Should I be wary of Java and Adobe.

4182 Views 59 Replies Latest reply: Jul 8, 2011 6:20 AM by etresoft RSS
  • Barney-15E Level 7 (33,560 points)
    Jul 5, 2011 7:38 PM (in response to ds store)

    You'd be better off disabling Javascript.

  • Barney-15E Level 7 (33,560 points)
    Jul 5, 2011 7:58 PM (in response to WZZZ)

    The "more info about you" page gets the internal IP using Java.

  • WZZZ Level 6 (11,900 points)
    Jul 5, 2011 8:15 PM (in response to Barney-15E)

    Barney-15E wrote:

     

    The "more info about you" page gets the internal IP using Java.

    Even if I have Java disabled in the browser? What's the "more info about page?"

     

    If I go to

     

    http://www.whatsmyip.org/

     

    it won't display my internal IP until I "allow" the site with JS (using NoScript.) Is that JS calling Java? Not possible, since I have Java disabled. Must be through JS alone.

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 8:18 PM (in response to WZZZ)

    WZZZ wrote:

     

    If I go to

     

    http://www.whatsmyip.org/

     

    it won't display my internal IP until I "allow" the site with JS (using NoScript.) Is that JS calling Java? Not possible, since I have Java disabled. Must be through JS alone.

     

    Web sites know your regular ISP-given IP as you're connecting to them. What you're not seeing is the display of this IP because you have scripts turned off with NS. (The site used to work before without scripts.)

     

     

     

    The link here

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

    when you click it, uses Javascript to use Java to get your internal IP, the one that connects your Mac to your router, which is possibly a security concern, as in Safari it doesn't work but on FF (without NS enabled) it does work.

     

    *crawls under the bed*

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 8:23 PM (in response to Barney-15E)

    Barney-15E wrote:

     

    You'd be better off disabling Javascript.

     

    Oh, that's been done ages ago with FF + NoScript. All scripts are turned off by default and enabled on a per site, per need basis until I've established trust with the site.

     

    The "more info about you" page gets the internal IP using Java.

     

    You mean under the Apple menu?

     

     

    *starts shivering in fear*

  • WZZZ Level 6 (11,900 points)
    Jul 5, 2011 8:22 PM (in response to ds store)

    But, again, I have the Java plug-in disabled. How can JS call Java if it's disabled?

  • Barney-15E Level 7 (33,560 points)
    Jul 5, 2011 8:26 PM (in response to ds store)

    The first link in the left bar of the Whatsmyip site, under networking tools.

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 8:30 PM (in response to WZZZ)

    WZZZ wrote:

     

    But, again, I have the Java plug-in disabled. How can JS call Java if it's disabled?

     

    Right you are, seems I was running with the FF Java enabled, now it's off and even

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

    Doesn't work now even if I hit the NS button. How could I let my computer go around giving up my internal IP like that, even to sites I've trusted?

     

    *whips oneself repeatedly*

  • WZZZ Level 6 (11,900 points)
    Jul 5, 2011 8:35 PM (in response to ds store)

    ds store wrote:

     

    WZZZ wrote:

     

    But, again, I have the Java plug-in disabled. How can JS call Java if it's disabled?

     

    Right you are, seems I was running with the FF Java enabled, now it's off and even

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

    Doesn't work now even if I hit the NS button. How could I let my computer go around giving up my internal IP like that, even to sites I've trusted?

     

    *whips oneself repeatedly*

    But it does work from whatsmyip, with Java disabled, but JS enabled. I've said this maybe three times now.

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 8:41 PM (in response to Barney-15E)

    Barney-15E wrote:

     

    The first link in the left bar of the Whatsmyip site, under networking tools.

     

    *screams in terror*

     

    "They found me, ahhh!"

     

    Ha, but they don't have my Internal IP!, it was that other guy who was sitting in my driveway last night, he did it.

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 8:46 PM (in response to WZZZ)

    WZZZ wrote:

     

    But it does work from whatsmyip, with Java disabled, but JS enabled. I've said this maybe three times now.

     

    No, it doesn't, well not here anyway. You're scaring me, I'm p.a.r.a.n.o.i.d you know.

     

    1: Java plugin disabled via FF add-ons

     

    2: NoScript enabled

     

    Equals....no internal IP revealed!

     

    I'm safe, plausible deniability is restored!

  • Bob Lang1 Level 5 (4,080 points)
    Jul 5, 2011 10:28 PM (in response to ds store)

    ds store wrote:

    I was hoping to ask the "15 years with Java" guy all about it.

    And I'd tell you to read up about Java security managers.  You might also like to check with the API description for getLocalHost which states:

     

    If there is a security manager, its checkConnect method is called with the local host name and -1 as its arguments to see if the operation is allowed. If the operation is not allowed, an InetAddress representing the loopback address is returned.

     

    If anyone thinks they've discovered a security hole in [Mac] Java then it should be reported to

    http://bugreporter.apple.com or http://download.oracle.com/javase/6/docs/api/

     

    Bob
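
The `getLocalHost` behaviour quoted in the post above can be observed directly. The following is an added example, not code from the thread or from any of the sites it mentions; the class names `LocalHostSandboxDemo` and `DenyConnect` are hypothetical, and it assumes a JDK that still permits installing a security manager at run time (JDK 17 or earlier by default).

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Permission;

public class LocalHostSandboxDemo {

    // Hypothetical stand-in for an applet sandbox: refuses every connect
    // check and permits everything else, so the demo can install and
    // remove the manager itself.
    static final class DenyConnect extends SecurityManager {
        @Override
        public void checkConnect(String host, int port) {
            // getLocalHost() calls this with the local host name and -1.
            throw new SecurityException("connect to " + host + ":" + port + " denied");
        }

        @Override
        public void checkPermission(Permission perm) {
            // Allow all other operations, including setSecurityManager(null).
        }
    }

    static InetAddress lookup() throws UnknownHostException {
        return InetAddress.getLocalHost();
    }

    public static void main(String[] args) throws Exception {
        // Without a security manager the real host address is returned
        // (on some hosts the name itself already resolves to a loopback address).
        System.out.println("no security manager : " + lookup());

        System.setSecurityManager(new DenyConnect());
        InetAddress sandboxed;
        try {
            // The denied checkConnect is caught inside getLocalHost(),
            // which then returns the loopback address instead of throwing.
            sandboxed = lookup();
        } finally {
            System.setSecurityManager(null);
        }
        System.out.println("checkConnect denied : " + sandboxed);
        System.out.println("is loopback         : " + sandboxed.isLoopbackAddress());
    }
}
```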

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 10:52 PM (in response to Bob Lang1)

    Welcome back Bob

     

    Question for you.

     

    We recently discovered that Javascript can be used to call a Java instruction.

     

    This Java instruction reveals the internal IP of a particular machine on the LAN by a website.

     

    How come this works on browsers like Firefox, yet not on Safari?

     

     

    I've heard reports/grumbling etc. that revealing the internal IP is a security concern, and if so how come Apple doesn't allow Java to return an internal IP on Safari and other browsers do?

     

    For instance this site reveals the internal IP on Firefox (all scripts running) and not on Safari (all scripts running)

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

     

    Could you answer me/us this question? Is it because there is a different form of Java on Macs that is not compatible with the site above, or is it Apple who decided to add a bit more security to the Java pie?

     

    And if/when Apple doesn't maintain Java anymore and it becomes standalone like Flash, will the problem with this issue return to Mac users?

     

    Thanks Bob

  • Bob Lang1 Level 5 (4,080 points)
    Jul 5, 2011 11:46 PM (in response to ds store)

    I've tried this on Safari, Firefox and Chrome, and nothing happens on any of them when I press the button.  I've double checked that Java, Javascript, etc are all enabled.

     

    I'm running the latest bog standard Java on 10.6.8 - how about the rest of you? 

     

    Bob

  • Bob Lang1 Level 5 (4,080 points)
    Jul 6, 2011 12:23 AM (in response to Bob Lang1)

    Ah! Got it working now: because I don't routinely use Firefox I hadn't updated for years.  A new update of Firefox and I now get localhost/127.0.0.1 returned.

     

    I'm intrigued that this might be a security risk but I'm not sure how. 

     

    Bob
