
Should I be wary of Java and Adobe.

4147 Views 59 Replies Latest reply: Jul 8, 2011 6:20 AM by etresoft
  • etresoft Level 7 Level 7 (23,880 points)
    Jul 6, 2011 6:34 AM (in response to ds store)

    ds store wrote:

    I was hoping to ask the "15 years with Java" guy all about it.

    I guess technically I'm a "15 years with Java" guy too. I first used Java in 1996. I try to avoid it but I don't always succeed. If you want to read up on the security details of the Java/Javascript bridge, here is some additional information: http://download.oracle.com/javase/1.3/docs/guide/plugin/security.html#liveconnect

    I think you're really on a wild goose chase here. Revealing one's internal IP address is not in any way a security risk. It is an internal address. No one on the outside can ever get to it. It doesn't exist beyond your router.

    Very few of these security updates hold any meaningful real-world risk. They are the result of self-styled internet "security researchers" looking for potential vulnerabilities. The security threats that people worry most about are the ones that have the least likelihood of ever occurring in the real world. Nothing mentioned in this thread is ever going to hurt anyone. This sort of hacking just doesn't happen - ever. Why on earth would a hacker try to break into one person's Mac on a local network behind a router? That takes an extraordinary amount of skill. It is far easier to use a 15 year-old, hacking 101 SQL injection exploit and steal identities and credit cards of millions of people from some web site.

  • ds store Level 7 Level 7 (30,305 points)
    Jul 6, 2011 7:38 AM (in response to Bob Lang1)

    Bob Lang1 wrote:

    Ah! Got it working now: because I don't routinely use Firefox I hadn't updated for years. A new update of Firefox and I now get localhost/127.0.0.1 returned.

    I'm intrigued that this might be a security risk but I'm not sure how.

    Bob

    Oh, thanks Bob, I thought you were "with Java for 15 years" as a programmer or deeply associated with Sun/Oracle in some fashion.

  • ds store Level 7 Level 7 (30,305 points)
    Jul 6, 2011 8:12 AM (in response to etresoft)

    etresoft wrote:

    I guess technically I'm a "15 years with Java" guy too. I first used Java in 1996. I try to avoid it but I don't always succeed. If you want to read up on the security details of the Java/Javascript bridge, here is some additional information: http://download.oracle.com/javase/1.3/docs/guide/plugin/security.html#liveconnect

    Thanks.

    I think you're really on a wild goose chase here. Revealing one's internal IP address is not in any way a security risk. It is an internal address. No one on the outside can ever get to it. It doesn't exist beyond your router.

    Sure, anyone running a compromised website can call Java and get the internal IP, however my understanding is the security benefit of the router is to MASK the internal IPs from the outside world, correct?

    And since Safari doesn't allow Java to call this command, it kind of begs the question why?

    Very few of these security updates hold any meaningful real-world risk. They are the result of self-styled internet "security researchers" looking for potential vulnerabilities. The security threats that people worry most about are the ones that have the least likelihood of ever occurring in the real world. Nothing mentioned in this thread is ever going to hurt anyone. This sort of hacking just doesn't happen - ever. Why on earth would a hacker try to break into one person's Mac on a local network behind a router? That takes an extraordinary amount of skill. It is far easier to use a 15 year-old, hacking 101 SQL injection exploit and steal identities and credit cards of millions of people from some web site.

    The "for profit" motivation is not the issue here.

    For example, I might have come up with a cure for cancer which would attract the most brilliant minds to hack into my machine to gain access to this valuable knowledge and publish it as their own.

    For the purposes of this example I might be a biological genius, but not a computer genius.

    I do know that the less THEY know, the better.

    I like to know what does what, and what reveals what, that an attacker can use to gain entry by the process of deduction and elimination.

    People are clever and can fill in the blanks, but not if all the spaces are blank. Like a Sudoku puzzle with no numbers filled in, they have nothing to go on.

    Java giving up the internal IP of the computer for really no good purpose whatsoever is just another filled-in blank spot which can be eliminated.

  • etresoft Level 7 Level 7 (23,880 points)
    Jul 6, 2011 8:57 AM (in response to ds store)

    ds store wrote:

    Sure, anyone running a compromised website can call Java and get the internal IP, however my understanding is the security benefit of the router is to MASK the internal IPs from the outside world, correct?

    It doesn't work that way. A router doesn't just mask the internal IP addresses. The router creates a separate, internal network. Hosts on the internal network are not reachable from the outside world at all. You have to establish NAT entries on the router that will route connections to the router's port X to an internal address at port Y. Without those NAT entries, nothing will get through the router. Knowing someone's internal IP address is useless knowledge.

    And since Safari doesn't allow Java to call this command, it kind of begs the question why?

    It is nothing that Safari does on purpose. It is just an old feature of Netscape that Firefox still has. It just never caught on with anyone else.

    I do know that the less THEY know, the better.

    I like to know what does what, and what reveals what, that an attacker can use to gain entry by the process of deduction and elimination.

    People are clever and can fill in the blanks, but not if all the spaces are blank. Like a Sudoku puzzle with no numbers filled in, they have nothing to go on.

    THEY are a whole lot less clever than you give them credit for. There are many scripts floating around to hack into poorly built web sites. There are many virus and trojan templates floating around that can hijack a Windows PC. The people controlling these scripts are called "script kiddies". They have no idea how they work, they just know what buttons to press. Even the most basic, rudimentary security practices will defeat them.

    Java giving up the internal IP of the computer for really no good purpose whatsoever is just another filled-in blank spot which can be eliminated.

    It is a non-issue. Even if you know the internal IP addresses, you can't get to them. You can only access them through the router. The hackers already have port scanners that check routers for known P2P ports.
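    The NAT behaviour etresoft describes above (an inbound connection only reaches a LAN host through an explicit port-forward entry, or through a mapping the LAN host itself created by connecting outward) can be made concrete with a small model. The following Python is an added illustration, not code from this thread or from any router vendor: the `Router` class, its method names and the sample addresses (a 10.0.1.0/24 LAN behind a constructed WAN address 203.0.113.5, with 198.51.100.9 standing in for an Internet host) are all constructed for the example. It shows why a leaked address such as 10.0.1.2 or 127.0.0.1 is not reachable from the outside: it is not globally routable, and the router drops anything for which it has no mapping.

```python
"""Toy model of a consumer NAT router (constructed example, not real router code).

Inbound packets reach a LAN host only via a static port forward or via a
connection-tracking entry created by an earlier outbound connection.
"""
import ipaddress
from dataclasses import dataclass, field


def is_private(addr: str) -> bool:
    """True when addr is not globally routable (RFC 1918, loopback, link-local, ...).

    Such an address 'doesn't exist beyond your router': upstream networks never
    route traffic to it, so learning it tells an outsider nothing reachable.
    """
    return not ipaddress.ip_address(addr).is_global


@dataclass
class Router:
    wan_ip: str                      # public-facing address (constructed: 203.0.113.5)
    lan_net: str                     # internal network, e.g. "10.0.1.0/24"
    # Static DNAT entries: (proto, wan_port) -> (lan_ip, lan_port)
    port_forwards: dict = field(default_factory=dict)
    # Dynamic mappings from outbound connections:
    # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    conntrack: dict = field(default_factory=dict)
    next_port: int = 40000           # next ephemeral WAN port to hand out

    def add_port_forward(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """Administrator-created rule: router:wan_port -> lan_ip:lan_port."""
        if ipaddress.ip_address(lan_ip) not in ipaddress.ip_network(self.lan_net):
            raise ValueError(f"{lan_ip} is not inside {self.lan_net}")
        self.port_forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, proto: str, lan_ip: str, lan_port: int,
                 remote_ip: str, remote_port: int) -> int:
        """A LAN host connects out; the router allocates a WAN port and records the mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[(proto, wan_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return wan_port

    def inbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """A packet arrives on the WAN side. Returns (lan_ip, lan_port) if delivered, else None."""
        if dst_ip != self.wan_ip:
            # A packet addressed straight to a private LAN address is never delivered to the
            # WAN interface; RFC 1918 space is not routed across the Internet.
            return None
        key = (proto, dst_port)
        if key in self.conntrack:
            lan_ip, lan_port, remote_ip, remote_port = self.conntrack[key]
            # Only the peer the LAN host actually talked to may use this mapping.
            return (lan_ip, lan_port) if (src_ip, src_port) == (remote_ip, remote_port) else None
        if key in self.port_forwards:
            return self.port_forwards[key]
        return None  # no NAT entry: dropped at the router


if __name__ == "__main__":
    r = Router("203.0.113.5", "10.0.1.0/24")
    print("10.0.1.2 private:", is_private("10.0.1.2"))
    print("direct to LAN host:", r.inbound("tcp", "198.51.100.9", 5555, "10.0.1.2", 22))
    print("to router, no rule:", r.inbound("tcp", "198.51.100.9", 5555, "203.0.113.5", 22))
    r.add_port_forward("tcp", 8080, "10.0.1.2", 80)
    print("to router, forwarded:", r.inbound("tcp", "198.51.100.9", 5555, "203.0.113.5", 8080))
    p = r.outbound("tcp", "10.0.1.2", 51000, "198.51.100.9", 443)
    print("reply to outbound:", r.inbound("tcp", "198.51.100.9", 443, "203.0.113.5", p))
    print("stranger on same port:", r.inbound("tcp", "192.0.2.77", 443, "203.0.113.5", p))
```

    Running the block shows the two cases the thread argues about: traffic aimed at 10.0.1.2 directly, or at the router without a forwarding rule, returns `None`, while a forwarded port or a reply to the LAN host's own outbound connection is delivered. The model ignores timeouts, UPnP and hairpinning, which is where real routers differ from this simplification.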

  • ds store Level 7 Level 7 (30,305 points)
    Jul 6, 2011 9:53 AM (in response to etresoft)

    etresoft wrote:

    It doesn't work that way. A router doesn't just mask the internal IP addresses. The router creates a separate, internal network. Hosts on the internal network are not reachable from the outside world at all. You have to establish NAT entries on the router that will route connections to the router's port X to an internal address at port Y. Without those NAT entries, nothing will get through the router.

    Ok thanks, I figured something like that was occurring, or what's the use, right?

    Yet by the return of the internal IP one can determine how many devices are present on the LAN, correct?

    The people controlling these scripts are called "script kiddies". They have no idea how they work, they just know what buttons to press. Even the most basic, rudimentary security practices will defeat them.

    My interest is giving malicious hackers as little as possible, either information or exposure. Creating a hardened machine/network, basically.

  • etresoft Level 7 Level 7 (23,880 points)
    Jul 6, 2011 12:10 PM (in response to ds store)

    ds store wrote:

    Yet by the return of the internal IP one can determine how many devices are present on the LAN, correct?

    Not necessarily. IP addresses just get handed out as they are requested. A device will keep its IP address as long as its network interface stays up - or it could get auto renewed. You could be the first IP address at 10.0.1.2 or the 3rd (and last) at 10.0.1.18. A hacker wouldn't know or be physically able to access any of it until they had gotten into your router.

    My interest is giving malicious hackers as little as possible, either information or exposure. Creating a hardened machine/network, basically.

    The kind of hacking you are worried about could be attempted by only a few dozen people in the world. Even then, only certain routers and certain firmwares are hackable. I can assure you that they aren't interested in hacking your network.

  • ds store Level 7 Level 7 (30,305 points)
    Jul 6, 2011 12:20 PM (in response to etresoft)

    etresoft wrote:

    Not necessarily. IP addresses just get handed out as they are requested. A device will keep its IP address as long as its network interface stays up - or it could get auto renewed. You could be the first IP address at 10.0.1.2 or the 3rd (and last) at 10.0.1.18. A hacker wouldn't know or be physically able to access any of it until they had gotten into your router.

    So what do you think of the practice of some who stay behind two routers?

    Kind of crazy, or are they just assuming one will be hacked?

  • dwb Level 6 Level 6 (19,675 points)
    Jul 6, 2011 12:21 PM (in response to ds store)

    Please, send them to my tin hat store

  • ds store Level 7 Level 7 (30,305 points)
    Jul 6, 2011 12:27 PM (in response to dwb)

    Hey dwb!

    You got any cans of that spray-on tin foil left?

    I'm going to shave my head again.

  • etresoft Level 7 Level 7 (23,880 points)
    Jul 6, 2011 3:17 PM (in response to ds store)

    ds store wrote:

    So what do you think of the practice of some who stay behind two routers?

    Kind of crazy, or are they just assuming one will be hacked?

    When I said "a few dozen", I wasn't exaggerating. The likelihood of your router being hacked is far less than winning the lottery. How do I know this? Because people win the lottery all the time. Hacking a router is technically possible, but doesn't ever happen.

    Don't make me start posting links to documented occurrences of fish and other unlikely critters falling from the sky. I'll do it.

  • Klaus1 Level 8 Level 8 (43,300 points)
    Jul 6, 2011 3:30 PM (in response to etresoft)
    20" 2.1GHz iSight iMac G5,, Mac OS X (10.5.8), iLife 9 but iMovie 6, QTPro 7.6.9, Safari 5.0.5
  • Bob Lang1 Level 5 Level 5 (4,080 points)
    Jul 7, 2011 2:33 AM (in response to Klaus1)

    Why does it only ever rain fish, frogs, etc.?

    Why is there never a rain of MacBook Pros, 42" Plasma TVs, or something useful like that?

    Bob

  • Ronda Wilson Level 8 Level 8 (40,555 points)
    Jul 7, 2011 8:00 PM (in response to Bob Lang1)

    They would break and/or break arms and heads trying to catch them.

    Wouldn't it be the pits to have a nice new MBP fall from the sky and miss catching it?

  • Khurt Williams Level 1 Level 1 (10 points)
    Jul 8, 2011 3:51 AM (in response to Bob Lang1)

    Respectfully, I disagree. The "write once, run anywhere" promise is broken and so is the security model. I put Java and Adobe Flash in the same bucket: legacy technology that needs to be removed from every browser. I've removed all traces of Adobe Flash from my Mac and I'm looking for ways to remove Java. I'm certainly happy Apple is removing both from OS X Lion.

    Chester Wisniewski from Sophos took the same line in his blog post on the issue, saying:

    If you haven't already, I recommend testing out your standard OS images without the Java plug-in. Most people aren't using Java these days and it reduces the attack surface for exploits delivered over the internet.

    http://www.zdnet.co.uk/blogs/jacks-blog-10017212/java-security-holes-need-fixing-immediately-10022661/

  • etresoft Level 7 Level 7 (23,880 points)
    Jul 8, 2011 6:20 AM (in response to Bob Lang1)

    Probably because all of those beasties are fairly numerous and fairly lightweight. Whatever propels things into the sky in sufficient quantities to rain down would be unlikely to do the same to even a 13" MacBook Pro. There aren't enough of them in one spot and they are too heavy.

    However, if rumors are correct, there may be a location in southern China that has up to 15 million thinner and very lightweight iPhone 5s. Chances are very good for widespread iPhone 5 showers this Fall.
