[LINK] Security problems with Java in browsers

Robin Whittle rw at firstpr.com.au
Tue Sep 18 12:35:09 AEST 2012


Hi Fernando,

Thanks for the pointer to the NoScript Firefox extension:

  https://addons.mozilla.org/en-US/firefox/addon/noscript/

After restarting Firefox, there was nothing about it in the Tools menu,
but I see there is an "S" icon to the left of the address bar.  As a
reviewer noted, it has confusing icons for the state of things - a slash
means clicking the icon will stop something, implying that it is
currently allowed.  This kind of conflation of indicators regarding
current status and what will happen if the indicator is pressed is such
a PITA - such as sound or video players which show a pause symbol when
they are playing, and a play symbol when they are stopped.

Looking at the options, I would say this is a complex extension.  It
wasn't obvious to me whether it was possible to configure what was
allowed for individual sites on the whitelist.

I wrote "looks really complex" meaning to refer just to the instructions
for disabling Java in MSIE:

  http://nakedsecurity.sophos.com/how-to-disable-java-internet-explorer/


>> Unless there is a clear need for it, it may be easier to uninstall Java
>> from the computer entirely.

It was easier for me to uninstall Java from two PCs where I think it is
not needed than to follow the above instructions on disabling it in
MSIE, since it is possible that MSIE could be used on those machines for
the not-uncommon situation where a website doesn't seem to do what it
should with Firefox.


> This is complete FUD. Java is more than a browser plug-in (which BTW, is
> used for things like Intel's driver update software, "powered by
> SystemRequirements", some on-line banking secure log-in and other useful
> sites like KeepVid.com to download youtube videos).

I know it is used for other purposes.  On one PC I sometimes run this
Java standalone program for bidding on eBay items:

  http://www.jbidwatcher.com


> It's curious how every patch tuesday there's "critical security updates"
> coming down the wire from WindowsUpdate for components like ActiveX and
> Microsoft's .Net, yet there's not a single headline this year suggesting
> users "remove .Net completely".

Yes, but as far as I know, once Java is installed it will install itself
into one or more browsers and enable itself, without user
interaction.  The next time the browser accesses any page which has a
Java applet, the applet will run, perhaps invisibly to the user, without
any user interaction.  Even though I had Oracle's Java automatic updates
on, yesterday my version was one with the critical vulnerability (as
best I could tell) and only by manually updating Java was it replaced.
So if I had done nothing, despite running Norton AntiVirus, I understand
Firefox could have accessed a page with a suitably crafted Java applet
and soon, without any visible signs, depending on how well Norton
AntiVirus worked, this Windows XP machine and the others on the LAN
would all have been infected with a pernicious rootkit and other malware
which gives complete control of the machine to the attacker.

I don't need Java so much as to have to spend so much time on it, so I
now only run it on one PC.  From what I read, if Oracle had been more
responsive, it could have fixed the vulnerability in April and got this
out to most or almost all PCs which use its Java interpreter before the
August exploits.

As far as I know, .NET isn't exposed in Firefox like this.  I guess it
is with MSIE, but I don't really know.  I only use MSIE when I think a
site doesn't function properly with Firefox.

Adobe Flash player is a worry.  I normally try to keep it updated, but
in the last month or so, every time it tries to do this, or I try to
install a fresh version, there is some unresolvable error.  Since I like
to watch videos, it is still installed and I haven't taken time to
research it more fully.

I don't accept what I think you are implying - that the sites I linked
to which urged people to disable Java were driven in some way by
Microsoft's efforts to turn people away from this important and valuable
language.  However, I don't have time to research the politics of Java
vs. .NET any further.

  - Robin
