Article: Why you can't dump Java (even though you want to)


Gene Wirchenko

A lot of sites don't work without JavaScript enabled. But many work
well enough. It's a matter of playing the odds. The more sites you go
to with JavaScript disabled by default, the less likely it is that
you'll get some sort of malware from them.

Sure I often have to enable JS, but only after I've seen the site first.
If it looks dodgy, I just leave. And often I can still click on a few
links or read an article without JS. It's rare I'll enable JS if I just
need one thing from a site.

This is my experience, too. There are a lot of sites. Few
really need the JavaScript.

Sincerely,

Gene Wirchenko
 

Arved Sandstrom

I think we need to distinguish between:
A) malicious applet code that gets unauthorized access to desktop
PCs when their users just browse the internet
B) hackers that break into a Java web app using various
security holes

A is what I assume the article is about. And the security
problems are caused by bugs in JVM and Java runtime.

B is caused by bugs introduced by the Java web app
developers. And this seems to be what that coding
standard tries to address.

Arne

Well, Grimes mentioned everything: Java apps as well as applets, users
insisting on using old Java versions because they believe their apps
need it [1], people not knowing what version they are running, unpatched
Java etc. Which is why I seized the opportunity to bitch about insecure
coding...which is ultimately the root of the problem anyway.

But you're right, it's mostly defects in Java runtimes that Grimes is
talking about.

One point about the secure coding guidelines - let's not characterize
that as "web app" coding. All those guidelines are about secure coding
for Java, period. If I were a Java EE web app developer I'd read the Sun
now Oracle secure coding guidelines for Java first, then something like
OWASP.

AHS

1. And we've had that conversation a number of times in various threads.
 

Roedy Green

www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
InfoWorld Home / Security / Security Adviser
May 08, 2012
Why you can't dump Java (even though you want to)
So many recent exploits have used Java as their attack vector, you
might conclude Java should be shown the exit
By Roger A. Grimes | InfoWorld

Comments?

If we dumped something on finding the first security hole Windows would
not have sold even one copy. JavaScript has no security at all. It
does not even try.

I have not personally ever found or been harmed by a hole in the
Applet sandbox or the run time or the Jet run time. I see comments
about obscure bugs getting fixed.

If a hole is causing trouble in the real world and the vendor does not
fix it, then you may have to look elsewhere. That does not describe
Java.
--
Roedy Green Canadian Mind Products
http://mindprod.com
Programmers love to create simplified replacements for HTML.
They forget that the simplest language is the one you
already know. They also forget that their simple little
markup language will bit by bit become even more convoluted
and complicated than HTML because of the unplanned way it grows.
..
 

Joshua Cranmer

If we dumped something on finding the first security hole Windows would
not have sold even one copy. JavaScript has no security at all. It
does not even try.

The JavaScript language has no affordance for security by itself,
exactly like Java. The implementations of JS (in particular, what would
amount to standard libraries for JS) as found on most web browsers pay
as much attention to security as Java's applet sandboxing model does.
This includes going to such outlandish extremes as giving you the wrong
data for the color of some text on your page in certain circumstances.
 

BGB

There are now Trojans and viruses that attack the PC
using JavaScript.

One can't really shut down JavaScript in the browser like they can
with the Java plugin to prevent applets from running.

I think the whole internet is doomed. nowhere to run and hide
any more.

pretty much anything which has open sockets or reads from shared
data-files is a potential security risk.

is the code reading data from the socket sufficiently hardened?
how about the code parsing one's document?
....

it isn't always an easy problem...


given programming languages can do a bit more, they present a much
bigger surface area to try to attack, making securing the language a
good deal harder.

but, with languages, it is a hard tradeoff between trying to give the
person using the language a lot of freedom while at the same time trying
to find ways to prevent the language from being used in unintended ways
by an attacker, which is also a bit of a problem.
 

Arne Vajhøj

If we dumped something on finding the first security hole Windows would
not have sold even one copy. JavaScript has no security at all. It
does not even try.

Maybe you should learn a bit about JavaScript before writing about it.

The JavaScript engine in a browser operates in a sandbox and has a
same origin policy. Which is not that far from the Java applet model.

Arne
 

Arne Vajhøj

A lot of sites don't work without JavaScript enabled. But many work well
enough. It's a matter of playing the odds. The more sites you go to with
JavaScript disabled by default, the less likely it is that you'll get
some sort of malware from them.

Sure I often have to enable JS, but only after I've seen the site first.
If it looks dodgy, I just leave. And often I can still click on a few
links or read an article without JS. It's rare I'll enable JS if I just
need one thing from a site.

That does not sound like 2012 to me.

