Have you disabled Java?

It needs my permission to run anyways, so there's little point to disabling it completely.

 

Does this apply to java scripts as well?

 

Java Scripts is Java.. Java is the interpreting engine for the scripts. So if you block scripts, you are blocking Java.

 

No, this does not apply to Javascript. The two are unrelated programming languages.

Javascript is NOT Java.

 

No, I haven't. With the policies I have in place I've no concern with it.

 

Ahh yes I should consult my son first. ;-) Looks like a lot of us get this confused, I have never worked in java personally (or javascript), but they appear to be nothing more than distant cousins. So this basically applies to Java-Proper, which I see no reason to disable either..

Java is a statically typed language; JavaScript is dynamic.
Java is class-based; JavaScript is prototype-based.
Java constructors are special functions that can only be called at object creation; JavaScript "constructors" are just standard functions.
Java requires all non-block statements to end with a semicolon; JavaScript inserts semicolons at the ends of certain lines.
Java uses block-based scoping; JavaScript uses function-based scoping.
Java has an implicit this scope for non-static methods, and implicit class scope; JavaScript has implicit global scope.

Here are some features that I think are particular strengths of JavaScript:

JavaScript supports closures; Java can simulate sort-of "closures" using anonymous classes. (Real closures may be supported in a future version of Java.) All JavaScript functions are variadic; Java functions are only variadic if explicitly marked. JavaScript prototypes can be redefined at runtime, and has immediate effect for all referring objects. Java classes cannot be redefined in a way that affects any existing object instances. JavaScript allows methods in an object to be redefined independently of its prototype (think eigenclasses in Ruby, but on steroids); methods in a Java object are tied to its class, and cannot be redefined at runtime.

 

I still have Java installed as I use Apache Open Office - (database needs it) otherwise I would have terminated it. To mitigate, I have Java 'sandboxed' by Comodo and all browser plugins disabled.

Cheers!

 

Uninstalled as I rarely use it. One of the articles I read today said Java has replaced both Adobe reader and flash
as the easiest exploit.

Are there any good recommendations to replace Adobe reader or flash that are more secure?

 

Foxit IMO is the best PDF reader. Great product I have used for half a decade. Rock solid stable, secure, and fast.

http://www.foxitsoftware.com/Secure_PDF_Reader/

Best part, you can default it to 'Safe PDF', which is a sandbox/Antiexploit system internal to Foxit. Foxit has an exploit team that monitors, and rapidly deploys fixes and updates if needed for security reasons. To date I am unaware of Foxit being vulnerable to traditional PDF vulnerabilities. Foxit integrates with all browsers as well.

http://www.foxitsoftware.com/company/press.php?action=view&page=201205231830.html

Flash is being replaced by HTML5. If you disable flash you will find most videos on youtube resort to HTML5 as a replacement. Hopefully within the next couple of years flash will be fully phased out. At least we can dream, right?

 

If you use all Adobe Reader's features, I don't think there is any other securer alternative (not considering security by minority). I don't know of any other "complete" PDF Reader that implements sandbox and all the other security features that latest Adobe Reader has.

If you use only the basic features of Adobe Reader, Sumatra PDF may be a good alternative. It's very small and doesn't support javascript, so it has a smaller attack surface. It's also actively developed and not extremely popular.

As for Flash, you can't use something else with sites or whatever that strictly require Flash (YouTube isn't always one of them, as it allows people to view most of its videos without Flash, requiring only a browser that supports HTML5). So, no alternatives on the broadest sense.

 

Normally I would agree for the most part, but then there is this.

 

Wow amazing timing. Now let's wait and see how fast they fix it, since it was revealed yesterday. At the least, Foxit offers some security through obscurity, adobe is heavily targeted. Maybe time to check out some different products.

 

Thanks for the replies. I didn't mean to hijack the thread. After reading the article today it looked like
Java, Adobe reader and Adobe Flash seem to be the top 3 security exploits.

 

Sumatra is a beast, loads instantly, very very fast PDF scrolling, and really really light.. I've dumped Foxit, after 5 years of using it. Thanks for the tip, I really like this little puppy. I especially like the 'tiny' security attack surface as you point out, virtually unknown product - and most hackers go for big numbers.

 

I've just removed Java from my computer and have no intention of reinstalling it unless it's essential which I can't see happening anytime soon. I find myself growing tired of the problems with Java and their relaxed approach to security.

 

Java's a bloody nuisance as well as a security risk. Chrome & Opera can be set so that it will only run if you allow it. There's also QuickJava for Firefox users. If I didn't run OpenOffice I would probably uninstall it completely.

 

I never totally got on with Foxit, I still prefer PDF-XC. I haven't used Adobe's reader in quite some time.

 

You are mixing up Java with Javascript.

The security risk in question is more about Java, which is installed as a distinct application on the computer, and not a browser plugin or browser integration. JRE libraries, etc.. This specifically;

http://www.java.com/en/download/index.jsp

To disable it, you need to uninstall it.. Frankly I do not have it installed on more than 2 machines in the home, and they are quite well locked down. They need java because a significant number of things they do require it.

 

No, you are jumping to conclusions. I'm not mixing anything up. You can use an extension to toggle the Java runtime on/off on Firefox. It is called QuickJava. It is not related to NoScript or Javascript (although the extension allows control of Javascript among other things). Other browsers have inbuilt systems for running/not running Java. I assume that Java applets can be a security risk on a Webpage. Not enabling them to run is a security preference.

 

Just disable java in your browser(s), and enable it temporarily only on trusted sites and only when absolutely needed. I need it for some financial charting.

 

No java here as well. As a side note, using SumatraPDF also and have Palemoon built-in PDF previewer activated via about:config settings.

 

In my case both Scriptsafe and my firewall are used to restrict Java to only where I allow.

 

Doing a little research I see positive reviews for Sumatra and also PDF Exchange.

 

PDF-XChange Viewer

The No.1 rated BEST PDF Reader - as voted by Life Hacker Readers by a 2-1 margin for the 2nd year in a row! ~ from Tracker Software Products official page.