  1. #1
    iNET Interactive
    Join Date
    Jan 2010
    Location
    Seattle, WA, USA
    Posts
    377
    Thanks
    1
    Thanked 29 Times in 24 Posts



    IN THE WILD

    Java brews up a large pot of malware


    By Robert Vamosi

    A recent blog by the Microsoft Malware Protection Center reported that attacks on Java code far exceeded Adobe exploits in 2010.

    In light of this finding, it's time to review your PC for any unneeded or out-of-date versions of Oracle's OS.

    The full text of this column is posted at WindowsSecrets.com/2010/11/11/06 (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by revia; 2011-01-19 at 13:53.

  2. #2
    New Lounger
    Join Date
    Dec 2009
    Location
    Viola, Delaware, USA
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    "... JavaScript, a subset of the full Java operating environment."

    It may surprise you to know that Java and JavaScript have almost nothing in common. Java was created by Sun as a complete platform.
    JavaScript was developed by Netscape as a programming language used by the client's browser.

    The similarity of the names sometimes confuses even industry insiders.

    The article was in turn confusing since the second & third exploits used the PHP language and none were related to the misrepresented JavaScript.
    Both PHP exploits were general programming errors unrelated to the language and ran on a server. A browser was used to perform the exploits.

  3. #3
    Lounger
    Join Date
    Dec 2009
    Posts
    38
    Thanks
    0
    Thanked 4 Times in 3 Posts
    "Today, most Web sites use Adobe Flash, not Java. And if they do use it, it's more likely to be JavaScript, a subset of the full Java operating environment."

    I would have thought Windows Secrets would have known that JavaScript is not a 'subset of Java' but a totally different thing entirely. Java is a full programming language, and is compiled into Java Applets which are run in the browser via the JRE application. JavaScript bears no relation to Java; it is a scripting language run directly by the browser. Its only connection with Java is the first four letters of its name. Far too many people get this wrong and I would have hoped WS would have used this as an opportunity to put people right rather than publish FUD.

    OpenOffice by the way works just fine with Java disabled, including the database. Only a very small number of functions rely on Java and I never encounter them in my daily usage.

  4. #4
    New Lounger
    Join Date
    Dec 2009
    Location
    Virginia Beach, Va
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Are you familiar with JavaRa? I've been using it for years. I noticed that when Java updated, it wouldn't remove previous versions. I just run JavaRa occasionally and everything is fine.

    http://raproducts.org/javara.html


    All these issues are a good reason to utilize Secunia online software inspector, http://secunia.com/vulnerability_scanning/online/.

  5. #5
    New Lounger
    Join Date
    Nov 2010
    Location
    MA
    Posts
    10
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Robert Vamosi mentions: "In Google Chrome, type chrome://plugins/ into the address bar", which is pretty useful.
    I wonder if there are other chrome://**** tidbits, and where one might find documentation?

  6. #6
    New Lounger
    Join Date
    Dec 2009
    Location
    NH, USA
    Posts
    3
    Thanks
    0
    Thanked 1 Time in 1 Post
    Although not implicated in this article, BeanShell is a proper subset of Java:
    http://www.beanshell.org/

  7. #7
    New Lounger
    Join Date
    Jan 2010
    Location
    Tucson, AZ, USA
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    "In light of this finding, it's time to review your PC for any unneeded or out-of-date versions of Oracle's OS."

    Java is not an OS, it is a programming language that must be interpreted by a JIT compiler run on a host OS.

  8. #8
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    There are a few web apps which use Java in its full-blown runtime version. One is the weather radar from the National Weather Service. And there are others.

    My Windows XP Pro laptop has a Java Runtime which came in with OpenOffice. I need it to connect to Access for Windows 95 databases which I still use for my personal finances.

    Secunia PSI will keep track of and automatically update all current versions of Java and Java Runtime, as well as alert you to older versions which should be removed or at least disabled, including browser plug-in versions. Chrome automatically updates any Java plug-ins which are installed into this browser.

    So there really is no excuse to be caught with our Java pants down when exploits use older versions.
    -- Bob Primak --

  9. #9
    New Lounger rogueleader's Avatar
    Join Date
    Feb 2010
    Location
    Peterborough, Ontario, Canada
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Michael and Dave are entirely correct. As the Wikipedia article on JavaScript notes (emphasis mine):

    JavaScript uses syntax influenced by that of C. JavaScript copies many names and naming conventions from Java, but the two languages are otherwise unrelated and have very different semantics. The key design principles within JavaScript are taken from the Self and Scheme programming languages.

    The Wikipedia article also notes that the confusion probably stems from some coincidental timing of JavaScript's name change (originally called LiveScript) and Java support in Netscape Navigator:

    The change of name from LiveScript to JavaScript roughly coincided with Netscape adding support for Java technology in its Netscape Navigator web browser. The final choice of name caused confusion, giving the impression that the language was a spin-off of the Java programming language, and the choice has been characterized by many as a marketing ploy by Netscape to give JavaScript the cachet of what was then the hot new web-programming language.

    I'd hate to see JavaScript, a widely used scripting language that has no relationship to Java, tarnished with the same bad security reputation that Java is now getting.

  10. #10
    New Lounger rogueleader's Avatar
    Join Date
    Feb 2010
    Location
    Peterborough, Ontario, Canada
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Bob Primak
    There are a few web apps which use Java in its full-blown runtime version. One is the weather radar from the National Weather Service. And there are others.

    I use a program called Ted (Torrent Episode Downloader) that also relies on Java. Although, the program isn't working as well as it used to (old, invalid show definitions, torrents, etc.) so I may ditch it soon for something else.

    ...

    I had also thought that OpenOffice.org was built on Java. I thought that was partly the reason it took so damn long to load. I read somewhere (can't find the source now) that LibreOffice is trying to move away from remaining dependencies to Java, I'm sure partly because of the bad blood between the Document Foundation and Oracle, but mainly because of the way Oracle is making Java less Free (as in speech).