Arne
 

Arne Vajhøj

The article specifically mentions Apple, who didn't patch their own
special version of Java for several months, until they got bit hard by a
trojan or something.

Ah - the use of "Few successful Java-related attacks" made me think
that it was general, not specific to the MacOS X incident.

Auto update of course requires that there is a fix.

Yes, Oracle's new version for the Mac does enable auto-updates. But
there's enough old Java out there that I guess many don't have it.

And that auto update exists for the platform & version in question.

Arne
 

Arne Vajhøj

Well, Grimes mentioned everything: Java apps as well as applets, users
insisting on using old Java versions because they believe their apps
need it [1], people not knowing what version they are running, unpatched
Java etc. Which is why I seized the opportunity to bitch about insecure
coding...which is ultimately the root of the problem anyway.

But you're right, it's mostly defects in Java runtimes that Grimes is
talking about.

One point about the secure coding guidelines - let's not characterize
that as "web app" coding. All those guidelines are about secure coding
for Java, period. If I were a Java EE web app developer I'd read the Sun
now Oracle secure coding guidelines for Java first, then something like
OWASP.

Good point.

The advice is applicable to all types of apps.

Systems connected to the internet are just a bit more, let us
say, expected to be attacked.

Arne
 

BGB

I do the same thing: as much as possible I use various combos of Adblock
Plus/Opera Adblock, Do Not Track Plus, Ghostery, Priv3, NotScripts etc
in all of my browsers on all OSes. Not to mention cranking up the
browsers' own mechanisms as much as possible. I also find that most
sites work when imposed with severe restrictions - the ones that don't I
just dismiss, unless they are among a handful that I need and I
temporarily enable the minimum just like you.

I had used AdBlock and similar, but ironically, it was not for the sake of
either security or dislike of banner ads, but rather, to reduce the
often severe browser lag caused occasionally by typically Flash-based
banner ads.
 

Stefan Ram

Arne Vajhøj said:
Maybe you should learn a bit about JavaScript before writing about it.

It is just true that whenever there is a security hole in a
browser with no fix yet, I read »in the meantime, one can
disable JavaScript as a workaround«.

