  • #2142
    Nath
    Member

    Happened to read about Java today and found this on the wiki page, thought I'd share it:

    On January 10, 2013, three computer specialists spoke out against Java, telling Reuters that it was not secure and that people should disable Java. Jaime Blasco, Labs Manager with AlienVault Labs stated that “Java is a mess. It’s not secure”, and added a cautious note that “You have to disable it.”[50] This vulnerability affects Java 7 and it is unclear if it affects Java 6, so it is suggested that consumers disable it.[51][52] Security alerts from Oracle announce schedules of critical security-related patches to Java.[53]

    On January 14, 2013, security experts said that the update still failed to protect PCs from attack.[54] This exploit hole prompted a response from the United States Department of Homeland Security encouraging users to disable or uninstall Java.[55] Apple blacklisted Java completely for any Mac OS X (Mac operating systems) computer to protect its systems.[56]

    Source: http://en.wikipedia.org/wiki/Java_(software_platform)#Security

    #2143
    Flavia
    Member

    Well, Java has always been a mess from its inception.

    The programming tools and the way they handle things like memory management, ended up making generations of lazy coders that code badly… Glutting the Java garbage collector, and in the end crashing the system it runs on.

    Nothing new here…
    I’ve been avoiding working on one specific product for years at work, just because it uses Java and CORBA ( for internal [interprocess] communications on a Unix system no less )…. And people are still wondering why the beast needs to be kicked alive several times a week… ( while another system that does the same thing, coded in C, and using Unix IPC is rebooted when the OS kernel is patched… )

    In case it wasn’t obvious : I hate Java in applications.

    #2168
    Nath
    Member

    What about browser-required Java? The Danish tax system login uses a Java thingie, and the only download I see available is to download it to my desktop, which I thought is part of the problem application?

    #2172
    Flavia
    Member

    Java, be it browser or not browser is Java…

    Basically Java is the programming language source code as well as the compiler that generates the executable code ( well the Java applet ) and the virtual machine ( Aka Java machine ).

    The Java machine can be client side and/or server side and is going to run the applet.
    The applet is compiled Java source code. [1]
    The applet can be either a pure Java application ( no browser embedding, launched via weird [long] command lines : /usr/bin/java -X256M -E -f /home/Flav/JavaProgram  -D512M ….  ) or what is called a Java Applet ( launcher based )
    It’s the same thing…. more or less…

    The Java application is executed on the system where the command line is executed; its display can be forwarded ( through various mechanisms, like XDMCP or Windows RDP for example ) to another system, but the execution is on the starting system.

    The Java applet is executed on the client ( browser ) side, but can forward information to open sockets present on the server side.

    [1] in a Java format, that is preprocessed, compiled and not linked, to make it platform independent; the end of the compilation process [linking and such] takes place at execution time, like for languages like BASIC, Perl, … [interpreted languages, where the source code is interpreted every time the code is run.]

    #2175
    Myror
    Member

    Or to put it a little more in perspective (without the I hate Java digression)

    Java is as dangerous as any other non-Java program you run on your computer. Browsers typically want to load all sorts of rubbish these days and execute them. I particularly loathe the ones that want to download and run ActiveX controls behind the scenes in a browser.

    ActiveX controls have even more freedom to mess with your computer than Java does. Java at least tries to limit what a download can do without your permission.

    Unfortunately due to bad design the Java guys dropped the ball on this one. Their recent security fix wasn’t really a fix. They just turned one of their security settings to be on by default. Anyone who has it off either intentionally or more likely, because they don’t know it has been turned off, is still vulnerable.

    Basically Java does not protect you from what you download and run on your computer. It is the same as any other program you download and run. If you trust where you got it from then well and good. Otherwise you’re taking a risk, whatever it is you downloaded.

    Also to be clear, as far as I know, the Java vulnerability is when you run something. It is not someone taking over your PC because you have Java installed. It is someone giving you a Java program that takes liberties with your computer when you run it. The recommendation to disable Java is so you don’t accidentally do it without noticing.

    I don’t understand though why they are picking on Java for this, as an ActiveX control can do the same thing easier. I suspect Flash can as well, as it too is a programming environment, but maybe no one has figured out how yet. It too has settings that control what one of its apps can do to your PC.

    #2179
    Nath
    Member

    Thank you for taking the time to explain and helping me understand! 🙂

    #2180
    Flavia
    Member

    Java, Active-X, Flash all have ways of messing your computer behind your back.

    They are based on the same kind of technology ( what I tried to describe… except that Flash and Active-X can only be run through a browser ) .

    Now I agree with Myror, the most dangerous of the 3 is Active-X, as its execution environment is deeply embedded into Internet Explorer and Windows, and a lot of the hookup points are kept in the dark by Microsoft…
