
Re: > Sandboxed power == More secure???

Path csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!eternal-september.org!feeder.eternal-september.org!mx05.eternal-september.org!.POSTED!not-for-mail
From Eric Sosman <esosman@comcast-dot-net.invalid>
Newsgroups comp.lang.java.programmer
Subject Re: > Sandboxed power == More secure???
Date Wed, 17 Apr 2013 21:12:22 -0400
Organization A noiseless patient Spider
Lines 57
Message-ID <kknh48$n7n$1@dont-email.me> (permalink)
References <kkknq8$3u2$1@speranza.aioe.org> <516e04f5$0$32117$14726298@news.sunsite.dk> <kkmhjk$lkp$1@dont-email.me> <kkmkq0$g1f$1@dont-email.me> <kkmq0l$q94$1@dont-email.me> <kkmu66$s6g$1@dont-email.me> <516f2caa$0$32104$14726298@news.sunsite.dk>
Mime-Version 1.0
Content-Type text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding 8bit
Injection-Date Thu, 18 Apr 2013 01:09:28 +0000 (UTC)
Injection-Info mx05.eternal-september.org; posting-host="0d73d8cc209bff1c6395088b400d0605"; logging-data="23799"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19oy0c/Ws9vLje0clfmwQnM"
User-Agent Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
In-Reply-To <516f2caa$0$32104$14726298@news.sunsite.dk>
Cancel-Lock sha1:/Z/Sm8I2ZSGJxeHxSph3Wa2zxhg=
Xref csiph.com comp.lang.java.programmer:23499



On 4/17/2013 7:13 PM, Arne Vajhøj wrote:
>[...]
> Another statistic is the one from the original link:
>
> "Java was the vehicle for 50 per cent of all cyber attacks last year in
> which hackers broke into computers by exploiting software bugs,
> according to Kaspersky. That was followed by Adobe Reader, which was
> involved in 28 per cent of all incidents. Microsoft Windows and Internet
> Explorer were involved in about 3 per cent of incidents, according to
> the survey."

     I suspect that a would-be penetrator would try a long list
of vulnerabilities on each system visited.  Java vulnerabilities
would be particularly attractive, because they'd probably affect
many systems: Windows, Macs, Androids, UnameIts.  Also, it seems
common (with all kinds of software) that a large percentage of
the vulnerable population lags "the latest and greatest" by more
than a few days ...

     All in all, then, I think that if I were trying to penetrate
a large number of systems I would put my Java attacks near the
top of my hit list.  They wouldn't be alone, just "preferred."

     Things might be different if I were aiming at a particular
system.  If I were Hell-bent on breaking into XYZBank, I'd spend
a lot of time studying what XYZBank uses and researching how I
might subvert it.  But since

                  THREE BILLION DEVICES RUN JAVA

(according to Oracle's installation splash), if I'm just trolling
for easy marks I'll look for Java.  It's a simple matter of balancing
success rate (high) and vulnerability rate (ditto).

     In a sense, it's the same thing that happened to Windows.  When
Windows was the only game in town, *everybody* ran it and *everybody*
who wasn't up-to-date with the patch from twenty minutes ago was
dead meat.  Microsoft (to much derision, including mine) undertook to
improve Windows' security, and -- to their credit -- they've managed
to raise it to the "Not absolutely pathetic" level.

     Java has not yet attained that lofty standard.

     Java exposed to the Net is, as Mr. Nader might say, "Unsafe at
any speed."  Maybe Oracle will apply the resources needed to
resuscitate it, but I sort of think they won't: It's now viewed
as a server-side technology (and it's just fine there, and that's
where Oracle's big investments lie), so its client-side deficiencies
will just sort of sit there and rot.

     And rot.  And rot.  And rot.  And rot.  And rot.

     Friends don't let friends run Java in their browsers.

-- 
Eric Sosman
esosman@comcast-dot-net.invalid


