Re: OT - Is Java/Java Scripts a Security Risk?

Author: G Gambill
Date:  
To: plug-discuss
Subject: Re: OT - Is Java/Java Scripts a Security Risk?
Joseph, Ditto that

George

> From: Siri Amrit Kaur <>
> Subject: Re: OT - Is Java/Java Scripts a Security Risk?
> Date: Sat, 18 Jun 2005 04:06:12 -0700
> Reply-To:
>
> Wow, Joseph, thanks for the information! I've always wondered about
> the differences between Java and JavaScript, and whether or not they
> were safe to allow. This is the best summarization of the subject
> I've ever read. And thanks, too, for the info about Flash. I don't
> even bother to install it.
>
> Siri Amrit
>
> On Thursday 16 June 2005 08:45 pm, Joseph Sinclair wrote:
> > Anytime you allow code to be run on your system you incur risk.
> > The question is how much of a risk that is.
> >
> > Java code run within a browser runs in a "sandbox" where its
> > access to your system is extremely limited. On Windows,
> > unfortunately, it is pretty easy to permit code to extend beyond
> > that sandbox, and many people do so. So long as you NEVER permit
> > Java applets to access resources outside the "sandbox", you're
> > pretty safe. If you're running IE on Windows, there are some
> > designed-in ways to bypass that (especially if you can get a user
> > to accept an ActiveX control), and it's pretty easy to get in
> > trouble. Those bypasses aren't present in Firefox. If you see a
> > message for a Java Applet asking to access your system resources,
> > clicking yes may allow almost anything, and is generally not
> > recommended unless the code is signed, you really trust the signer,
> > and the signature is fully verified. If you're running IE on
> > Windows, it's highly recommended that you browse VERY carefully, or
> > just switch to Firefox. Java also supports a technology called
> > "Web-Start" where a signed Jar file is downloaded and run like a
> > local application. If you are running a Web-Start application,
> > there are no fixed limits to what the application is permitted to
> > do. It is recommended that you run web-start applications only if
> > you're completely certain the publisher is trustworthy, and even
> > then only if you've fully verified the Jar signature.
> >
> > JavaScript is a completely different technology, and has a number
> > of areas where it's known to permit excessive access. This is
> > particularly true with IE on Windows, but IE on Mac is only
> > slightly less dangerous, and even Firefox has a few issues.
> >
> > The most common danger with JavaScript is when it is used to hide
> > malicious activity from a user by, for example, rewriting the text
> > in the address bar to hide a website switch.
> >
> > Linux has far fewer issues with both technologies for 2 reasons:
> >          1) The Linux Architecture is very different from Windows,
> > and most malicious threats are not currently designed to handle
> > Linux. Many fail quietly, many others cause something obviously
> > strange to happen. 2) Even if code is written to work on Linux, the
> > design of the system is such that most user accounts are very
> > limited in what they can do (unless you're running as root, in
> > which case you must be utterly insane to be running a browser
> > session). So long as you're following recommended practice for a
> > Linux system (very few sudoers, root login disabled, etc...) you
> > shouldn't have too many problems.
> >
> > I generally leave both Java and JavaScript disabled on my system,
> > and only turn them on for sites where they're required, and I am
> > reasonably certain that the site is legitimate. I also have Flash
> > disabled due to its myriad insecure "Features". Various browsers
> > have different ways of handling these items. Firefox has 2 very
> > nice extensions for this, FlashBlock blocks Flash until you click a
> > "play" icon that replaces the Flash image, and PrefBar allows you
> > to place a simple checkbox on your toolbar to turn Java or
> > JavaScript on or off on the fly.
> >
> > Hope this helps.
> >
> > ==Joseph++
> >
> > G Gambill wrote:
> > > is enabling Java and/or Java Scripts a Security Risk on:
> > >
> > > on Windows XP?
> > >
> > > on Linux?
> > >
> > > If so, under what conditions?
> > >
> > > George
> > >
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list -
> > > To subscribe, unsubscribe, or to change your mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
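Joseph's quoted point about Web Start is that a signed JAR launched through a JNLP descriptor can ask for unrestricted access, and that the only sensible response is to check what is being requested and who signed it before the launcher grants it. As an added example, not part of this thread or of any Java tooling, here is a small Python inspector that reads a JNLP descriptor offline and reports whether it requests all-permissions (a descriptor with no `<security>` element runs in the sandbox), which JARs it would download, and whether anything is fetched over plain HTTP or from outside the declared codebase. The two descriptors are constructed samples with made-up hosts.

```python
"""Inspect a Java Web Start (JNLP) descriptor before it is launched.

Added example for the Web Start discussion; the sample descriptors and
hosts below are constructed, not taken from any real application.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class JnlpReport:
    codebase: str
    requests_all_permissions: bool
    jars: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def inspect_jnlp(jnlp_xml: str) -> JnlpReport:
    """Parse a JNLP document and summarise what it asks the launcher for."""
    root = ET.fromstring(jnlp_xml)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP descriptor (root element is %r)" % root.tag)

    codebase = root.get("codebase", "")

    # Per the JNLP format, <security> holds either <all-permissions/> or
    # <j2ee-application-client-permissions/>; absence means sandboxed.
    security = root.find("security")
    all_perms = security is not None and (
        security.find("all-permissions") is not None
        or security.find("j2ee-application-client-permissions") is not None
    )

    jars = [
        jar.get("href", "")
        for res in root.findall("resources")
        for jar in res.findall("jar")
    ]

    warnings = []
    if all_perms:
        warnings.append(
            "descriptor requests unrestricted access; run only if every JAR "
            "is signed by a signer you trust and the signature verifies"
        )
    if not codebase.startswith("https://"):
        warnings.append(
            "codebase is not https; descriptor and JARs can be altered in transit"
        )
    for jar in jars:
        # Absolute JAR URLs outside the codebase widen who can supply code.
        if "://" in jar and not jar.startswith(codebase):
            warnings.append("jar %s is loaded from outside the codebase" % jar)

    return JnlpReport(codebase, all_perms, jars, warnings)


# Constructed sample: sandboxed application, https codebase, single JAR.
SANDBOXED_JNLP = """<jnlp spec="1.0+" codebase="https://example.invalid/app" href="viewer.jnlp">
  <information><title>Viewer</title><vendor>Example (constructed)</vendor></information>
  <resources>
    <j2se version="1.5+"/>
    <jar href="viewer.jar" main="true"/>
  </resources>
  <application-desc main-class="example.Viewer"/>
</jnlp>"""

# Constructed sample: asks for all-permissions, plain-http codebase, and pulls
# a JAR from a second host.
FULL_PERMS_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/tools" href="tool.jnlp">
  <information><title>Tool</title><vendor>Example (constructed)</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.5+"/>
    <jar href="tool.jar" main="true"/>
    <jar href="http://mirror.invalid/lib/helper.jar"/>
  </resources>
  <application-desc main-class="example.Tool"/>
</jnlp>"""


if __name__ == "__main__":
    for name, doc in (("sandboxed", SANDBOXED_JNLP), ("all-permissions", FULL_PERMS_JNLP)):
        report = inspect_jnlp(doc)
        print(name, "->", "UNRESTRICTED" if report.requests_all_permissions else "sandboxed")
        print("  jars:", report.jars)
        for w in report.warnings:
            print("  warning:", w)
```

The inspector only answers the first of Joseph's three conditions (what the code is asking for); whether the signer is trusted and whether the JAR signature actually verifies still has to be checked against the JAR itself with the Java tooling, which this script deliberately does not replace.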