Re: OT - Is Java/Java Scripts a Security Risk?

Author: Joseph Sinclair
To: plug-discuss
Subject: Re: OT - Is Java/Java Scripts a Security Risk?
Anytime you allow code to be run on your system you incur risk. The question is how much of a risk that is.

Java code run within a browser runs in a "sandbox" where its access to your system is extremely limited. On Windows, unfortunately, it is pretty easy to permit code to extend beyond that sandbox, and many people do so. So long as you NEVER permit Java applets to access resources outside the "sandbox", you're pretty safe. If you're running IE on Windows, there are some designed-in ways to bypass that (especially if you can get a user to accept an ActiveX control), and it's pretty easy to get in trouble. Those bypasses aren't present in Firefox. If you see a message for a Java Applet asking to access your system resources, clicking yes may allow almost anything, and is generally not recommended unless the code is signed, you really trust the signer, and the signature is fully verified.
If you're running IE on Windows, it's highly recommended that you browse VERY carefully, or just switch to Firefox.
Java also supports a technology called "Web-Start" where a signed Jar file is downloaded and run like a local application. If you are running a Web-Start application, there are no fixed limits to what the application is permitted to do. It is recommended that you run web-start applications only if you're completely certain the publisher is trustworthy, and even then only if you've fully verified the Jar signature.

JavaScript is a completely different technology, and has a number of areas where it's known to permit excessive access. This is particularly true with IE on Windows, but IE on Mac is only slightly less dangerous, and even Firefox has a few issues.

The most common danger with JavaScript is when it is used to hide malicious activity from a user by, for example, rewriting the text in the address bar to hide a website switch.

Linux has far fewer issues with both technologies for 2 reasons:
  1) The Linux Architecture is very different from Windows, and most malicious threats are not currently designed to handle Linux. Many fail quietly, many others cause something obviously strange to happen.
  2) Even if code is written to work on Linux, the design of the system is such that most user accounts are very limited in what they can do (unless you're running as root, in which case you must be utterly insane to be running a browser session). So long as you're following recommended practice for a Linux system (very few sudoers, root login disabled, etc...) you shouldn't have too many problems.


I generally leave both Java and JavaScript disabled on my system, and only turn them on for sites where they're required, and I am reasonably certain that the site is legitimate. I also have Flash disabled due to its myriad insecure "Features". Various browsers have different ways of handling these items. Firefox has 2 very nice extensions for this: FlashBlock blocks Flash until you click a "play" icon that replaces the Flash image, and PrefBar allows you to place a simple checkbox on your toolbar to turn Java or JavaScript on or off on the fly.

Hope this helps.

==Joseph++

G Gambill wrote:
> is enabling Java and/or Java Scripts a Security Risk on:
>
> on Windows XP?
>
> on Linux?
>
> If so, under what conditions?
>
> George
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

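The reply above stresses that a signed applet or Web-Start Jar should only be trusted once "the signature is fully verified". The following is an added example (not part of the list thread, and not code from any project mentioned in it) showing what that verification actually involves using the standard `java.util.jar` API: opening the Jar with verification enabled, reading every entry so its digest is checked, and refusing the Jar if any entry outside `META-INF/` carries no signer at all. The file path is a placeholder assumption; the code only reports which signer certificate is present and does not by itself decide whether that signer is trustworthy.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {

    /**
     * Returns true only if every non-metadata entry in the Jar is covered by
     * at least one signer whose signature verified. Throws SecurityException
     * if an entry's bytes do not match the signed digest (a tampered Jar).
     */
    public static boolean allEntriesSigned(String jarPath) throws Exception {
        // verify=true: JarFile checks entry digests against META-INF signature files
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                if (entry.isDirectory() || name.startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed content
                }

                // Signers are only populated after the entry has been read to the end,
                // because that is when the digest comparison happens.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) {
                        // drain; a mismatch throws SecurityException here
                    }
                }

                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // A Jar can be "signed" yet still contain unsigned entries; treat that as untrusted
                    System.out.println("UNSIGNED entry: " + name);
                    return false;
                }

                for (CodeSigner signer : signers) {
                    X509Certificate leaf = (X509Certificate)
                        signer.getSignerCertPath().getCertificates().get(0);
                    leaf.checkValidity(); // throws if the signing certificate is expired or not yet valid
                    System.out.println(name + " signed by " + leaf.getSubjectX500Principal());
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path (assumption): pass the Jar you were asked to run
        String path = args.length > 0 ? args[0] : "/path/to/downloaded.jar";
        boolean ok = allEntriesSigned(path);
        System.out.println(ok ? "All entries signed and digests verified"
                              : "Jar has unsigned entries; do not run it");
    }
}
```

This covers the "signature is fully verified" half of the advice: tampered content throws, and partially signed Jars are rejected. The "you really trust the signer" half is a separate decision: the subject name printed above still has to be checked against a trust anchor you actually trust (a CA you recognise or a certificate you obtained out of band), which is the same distinction the JDK's own `jarsigner -verify -verbose -certs` output draws when it warns that a certificate chain was not validated.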