
Should I be wary of Java and Adobe?

4145 Views 59 Replies Latest reply: Jul 8, 2011 6:20 AM by etresoft
  • etresoft Level 7 (23,860 points)
    Jul 2, 2011 5:27 PM (in response to seventy one)

    I don't think there is anything wrong with bringing Microsoft into the mix. They are in much the same boat as Apple. Microsoft doesn't want to be dependent upon Adobe for their interactive web experience any more than Apple does. While Microsoft has Silverlight, it hasn't caught on as well as they had hoped. Microsoft isn't the Microsoft they once were. Like Apple, Microsoft is focusing on HTML5 support for the future.

     

    Java is not a big deal because there is very little Java web content. I haven't seen an applet in years.

  • Ronda Wilson Level 8 (40,555 points)
    Jul 3, 2011 12:39 PM (in response to seventy one)

    You know what?

     

    I have both Java and JavaScript enabled. I use Safari. I search Google images regularly. And I have never encountered MacDefender or its various offshoots in my sojourns on the internet (knock wood).

     

    If it happens, I'll deal with it then. Until then, "What, me worry?"

     


  • Barney-15E Level 7 (33,240 points)
    Jul 3, 2011 6:10 PM (in response to ds store)

    java.net.InetAddress.getLocalHost()

     

    Is NOT a "hole" but an actual command feature of Java that exists today.

     

     

    One can test that right here on this site:

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

    Yep, still works, fully updated too.

     

     

    Now what Bob?

     

    So. Every programming environment has a way to get the local IP address. How else would a program manipulate them?

    Java is a programming language, just like C, C++, C#, Pascal, etc.

     

    Javascript has very little to do with Java, mostly just the "java" in their names.

     

    That javascript you linked to does call the Java API getLocalHost function, but that has nothing to do with the security of Java. Interestingly, that button does nothing on my system.

  • etresoft Level 7 (23,860 points)
    Jul 4, 2011 9:43 AM (in response to ds store)

    ds store wrote:

     

    One can test that right here on this site:

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

    Yep, still works, fully updated too.

    It only works in Firefox and then only displays localhost. How is that a security hole?

     

    Interestingly, your example does bring up a topic I never knew about. Apparently it is possible to call Java from Javascript. Firefox and older browsers are apparently able to do this directly. Modern browsers can only access public methods from an applet, which already has extensive security checks.

     

    I was able to get more modern examples of this (known as "LiveConnect") to work in Safari. Apparently, this "hole" of accessing Java directly and revealing the user's localhost address of 127.0.0.1 (which is common to any computer with TCP/IP networking) only works in Firefox. 

  • Russa Level 4 (1,315 points)
    Jul 4, 2011 9:58 AM (in response to seventy one)

    JAVA and Adobe (Flash) are arguably standards in the industry. I guess you could use the Mac without these two software pieces, but then you would lose the "full experience". There was a recent Java update released under 10.6.8, and if you want to see Flash enabled video content on web pages then you'll need that support.

     

    I'm sure my next statement will draw some comments .. personally I use Intego's Virus Barrier 6 that offers a little more than just virus protection since it also has some internet and anomaly detection features.

     

    Keeping your MacOS (10.6.8) and support software current will provide as much protection as available in the industry.

  • Barney-15E Level 7 (33,240 points)
    Jul 4, 2011 4:32 PM (in response to Russa)

    Java is only required if you want to run something written in Java. As far as I can tell, there's not much in the "full experience" that I've needed since I asked Java its version and the OS asked if I wanted to install it. I'm not sure what I missed, but I guess I'll have to answer "no" to Jimi's question.

  • Klaus1 Level 8 (43,300 points)
    Jul 5, 2011 4:36 PM (in response to ds store)

    You can check the status of your plug-ins here:

    https://www.mozilla.com/en-US/plugincheck/

     

    No you can't.

     

    Quite the most useless thing I have seen in a while.

    It doesn't know that Flash 10.1 cannot be updated on this Mac.

    It describes all of the following as 'unknown plug-ins' that need further research:

    Flip4Mac

    Google Earth

    Adobe Acrobat and Reader

    RealPlayer

    Quartz Composer

    But presumably it is only for Firefox? Or Windows?

    20" 2.1GHz iSight iMac G5, Mac OS X (10.5.8), iLife 9 but iMovie 6, QTPro 7.6.9, Safari 5.0.5
  • ds store Level 7 (30,305 points)
    Jul 5, 2011 5:42 PM (in response to etresoft)

    etresoft wrote:

     

    It only works in Firefox and then only displays localhost. How is that a security hole?

     

    Interestingly, your example does bring up a topic I never knew about. Apparently it is possible to call Java from Javascript. Firefox and older browsers are apparently able to do this directly. Modern browsers can only access public methods from an applet, which already has extensive security checks.

     

    I was able to get more modern examples of this (known as "LiveConnect") to work in Safari. Apparently, this "hole" of accessing Java directly and revealing the user's localhost address of 127.0.0.1 (which is common to any computer with TCP/IP networking) only works in Firefox. 

     

    Yes, this is interesting, the site doesn't work in Safari. So I'm assuming here Apple perhaps understands a potential security risk with revealing the internal IP?

     

    I don't know, I'm not a network guru, but I heard bad things about this particular Java feature, especially with malicious sites, that it kind of negates the security of the router.

     

    I was hoping to ask the "15 years with Java" guy all about it.

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 5:45 PM (in response to Barney-15E)

    Barney-15E wrote:

     


    So. Every programming environment has a way to get the local IP address. How else would a program manipulate them?

    Java is a programming language, just like C, C++, C#, Pascal, etc.

     

    Javascript has very little to do with Java, mostly just the "java" in their names.

     

    That javascript you linked to does call the Java API getLocalHost function, but that has nothing to do with the security of Java. Interestingly, that button does nothing on my system.

     

    Likely because you're running Safari, anyway read my response to etresoft if you would.

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 5:50 PM (in response to Klaus1)

    Klaus1 wrote:

     

    You can check the status of your plug-ins here:

     

    https://www.mozilla.com/en-US/plugincheck/

     

    No you can't.

     

    Quite the most useless thing I have seen in a while.

    It doesn't know that Flash 10.1 cannot be updated on this Mac.

    It describes all of the following as 'unknown plug-ins' that need further research:

    Flip4Mac

    Google Earth

    Adobe Acrobat and Reader

    RealPlayer

    Quartz Composer

    But presumably it is only for Firefox? Or Windows?

     

    It's supposed to be for all browsers, but I've noticed it's not perfect at times.

     

    And a funny thing, I used the mozilla link check and it found an update for Flash for my system, but when I ran the installed Flash updater to check, it said I was up to date! (thread in the Lounge, sorry others)

     

    https://discussions.apple.com/thread/3156226?tstart=0

     

    So anyway it's a mystery how both of these functions are operating.

  • Barney-15E Level 7 (33,240 points)
    Jul 5, 2011 6:34 PM (in response to ds store)

    Likely because you're running Safari, anyway read my response to etresoft if you would.

    I did, but I'm still wondering why you are conflating Java with Javascript. They are two different things, totally unrelated.

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 6:45 PM (in response to Barney-15E)

    Barney-15E wrote:

     

    I did, but I'm still wondering why you are conflating Java with Javascript. They are two different things, totally unrelated.

     

    I've been around computers for 24 years and do know the difference there.

     

    What is interesting is that Javascript can call Java, that I didn't know.

     

    Likely the vice versa is true as well. Surprising how much we DON'T know about the plug-ins we allow on our machines.

     

    *places tin foil hat on*

  • Barney-15E Level 7 (33,240 points)
    Jul 5, 2011 7:11 PM (in response to ds store)

    What's so insecure about knowing my internal IP address?

    I bet I could guess six to ten times and hit about 90% of all internal home IP addresses.

    10.0.0.2, 10.0.1.2, 192.168.0.2, 192.168.1.2, 192.168.0.100, 192.168.1.100, 172.16.0.2, 172.16.1.2, 172.16.0.100, 172.16.1.100.

    If I did any research on default router configurations, I could likely tighten that up.
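
Added example, not part of any post in this thread: a small classifier that sorts the addresses mentioned above (the 127.0.0.1 loopback result and the guessed home-network addresses) into the reserved IPv4 ranges they fall in. The function names and the sample list are this example's own; the ranges are the standard loopback, RFC 1918 private and link-local blocks.

```javascript
// Added example (not from the thread): classify IPv4 addresses by reserved range.
// Loopback and private addresses are only meaningful inside the host or its LAN.
const RANGES = [
  { cidr: "127.0.0.0/8",    kind: "loopback" },   // the host itself
  { cidr: "10.0.0.0/8",     kind: "private" },    // RFC 1918
  { cidr: "172.16.0.0/12",  kind: "private" },    // RFC 1918
  { cidr: "192.168.0.0/16", kind: "private" },    // RFC 1918
  { cidr: "169.254.0.0/16", kind: "link-local" }, // self-assigned
];

// Parse dotted-quad text into an unsigned 32-bit number, or null if malformed.
function ipv4ToInt(text) {
  const parts = String(text).trim().split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null; // no signs, blanks or leading zeros
    const octet = Number(p);
    if (octet > 255) return null;
    value = value * 256 + octet; // plain arithmetic avoids signed 32-bit bit operators
  }
  return value;
}

// True when addr (a number from ipv4ToInt) lies inside the CIDR block.
function inCidr(addr, cidr) {
  const [base, bits] = cidr.split("/");
  const start = ipv4ToInt(base);
  return addr >= start && addr < start + 2 ** (32 - Number(bits));
}

// Returns "loopback", "private", "link-local", "other" or "invalid".
function classify(text) {
  const addr = ipv4ToInt(text);
  if (addr === null) return "invalid";
  const hit = RANGES.find((r) => inCidr(addr, r.cidr));
  return hit ? hit.kind : "other"; // "other" = none of the ranges listed above
}

// Sample input: four addresses quoted in the thread, then two constructed ones
// (172.32.0.1 sits just outside 172.16.0.0/12; 203.0.113.7 is a documentation address).
const SAMPLES = ["127.0.0.1", "10.0.0.2", "192.168.1.100", "172.16.1.100",
                 "172.32.0.1", "203.0.113.7"];

function summarize(list) {
  return list.map((a) => `${a} -> ${classify(a)}`);
}
console.log(summarize(SAMPLES).join("\n"));
```
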

  • ds store Level 7 (30,305 points)
    Jul 5, 2011 7:25 PM (in response to Barney-15E)

    And if I set my own internal IP and didn't want anyone to know it, then I should have Java off correct?

     

    *tightens tin foil hat further*

  • WZZZ Level 6 (11,875 points)
    Jul 5, 2011 7:42 PM (in response to ds store)

    If I go to

     

    http://www.whatsmyip.org/

     

    it won't display my internal IP until I "allow" the site with JS (using NoScript.) Is that JS calling Java? Not possible, since I have Java disabled. Must be through JS alone.
