[ale] {OT} -- For the programmer on the list
Ron Frazier
atllinuxenthinfo at c3energy.com
Thu Jan 12 20:41:40 EST 2012
On 1/12/2012 8:29 PM, Ron Frazier wrote:
> On 1/12/2012 4:59 PM, Michael Potter wrote:
>
>> On Thu, Jan 12, 2012 at 2:28 PM, Jay Lozier<jslozier at gmail.com> wrote:
>>
>>
>>> On 01/12/2012 01:29 PM, Jim Kinney wrote:
>>>
>>> +1
>>>
>>> <snark>Java is both a place and a beverage. It's not a language worthy of
>>> continuity.</snark>
>>>
>>>
>>> <snark>And it is one of the major security problems in the Windows world. IMHO
>>> it is about halfway between a scripting language and an industrial strength
>>> language with all the worst features of both and none of the advantages of
>>> either</snark>
>>>
>> Jay,
>>
>> Could you elaborate on what major security problems are introduced to
>> Windows because of the presence of Java/JVM?
>>
>> I use the JVM on windows and am interested in what security problems
>> exist in Java/JVM versions in current use on Windows.
>> I am not interested in the history of resolved problems.
>>
>> This is a sincere request for information, not bait for a debate.
>>
> Hi Michael,
>
> I realize you directed your comment to Jay, but I thought I'd throw this
> in. I am not a security expert, but I do listen to some security
> podcasts like Security Now ( http://twit.tv/sn ,
> http://www.grc.com/securitynow.htm ) and other computer related podcasts
> on the TWIT (This Week In Tech, http://twit.tv ) network. These
> frequently provide useful information. They're always talking about
> flaws in Java and security vulnerabilities related to Java. While I
> cannot cite specific examples, I can assure you that it is a risk to any
> machine it's running on that is exposed to the public. You could try
> searching through the transcripts of the show at grc.com . You could
> also do some research at http://www.sans.org/security-resources/ . I
> remember one problem they were discussing where a security researcher
> was able to bypass the same origin policy. As I understand it, if your
> Java app is connected to nytimes.com, then an infected page shouldn't be
> able to load something ugly from hacker.com, etc. They were able to get
> around that somehow. There was a very notable case last year where a
> malicious ad was injected into the automated ad stream at the New York
> Times and several thousand users were infected with a trojan (I think)
> just by visiting the site.
>
> I realize that this sounds a bit shallow without me giving specific
> references. I don't have the time to look them up right now. I will
> say, though, that I've become so convinced that Java is a security risk
> that I've removed it from my Son's computer and my Dad's computer which
> I maintain and another relative's computer which I assist with as
> needed. I'm working on learning Java programming, and I have some Java
> dependent applications, so it has to stay on my machines. Any machine
> which has Java on it must be updated routinely. I try to update the
> following every week, and at least every month, on my machines: OS
> patches, AV software, Firefox, Firefox addons, Java, Adobe Flash, and
> Adobe Reader. This includes Windows and Linux machines. It's kind of my
> weekly ritual on Monday.
>
> There is one genre of vulnerability that Java, or JavaScript, or any
> scripting language that can be in a web page, definitely opens up.
> Unfortunately, I speak from the personal experience of a relative whose
> computer I had to rebuild after it got a virus, twice. That
> vulnerability is social engineering. She somehow encountered a
> malicious web page. Some form of scripting, probably Java or
> JavaScript, allowed the malicious page to create a new popup window with
> an EXTREMELY real looking display that said it was the AV software
> scanning her system, had found some viruses, and click here to remove
> them. To us geeks, that may sound like a common ploy to deploy a virus,
> which it is. But, to an end user who's never seen it before, it is
> quite convincing and scary. In the 5 seconds of indecision, even though
> she's a pretty savvy user, she clicked the button, and that let the
> virus get its hooks into the system. Modern malware is so
> sophisticated in some cases, that you can never really be sure you've
> gotten rid of it without erasing the hard drive and restoring backup
> data and reinstalling applications. Right after the incident, she
> called me. And, that procedure is exactly what I did to her machine.
> The backups were old, so it was almost like building a system from
> scratch. It took 4 days. I also took the opportunity to upgrade her to
> Vista, which is easier to secure than XP. I've also heard of cases where
> a malicious web page injects a virus without user assistance. On her
> machine, which is now running Vista, I have the User Account Control
> turned up to the max, so it's supposed to tell the user if anything
> requiring high security privileges occurs. She got another virus half a
> year later and she's pretty sure she didn't click any buttons to
> invite it in. That one immediately hid all her system files, and
> started producing very real looking hard disk sector error messages. It
> had me going for a while and I was ready to replace the hard drive.
> Then, I booted a Linux CD and found that all the files were still
> there. That took me another 3 days to fix, and I still don't know how
> it got in. Again, I'm pretty sure scripting was part of the culprit.
>
> I recommend to anyone who will listen to run Firefox instead of IE, and
> to run the NoScript plugin. This disallows all scripting (including
> Java, JavaScript, Flash, and downloads) from running on a web page
> unless the site is explicitly trusted by the user. This totally
> prevents so called "drive by" attacks. I eat my own dog food, and run
> the plugin myself. Sure, it's a pain when my banking site doesn't
> work. But, I just click a couple of buttons to tell the system to trust
> my bank, and the sites it relies on, then it works. I only have to do
> that once. My relative's computer is still running IE, and can still
> react to JavaScript, so this could happen again. She says she couldn't
> possibly work if she had to approve every site to get it to work. I
> think it wouldn't be as bad as she thinks. I just hope she's really
> careful and keeps routine backups.
>
> Hope this info helps.
>
> PS, there are always "zero day" exploits that nobody in the good guys
> community knows about until they are exploited by the bad guys. Of
> course, there's no way to know which ones of those exist in the current JVM.
>
> Sincerely,
>
> Ron
>
PS to my other message. I always delete the older version of Java from
my machine when I do an update. That way, malicious code cannot invoke
the older unpatched JVM.
Ron
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
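The same-origin point Ron raises above (content connected to nytimes.com should not be able to pull something in from hacker.com) comes down to a comparison of origins, where an origin is the (scheme, host, port) triple. The following is an added example written for this page, not code from the original thread or from any of its participants. It shows a strict origin comparison next to a naive "is the host name about our site?" check that a look-alike domain slips past. All URLs are constructed for illustration, and the look-alike bypass shown here is a generic weakness of string-based checks, not a claim about the specific researcher's bypass mentioned above.

```javascript
// Added example, not part of the original mailing-list post.
// An origin is the (scheme, host, port) triple. Two URLs are same-origin
// only if all three agree; the path and query play no part.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise a URL to its origin string, filling in the default port so
// "http://site/" and "http://site:80/" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Strict check: the one a browser or plugin sandbox should apply.
function sameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// Naive check: "does one host name contain the other?" Ignores scheme and
// port, and is fooled by a hostile domain that embeds the trusted name.
function naiveSameSite(pageUrl, targetUrl) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const targetHost = new URL(targetUrl).hostname.toLowerCase();
  return targetHost.includes(pageHost) || pageHost.includes(targetHost);
}

// Decide whether content loaded from pageUrl may open a connection to
// targetUrl under a given policy check.
function mayConnect(pageUrl, targetUrl, check = sameOrigin) {
  return check(pageUrl, targetUrl);
}

// Constructed test cases: a page on www.nytimes.com trying to reach
// various targets. "hacker.example" stands in for an attacker-controlled host.
const PAGE = "http://www.nytimes.com/index.html";
const CASES = [
  ["same origin",   "http://www.nytimes.com/ads/x.js"],
  ["scheme differs", "https://www.nytimes.com/ads/x.js"],
  ["port differs",  "http://www.nytimes.com:8080/ads/x.js"],
  ["other site",    "http://hacker.example/payload.jar"],
  ["look-alike",    "http://www.nytimes.com.hacker.example/payload.jar"],
];

// Run every case through both checks and return the verdicts.
function evaluateCases(pageUrl = PAGE, cases = CASES) {
  return cases.map(([label, target]) => ({
    label,
    target,
    strict: mayConnect(pageUrl, target, sameOrigin),
    naive: mayConnect(pageUrl, target, naiveSameSite),
  }));
}

for (const r of evaluateCases()) {
  console.log(`${r.label.padEnd(14)} strict=${r.strict}  naive=${r.naive}  ${r.target}`);
}
```

Run with `node` to see the table. Only the first case is same-origin under the strict check; the naive host-name check also lets through the different scheme, the different port and, worst of all, the look-alike host, which is exactly the kind of slip that turns a sandbox boundary into a suggestion.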