question on recent Java virus affecting JRE/applets



Nasser M. Abbasi

I have been reading more lately about a virus from some
Java applets.

This article below suggests to disable Java plugins in the browser,
which I just did just in case:

http://news.techeye.net/security/virus-installs-in-your-memory

http://www.h-online.com/security/ne...being-exploited-on-a-large-scale-1485681.html

------------------------------
"However, not even those who use the most current version of Java can
feel entirely safe"
....
"To be on the safe side, users can completely uninstall Java
or at least disable the browser plug-in"
------------------------

My question: Does this virus problem also affect downloading
a java application as a jar file and running it on the PC
or do you think it only affects JRE and applets that run
in a browser?

Because sometimes I do download a java jar file, and wanted to
know if I should also stop that (until this Java virus thing
is all resolved).

--Nasser
 

Arne Vajhøj

Nasser M. Abbasi said:
I have been reading more lately about a virus from some
Java applets.

This article below suggests to disable Java plugins in the browser,
which I just did just in case:

http://news.techeye.net/security/virus-installs-in-your-memory

http://www.h-online.com/security/ne...being-exploited-on-a-large-scale-1485681.html


------------------------------
"However, not even those who use the most current version of Java can
feel entirely safe"
...
"To be on the safe side, users can completely uninstall Java
or at least disable the browser plug-in"
------------------------

The known problem is fixed in latest versions so upgrading closes
those security holes.

The rumor about another security hole with no fix is difficult to
comment on. It may be true or it may not be true. Most likely there
are one or more unknown vulnerabilities in Java. But there are most
likely also one or more unknown vulnerabilities in each of Flash,
IE, Firefox, Chrome, Windows, Linux and MacOS X.

Nasser M. Abbasi said:
My question: Does this virus problem also affect downloading
a java application as a jar file and running it on the PC
or do you think it only affects JRE and applets that run
in a browser?

The problem is an applet problem - it is a problem related
to the applet sandbox.

If you download a jar and run it then it has full access
(as defined by the account running it) by default - and that
is not even a bug.

Arne
 

Stefan Ram

Arne Vajhøj said:
The rumor about another security hole with no fix is difficult to

One can assume that for most wide-spread browsers, plug-ins
and operating systems, zero-day exploits are available for
money. Experience teaches that there always are more holes
already being exploited than known to the public. But this
does not only apply to Java.

According to "heise Verlag", a zero-day exploit for Chrome
or IE costs up to $ 200000, Firefox/Safari $ 150000, Windows
$ 120000, then Word, Flash, Java, Android and OS X, finally,
Flash $ 5000 - $ 30000. (http://heise.de/-1479675)

However, one might be able to restrict rights for the JVM
under Windows using integrity levels and Software
Restriction Policies, so that Java-software still can
perform its benign activities. This gives an additional
container of security around the internal Java-Sandbox.

Most ways of infections via web browser can be avoided if
one disables ... not Java, but JavaScript.

Arne Vajhøj said:
If you download a jar and run it then it has full access
(as defined by the account running it) by default - and that
is not even a bug.

In this case, one has to »trust« the source anyway. But it
can happen that a program from a trustable source might have
been tampered with by a third party.

However, a jar can be decompiled, inspected and finally
recompiled, which is not possible in the case of many other
executable file types. Insofar, Java is safer.
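
On the point above about a jar from a trusted source being tampered with: the following is an added example, not code from any poster in this thread. It checks each entry of a jar against the per-entry `SHA-256-Digest` recorded in `META-INF/MANIFEST.MF` and reports whether a signature block file is present; the function names and the sample jar are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: base64 SHA-256 digest} from per-entry manifest sections."""
    # Manifest lines are folded at 72 bytes; a leading space marks a continuation.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def check_jar(data):
    """Return (has_signature_block, mismatched_entries, unlisted_entries)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        digests = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
        signed = any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)
        mismatched, unlisted = [], []
        for n in names:
            if n.upper().startswith("META-INF/"):
                continue  # manifest and signature files are not listed themselves
            actual = base64.b64encode(hashlib.sha256(jar.read(n)).digest()).decode()
            if n not in digests:
                unlisted.append(n)      # entry added without a manifest record
            elif digests[n] != actual:
                mismatched.append(n)    # content differs from the recorded digest
    return signed, mismatched, unlisted

def build_sample_jar(payload, listed_payload=None):
    """Constructed sample input: a jar whose manifest records a digest for App.class."""
    d = base64.b64encode(hashlib.sha256(listed_payload or payload).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                "Name: App.class\r\nSHA-256-Digest: " + d + "\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("App.class", payload)
    return buf.getvalue()

if __name__ == "__main__":
    print(check_jar(build_sample_jar(b"original bytes")))
    print(check_jar(build_sample_jar(b"patched bytes", b"original bytes")))
```

A clean result here only shows that the entries agree with the manifest. For an unsigned jar, the manifest can be rewritten along with the entries, so the signature itself still has to be verified (for example with `jarsigner -verify`) or the whole file compared with a digest published by the source.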
 
