flat assembler
Message board for the users of flat assembler.

Thread: haven't heard the news? please disable your JAVA (page 2 of 2)
revolution (When all else fails, read the source)
Joined: 24 Aug 2004 | Posts: 17248 | Location: In your JS exploiting you and your system
Java is one of those things that can sometimes be really hard to avoid.

I do have Java installed because one of the hardware support programs I use needs it. So I'm going to name and shame that company here:

Lattice Semiconductor: Please update your tools to native applications and stop using the JVM. I am tired of having to run an external VM for your stuff because of the future and/or current Java vulnerabilities. [/rant]
Post 15 Jan 2013, 10:49
TmX
Joined: 02 Mar 2006 | Posts: 821 | Location: Jakarta, Indonesia
ManOfSteel wrote:
The only websites I've *ever* seen using Java are "Youtube video grabbing" websites and websites with simulations and demos (physics, astronomy, biology, etc.)

Yep. Java applets are not widely used nowadays.
Most people still prefer Flash, or HTML5.
Post 15 Jan 2013, 11:03
sleepsleep
Joined: 05 Oct 2006 | Posts: 8867
runescape is very fun to play,
http://www.runescape.com/
Post 15 Jan 2013, 12:13
TmX
Joined: 02 Mar 2006 | Posts: 821 | Location: Jakarta, Indonesia
revolution wrote:
Lattice Semiconductor: Please update your tools to native applications and stop using the JVM. I am tired of having to run an external VM for your stuff because of the future and/or current Java vulnerabilities.

This reminds me of Microchip's MPLAB X IDE. MPLAB X is based on NetBeans, while the old MPLABs were not.
Post 15 Jan 2013, 16:54
f0dder
Joined: 19 Feb 2004 | Posts: 3170 | Location: Denmark
ManOfSteel wrote:
Meh, an old urban legend made to discourage people from visiting porn websites and using cracked warez.

The only websites I've *ever* seen using Java are "Youtube video grabbing" websites and websites with simulations and demos (physics, astronomy, biology, etc.)

Oh sure, you don't see Java applets being (ab)used on the "proper" warez/pr0n sites. But the crappy shams that lure you with w/p in order to make you join their botnet will surely be using drive-by Java-Applet, Flash and AdobePDF vulnerabilities (and OLE/ActiveX stuff) in addition to whatever browser-only exploits they attempt.

revolution wrote:
Lattice Semiconductor: Please update your tools to native applications and stop using the JVM. I am tired of having to run an external VM for your stuff because of the future and/or current Java vulnerabilities. [/rant]

Does it run in your browser? If not, it isn't really a security problem. That the interface might suck and the program is probably slower than necessary is quite another subject :)

_________________
[image] - carpe noctem
Post 15 Jan 2013, 17:09
typedef
Joined: 25 Jul 2010 | Posts: 2913 | Location: 0x77760000
[image]
Post 15 Jan 2013, 23:10
revolution (When all else fails, read the source)
Joined: 24 Aug 2004 | Posts: 17248 | Location: In your JS exploiting you and your system
f0dder wrote:
revolution wrote:
Lattice Semiconductor: Please update your tools to native applications and stop using the JVM. I am tired of having to run an external VM for your stuff because of the future and/or current Java vulnerabilities. [/rant]
Does it run in your browser? If not, it isn't really a security problem.
It does not interact with my browser in any way. I do not know what it does internally and I don't have time to analyse its behaviour. I do not know what risk I am exposed to from using Java in this way and I'd rather not find out the hard way. Perhaps I am just being too overcautious, but better that than letting some criminal have their way with my system.
Post 16 Jan 2013, 00:36
ASM-Man
Joined: 11 Jan 2013 | Posts: 65
WOW, are there Java programmers in this forum?
Post 16 Jan 2013, 03:13
typedef
Joined: 25 Jul 2010 | Posts: 2913 | Location: 0x77760000
revolution wrote:
f0dder wrote:
revolution wrote:
Lattice Semiconductor: Please update your tools to native applications and stop using the JVM. I am tired of having to run an external VM for your stuff because of the future and/or current Java vulnerabilities. [/rant]
Does it run in your browser? If not, it isn't really a security problem.
It does not interact with my browser in any way. I do not know what it does internally and I don't have time to analyse its behaviour. I do not know what risk I am exposed to from using Java in this way and I'd rather not find out the hard way. Perhaps I am just being too overcautious, but better that than letting some criminal have their way with my system.

No you're not. You have no idea what could happen.

Hell, even the old JAVA drive-bys are still used these days.
Post 16 Jan 2013, 06:34
f0dder
Joined: 19 Feb 2004 | Posts: 3170 | Location: Denmark
revolution wrote:
It does not interact with my browser in any way. I do not know what it does internally and I don't have time to analyse its behaviour. I do not know what risk I am exposed to from using Java in this way and I'd rather not find out the hard way. Perhaps I am just being too overcautious, but better that than letting some criminal have their way with my system.

Then security isn't really an issue. The problem with Java is mainly applets - the Oracle/SUN Java browser plugin has had a lot of pwnz-vulns, and it's internet-facing.

But outside of the browser, unless you're running something that accepts incoming connections from the internet (remote exploit), or runs as a system service (local privilege escalation), I really wouldn't worry - if somebody has enough access to exploit regular Java applications on your machine, you have much bigger problems... and if anybody tries doing it, you're facing targeted attacks and not drive-bys... which also means you have big problems.

typedef wrote:
No you're not. You have no idea what could happen.

Hell, even the old JAVA drive-bys are still used these days.

And those are against applets.

If you want to defend yourself, know who the enemy is and which weapons he uses.

_________________
[image] - carpe noctem
Post 16 Jan 2013, 08:23
typedef
Joined: 25 Jul 2010 | Posts: 2913 | Location: 0x77760000
f0dder wrote:
If you want to defend yourself, know who the enemy is and which weapons he uses.

Afghanistan?

IEDs man. Insurgents made from hatred because of "democracy".
Post 16 Jan 2013, 11:25
ManOfSteel
Joined: 02 Feb 2005 | Posts: 1154
Post 17 Jan 2013, 19:34
typedef
Joined: 25 Jul 2010 | Posts: 2913 | Location: 0x77760000
Seriously, this thing gets scarier by the moment for us JAVA developers, because we have the shitty exploitable software on our precious machines.

Maybe Google should dump JAVA and go with something... like Assembly (OMG, I'd get a boner). That'd be sweet.
Post 17 Jan 2013, 22:50
sleepsleep
Joined: 05 Oct 2006 | Posts: 8867
Maybe there are some concerted efforts to down-market Java, exploit it and turn anything that uses Java into chaos; it seems like they are preparing to use it as an excuse for some huge event in the future,

e.g., your favourite banks here.

Are we witnessing a historical event at this moment? Maybe.
Post 17 Jan 2013, 23:19
f0dder
Joined: 19 Feb 2004 | Posts: 3170 | Location: Denmark
typedef wrote:
Seriously, this thing gets scarier by the moment for us JAVA developers, because we have the shitty exploitable software on our precious machines.

Stop yelling that the sky is falling - it's the browser plugin that's problematic, not the JRE or JDK by itself.

As for Android, the Dalvik VM is different from whOracle's JVM. While the Android SDK API includes a large subset of the JavaSE API, it's a clean-room re-implementation. In other words, bugs that let you exploit whOracle are very unlikely to exploit Android.

There's also the OpenJDK, but I'm not sure of its state compared to mainline whOracle these days - there was something about making OpenJDK the reference implementation of Java7, but you never really know with whOracle.

Anyway, just get rid of the browser plugin and you'll be fine.

_________________
[image] - carpe noctem
Post 18 Jan 2013, 00:02
TmX
Joined: 02 Mar 2006 | Posts: 821 | Location: Jakarta, Indonesia
sleepsleep wrote:
Maybe there are some concerted efforts to down-market Java, exploit it and turn anything that uses Java into chaos; it seems like they are preparing to use it as an excuse for some huge event in the future,

No. I guess at worst it can only affect the desktops running it exploitable by crackers (?)

On the other hand, the desktop is not what most Java developers are targeting.
Servers, mobile phones, and embedded systems (?) are.

I'm pretty sure though that some people (esp Java haters) think Java will be doomed due to this bug. ;)
Post 18 Jan 2013, 01:30
typedef
Joined: 25 Jul 2010 | Posts: 2913 | Location: 0x77760000
f0dder wrote:
typedef wrote:
Seriously, this thing gets scarier by the moment for us JAVA developers, because we have the shitty exploitable software on our precious machines.

Stop yelling that the sky is falling - it's the browser plugin that's problematic, not the JRE or JDK by itself.

As for Android, the Dalvik VM is different from whOracle's JVM. While the Android SDK API includes a large subset of the JavaSE API, it's a clean-room re-implementation. In other words, bugs that let you exploit whOracle are very unlikely to exploit Android.

There's also the OpenJDK, but I'm not sure of its state compared to mainline whOracle these days - there was something about making OpenJDK the reference implementation of Java7, but you never really know with whOracle.

Anyway, just get rid of the browser plugin and you'll be fine.

I disabled it. But my point was that you have to have the JDK in order to develop for android. So if Google dropped using JAVA then there would be no point in having it anymore.
Post 18 Jan 2013, 03:01
revolution (When all else fails, read the source)
Joined: 24 Aug 2004 | Posts: 17248 | Location: In your JS exploiting you and your system
f0dder wrote:
But outside of the browser, unless you're running something that accepts incoming connections from the internet (remote exploit), or runs as a system service (local privilege escalation), I really wouldn't worry - if somebody has enough access to exploit regular Java applications on your machine, you have much bigger problems... and if anybody tries doing it, you're facing targeted attacks and not drive-bys... which also means you have big problems.
The only protection I have from incoming connections is my firewall. I recently switched to a whitelist and this makes me feel much more comfortable than with a blacklist. My VM does not get to connect to the outside world (assuming my firewall is doing its job properly).
Post 19 Jan 2013, 16:06
f0dder
Joined: 19 Feb 2004 | Posts: 3170 | Location: Denmark
TmX wrote:
No. I guess at worst it can only affect the desktops running it exploitable by crackers (?)

Some of the exploits used to exploit Java applets could definitely be used for mischief outside of the browser as well. But targeting Java outside the browser, the code is already running, well, outside of the browser. If you've gotten this far, you'd probably be able to run native code anyway. So, for "desktop" Java exploitation to be a problem, you'd need to be able to somehow target a Java program running with more privileges than the current user account.

There's not a whole lot of desktop Java software, for regular users the only thing that comes to mind is MineCraft :) (which has regular user privileges) - and perhaps CrashPlan (which does run as a higher-privilege service). For developers, there's obviously a fair amount of potential targets, but they tend to run with regular user privileges, and thus aren't interesting.

TmX wrote:
On the other hand, the desktop is not what most Java developers are targeting.
Servers, mobile phones, and embedded systems (?) are.

And there could be some interesting server related targets - some of the recent attacks have been against bugs in the API rather than against the JVM (like, the reflection API getting some safeguards wrong). Outside of the browser, I'm still not sure how much of a problem this is, though. To exploit such a thing, you'd need to be able to plant code on the target system - and in such a case, there'd normally be much bigger problems, much easier attack vectors. There's probably some real-life ways to exploit, but

typedef wrote:
I disabled it. But my point was that you have to have the JDK in order to develop for android. So if Google dropped using JAVA then there would be no point in having it anymore.

Well, unless you use one of the Java-based IDEs, of course :) - and I kinda doubt Google is going to drop the Java dependency. Sure, their VM is Dalvik and not Java, but the /language/ is Java and huge parts of the API are 1:1 copies of the Java standard library... I guess you could do JRE-less development with a raw text editor, the JARs from the JDK, and a non-whOracle compiler (IBM used to have one, but I have no idea whether it's still around and which version of Java it supports). But for Google to "drop Java" would mean a massive cost, so it's not going to happen unless there's a really good reason for it (lawsuits could be such a thing, exploits galore isn't, as long as the exploits are fixed. Especially considering that the runtime Android platform isn't exploitable by the same bugs as the JRE.)

revolution wrote:
The only protection I have from incoming connections is my firewall. I recently switched to a whitelist and this makes me feel much more comfortable than with a blacklist. My VM does not get to connect to the outside world (assuming my firewall is doing its job properly).

I don't run any firewall except Windows' built-in (which is just fine IMHO - I don't see a point in 3rd party firewalls these days)... but I also do have a NAT'ing router, and only forward the specific ports I need. So, anyway, as long as you don't have the browser plugin installed/enabled, you probably don't have a security problem :)

_________________
[image] - carpe noctem
Post 19 Jan 2013, 21:14
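As an added example (not code from the thread or from any poster), this is what the whitelist-style outbound policy revolution describes, and the "built-in Windows firewall is fine" point f0dder makes, look like on the Windows firewall with the NetSecurity cmdlets: deny outbound by default, allow only named programs, and keep the desktop JVM off the network explicitly. The program paths are assumptions.

```powershell
# Added example, not from the forum thread. Run from an elevated PowerShell on
# Windows 8 / Server 2012 or later (NetSecurity module). Paths are assumptions;
# adjust them to the programs actually installed on your machine.

# 1. Default-deny outbound on every profile. Unsolicited inbound is already
#    blocked by default; the built-in "Core Networking" outbound rules (DNS,
#    DHCP) remain enabled, so name resolution keeps working.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Whitelist: only the programs that legitimately need the network.
$allowed = @{
    'Allow Firefox out' = 'C:\Program Files\Mozilla Firefox\firefox.exe'  # assumed path
}
foreach ($name in $allowed.Keys) {
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
        -Program $allowed[$name] -Profile Any
}

# 3. Make the JVM's lack of network access explicit. Under default-deny this
#    rule is redundant, but it survives if step 1 is ever reverted and it is
#    visible in the rule list when you audit the machine later.
$jvm = 'C:\Program Files\Java\jre7\bin\javaw.exe'   # assumed: JRE used by the vendor tool
New-NetFirewallRule -DisplayName 'Block JVM out' -Direction Outbound -Action Block `
    -Program $jvm -Profile Any

# 4. Verify: the effective default action per profile, and the rules just added.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'Allow *', 'Block JVM out' |
    Format-Table DisplayName, Direction, Action, Enabled
```

Note that this only covers the non-browser case the thread is discussing; the browser plugin itself is disabled or uninstalled in the browser, not by a firewall rule.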

Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.