


Re: > Sandboxed power == More secure???

From Eric Sosman <esosman@comcast-dot-net.invalid>
Newsgroups comp.lang.java.programmer
Subject Re: > Sandboxed power == More secure???
Date 2013-04-17 15:49 -0400
Organization A noiseless patient Spider
Message-ID <kkmu66$s6g$1@dont-email.me>
References <kkknq8$3u2$1@speranza.aioe.org> <516e04f5$0$32117$14726298@news.sunsite.dk> <kkmhjk$lkp$1@dont-email.me> <kkmkq0$g1f$1@dont-email.me> <kkmq0l$q94$1@dont-email.me>



On 4/17/2013 2:37 PM, markspace wrote:
> On 4/17/2013 10:09 AM, Eric Sosman wrote:
>
>>      Time to get my eyesight checked: When I read your post it
>> looked like a claim that Flash is secure!
>
> Well, you should get your eyesight checked.  Java is currently exploited
> far more often and far worse than Flash has been.  It's been all over
> the security related websites, and even some for the general public.  I
> see what you're saying, but Flash and Java don't really compare right
> now: things currently really bad for Java.  Example:
>
> <http://www.securityweek.com/unique-challenges-controlling-java-exploits>
>
> In short complaining that Flash really isn't secure is to complain about
> the mote in Flash's eye while ignoring the beam in Java's.

Searching the last three months' worth of the National Vulnerability
Database turns up 33 records for "Adobe Flash":

http://web.nvd.nist.gov/view/vuln/search-results?query=adobe+flash&search_type=last3months&cves=on

At a quick look I don't see how to search for "Java" without getting
"Javascript" at the same time, but searching for each in turn and
then subtracting gives 132-16=116 reports:

http://web.nvd.nist.gov/view/vuln/search-results?query=java&search_type=last3months&cves=on

http://web.nvd.nist.gov/view/vuln/search-results?query=javascript&search_type=last3months&cves=on

Admittedly, it's not as simple as "Java is 116/33=3.5 times worse
than Flash."  Some of the NVD notices cover multiple problems,
some cover only one.  Some "Java" problems are actually about
associated technologies like JBoss or non-Snoracle implementations
like IBM Java.  Different notices carry different CVSS severities,
and I haven't tried to categorize them.

So the "3.5 times worse" figure certainly doesn't have two significant
digits, perhaps not even one full digit.  Still, "mote vs. beam" seems
to imply more difference of scale than the NVD data will support.

Let's face it: They're both bad.

> You still have a point though.  I use No-Script and both JavaScript and
> Flash are blocked by default on my system.  I guess I was referring to
> the fact that the vendors don't block their own systems by default.
>
> I also like the UI for NoScript better than Java's security pop-up. It's
> better integrated into the browser and OS, and provides wider options
> than just "permanently allow this page."  Which I think is all that the
> Java plug-in has in terms of options.

De gustibus, but my preference for a Java-safety UI is the simplest
one imaginable: I disable Java in my browsers, and never have to
worry about any popups at all.  Only two web sites that I (used to)
frequent require Java, and I've found I can live without them.

>>      (Yesterday I applied security updates for both Java and
>> Flash, also AIR.  Any bets on which requires its next update
>> sooner?)
>
> I doubt frequency of updates correlates to security.  I'd guess that
> company culture and resources correlate more strongly.

Yes, Adobe seems much more responsive -- at least, the frequency of
updates greatly exceeds Java's.  However, I didn't ask for bets about
when the next update would be available, but about when it would be
required.  :-(

-- 
Eric Sosman
esosman@comcast-dot-net.invalid
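Added example, not part of Eric's post and not NVD's own tooling: the "search for java, search for javascript, subtract" estimate above is only an approximation, and this small Python script shows where it goes wrong and how the caveats Eric lists (JBoss/IBM entries, uncategorized CVSS severities) can be handled once the records are in hand. The records below are constructed with placeholder CVE ids and a simplified {cve, summary, cvss} shape; they are not real NVD entries and the shape is not the real NVD feed schema.

```python
import re
from collections import Counter

# Constructed sample records in a simplified shape (cve id, summary, CVSS base score).
# These are NOT real NVD entries; ids and scores are placeholders for illustration.
SAMPLE_RECORDS = [
    {"cve": "CVE-0000-0001", "summary": "Unspecified vulnerability in Oracle Java SE 7 allows remote attackers", "cvss": 10.0},
    {"cve": "CVE-0000-0002", "summary": "Cross-site scripting in the JavaScript handling of Example Browser", "cvss": 4.3},
    {"cve": "CVE-0000-0003", "summary": "Buffer overflow in Adobe Flash Player before 11.7", "cvss": 10.0},
    {"cve": "CVE-0000-0004", "summary": "JBoss Application Server (Java EE) deserialization issue", "cvss": 7.5},
    {"cve": "CVE-0000-0005", "summary": "IBM Java SDK 6 unspecified vulnerability", "cvss": 5.0},
    {"cve": "CVE-0000-0006", "summary": "Adobe Flash Player and AIR memory corruption", "cvss": 9.3},
    {"cve": "CVE-0000-0007", "summary": "Java Web Start sandbox bypass in Oracle Java SE", "cvss": 10.0},
    # A record that mentions BOTH Java and JavaScript: this is the case plain subtraction miscounts.
    {"cve": "CVE-0000-0008", "summary": "Java SE Rhino JavaScript engine sandbox bypass in Oracle Java SE 7", "cvss": 10.0},
]

# \b (word boundary) stops "java" from matching inside "javascript".
WORD_JAVA = re.compile(r"\bjava\b", re.IGNORECASE)
WORD_JAVASCRIPT = re.compile(r"\bjavascript\b", re.IGNORECASE)
WORD_FLASH = re.compile(r"\badobe flash\b", re.IGNORECASE)
# Hypothetical exclusion list for "not Oracle's JVM": JBoss and IBM entries.
NOT_ORACLE = re.compile(r"\b(jboss|ibm)\b", re.IGNORECASE)


def count_substring(records, needle):
    """Plain substring match, as a naive keyword search does: 'java' also hits 'javascript'."""
    needle = needle.lower()
    return sum(1 for r in records if needle in r["summary"].lower())


def count_word(records, pattern, exclude=None):
    """Whole-word match, optionally dropping records that match an exclusion pattern."""
    n = 0
    for r in records:
        if not pattern.search(r["summary"]):
            continue
        if exclude is not None and exclude.search(r["summary"]):
            continue
        n += 1
    return n


def severity_bucket(score):
    """CVSS v2 qualitative ranges as NVD labels them: Low 0-3.9, Medium 4-6.9, High 7-10."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def severity_histogram(records, pattern):
    """Count matching records per severity bucket instead of lumping them into one number."""
    return Counter(severity_bucket(r["cvss"]) for r in records if pattern.search(r["summary"]))


def compare(records):
    """Return the naive subtraction estimate next to the whole-word and vendor-filtered counts."""
    naive = count_substring(records, "java") - count_substring(records, "javascript")
    return {
        "java_naive_subtraction": naive,
        "java_whole_word": count_word(records, WORD_JAVA),
        "java_oracle_only": count_word(records, WORD_JAVA, exclude=NOT_ORACLE),
        "flash": count_word(records, WORD_FLASH),
        "java_by_severity": dict(severity_histogram(records, WORD_JAVA)),
        "flash_by_severity": dict(severity_histogram(records, WORD_FLASH)),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On this constructed data the subtraction gives 4 Java records while the whole-word count gives 5: record 0008 mentions both "Java" and "JavaScript", so subtracting the JavaScript hits removes it even though it is a Java SE issue. Excluding the JBoss and IBM entries drops the Java count to 3, and the severity histogram shows that a bare count hides the Medium/High split that would matter in a real comparison.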



Thread

> Sandboxed power == More secure??? Richard Maher <maher_rjSPAMLESS@hotmail.com> - 2013-04-17 07:45 +0800
  Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-16 22:12 -0400
    Re: > Sandboxed power == More secure??? Lew <lewbloch@gmail.com> - 2013-04-16 19:25 -0700
      Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-16 22:30 -0400
    Re: > Sandboxed power == More secure??? markspace <markspace@nospam.nospam> - 2013-04-17 09:14 -0700
      Re: > Sandboxed power == More secure??? Eric Sosman <esosman@comcast-dot-net.invalid> - 2013-04-17 13:09 -0400
        Re: > Sandboxed power == More secure??? markspace <markspace@nospam.nospam> - 2013-04-17 11:37 -0700
          Re: > Sandboxed power == More secure??? Eric Sosman <esosman@comcast-dot-net.invalid> - 2013-04-17 15:49 -0400
            Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-17 19:10 -0400
            Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-17 19:13 -0400
              Re: > Sandboxed power == More secure??? Eric Sosman <esosman@comcast-dot-net.invalid> - 2013-04-17 21:12 -0400
                Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-17 21:34 -0400
                Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-17 21:39 -0400
      Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-17 19:06 -0400
        Re: > Sandboxed power == More secure??? Joerg Meier <joergmmeier@arcor.de> - 2013-04-18 03:04 +0200
  Re: > Sandboxed power == More secure??? Roedy Green <see_website@mindprod.com.invalid> - 2013-04-17 10:37 -0700
    Re: > Sandboxed power == More secure??? paul.cager@gmail.com - 2013-04-17 10:54 -0700
    Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-17 19:02 -0400
      Re: > Sandboxed power == More secure??? Richard Maher <maher_rjSPAMLESS@hotmail.com> - 2013-04-25 10:09 +0800
        Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-24 22:30 -0400
        Re: > Sandboxed power == More secure??? markspace <markspace@nospam.nospam> - 2013-04-25 08:54 -0700
          Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-26 22:11 -0400
            Re: > Sandboxed power == More secure??? markspace <markspace@nospam.nospam> - 2013-04-26 20:05 -0700
              Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-27 22:23 -0400
              Re: > Sandboxed power == More secure??? "Chris Uppal" <chris.uppal@metagnostic.REMOVE-THIS.org> - 2013-04-28 12:09 +0100
                Re: > Sandboxed power == More secure??? Arne Vajhøj <arne@vajhoej.dk> - 2013-04-28 09:43 -0400
