[ale] {OT} -- For the programmer on the list

Ron Frazier atllinuxenthinfo at c3energy.com
Thu Jan 12 20:29:33 EST 2012


On 1/12/2012 4:59 PM, Michael Potter wrote:
> On Thu, Jan 12, 2012 at 2:28 PM, Jay Lozier<jslozier at gmail.com>  wrote:
>    
>> On 01/12/2012 01:29 PM, Jim Kinney wrote:
>>
>> +1
>>
>> Java is both a place and a beverage. It's not a language worthy of
>> continuity.</snark>
>>
>>
>> <snark>And it is one the major security problems in the Windows world. IMHO
>> it is about halfway between a scripting language and an industrial strength
>> language with all the worst features of both and none of the advantages of
>> either</snark>
>>
>>      
> Jay,
>
> Could you elaborate on what major security problems are introduced to
> Windows because of the presence of Java/JVM?
>
> I use the JVM on windows and am interested in what security problems
> exist in Java/JVM versions in current use on Windows.
> I am not interested in the history of resolved problems.
>
> This is a sincere request for information, not bait for a debate.
>
>    

Hi Michael,

I realize you directed your comment to Jay, but I thought I'd throw this 
in.  I am not a security expert, but I do listen to some security 
podcasts like Security Now ( http://twit.tv/sn , 
http://www.grc.com/securitynow.htm ) and other computer related podcasts 
on the TWIT (This Week In Tech, http://twit.tv ) network.  These 
frequently provide useful information.  They're always talking about 
flaws in Java and security vulnerabilities related to Java.  While I 
cannot cite specific examples, I can assure you that it is a risk to any 
machine it's running on that is exposed to the public.  You could try 
searching through the transcripts of the show at grc.com .  You could 
also do some research at http://www.sans.org/security-resources/ .  I 
remember one problem they were discussing where a security researcher 
was able to bypass the same origin policy.  As I understand it, if your 
Java app is connected to nytimes.com, then an infected page shouldn't be 
able to load something ugly from hacker.com, etc.  They were able to get 
around that somehow.  There was a very notable case last year where a 
malicious ad was injected into the automated ad stream at the New York 
Times and several thousand users were infected with a trojan (I think) 
just by visiting the site.

I realize that this sounds a bit shallow without me giving specific 
references.  I don't have the time to look them up right now.  I will 
say, though, that I've become so convinced that Java is a security risk 
that I've removed it from my son's computer and my Dad's computer which 
I maintain and another relative's computer which I assist with as 
needed.  I'm working on learning Java programming, and I have some Java 
dependent applications, so it has to stay on my machines.  Any machine 
which has Java on it must be updated routinely.  I try to update the 
following every week, and at least every month, on my machines: OS 
patches, AV software, Firefox, Firefox addons, Java, Adobe Flash, and 
Adobe Reader. This includes Windows and Linux machines.  It's kind of my 
weekly ritual on Monday.

There is one genre of vulnerability that Java, or JavaScript, or any 
scripting language that can be in a web page, definitely opens up.  
Unfortunately, I speak from the personal experience of a relative whose 
computer I had to rebuild after it got a virus, twice.  That 
vulnerability is social engineering.  She somehow encountered a 
malicious web page.  Some form of scripting, probably Java or 
JavaScript, allowed the malicious page to create a new popup window with 
an EXTREMELY real looking display that said it was the AV software 
scanning her system, had found some viruses, and click here to remove 
them.  To us geeks, that may sound like a common ploy to deploy a virus, 
which it is.  But, to an end user who's never seen it before, it is 
quite convincing and scary.  In the 5 seconds of indecision, even though 
she's a pretty savvy user, she clicked the button, and that let the 
virus get its hooks into the system.  Modern malware is so 
sophisticated in some cases, that you can never really be sure you've 
gotten rid of it without erasing the hard drive and restoring backup 
data and reinstalling applications.  Right after the incident, she 
called me.  And, that procedure is exactly what I did to her machine.  
The backups were old, so it was almost like building a system from 
scratch.  It took 4 days.  I also took the opportunity to upgrade her to 
Vista, which is easier to secure than XP.  I've also heard of cases where 
a malicious web page injects a virus without user assistance.  On her 
machine, which is now running Vista, I have the User Account Control 
turned up to the max, so it's supposed to tell the user if anything 
requiring high security privileges occurs.  She got another virus 
half a year later and she's pretty sure she didn't click any buttons to 
invite it in.  That one immediately hid all her system files, and 
started producing very real looking hard disk sector error messages.  It 
had me going for a while and I was ready to replace the hard drive.  
Then, I booted a Linux CD and found that all the files were still 
there.  That took me another 3 days to fix, and I still don't know how 
it got in.  Again, I'm pretty sure scripting was part of the culprit.

I recommend to anyone who will listen to run Firefox instead of IE, and 
to run the NoScript plugin.  This disallows all scripting (including 
Java, JavaScript, Flash, and downloads) from running on a web page 
unless the site is explicitly trusted by the user.  This totally 
prevents so-called "drive by" attacks.  I eat my own dog food, and run 
the plugin myself.  Sure, it's a pain when my banking site doesn't 
work.  But, I just click a couple of buttons to tell the system to trust 
my bank, and the sites it relies on, then it works.  I only have to do 
that once.  My relative's computer is still running IE, and can still 
react to JavaScript, so this could happen again.  She says she couldn't 
possibly work if she had to approve every site to get it to work.  I 
think it wouldn't be as bad as she thinks.  I just hope she's really 
careful and keeps routine backups.

Hope this info helps.

PS, there are always "zero day" exploits that nobody in the good guys 
community knows about until they are exploited by the bad guys.  Of 
course, there's no way to know which ones of those exist in the current JVM.

Sincerely,

Ron


-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
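Editor's added example (not part of Ron's message, and not NoScript's or any browser's actual code): the "same origin policy" mentioned above is a comparison of the (scheme, host, port) triple of two URLs, and the "trust this site" behaviour described for NoScript can be modelled as an allow-list keyed by host. The code below implements both in plain Node.js using only the built-in URL parser; the host names nytimes.com, hacker.com, mybank.example and cdn.mybank.example are constructed for illustration, and the allow-list logic is a simplified model of a script-blocking plugin, not a description of NoScript's real rules.

```javascript
// Added example: a model of the browser's same-origin policy plus a
// NoScript-style per-site allow-list decision. Nothing is fetched; only
// URL parsing and string comparison happen here.

// An origin is the (scheme, host, port) triple. The WHATWG URL parser
// already drops a scheme's default port ("http://a.com:80" -> port ""),
// so two URLs that differ only in an explicit default port compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

// True when both URLs share scheme, host and port. Path, query and
// fragment are deliberately ignored: they are not part of the origin.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Simplified allow-list model (assumption, not NoScript's real logic):
// a script embedded in a page may run only if the page's host has been
// explicitly trusted by the user; a script loaded from a different origin
// additionally needs its own host on the trust list. That second rule is
// why a banking site usually needs "the sites it relies on" trusted too.
function scriptAllowed(pageUrl, scriptUrl, trustedHosts) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  if (!trustedHosts.has(page.hostname)) {
    return false;                       // page itself not trusted: block everything
  }
  if (sameOrigin(pageUrl, scriptUrl)) {
    return true;                        // first-party script on a trusted page
  }
  return trustedHosts.has(script.hostname); // third-party script: needs its own entry
}

// Constructed sample decisions, printed when the file is run directly.
const trusted = new Set(['mybank.example', 'cdn.mybank.example']);
const samples = [
  ['http://nytimes.com/front', 'http://nytimes.com:80/ad.js'],   // same origin
  ['http://nytimes.com/front', 'https://nytimes.com/ad.js'],     // scheme differs
  ['http://nytimes.com/front', 'http://www.nytimes.com/ad.js'],  // host differs
  ['http://nytimes.com/front', 'http://hacker.com/payload.js'],  // different site
];
for (const [page, script] of samples) {
  console.log(`${page} vs ${script}: sameOrigin=${sameOrigin(page, script)}`);
}
console.log('bank page, bank CDN script allowed:',
  scriptAllowed('https://mybank.example/login', 'https://cdn.mybank.example/lib.js', trusted));
console.log('bank page, hacker.com script allowed:',
  scriptAllowed('https://mybank.example/login', 'https://hacker.com/evil.js', trusted));
```

Run it with `node sop.js` (any file name works). The point to notice is that www.nytimes.com and nytimes.com are different origins, and http and https versions of one host are different origins, even though a user would call all of them "the same site"; and that the allow-list model never lets an untrusted page run anything, which is the property that stops a drive-by page from executing script before the user has made a trust decision.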