Some years ago, I started to collect such reports as a
proof. But then I ceased to collect more such reports,
because I needed my time for other things. Thus, when my
records are dated now, this does not mean that there are no
more such reports today; I just do not collect them anymore.
If I had continued, the list would be very much longer.
Having said this, here is a copy of a dated post of mine
with regard to JavaScript security from about 2006. At its
end, there is a long list of said reports.

~~~~~ a copy of my 2006 post follows

JavaScript might be used to validate input immediately or to
add support, but well-educated web authors do this in such a
manner that the main functionality can still be used without
JavaScript: »Google«, for example, can be used without
JavaScript, while JavaScript adds some features.

»Content developers must ensure that pages are accessible
with scripts turned off or in browsers that don't support
scripts.«

http://www.w3.org/TR/WCAG10-HTML-TECHS/

A web based computer magazine I read usually reports about 2 - 4
browser exploits and security holes a month and about 80 %
of the time the advice is »until the manufacturer has a patch
finished, the problem can be avoided by disabling JavaScript«. [1]

In an October 2004 study, 80 % of home computers were found to
be infected with spyware or adware, even though 85 % had
antivirus software installed.

http://web.archive.org/web/20050331213714/http://www.staysafeonline.info/news/safety_study_v04.pdf

»according to an alert issued Thursday by the U.S.
Computer Emergency Readiness Team (US-CERT), a division of
the Department of Homeland Security (...) A CERT alert
said Explorer users also can protect themselves by turning
off the JavaScript function in their browsers. «

http://www.washingtonpost.com/wp-dyn/articles/A6746-2004Jun25.html

»If JavaScript is enabled in these applications, then the
system is vulnerable to exploitation.«

http://www.uscert.gov/current/current_activity.html#iis5

Even Microsoft recommends to disable JavaScript:

»Under Security level for this zone, move the slider to High.«

http://www.microsoft.com/athome/security/online/browsing_safety.mspx

And Microsoft recommends not to click on links (Yes!) but to
type in URIs because of security risks by »javascript:«-links.

»Do not click any hyperlinks that you do not trust.
Type them in the Address bar yourself.«

http://support.microsoft.com/?id=833786

[1]
A selection of reports of security holes usually cured by
disabling JavaScript and related reports (Sorry: in German
language!)

http://www.heise.de/newsticker/meldung/48769
http://www.heise.de/newsticker/meldung/48725
http://www.heise.de/newsticker/meldung/63430
http://www.heise.de/newsticker/meldung/48589
http://www.heise.de/newsticker/meldung/48016
http://www.heise.de/newsticker/meldung/48016
http://www.heise.de/newsticker/meldung/47993
http://www.heise.de/newsticker/meldung/60340
http://www.heise.de/newsticker/meldung/47998
http://www.heise.de/newsticker/meldung/47494
http://www.heise.de/newsticker/meldung/47282
http://www.heise.de/newsticker/meldung/46923
http://www.heise.de/newsticker/meldung/61499
http://www.heise.de/newsticker/meldung/60240
http://www.heise.de/newsticker/meldung/69558
http://www.heise.de/newsticker/meldung/66952
http://www.heise.de/newsticker/meldung/66943
http://www.heise.de/newsticker/meldung/66511
http://www.heise.de/newsticker/meldung/67698
http://www.heise.de/newsticker/meldung/67132
http://www.heise.de/newsticker/meldung/69894
http://www.heise.de/newsticker/meldung/68579
http://www.heise.de/newsticker/meldung/69225
http://www.heise.de/newsticker/meldung/66846
http://www.heise.de/newsticker/meldung/68391
http://www.heise.de/newsticker/meldung/69015
http://www.heise.de/newsticker/meldung/66480
http://www.heise.de/newsticker/meldung/66928
http://www.heise.de/newsticker/meldung/66350
http://www.heise.de/newsticker/meldung/64771
http://www.heise.de/newsticker/meldung/58788
http://www.heise.de/newsticker/meldung/61350
http://www.heise.de/newsticker/meldung/59374
http://www.heise.de/newsticker/meldung/60644
http://www.heise.de/newsticker/meldung/60855
http://www.heise.de/newsticker/meldung/64426
http://www.heise.de/newsticker/meldung/60615
http://www.heise.de/newsticker/meldung/68394
http://www.heise.de/newsticker/meldung/58228
http://www.heise.de/newsticker/meldung/61700
http://www.heise.de/newsticker/meldung/61646
http://www.heise.de/newsticker/meldung/61828
http://www.heise.de/newsticker/meldung/57578
http://www.heise.de/newsticker/meldung/56354
http://www.heise.de/newsticker/meldung/54973
http://www.heise.de/newsticker/meldung/59330
http://www.heise.de/newsticker/meldung/56795
http://www.heise.de/newsticker/meldung/56323
http://www.heise.de/newsticker/meldung/53382
http://www.heise.de/newsticker/meldung/59449
http://www.heise.de/newsticker/meldung/54272
http://www.heise.de/newsticker/meldung/56646
http://www.heise.de/newsticker/meldung/53186
http://www.heise.de/newsticker/meldung/53042
http://www.heise.de/newsticker/meldung/54063
http://www.heise.de/newsticker/meldung/52995
http://www.heise.de/newsticker/meldung/52935
http://www.heise.de/newsticker/meldung/55138
http://www.heise.de/newsticker/meldung/54716
http://www.heise.de/newsticker/meldung/52844
http://www.heise.de/newsticker/meldung/54431
http://www.heise.de/newsticker/meldung/54734
http://www.heise.de/newsticker/meldung/54487
http://www.heise.de/newsticker/meldung/54605
http://www.heise.de/newsticker/meldung/55396
http://www.heise.de/newsticker/meldung/53582
http://www.heise.de/newsticker/meldung/52776
http://www.heise.de/newsticker/meldung/52752
http://www.heise.de/newsticker/meldung/61245
http://www.heise.de/newsticker/meldung/52365
http://www.heise.de/newsticker/meldung/52377
http://www.heise.de/newsticker/meldung/54636
http://www.heise.de/newsticker/meldung/54719
http://www.heise.de/newsticker/meldung/54714
http://www.heise.de/newsticker/meldung/54697
http://www.heise.de/newsticker/meldung/52377
http://www.heise.de/newsticker/meldung/54582
http://www.heise.de/newsticker/meldung/52390
