Security and Java

Skybird · 03-01-11, 02:39 PM

I recently realised that my understanding of security aspects of Java and Javascript seems to be wrong. I so far tend to think that Javascript, usually to be found in the browser settings, is a security risk, and so is Java itself. Microsoft Virtual Machine and Jscript however have no real meaning for me.

But over the past days I read here and there that Javascript is especially safe, and that that is the reason why it is often to be found on banking sites.

Others say that Javascriupt is unsafe, but Java itself is safe. Or that Sun Java is better than Microsoft'S Java, or the other way around.

Can anyone clear this mess up for me, and provide me with a basic understanding of what is what and how secure it is to leave it activated and what is recommendable to be deactivated and avoided, please?

I maybe switch from Microsoft software to OpenOffice, if the sometimes reported compatability issues of Microsoft-based documents and OpenOffice is a non-issue in fact, but I also have earned that OpenOffice needs Java.

the_tyrant · 03-01-11, 03:23 PM

http://www.gnucitizen.org/blog/hacki...drive-by-java/
I'm pretty sure the Java drive by is the most common type of browser attack today

my own tests confirm it:http://sihanstechblog.blogspot.com/2...-tests-in.html
(Internet explorer that uses java got attacked, while the others that don't use java are safe)

Quote:

Over the years, I’ve been using this type of attack in a number of scenarios and I am not extremely happy to say this (although I had may fare share of fun) but it works so well that it almost feels surreal. The attach tar file contains a tool which I wrote long time ago to compile and sign Applets and JAR files in a few simple steps. I use it every time I can, just to prove that having Java enabled on workstation part of a large enterprise is kind of a bad idea.

Skybird · 03-01-11, 05:29 PM

So I had it right to think of Java and Javascript as something dangerous in general...!?

the_tyrant · 03-01-11, 05:55 PM

Quote:

Originally Posted by Skybird

So I had it right to think of Java and Javascript as something dangerous in general...!?

If your paranoid

but really, just leave java support on. The chances that you will be attacked through java is extremely low.

goldorak · 03-01-11, 07:23 PM

Quote:

Originally Posted by the_tyrant

If your paranoid

but really, just leave java support on. The chances that you will be attacked through java is extremely low.

Nope, the lesson people have to learn is that no software is safe.
Every one of them has vulnerabilities that can be exploited, and if that software connects to the internet you to keep your eyes open 2 times as much.
I had an old version of the JRE, and guess what ? I got infected almost 2 years ago because of a vulnerability in Java. Lesson learned. Don't go thinking for a moment that javascript is in any way more secure than Java. You just have to find the correct vulnerability and exploit it. Is pdf a secure format ? Nope, and there are thousands of ducements out there that exploit a vulnerability in Adobe's pdf viewer to attack the local system. Guess what Adobe updated its viewer. You think flash is secure ? And so on. The lesson to learn is 2 fold, one is to upgrade your software to the latest version (if you can't be bothered to do it manually because you tend to forget these things then enable auto-update) and second use a firewall and an antivirus software.

I mean even postscript documents !!! can be embeded with malicious code than can wipe your computer clean. And postscript is an interpreted language just as Java is.

Skybird · 03-02-11, 07:39 AM

Quote:

Originally Posted by the_tyrant

If your paranoid

I always thought - and Goldorak just confirmed that above - that in the world of computer networks and internet, paranoia simply is not possible.

the_tyrant · 03-02-11, 12:44 PM

you just gave me an idea, i should create the following text file and keep it on my desktop:

Dear Mr Hacker

The porn is in the AES encrypted file conveniently labeled (encrypted porn)
the password is "myporn"

Please don't delete anything, and feel free to add some

Thank you!

the best way to keep yourself safe in my opinion is to use multiple computers(never through out your old equipment). Use each one for a specific use. For example i have a porn computer

03-01-11, 02:39 PM	#1
Skybird Soaring Join Date: Sep 2001 Location: the mental asylum named Germany Posts: 42,612 Downloads: 10 Uploads: 0	Security and Java I recently realised that my understanding of security aspects of Java and Javascript seems to be wrong. I so far tend to think that Javascript, usually to be found in the browser settings, is a security risk, and so is Java itself. Microsoft Virtual Machine and Jscript however have no real meaning for me. But over the past days I read here and there that Javascript is especially safe, and that that is the reason why it is often to be found on banking sites. Others say that Javascriupt is unsafe, but Java itself is safe. Or that Sun Java is better than Microsoft'S Java, or the other way around. Can anyone clear this mess up for me, and provide me with a basic understanding of what is what and how secure it is to leave it activated and what is recommendable to be deactivated and avoided, please? I maybe switch from Microsoft software to OpenOffice, if the sometimes reported compatability issues of Microsoft-based documents and OpenOffice is a non-issue in fact, but I also have earned that OpenOffice needs Java. __________________ If you feel nuts, consult an expert.

03-01-11, 05:29 PM	#3
Skybird Soaring Join Date: Sep 2001 Location: the mental asylum named Germany Posts: 42,612 Downloads: 10 Uploads: 0	So I had it right to think of Java and Javascript as something dangerous in general...!? __________________ If you feel nuts, consult an expert.

03-02-11, 12:44 PM	#7
the_tyrant Admiral Join Date: Jun 2010 Location: Canada Posts: 2,272 Downloads: 58 Uploads: 0	you just gave me an idea, i should create the following text file and keep it on my desktop: Dear Mr Hacker The porn is in the AES encrypted file conveniently labeled (encrypted porn) the password is "myporn" Please don't delete anything, and feel free to add some Thank you! the best way to keep yourself safe in my opinion is to use multiple computers(never through out your old equipment). Use each one for a specific use. For example i have a porn computer __________________ My own open source project on Sourceforge OTP.net KGB grade encryption for the rest of us