Article: Why you can't dump Java (even though you want to)

Gene Wirchenko · May 9, 2012

A lot of sites don't work without JavaScript enabled. But many work
well enough. It's a matter of playing the odds. The more sites you go
to with JavaScript disabled by default, the less likely it is that
you'll get some sort of malware from them.

Sure I often have to enable JS, but only after I've seen the site first.
If it looks dodgy, I just leave. And often I can still click on a few
links or read an article without JS. It's rare I'll enable JS if I just
need one thing from a site.

This is my experience, too. There are a lot of sites. Few
really need the JavaScript.

Sincerely,

Gene Wirchenko

Arved Sandstrom · May 9, 2012

I think we need to distinguish between:
A) malicious applet code that gets unauthorized access to desktop
PC's when their users just browse the internet
B) hackers that break into a Java web app using various
security holes

A is what I assume the article is about. And the security
problems is caused by bugs in JVM and Java runtime.

B is caused by bugs introduced by the Java web app
developers. And this seems to be what that coding
standard try to address.

Arne

Well, Grimes mentioned everything: Java apps as well as applets, users
insisting on using old Java versions because they believe their apps
need it [1], people not knowing what version they are running, unpatched
Java etc. Which is why I seized the opportunity to bitch about insecure
coding...which is ultimately the root of the problem anyway.

But you're right, it's mostly defects in Java runtimes that Grimes is
talking about.

One point about the secure coding guidelines - let's not characterize
that as "web app" coding. All those guidelines are about secure coding
for Java, period. If I were a Java EE web app developer I'd read the Sun
now Oracle secure coding guidelines for Java first, then something like
OWASP.

AHS

1. And we've had that conversation a number of times in various threads.

Roedy Green · May 9, 2012

www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
InfoWorld Home / Security / Security Adviser
May 08, 2012
Why you can't dump Java (even though you want to)
So many recent exploits have used Java as their attack vector, you
might conclude Java should be shown the exit
By Roger A. Grimes | InfoWorld

Comments?

If dumped something on finding the first security hole Windows would
not have sold even one copy. JavaScript has no security at all. It
does not even try.

I have not personally ever found or been harmed by a hole in the
Applet sandbox or the run time or the Jet run time. I see comments
about obscure bugs getting fixed.

If a hole is causing trouble in the real world and the vendor does not
fix it, then you may have to look elsewhere. That does not describe
Java.
--
Roedy Green Canadian Mind Products
http://mindprod.com
Programmers love to create simplified replacements for HTML.
They forget that the simplest language is the one you
already know. They also forget that their simple little
markup language will bit by bit become even more convoluted
and complicated than HTML because of the unplanned way it grows.
..

Joshua Cranmer · May 10, 2012

If dumped something on finding the first security hole Windows would
not have sold even one copy. JavaScript has no security at all. It
does not even try.

The JavaScript language has no affordance for security by itself,
exactly like Java. The implementations of JS (in particular, what would
amount to standard libraries for JS) as found on most web browsers pay
as much attention to security as Java's applet sandboxing model does.
This includes going to such outlandish extremes as giving you the wrong
data for the color of some text on your page in certain circumstances.

BGB · May 11, 2012

There are now Trojans and viruses that attack the PC
using JavaScript.

One can't really shut down JavaScript in the browser like they can
with the Java plugin to prevent applets from running.

I think the whole internet is doomed. no where to run and hide
any more.

pretty much anything which has open sockets or reads from shared
data-files is a potential security risk.

is the code reading data from the socket sufficiently hardened?
how about the code parsing ones' document?
....

it isn't always an easy problem...

given programming languages can do a bit more, they present a much
bigger surface area to try to attack, making securing the language a
good deal harder.

but, with languages, it is a hard tradeoff between trying to give the
person using the language a lot of freedom while at the same time trying
to find ways to prevent the language from being used in unintended ways
by an attacker, which is also a bit of a problem.

Arne Vajhøj · May 11, 2012

If dumped something on finding the first security hole Windows would
not have sold even one copy. JavaScript has no security at all. It
does not even try.

