Velocity Reviews - Computer Hardware Reviews
Article: Why you can't dump Java (even though you want to)

Gene Wirchenko
05-09-2012
On Tue, 08 May 2012 20:52:39 -0700, markspace <-@.> wrote:

>On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>> That worked fine 10 years ago.
>>
>> In these AJAX times the number of sites working without
>> JavaScript must be dropping pretty steep.


>A lot of sites don't work without JavaScript enabled. But many work
>well enough. It's a matter of playing the odds. The more sites you go
>to with JavaScript disabled by default, the less likely it is that
>you'll get some sort of malware from them.
>
>Sure I often have to enable JS, but only after I've seen the site first.
> If it looks dodgy, I just leave. And often I can still click on a few
>links or read an article without JS. It's rare I'll enable JS if I just
>need one thing from a site.


This is my experience, too. There are a lot of sites. Few
really need the JavaScript.

Sincerely,

Gene Wirchenko

Arved Sandstrom
05-09-2012
On 12-05-08 10:13 PM, Arne Vajhøj wrote:
> On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
>> On 12-05-08 12:51 PM, Gene Wirchenko wrote:
>>> This was in the morning's trade articles:
>>>
>>> http://www.infoworld.com/d/security/...ou-want-192622
>>>
>>> InfoWorld Home / Security / Security Adviser
>>> May 08, 2012
>>> Why you can't dump Java (even though you want to)
>>> So many recent exploits have used Java as their attack vector, you
>>> might conclude Java should be shown the exit
>>> By Roger A. Grimes | InfoWorld
>>>

>
>> I tend to agree with what Grimes wrote on the second page of his
>> article. As he pointed out, popular software always gets exploited. Part
>> of it is due to defects in the software, so in Java in this case, but a
>> major part of it for a programming language and platform (JVM) is how
>> people code in it. How many Java programmers have genuinely absorbed the
>> lessons in "Secure Coding Guidelines for the Java Programming Language",
>> or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
>> percent? No way is it any higher than that.

>
> I think we need to distinguish between:
> A) malicious applet code that gets unauthorized access to desktop
> PC's when their users just browse the internet
> B) hackers that break into a Java web app using various
> security holes
>
> A is what I assume the article is about. And the security
> problems are caused by bugs in the JVM and Java runtime.
>
> B is caused by bugs introduced by the Java web app
> developers. And this seems to be what that coding
> standard tries to address.
>
> Arne
>

Well, Grimes mentioned everything: Java apps as well as applets, users
insisting on using old Java versions because they believe their apps
need it [1], people not knowing what version they are running, unpatched
Java etc. Which is why I seized the opportunity to bitch about insecure
coding...which is ultimately the root of the problem anyway.

But you're right, it's mostly defects in Java runtimes that Grimes is
talking about.

One point about the secure coding guidelines - let's not characterize
that as "web app" coding. All those guidelines are about secure coding
for Java, period. If I were a Java EE web app developer I'd read the Sun
now Oracle secure coding guidelines for Java first, then something like
OWASP.

AHS

1. And we've had that conversation a number of times in various threads.

--
Never interrupt your enemy when he is making a mistake.
--Napoleon

Roedy Green
05-09-2012
On Tue, 08 May 2012 08:51:55 -0700, Gene Wirchenko <(E-Mail Removed)>
wrote, quoted or indirectly quoted someone who said :

>
>http://www.infoworld.com/d/security/...ou-want-192622
>InfoWorld Home / Security / Security Adviser
>May 08, 2012
>Why you can't dump Java (even though you want to)
>So many recent exploits have used Java as their attack vector, you
>might conclude Java should be shown the exit
>By Roger A. Grimes | InfoWorld
>
> Comments?


If you dumped something on finding the first security hole, Windows would
not have sold even one copy. JavaScript has no security at all. It
does not even try.

I have not personally ever found or been harmed by a hole in the
Applet sandbox or the run time or the Jet run time. I see comments
about obscure bugs getting fixed.

