Java taking heat...

Started by Darren Dirt, January 23, 2013, 08:37:06 AM

Darren Dirt

_____________________

Strive for progress. Not perfection.
_____________________

Mr. Analog

People are dumb, there has been Java hate since the very first plugins started lumbering their way into browsers. Then the confusion between Java and JavaScript... don't even get me started. It has a reputation way before any security crap.

HOWEVER that said, there are some serious security issues with the JVM that, while known, have only recently been exploited through browser plugins. This falls directly on the shoulders of Oracle who have not kept a tidy house.

I find the most amusing quotes from the articles so far, stuff like "they should just take a mulligan and rewrite Java"

Suuuuuuuuuuure, and while we're at it we'll pave the roads with rubber and put concrete tires on all cars.
By Grabthar's Hammer

Thorin

I wonder how this will affect Minecraft playing hours...
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

Quote from: Mr. Analog on January 23, 2013, 08:58:06 AM
HOWEVER that said, there are some serious security issues with the JVM that, while known, have only recently been exploited through browser plugins.

The bolded/underlined above is the key fact here -- countless idiots will disable Java, not just as a plugin in the web browser, but ENTIRELY on their PCs ... and then get angry at Windows or whatever when their non-web stuff suddenly doesn't work quite right. ...months later.
_____________________

Strive for progress. Not perfection.
_____________________

Mr. Analog

Quote from: Thorin on January 23, 2013, 09:02:20 AM
I wonder how this will affect Minecraft playing hours...

For gamers that use the browser client, if they have disabled the Java plug-in they will be outta luck.
By Grabthar's Hammer

Tom

Quote from: Darren Dirt on January 23, 2013, 09:17:18 AM
Quote from: Mr. Analog on January 23, 2013, 08:58:06 AM
HOWEVER that said, there are some serious security issues with the JVM that, while known, have only recently been exploited through browser plugins.

The bolded/underlined above is the key fact here -- countless idiots will disable Java, not just as a plugin in the web browser, but ENTIRELY on their PCs ... and then get angry at Windows or whatever when their non-web stuff suddenly doesn't work quite right. ...months later.

The vulnerabilities are in Java. Not just the plugin. So it's not entirely a bad idea to disable Java entirely. All it takes is using it along with another vulnerability to get full system access.
<Zapata Prime> I smell Stanley... And he smells good!!!

Mr. Analog

While true, the weak point where remote code can be executed has been demonstrated through a plugin on software you're already running (your browser).

If you've downloaded and run a malicious piece of software it wouldn't matter if it was in the JVM or not, it's already on your system running as you.
By Grabthar's Hammer

Tom

Quote from: Mr. Analog on January 23, 2013, 10:23:30 AM
While true, the weak point where remote code can be executed has been demonstrated through a plugin on software you're already running (your browser).

If you've downloaded and run a malicious piece of software it wouldn't matter if it was in the JVM or not, it's already on your system running as you.

Or like in some cases, they get in through JS or Flash vulnerabilities, then execute some Java to get even greater permissions.
<Zapata Prime> I smell Stanley... And he smells good!!!

Mr. Analog

Not sure about which js exploit you mean, there are a few out there that can grant remote execution to anything, Flash is still a plugin though.
By Grabthar's Hammer

Tom

Quote from: Mr. Analog on January 23, 2013, 10:48:45 AM
Not sure about which js exploit you mean, there are a few out there that can grant remote execution to anything, Flash is still a plugin though.

It really doesn't matter which exploit. So long as it lets you execute code, you can then get admin permissions via other exploits on the system, including via Java.
<Zapata Prime> I smell Stanley... And he smells good!!!

Mr. Analog

Which is the statement I made earlier about plugins.
By Grabthar's Hammer