Maybe you should learn a bit about JavaScript before writing about it.

JavaScript engine in a browser operates in a sandbox and has a
same origin policy. Which is not that far from Java applet model.

Arne

Arne Vajhøj · May 11, 2012

A lot of sites don't work without JavaScript enabled. But many work well
enough. It's a matter of playing the odds. The more sites you go to with
JavaScript disabled by default, the less likely it is that you'll get
some sort of malware from them.

Sure I often have to enable JS, but only after I've seen the site first.
If it looks dodgy, I just leave. And often I can still click on a few
links or read an article without JS. It's rare I'll enable JS if I just
need one thing from a site.

That does not sound as 2012 to me.

Arne

Arne Vajhøj · May 11, 2012

The article specifically mentions Apple, who didn't patch their own
special version of Java for several months, until they got bit hard by a
trojan or something.

Ah - the use of "Few successful Java-related attacks" made me think
that it was general not specific to the MacOS X incident.

Auto update of course requires that there is a fix.

Yes, Oracle's new version for the Mac does enable auto-updates. But
there's enough old Java out there that I guess many don't have it.

And that auto update exists for the platform & version in question.

Arne

Arne Vajhøj · May 11, 2012

Well, Grimes mentioned everything: Java apps as well as applets, users
insisting on using old Java versions because they believe their apps
need it [1], people not knowing what version they are running, unpatched
Java etc. Which is why I seized the opportunity to bitch about insecure
coding...which is ultimately the root of the problem anyway.

But you're right, it's mostly defects in Java runtimes that Grimes is
talking about.

One point about the secure coding guidelines - let's not characterize
that as "web app" coding. All those guidelines are about secure coding
for Java, period. If I were a Java EE web app developer I'd read the Sun
now Oracle secure coding guidelines for Java first, then something like
OWASP.

Good point.

The advice are applicable to all types of apps.

Systems connected to the internet is just a bit more let us
say expected to be attacked.

Arne

BGB · May 11, 2012

I do the same thing: as much as possible I use various combos of Adblock
Plus/Opera Adblock, Do Not Track Plus, Ghostery, Priv3, NotScripts etc
in all of my browsers on all OS's. Not to mention cranking up the
browsers' own mechanisms as much as possible. I also find that most
sites work when imposed with severe restrictions - the ones that don't I
just dismiss, unless they are among a handful that I need and I
temporarily enable the minimum just like you.

I had used AdBlock and similar, but ironically, it was not for sake of
either security or dislike of banner ads, but rather, to reduce the
often severe browser lag caused occasionally by typically Flash-based
banner ads.

Stefan Ram · May 11, 2012

Arne Vajhøj said:
Maybe you should learn a bit about JavaScript before writing about it.

Bent C Dalager · May 11, 2012

That does not sound as 2012 to me.

I think it's generally well accepted that using protection may detract
from the experience somewhat, but this does not automatically make it
a bad idea to do so.

Personally, if someone expects me to spend my time on their website
they better provide a compelling reason for me to want to do so, and
gratuitous dependence on JS just puts me off. In general I consider it
a good early indicator of a terrible web designer: "You need JS to
click this link", right so this guy taught himself web design in his
own dreams.

Bent D.

Gene Wirchenko · May 11, 2012

I decide on site use by something other than fashion.

There are many Websites that are not decked out in a fashionable
manner but that are very useful. I prefer them.

I think it's generally well accepted that using protection may detract
from the experience somewhat, but this does not automatically make it
a bad idea to do so.

Personally, if someone expects me to spend my time on their website
they better provide a compelling reason for me to want to do so, and
gratuitous dependence on JS just puts me off. In general I consider it
a good early indicator of a terrible web designer: "You need JS to
click this link", right so this guy taught himself web design in his
own dreams.

Exactly. Except that the JS-to-click design might also be due to
a gratuitous complexity bug (in the coder).

Sincerely,

Gene Wirchenko

javax.swing.JSnarker · May 12, 2012

Exactly. Except that the JS-to-click design might also be due to
a gratuitous complexity bug (in the coder).