http://www.heise.de/newsticker/meldung/52255
http://www.heise.de/newsticker/meldung/54352
http://www.heise.de/newsticker/meldung/51995
http://www.heise.de/newsticker/meldung/51751
http://www.heise.de/newsticker/meldung/53644
http://www.heise.de/newsticker/meldung/60908
http://www.heise.de/newsticker/meldung/51511
http://www.heise.de/newsticker/meldung/50968
http://www.heise.de/newsticker/meldung/50363
http://www.heise.de/newsticker/meldung/50128
http://www.heise.de/newsticker/meldung/50111
http://www.heise.de/newsticker/meldung/50179
http://www.heise.de/newsticker/meldung/53489
http://www.heise.de/newsticker/meldung/52018
http://www.heise.de/newsticker/meldung/54188
http://www.heise.de/newsticker/meldung/49517
http://www.heise.de/newsticker/meldung/53499
http://www.heise.de/newsticker/meldung/49219
http://www.heise.de/newsticker/meldung/49219
http://www.heise.de/newsticker/meldung/49240
http://www.heise.de/newsticker/meldung/49240
http://www.heise.de/newsticker/meldung/49240
http://www.heise.de/newsticker/meldung/48877
http://www.heise.de/newsticker/meldung/48793
http://www.heise.de/newsticker/meldung/48892
http://www.heise.de/newsticker/meldung/53964
http://www.heise.de/newsticker/meldung/53519
http://www.heise.de/newsticker/meldung/53544
 

Bent C Dalager

That does not sound like 2012 to me.

I think it's generally well accepted that using protection may detract
from the experience somewhat, but this does not automatically make it
a bad idea to do so. :)

Personally, if someone expects me to spend my time on their website
they better provide a compelling reason for me to want to do so, and
gratuitous dependence on JS just puts me off. In general I consider it
a good early indicator of a terrible web designer: "You need JS to
click this link", right so this guy taught himself web design in his
own dreams.

Bent D.
 

Gene Wirchenko

I decide on site use by something other than fashion.

There are many Websites that are not decked out in a fashionable
manner but that are very useful. I prefer them.

I think it's generally well accepted that using protection may detract
from the experience somewhat, but this does not automatically make it
a bad idea to do so. :)

Personally, if someone expects me to spend my time on their website
they better provide a compelling reason for me to want to do so, and
gratuitous dependence on JS just puts me off. In general I consider it
a good early indicator of a terrible web designer: "You need JS to
click this link", right so this guy taught himself web design in his
own dreams.

Exactly. Except that the JS-to-click design might also be due to
a gratuitous complexity bug (in the coder).

Sincerely,

Gene Wirchenko
 

javax.swing.JSnarker

Exactly. Except that the JS-to-click design might also be due to
a gratuitous complexity bug (in the coder).

I'm convinced that in most cases it's deliberate: punish users who
disable JS and force them to turn it on so they can be harassed with
annoying animated JS-reliant ads and crap.

Of course, Adblock Plus + enable JS and the user still gets the last laugh.
 

Sleepy the Dwarf

I'm convinced that in most cases it's deliberate: punish users who
disable JS and force them to turn it on so they can be harassed with
annoying animated JS-reliant ads and crap.

And so they can be tracked!
 

Arne Vajhøj

It is just true that whenever there is a security hole in a
browser with no fix yet, I read »in the meantime, one can
disable JavaScript as a workaround«.

Some years ago, I started to collect such reports as a
proof. But then I ceased to collect more such reports,
because I needed my time for other things. Thus, when my
records are dated now, this does not mean that there are no
more such reports today; I just do not collect them anymore.
If I had continued, the list would be very much longer.
Having said this, here is a copy of a dated post of mine
with regard to JavaScript security from about 2006. At its
end, there is a long list of said reports.

[actual list omitted]

It is a long list.

But you can also find a long list for Java applets and Flash Player.

Even "not really executing code" plugins like AcrobatReader have
had security holes.

Arne
 

Arne Vajhøj

I think it's generally well accepted that using protection may detract
from the experience somewhat, but this does not automatically make it
a bad idea to do so. :)

Correct.

Personally, if someone expects me to spend my time on their website
they better provide a compelling reason for me to want to do so, and
gratuitous dependence on JS just puts me off. In general I consider it
a good early indicator of a terrible web designer: "You need JS to
click this link", right so this guy taught himself web design in his
own dreams.

????

Considering AJAX-heavy web sites to be terribly designed
is not exactly the trend seen on the web.

Arne
 

Arne Vajhøj

I decide on site use by something other than fashion.

There are many Websites that are not decked out in a fashionable
manner but that are very useful. I prefer them.

That is your privilege.

Just be prepared that the share of web sites working without
JS will drop every year.

Arne
 

Gene Wirchenko

That is your privilege.

Just be prepared that the share of web sites working without
JS will drop every year.

I have not noticed that, but it really does not matter. If the
Websites that I find useful tend not to use JavaScript, then I do not
have to enable JavaScript very often. It does not matter to me if the
proportion of useful sites to non-useful sites is low. What matters
is the number of useful sites, and yes, I do find enough of them.

I have found that a Website requiring JavaScript for simple
functionality is a fairly good indication that the Website will not be
useful to me.

Sincerely,

Gene Wirchenko
 
On 5/8/2012 4:59 PM, markspace wrote:

Java should automatically update these days.

Arne

Silent update like Chrome may not be suitable for Java. Application server dependencies are there.

Evaluating and opting for update is a better choice (as in practice now)

Joseph
 
