Java: Potential security risk?

Started by Devilmarkus, 13:39, 26 July 15

Devilmarkus

Please: Never tell me again, Java is a security risk!!!
Top 10 riskiest applications (numbers: critical risks / total risks):

1: Internet Explorer: 179/217
2: Flash Player: 149/178
3: Mac OS X: 125/234
4: Windows: 112/146
5: Chrome: 88/152
6: Firefox: 56/127
7: Adobe Reader: 54/62
8: Thunderbird: 34/61
9: Java: 29/69
10: Office: 24/26

Source: Chip.de
The most dangerous tools in the world - Pictures - CHIP
When you put your ear on a hot stove, you can smell how stupid you are ...

Amstrad CPC games in your webbrowser

JavaCPC Desktop Full Release

arnoldemu


Morn

That's still 69 vulnerabilities too many. The main use case of Java in the browser is online banking and government sites, so vulnerabilities in Java are more serious than e.g. Flash. Flash doesn't know my bank account information, for starters.

andycadley

The trouble with any set of figures like this is how they try to compare apples with oranges. Nobody counts vulnerabilities in the same way, software makers bundle some together, others get double counted because they're in different versions of a product etc.

Not that it matters much, Oracle have given up on Java Applets and all the major browser vendors are moving away from support of binary plugins like Java. It's a dead platform already.

Devilmarkus

Quote from: Morn on 14:03, 26 July 15
That's still 69 vulnerabilities too many. The main use case of Java in the browser is online banking and government sites, so vulnerabilities in Java are more serious than e.g. Flash. Flash doesn't know my bank account information, for starters.

True, but does it help to know this, when 100% of ALL banking, other things, etc. run on top of your OS, which has many more security holes?
At least in my browsers (it doesn't matter which browser I use) I have to allow Java manually, whilst Flash and other apps, JavaScript, HTML5 (which IMHO is not less risk free) run WITHOUT any feedback to the user!

Morn

Quote from: Devilmarkus on 15:55, 26 July 15
True, but does it help to know this, when 100% of ALL banking, other things, etc. run on top of your OS, which has many more security holes?
At least in my browsers (it doesn't matter which browser I use) I have to allow Java manually, whilst Flash and other apps, JavaScript, HTML5 (which IMHO is not less risk free) run WITHOUT any feedback to the user!
True, but a Flash exploit has to scan your whole hard disk to find e.g. your credit card or bank account information (provided it is stored in a file at all). Or log your keystrokes hoping to find something usable. Java OTOH just gets all this sensitive information handed to it by users on a daily basis and people expect this process to be 100% secure.

Of course computers can be compromised on deeper levels (BIOS, HD controller, OS, malicious USB peripheral), but that's a whole different topic.  :)

mr_lou

The truth will never matter anyway.
Whoever wins the war is the one who has the most success spreading false rumours about their competitors - and then creates competing software that does the same. (Or steals it if someone else made it already.)

"Flash is shit - Hey look! Silverlight!"
"Java is shit - Hey look! .NET!"
And let's not forget:
"Mp3 files are dangerous! Hey look! WMA!"

Morn

It's simply hard to create something both highly secure and sandboxed, but also highly performant. And of course the creators of Flash, Silverlight etc. have all kinds of incentives to create software with snooping functions. In the "best" case, this is used by marketing firms to track users and create personal profiles; in the worst case government agencies use this to spy on citizens.

As the NSA/Hacking Team leaks showed, Microsoft, Apple, Facebook, and all the big tech companies have very cozy relations with the NSA, so it's no wonder some zero-day exploits used by the spooks never get fixed by Microsoft. Microsoft and Co. create shoddy software with lots of security holes and then look the other way and claim ignorance of how these defects are exploited for spying on people. A very convenient system for everyone involved.

Phi2x


Bryce

Quote from: Devilmarkus on 13:39, 26 July 15
Please: Never tell me again, Java is a security risk!!!
Top 10 riskiest applications (numbers: critical risks / total risks):

1: Internet Explorer: 179/217
2: Flash Player: 149/178
3: Mac OS X: 125/234
4: Windows: 112/146
5: Chrome: 88/152
6: Firefox: 56/127
7: Adobe Reader: 54/62
8: Thunderbird: 34/61
9: Java: 29/69
10: Office: 24/26

Source: Chip.de
The most dangerous tools in the world - Pictures - CHIP

AmsDOS: 0/0 :)

Bryce.

Morn

Quote from: Bryce on 19:52, 26 July 15
AmsDOS: 0/0 :)

Bryce.
Then we should really sell some CPCs and some old typewriters to the German Bundestag; I hear they need new spy-proof infrastructure :D

Executioner

Quote from: Morn on 16:28, 26 July 15
True, but a Flash exploit has to scan your whole hard disk to find e.g. your credit card or bank account information (provided it is stored in a file at all). Or log your keystrokes hoping to find something usable. Java OTOH just gets all this sensitive information handed to it by users on a daily basis and people expect this process to be 100% secure.

I don't know which banks you're talking about because none of the banks I use ever use Java. It's all https/css/js.

Morn

Quote from: Executioner on 22:17, 26 July 15
I don't know which banks you're talking about because none of the banks I use ever use Java. It's all https/css/js.
I don't use online banking personally and have had Java disabled in my browser since 1999 or so. But whenever I claim that nobody needs Java anymore, people always say they still need it for banking. So IDK, maybe it's a European thing and banks are a bit backwards here.  ;)

Devilmarkus

Quote from: Morn on 20:54, 26 July 15
Then we should really sell some CPCs and some old typewriters to the German Bundestag; I hear they need new spy-proof infrastructure :D

Proved:
Windows XP in the Bundestag

Morn

Quote from: Devilmarkus on 23:16, 26 July 15
Proved:
Windows XP in the Bundestag
Ha, ha! So it's even worse than I imagined!

Quick, to the CPC-mobile, Robin! We need to stage an intervention.  ;D
