Author Topic: Java: Potential security risk?  (Read 1747 times)


Devilmarkus
Java: Potential security risk?
« on: 15:39, 26 July 15 »
Please: Never tell me again, Java is a security risk!!!
 Top 10 of most riskful applications: (Numbers: Critical risks, total risks)

1: Internet Explorer: 179/217
2: Flash Player: 149/178
3: Mac OS X: 125/234
4: Windows: 112/146
5: Chrome: 88/152
6: Firefox: 56/127
7: Adobe Reader: 54/62
8: Thunderbird: 34/61
9: Java: 29/69
10: Office: 24/26

Source: Chip.de
The most dangerous tools in the world - Pictures - CHIP
« Last Edit: 15:41, 26 July 15 by Devilmarkus »
When you put your ear on a hot stove, you can smell how stupid you are ...

Amstrad CPC games in your webbrowser

JavaCPC Desktop Full Release

arnoldemu
« Reply #1 on: 15:41, 26 July 15 »
LOL!
My games. My Games
My website with coding examples: Unofficial Amstrad WWW Resource

Morn
« Reply #2 on: 16:03, 26 July 15 »
That's still 69 vulnerabilities too many. The main use cases of Java in the browser are online banking and government sites, so vulnerabilities in Java are more serious than e.g. Flash. Flash doesn't know my bank account information for starters.

andycadley
« Reply #3 on: 16:31, 26 July 15 »
The trouble with any set of figures like this is how they try to compare apples with oranges. Nobody counts vulnerabilities in the same way; software makers bundle some together, others get double counted because they're in different versions of a product, etc.

Not that it matters much: Oracle have given up on Java Applets and all the major browser vendors are moving away from support of binary plugins like Java. It's a dead platform already.

Devilmarkus
« Reply #4 on: 17:55, 26 July 15 »
> That's still 69 vulnerabilities too many. The main use cases of Java in the browser are online banking and government sites, so vulnerabilities in Java are more serious than e.g. Flash. Flash doesn't know my bank account information for starters.

True, but does it help, when you know this, when 100% of ALL banking, other things, etc., are running over your OS, which has many more security holes?
At least in my browsers (doesn't matter which browser I use) I have to allow Java manually, whilst Flash and other apps, JavaScript, HTML5 (which IMHO is not less risk free) are running WITHOUT any feedback to the user!

Morn
« Reply #5 on: 18:28, 26 July 15 »
> True, but does it help, when you know this, when 100% of ALL banking, other things, etc., are running over your OS, which has many more security holes?
> At least in my browsers (doesn't matter which browser I use) I have to allow Java manually, whilst Flash and other apps, JavaScript, HTML5 (which IMHO is not less risk free) are running WITHOUT any feedback to the user!

True, but a Flash exploit has to scan your whole hard disk to find e.g. your credit card or bank account information (provided it is stored in a file at all). Or log your keystrokes hoping to find something usable. Java OTOH just gets all this sensitive information handed to it by users on a daily basis and people expect this process to be 100% secure.

Of course computers can be compromised on deeper levels (BIOS, HD controller, OS, malicious USB peripheral), but that's a whole different topic.  :)

mr_lou
« Reply #6 on: 18:48, 26 July 15 »
The truth will never matter anyway.
Who wins the war is the one who has the most success spreading false rumours about their competitors - and then creates competing software that does the same. (Or steals it if someone else made it already).

"Flash is shit - Hey look! Silverlight!"
"Java is shit - Hey look! .NET!"
And let's not forget:
"Mp3 files are dangerous! Hey look! WMA!"

Morn
« Reply #7 on: 19:14, 26 July 15 »
It's simply hard to create something both highly secure and sandboxed, but also highly performant. And of course the creators of Flash, Silverlight etc. have all kinds of incentives to create software with snooping functions. In the "best" case, this is used by marketing firms to track users and create personal profiles; in the worst case, government agencies use this to spy on citizens.

As the NSA/Hacking Team leaks showed, Microsoft, Apple, Facebook, and all the big tech companies have very cozy relations with the NSA, so it's no wonder some zero-day exploits used by the spooks never get fixed by Microsoft. Microsoft and Co. create shoddy software with lots of security holes and then look the other way and claim ignorance of how these defects are exploited for spying on people. A very convenient system for everyone involved.

PhilZeVibe
« Reply #8 on: 21:07, 26 July 15 »
Java, Flash and Silverlight are proprietary plugins.
As the web platform has matured (with ES6, WebAssembly, CSS3, TypeScript, ...), these plugins don't bring anything useful anymore to the web.

That's why browser makers decided that those technologies have no future.
At some point, I'm sure all those plugins will be disabled by default in browsers.
Atwood's law (2007): "Any application that can be written in JavaScript, will eventually be written in JavaScript."

Bryce
« Reply #9 on: 21:52, 26 July 15 »
> Please: Never tell me again, Java is a security risk!!!
> Top 10 of most riskful applications: (Numbers: Critical risks, total risks)
>
> 1: Internet Explorer: 179/217
> 2: Flash Player: 149/178
> 3: Mac OS X: 125/234
> 4: Windows: 112/146
> 5: Chrome: 88/152
> 6: Firefox: 56/127
> 7: Adobe Reader: 54/62
> 8: Thunderbird: 34/61
> 9: Java: 29/69
> 10: Office: 24/26
>
> Source: Chip.de
> The most dangerous tools in the world - Pictures - CHIP

AmsDOS: 0/0 :)

Bryce.

Morn
« Reply #10 on: 22:54, 26 July 15 »
> AmsDOS: 0/0 :)
>
> Bryce.

Then we should really sell some CPCs and some old typewriters to the German Bundestag; I hear they need new spy-proof infrastructure :D

Executioner
« Reply #11 on: 00:17, 27 July 15 »
> True, but a Flash exploit has to scan your whole hard disk to find e.g. your credit card or bank account information (provided it is stored in a file at all). Or log your keystrokes hoping to find something usable. Java OTOH just gets all this sensitive information handed to it by users on a daily basis and people expect this process to be 100% secure.

I don't know which banks you're talking about because none of the banks I use ever use Java. It's all https/css/js.

Morn
« Reply #12 on: 00:46, 27 July 15 »
> I don't know which banks you're talking about because none of the banks I use ever use Java. It's all https/css/js.

I don't use online banking personally and have had Java disabled in my browser since 1999 or so. But whenever I claim that nobody needs Java anymore, people always say they still need it for banking. So IDK, maybe it's a European thing and banks are a bit backwards here.  ;)

Devilmarkus
« Reply #13 on: 01:16, 27 July 15 »
> Then we should really sell some CPCs and some old typewriters to the German Bundestag; I hear they need new spy-proof infrastructure :D

Proved:
Windows XP in the Bundestag

Morn
« Reply #14 on: 01:20, 27 July 15 »
> Proved:
> Windows XP in the Bundestag

Ha, ha! So it's even worse than I imagined!

Quick, to the CPC-mobile, Robin! We need to stage an intervention.  ;D