If a hole is causing trouble in the real world and the vendor does not
fix it, then you may have to look elsewhere. That does not describe
Java.
--
Roedy Green Canadian Mind Products
http://mindprod.com
Programmers love to create simplified replacements for HTML.
They forget that the simplest language is the one you
already know. They also forget that their simple little
markup language will bit by bit become even more convoluted
and complicated than HTML because of the unplanned way it grows.

Joshua Cranmer
05-10-2012
On 5/9/2012 4:42 PM, Roedy Green wrote:
> If you dumped something on finding the first security hole, Windows would
> not have sold even one copy. JavaScript has no security at all. It
> does not even try.


The JavaScript language has no affordance for security by itself,
exactly like Java. The implementations of JS (in particular, what would
amount to standard libraries for JS) as found on most web browsers pay
as much attention to security as Java's applet sandboxing model does.
This includes going to such outlandish extremes as giving you the wrong
data for the color of some text on your page in certain circumstances.

--
Beware of bugs in the above code; I have only proved it correct, not
tried it. -- Donald E. Knuth

BGB
05-10-2012
On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>
>>
>> The main problem is the human being, whether coder or user.
>>
>> AHS

>
> There are now Trojans and viruses that attack the PC
> using JavaScript.
>
> One can't really shut down JavaScript in the browser like they can
> with the Java plugin to prevent applets from running.
>
> I think the whole internet is doomed. no where to run and hide
> any more.
>


pretty much anything which has open sockets or reads from shared
data-files is a potential security risk.

is the code reading data from the socket sufficiently hardened?
how about the code parsing one's document?
...

it isn't always an easy problem...


given programming languages can do a bit more, they present a much
bigger surface area to try to attack, making securing the language a
good deal harder.

but, with languages, it is a hard tradeoff between trying to give the
person using the language a lot of freedom while at the same time trying
to find ways to prevent the language from being used in unintended ways
by an attacker, which is also a bit of a problem.


Arne Vajhøj
05-11-2012
On 5/9/2012 5:42 PM, Roedy Green wrote:
> On Tue, 08 May 2012 08:51:55 -0700, Gene Wirchenko<(E-Mail Removed)>
> wrote, quoted or indirectly quoted someone who said :
>> http://www.infoworld.com/d/security/...ou-want-192622
>> InfoWorld Home / Security / Security Adviser
>> May 08, 2012
>> Why you can't dump Java (even though you want to)
>> So many recent exploits have used Java as their attack vector, you
>> might conclude Java should be shown the exit
>> By Roger A. Grimes | InfoWorld
>>
>> Comments?

>
> If you dumped something on finding the first security hole, Windows would
> not have sold even one copy. JavaScript has no security at all. It
> does not even try.


Maybe you should learn a bit about JavaScript before writing about it.

The JavaScript engine in a browser operates in a sandbox and has a
same-origin policy, which is not that far from the Java applet model.

Arne

Arne Vajhøj
05-11-2012
On 5/8/2012 11:52 PM, markspace wrote:
> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>> That worked fine 10 years ago.
>>
>> In these AJAX times the number of sites working without
>> JavaScript must be dropping pretty steep.

>
> A lot of sites don't work without JavaScript enabled. But many work well
> enough. It's a matter of playing the odds. The more sites you go to with
> JavaScript disabled by default, the less likely it is that you'll get
> some sort of malware from them.
>
> Sure I often have to enable JS, but only after I've seen the site first.
> If it looks dodgy, I just leave. And often I can still click on a few
> links or read an article without JS. It's rare I'll enable JS if I just
> need one thing from a site.


That does not sound like 2012 to me.

Arne

Arne Vajhøj
05-11-2012
On 5/8/2012 11:54 PM, markspace wrote:
> On 5/8/2012 6:04 PM, Arne Vajhøj wrote:
>>
>> Java should automatically update these days.

>
> The article specifically mentions Apple, who didn't patch their own
> special version of Java for several months, until they got bit hard by a
> trojan or something.


Ah - the use of "Few successful Java-related attacks" made me think
that it was general, not specific to the Mac OS X incident.

Auto update of course requires that there is a fix.

