Ditching Java might be a good move

Discussion in 'other security issues & news' started by ronjor, Dec 22, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    https://www.net-security.org/secworld.php?id=12136
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It would be nice if there were an alternative VM for Windows. I'm a bit surprised there isn't one - perhaps licensing issues.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Users having it isn't the problem. It's all the old websites, special functions of business sites and more that is the issue. I agree that it's time to go, but, telling users to dump something they may need has never worked well. Flash is a huge issue as well still, but try getting rid of that for a few days and see how well you do on the web, you know?
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I don't see Flash as being as big an issue as Java.

    Flash actually rolls out updates and supports basic things like ASLR. They seem to at least be trying.

    Oracle doesn't do **** and their product is god awful.

    And Java is a much more likable target since exploits will be cross platform.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I still think Flash is a big issue simply because there are so many opportunities to get your payload out there. That being said, Adobe has come a long way in trying to keep Flash as safe as humanly possible. More can always be done, but, like you said, they're trying. In a better world, neither would be needed, but we're not there yet.
     
  6. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Speaking of Java, I only realised that there had been a new update to Version 6 Update 30 earlier today. I think it's been out at least a week! I must be slipping.

    Check here
     
  7. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    This debate is getting old *yawn*
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If it were just HTML, CSS, and JS, we'd just see exploits in those.

    As it stands we have nice easy targets like Flash and Javascript. I see fewer and fewer Flash exploits and more and more Reader/ Java exploits though.
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Go to sleep, we'll wake you when something of your interest comes back up.
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I wouldn't count out Flash exploits just yet. It's going to be here a long time still. Unlike Flash/Java exploits, PDF exploits are ridiculously easy to avoid. Turn off Javascript in your reader of choice, and disable the browser plugin, and you've taken a huge chunk of danger out of it. Reader X does a good job of thwarting them as it is (not saying perfect), and with those two tweaks added in you're pretty safe. Meanwhile, there's very little you can do against Flash/Java without not using them, sandboxing the browser or another measure like that.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Oh I'm not counting them out, I just mean that they used to be much more popular than they are now.
     
  12. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    I've already moved on from this thread. If you want to be involved in a discussion that keeps going round and round in circles, be my guest.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I don't really know what you mean. I mean, if this were about Firefox v Chrome or CIS or whatever I'd get it.

    But Java doesn't even come up that often in this context and there seems to be a fair consensus.
     
  14. wat0114

    wat0114 Guest

    Rather than stressing the need to update frequently, as well as suggesting ways to restrain the use of Java, the author instead takes the weak-kneed easy way out, pandering to the complacent and apathetic by simply suggesting its removal as the ultimate solution to Java's security weaknesses :rolleyes:
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    @wat

    I think the issue with Java is that it's not used very often and every time an exploit gets patched a new one is out in a very short time. The updater doesn't work very well either and users often ignore it.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're not alone. I had forgotten all about it as well. :eek: :blink:
     
  17. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I don't even have Java installed. Have found no reason to have it or need it.
     
  18. wat0114

    wat0114 Guest

    True enough, but it can be manually downloaded and installed, and it's there when needed, even if it's rarely used. For me the concept of removing it is like admitting defeat to its potential dangers, when really it's not the epic danger so many make it out to be.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It is fairly dangerous.

    But saying "remove it" is a bit silly because you either:

    1) Need it and can't install it

    2) Don't need it, in which case duh, don't have it installed

    At the moment I just try to run it with EMET and hope for the best.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You don't need to hope for the best. You can set the browser only to allow Java for specific websites.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Chrome already prompts before it runs Java. I'd rather not try to whitelist every site I might run into that uses Java.
     
  22. wat0114

    wat0114 Guest

    Well, if you hardly ever use it, as opposed to those who "don't even miss it", then whitelisting is a highly viable option.
     
  23. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    154
    Any tips to achieve this in IE9, Opera, Chrome/Iron/Chromium, and Firefox?

    Thanks so much

    SKA
     
  24. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    I haven't installed Java in a good while now and don't miss it.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    With IE9, you can make use of ActiveX Filtering. -http://windows.microsoft.com/en-GB/windows7/how-to-use-tracking-protection-and-activex-filtering

    In Chrome/Chromium, you can go to chrome://settings/content and in Plugins, choose Block all, and then click Manage exceptions; in Hostname Pattern type the name of the domain, such as [*.]wilderssecurity.com, and then in Behavior, choose Allow.

    Another alternative is to enable the flag Click to play under chrome://flags. This option will then appear on top of Block all, mentioned above.

    Be aware that, whichever option you choose, it will apply to all plugins, unfortunately. It would be great to have a more refined configuration, so that we could choose individual plugins. Something like this should be part of the settings already, since day one. o_O

    So, if you block all plugins, you'll be blocking Java, Flash, etc., and you'll have to whitelist every website you know that requires any one of those plugins.

    I cannot be of any assistance when it comes to Opera and Firefox. Maybe someone else can assist you. I don't know if Firefox has such a native feature; I do know NoScript allows that kind of control, though.
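
The "Block all" plus "Manage exceptions" setup from the last post, sketched as an added example (not part of the thread and not Chrome's own code): a default-deny plugin decision with `[*.]` hostname patterns. The function names and every sample host other than wilderssecurity.com are assumptions.

```javascript
// Added illustration: default-deny plugin policy with hostname exceptions,
// modelled on the "Block all" + "Manage exceptions" setup described above.
// Not Chrome's implementation; names and sample hosts are constructed.

// Returns true when `host` matches a pattern of the form "[*.]domain"
// (the domain itself plus any subdomain) or a plain exact hostname.
function matchesPattern(pattern, host) {
  const h = host.toLowerCase();
  const p = pattern.toLowerCase();
  if (p.startsWith("[*.]")) {
    const domain = p.slice(4);
    // Match on a label boundary so "evilwilderssecurity.com" does not pass.
    return h === domain || h.endsWith("." + domain);
  }
  return h === p;
}

// Decide whether plugins (Java, Flash, ...) may run on a page.
// `exceptions` is an ordered list of { pattern, behavior } entries;
// anything not listed falls back to the default, which is "block".
function pluginDecision(pageUrl, exceptions, defaultBehavior = "block") {
  let host;
  try {
    host = new URL(pageUrl).hostname;
  } catch (e) {
    return "block"; // unparsable URL: fail closed
  }
  for (const { pattern, behavior } of exceptions) {
    if (matchesPattern(pattern, host)) return behavior;
  }
  return defaultBehavior;
}

// Constructed exception list: one allowed domain, everything else blocked.
const exceptions = [
  { pattern: "[*.]wilderssecurity.com", behavior: "allow" },
];
```

As the post notes, the decision covers every plugin at once, so an allowed host gets Java and Flash together.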
     