning off and on Javascript.


    When I try opening a door and it is locked, then I have to get out
    my keys and unlock the door. Then I have to remember to lock the door
    again. Unlock and lock. I will be spending my day unlocking and
    locking doors.

    >If this works for you, fine. Not for me.


    Leaving the barn door open has advantages but also significant
    downside.

    Sincerely,

    Gene Wirchenko
     
    Gene Wirchenko, May 8, 2012
    #11
  12. markspace Guest

    On 5/8/2012 2:41 PM, Nasser M. Abbasi wrote:

    > And you read what I wrote again. I said it is very easy for
    > me to turn off Javascript and turn it on.



    What you said was:


    "> The point is, browsing the internet is almost useless when
    > JavaScript is off."



    Which is false.

    > When I click on something and it does not work, then I
    > have to turn on javascript. Then remember to turn it off
    > again, then on again, then off again. I'll be spending
    > my day turning off and on Javascript.



    This is what I'm trying to explain to you, if you'll listen. NoScript
    DOES NOT WORK LIKE THIS.

    I enable JavaScript for ONE SITE. No other sites. I don't have to turn
    JavaScript back off because it's still off for all other sites. Usually
    I just use the "temporary" option so JS is enabled for one session.
    When I quit, JS is back off again for all my temporary sites.

    Sometimes I visit a site often enough that I enable it permanently, but
    I have relatively few of those.

    GET NOSCRIPT ALREADY and stop complaining that "it doesn't work" because
    you have no idea what you are talking about.
     
    markspace, May 8, 2012
    #12
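    The per-site policy markspace describes in posts #4, #7 and #12 (scripts
    off by default, a short permanent allowlist, and temporary grants that
    vanish when the session ends) is easy to misread as a global on/off
    switch. The following is an added example, not code from the thread or
    from NoScript itself, that models that policy so the difference is
    concrete. Assumptions: decisions are keyed on scheme plus exact host (no
    subdomain wildcarding), a "temporary" grant lasts one browser session,
    and the site names are constructed sample data.

```javascript
// Added example, not from the thread or from NoScript: a model of a
// default-deny, per-site script policy with permanent and per-session grants.
// Assumptions: scheme + exact host is the unit of trust; host names below are
// constructed sample data; class and method names are this example's own.

class ScriptPolicy {
  constructor(permanentSites = []) {
    // Sites the user trusts all the time; kept deliberately short.
    this.permanent = new Set(permanentSites.map(ScriptPolicy.key));
    // Sites allowed only until the session ends.
    this.temporary = new Set();
  }

  // Normalise a URL (or bare host) to "scheme://host". Path and query never
  // influence the decision; http:// and https:// are treated as distinct.
  static key(target) {
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(target);
    const u = new URL(hasScheme ? target : "https://" + target);
    return `${u.protocol}//${u.hostname.toLowerCase()}`;
  }

  allowTemporarily(target) {
    this.temporary.add(ScriptPolicy.key(target));
  }

  allowPermanently(target) {
    this.permanent.add(ScriptPolicy.key(target));
  }

  forbid(target) {
    const k = ScriptPolicy.key(target);
    this.temporary.delete(k);
    this.permanent.delete(k);
  }

  // Default deny: only explicitly allowed origins may run script.
  scriptsAllowed(target) {
    const k = ScriptPolicy.key(target);
    return this.permanent.has(k) || this.temporary.has(k);
  }

  // Decide per script source, not per page: allowing a page's own host does
  // not allow the third-party scripts it embeds unless their hosts are
  // allowed too. Relative srcs resolve against the page and so share its host.
  partitionScripts(pageUrl, scriptSrcs) {
    const allowed = [];
    const blocked = [];
    for (const src of scriptSrcs) {
      const absolute = new URL(src, pageUrl).href;
      (this.scriptsAllowed(absolute) ? allowed : blocked).push(src);
    }
    return { allowed, blocked };
  }

  // Session end: temporary grants disappear, permanent ones stay, and nothing
  // has to be switched "back off" by hand.
  endSession() {
    this.temporary.clear();
  }
}
```

    The point the model makes is the one argued in the thread: enabling one
    site touches only that site's entry, and a session grant expires on its
    own, so there is no global toggle to remember to flip back.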
  13. On May 8, 1:36 pm, "Nasser M. Abbasi" <> wrote:
    > On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
    >
    >
    >
    > > The main problem is the human being, whether coder or user.

    >
    > > AHS

    >
    > There are now Trojans and viruses that attack the PC
    > using JavaScript.
    >
    > One can't really shut down JavaScript in the browser like they can
    > with the Java plugin to prevent applets from running.
    >
    > I think the whole internet is doomed. Nowhere to run and hide
    > any more.


    I will also second (or third?) firefox and noscript. Yes it's a pain,
    and yes there's some websites that require javascript to work, but
    it's better than nothing for a little amount of hassle.
     
    Joshua Maurice, May 8, 2012
    #13
  14. Arne Vajhøj Guest

    On 5/8/2012 4:51 PM, markspace wrote:
    > On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
    >> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
    >>> The main problem is the human being, whether coder or user.

    >>
    >> There are now Trojans and viruses that attack the PC
    >> using JavaScript.
    >>
    >> One can't really shut down JavaScript in the browser like they can
    >> with the Java plugin to prevent applets from running.

    >
    >
    > Yes you can. I run Firefox with NoScript, an add-on that blocks
    > JavaScript. Most sites work OK without JavaScript. If I really need to,
    > NoScript makes it easy for me to temporarily enable a single website.


    That worked fine 10 years ago.

    In these AJAX times the number of sites working without
    JavaScript must be dropping pretty steeply.

    Arne
     
    Arne Vajhøj, May 9, 2012
    #14
  15. Arne Vajhøj Guest

    On 5/8/2012 4:59 PM, markspace wrote:
    > On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
    >> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
    >>> The main problem is the human being, whether coder or user.

    >
    >> I think the whole internet is doomed. Nowhere to run and hide
    >> any more.

    >
    > Arved wins this argument. From the article:
    >
    > "Sure, I could opt not to use those Java-enabled services or install
    > Java and uninstall when I'm finished. But the core problem isn't
    > necessarily Java's exploitability; nearly all software is exploitable.
    > It's *unpatched* Java. Few successful Java-related attacks are related
    > to zero-day exploits. Almost all are related to Java security bugs that
    > have been patched for months (or longer)."


    ????

    Java should automatically update these days.

    Arne
     
    Arne Vajhøj, May 9, 2012
    #15
  16. Arne Vajhøj Guest

    On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
    > On 12-05-08 12:51 PM, Gene Wirchenko wrote:
    >> This was in the morning's trade articles:
    >>
    >> www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
    >> InfoWorld Home / Security / Security Adviser
    >> May 08, 2012
    >> Why you can't dump Java (even though you want to)
    >> So many recent exploits have used Java as their attack vector, you
    >> might conclude Java should be shown the exit
    >> By Roger A. Grimes | InfoWorld
    >>


    > I tend to agree with what Grimes wrote on the second page of his
    > article. As he pointed out, popular software always gets exploited. Part
    > of it is due to defects in the software, so in Java in this case, but a
    > major part of it for a programming language and platform (JVM) is how
    > people code in it. How many Java programmers have genuinely absorbed the
    > lessons in "Secure Coding Guidelines for the Java Programming Language",
    > or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
    > percent? No way is it any higher than that.


    I think we need to distinguish between:
    A) malicious applet code that gets unauthorized access to desktop
    PCs when their users just browse the internet
    B) hackers that break into a Java web app using various
    security holes

    A is what I assume the article is about. And the security
    problems are caused by bugs in the JVM and Java runtime.

    B is caused by bugs introduced by the Java web app
    developers. And this seems to be what that coding
    standard tries to address.

    Arne
     
    Arne Vajhøj, May 9, 2012
    #16
  17. Arne Vajhøj Guest

    On 5/8/2012 11:51 AM, Gene Wirchenko wrote:
    > This was in the morning's trade articles:
    >
    > www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
    > InfoWorld Home / Security / Security Adviser
    > May 08, 2012
    > Why you can't dump Java (even though you want to)
    > So many recent exploits have used Java as their attack vector, you
    > might conclude Java should be shown the exit
    > By Roger A. Grimes | InfoWorld
    >
    > Comments?


    The article is true but still completely BS.

    There is a need for code running client side in web
    solutions.

    That code runs sandboxed and in theory does not have access
    to anything on the client PC.

    In practice there are some security bugs in the sandbox that
    allow malicious code to gain access that it was not supposed
    to have.

    Same story whether it is Java applet, Flash, Silverlight,
    JavaScript/HTML5 or even to some extent JavaScript/oldHTML.

    As long as there is a need for code running client side
    then the problem will exist.

    Whether it is Java or something else does not matter.

    So suggesting disabling Java in the browser is BS.

    One can suggest disabling Java, Flash, JavaScript etc.
    and see if one can live with the 1996 feeling.

    Arne
     
    Arne Vajhøj, May 9, 2012
    #17
  18. markspace Guest

    On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
    > That worked fine 10 years ago.
    >
    > In these AJAX times the number of sites working without
    > JavaScript must be dropping pretty steep.



    A lot of sites don't work without JavaScript enabled. But many work
    well enough. It's a matter of playing the odds. The more sites you go
    to with JavaScript disabled by default, the less likely it is that
    you'll get some sort of malware from them.

    Sure I often have to enable JS, but only after I've seen the site first.
    If it looks dodgy, I just leave. And often I can still click on a few
    links or read an article without JS. It's rare I'll enable JS if I just
    need one thing from a site.
     
    markspace, May 9, 2012
    #18
  19. markspace Guest

    On 5/8/2012 6:04 PM, Arne Vajhøj wrote:
    >
    > Java should automatically update these days.



    The article specifically mentions Apple, who didn't patch their own
    special version of Java for several months, until they got bit hard by a
    trojan or something.

    Yes, Oracle's new version for the Mac does enable auto-updates. But
    there's enough old Java out there that I guess many don't have it.
     
    markspace, May 9, 2012
    #19
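    Posts #5, #15 and #19 turn on the same practical question: is the Java
    on this machine actually at the current patch level, or one of the
    "old Java" installs the article blames? The following is an added
    example, not code from the thread, InfoWorld, Oracle or Apple, that
    answers it from `java -version` output. It handles both the old
    "1.x.y_uu" version scheme (where "1.6.0_22" is Java 6 update 22) and the
    newer "N.m.p" scheme, and flags a runtime older than a baseline you
    configure per major version. The baselines, the sample outputs and all
    function names are constructed for the example; in use, set each baseline
    to the vendor's latest security release.

```javascript
// Added example, not from the thread or any vendor tooling: detect an
// outdated Java runtime from `java -version` output. Baselines and sample
// outputs are constructed example values, not authoritative patch levels.

const BASELINES = {
  6: "1.6.0_45",   // example value; replace with the vendor's current release
  7: "1.7.0_80",   // example value
  8: "1.8.0_392",  // example value
  17: "17.0.9",    // example value
};

// Parse "1.6.0_22", "1.8.0_292", "17.0.8" or "21" into
// { raw, major, minor, update }. Returns null if the string is unrecognised.
function parseVersionString(raw) {
  const legacy = /^1\.(\d+)\.(\d+)(?:_(\d+))?/.exec(raw);   // 1.6.0_22 -> major 6
  if (legacy) {
    return { raw, major: Number(legacy[1]), minor: Number(legacy[2]), update: Number(legacy[3] || 0) };
  }
  const modern = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(raw); // 17.0.8 -> major 17
  if (!modern) return null;
  return { raw, major: Number(modern[1]), minor: Number(modern[2] || 0), update: Number(modern[3] || 0) };
}

// `java -version` writes to stderr; its first line reads, for example,
//   java version "1.6.0_22"      or      openjdk version "17.0.8"
function parseJavaVersionOutput(output) {
  const m = /^(?:java|openjdk) version "([^"]+)"/m.exec(output);
  return m ? parseVersionString(m[1]) : null;
}

// Lexicographic compare on (major, minor, update): -1, 0 or 1.
function compareVersions(a, b) {
  for (const field of ["major", "minor", "update"]) {
    if (a[field] !== b[field]) return a[field] < b[field] ? -1 : 1;
  }
  return 0;
}

// Returns { status: "ok" | "outdated" | "no-baseline" | "unparseable", ... }.
// A major version with no baseline is reported rather than silently passed,
// since an unknown runtime is exactly the case that needs a human look.
function checkJavaVersion(output, baselines = BASELINES) {
  const found = parseJavaVersionOutput(output);
  if (!found) return { status: "unparseable" };
  const baselineRaw = baselines[found.major];
  if (!baselineRaw) return { status: "no-baseline", version: found.raw };
  const baseline = parseVersionString(baselineRaw);
  const status = compareVersions(found, baseline) < 0 ? "outdated" : "ok";
  return { status, version: found.raw, baseline: baselineRaw };
}

// Constructed sample outputs in the shape the JDK prints.
const SAMPLE_OLD_JRE =
  'java version "1.6.0_22"\n' +
  'Java(TM) SE Runtime Environment (build 1.6.0_22-b04)\n' +
  'Java HotSpot(TM) Client VM (build 17.1-b03, mixed mode, sharing)\n';

const SAMPLE_CURRENT_JRE =
  'openjdk version "17.0.9"\n' +
  'OpenJDK Runtime Environment (build 17.0.9+9)\n';
```

    To check the live machine rather than the samples, feed
    `checkJavaVersion` the stderr text of
    `require("child_process").spawnSync("java", ["-version"])`; if that
    result carries an `error`, there is no `java` on the PATH, which is
    itself an answer. A browser plugin can still point at a different
    runtime than the one on the PATH, so on a desktop the check belongs next
    to an inventory of installed JREs, not in place of one.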
  20. Eric Sosman Guest

    On 5/8/2012 11:52 PM, markspace wrote:
    > On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
    >> That worked fine 10 years ago.
    >>
    >> In these AJAX times the number of sites working without
    >> JavaScript must be dropping pretty steep.

    >
    >
    > A lot of sites don't work without JavaScript enabled. But many work well
    > enough. It's a matter of playing the odds. The more sites you go to with
    > JavaScript disabled by default, the less likely it is that you'll get
    > some sort of malware from them.


    For even more security, disable HTML.

    --
    Eric Sosman
     
    Eric Sosman, May 9, 2012
    #20