> Yes, Oracle's new version for the Mac does enable auto-updates. But
> there's enough old Java out there that I guess many don't have it.


And that auto update exists for the platform & version in question.

Arne

Arne Vajhøj
05-11-2012
On 5/9/2012 3:50 PM, Arved Sandstrom wrote:
> On 12-05-08 10:13 PM, Arne Vajhøj wrote:
>> On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
>>> On 12-05-08 12:51 PM, Gene Wirchenko wrote:
>>>> This was in the morning's trade articles:
>>>>
>>>> http://www.infoworld.com/d/security/...ou-want-192622
>>>>
>>>> InfoWorld Home / Security / Security Adviser
>>>> May 08, 2012
>>>> Why you can't dump Java (even though you want to)
>>>> So many recent exploits have used Java as their attack vector, you
>>>> might conclude Java should be shown the exit
>>>> By Roger A. Grimes | InfoWorld
>>>>

>>
>>> I tend to agree with what Grimes wrote on the second page of his
>>> article. As he pointed out, popular software always gets exploited. Part
>>> of it is due to defects in the software, so in Java in this case, but a
>>> major part of it for a programming language and platform (JVM) is how
>>> people code in it. How many Java programmers have genuinely absorbed the
>>> lessons in "Secure Coding Guidelines for the Java Programming Language",
>>> or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
>>> percent? No way is it any higher than that.

>>
>> I think we need to distinguish between:
>> A) malicious applet code that gets unauthorized access to desktop
>> PC's when their users just browse the internet
>> B) hackers that break into a Java web app using various
>> security holes
>>
>> A is what I assume the article is about. And the security
>> problems are caused by bugs in the JVM and Java runtime.
>>
>> B is caused by bugs introduced by the Java web app
>> developers. And this seems to be what that coding
>> standard tries to address.


> Well, Grimes mentioned everything: Java apps as well as applets, users
> insisting on using old Java versions because they believe their apps
> need it [1], people not knowing what version they are running, unpatched
> Java etc. Which is why I seized the opportunity to bitch about insecure
> coding...which is ultimately the root of the problem anyway.
>
> But you're right, it's mostly defects in Java runtimes that Grimes is
> talking about.
>
> One point about the secure coding guidelines - let's not characterize
> that as "web app" coding. All those guidelines are about secure coding
> for Java, period. If I were a Java EE web app developer I'd read the Sun
> now Oracle secure coding guidelines for Java first, then something like
> OWASP.


Good point.

The advice is applicable to all types of apps.

Systems connected to the internet are just a bit more, let us
say, expected to be attacked.

Arne

BGB
05-11-2012
On 5/8/2012 3:12 PM, Arved Sandstrom wrote:
> On 12-05-08 05:51 PM, markspace wrote:
>> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>>
>>>>
>>>> The main problem is the human being, whether coder or user.
>>>>
>>>> AHS
>>>
>>> There are now Trojans and viruses that attack the PC
>>> using JavaScript.
>>>
>>> One can't really shut down JavaScript in the browser like they can
>>> with the Java plugin to prevent applets from running.

>>
>>
>> Yes you can. I run Firefox with NoScript, an add-on that blocks
>> JavaScript. Most sites work OK without JavaScript. If I really need
>> to, NoScript makes it easy for me to temporarily enable a single website.
>>
>> In some cases, the problem is the platform. I.e., JavaScript, or
>> ActiveX. But there's work-arounds too.
>>

>
> I do the same thing: as much as possible I use various combos of Adblock
> Plus/Opera Adblock, Do Not Track Plus, Ghostery, Priv3, NotScripts etc
> in all of my browsers on all OS's. Not to mention cranking up the
> browsers' own mechanisms as much as possible. I also find that most
> sites work when imposed with severe restrictions - the ones that don't I
> just dismiss, unless they are among a handful that I need and I
> temporarily enable the minimum just like you.
>


I had used AdBlock and similar, but ironically, it was not for sake of
either security or dislike of banner ads, but rather, to reduce the
often severe browser lag caused occasionally by typically Flash-based
banner ads.