I'm convinced that in most cases it's deliberate: punish users who
disable JS and force them to turn it on so they can be harassed with
annoying animated JS-reliant ads and crap.

Of course, Adblock Plus + enable JS and the user still gets the last laugh.

Sleepy the Dwarf · May 13, 2012

I'm convinced that in most cases it's deliberate: punish users who
disable JS and force them to turn it on so they can be harassed with
annoying animated JS-reliant ads and crap.

And so they can be tracked!

Arne Vajhøj · May 21, 2012

It is just true that whenever there is a security hole in a
browser with no fix yet, I read »in the meantime, one can
disable JavaScript as a workaround«.

Some years ago, I started to collect such reports as a
proof. But then I ceased to collect more such reports,
because I needed my time for other things. Thus, when my
records are dated now, this does not mean that there are no
more such reports today; I just do not collect them anymore.
If I would have continued, the list would be very much longer.
Having said this, here is a copy of a dated post of mine
with regard to JavaScript security from about 2006. At its
end, there is a long list of said reports.

[actual list omitted]

It is a long list.

But you can also find a long list for Java applets and Flash Player.

Even "not really executing code" plugins like AcrobatReader have
had security holes.

Arne

Arne VajhÃ¸j · May 21, 2012

I think it's generally well accepted that using protection may detract
from the experience somewhat, but this does not automatically make it
a bad idea to do so.
Correct.

Personally, if someone expects me to spend my time on their website
they better provide a compelling reason for me to want to do so, and
gratuitous dependence on JS just puts me off. In general I consider it
a good early indicator of a terrible web designer: "You need JS to
click this link", right so this guy taught himself web design in his
own dreams.

????

Considering AJAX heavy web sites to be terrible designed
it not exactly the trend seen on the web.

Arne

Arne Vajhøj · May 21, 2012

I decide on site use by something other than fashion.

There are many Websites that are not decked out in a fashionable
manner but that are very useful. I prefer them.

That is your privilege.

Just be prepared that the share of web sites working without
JS will drop every year.

Arne

Gene Wirchenko · May 21, 2012

That is your privilege.

Just be prepared that the share of web sites working without
JS will drop every year.

I have not noticed that, but it really does not matter. If the
Websites that I find useful tend not to use JavaScript, then I do not
have to enable JavaScript very often. It does not matter to me if the
proportion of useful sites to non-useful sites is low. What matters
is the number of useful sites, and yes, I do find enough of them.

I have found that a Website requiring JavaScript for simple
functionality is a fairly good indication that the Website will not be
useful to me.

Sincerely,

Gene Wirchenko

kulandai · May 21, 2012

Arne Vajhøj said:
On 5/8/2012 4:59 PM, markspace wrote:

Java should automatically update these days.

Arne

Silent update like Chrome may not be suitable for Java. Application server dependencies are there.

Evaluating and opting for update is a better choice (as in practice now)

Joseph

On sandboxes, and why you should care	0	Mar 31, 2006
have you read emacs manual cover to cover?; (was Do we need a"Stevens" book?)	0	Jul 31, 2010
POSSIBLE SECURITY PROBLEM in Java 5!	9	Feb 22, 2006
Can't make this page work	6	Mar 8, 2006
Replies to Seebach - attempting to post to clc moderated	5	Sep 11, 2009
Ruby Weekly News 24th - 30th October 2005	0	Nov 1, 2005
Asp.net Important Topics.	0	Jan 18, 2007

Article: Why you can't dump Java (even though you want to)

Gene Wirchenko

Arved Sandstrom

Roedy Green

Joshua Cranmer

BGB

Arne Vajhøj

Arne Vajhøj

Arne Vajhøj

Arne Vajhøj

BGB

Stefan Ram

Bent C Dalager

Gene Wirchenko

javax.swing.JSnarker

Sleepy the Dwarf

Arne Vajhøj

Arne VajhÃ¸j

Arne Vajhøj

Gene Wirchenko

kulandai

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads