59 Replies Latest reply: Jul 8, 2011 6:20 AM by etresoft
seventy one Level 6 (8,990 points)

Just chatting to my son recently about Mac defender etc etc, he mentioned that some of the Microsoft discussion pages were expressing concern about the inherent safety qualities of Java and Adobe.   The suggestion was that these could be weak links in the security required against Mac defender, amongst other bugs.

 

Okay, if we can avoid any banter about Microsoft, would any of our kind people answering forum questions have any idea of the truth behind the suggestion.

 

And one step further.   If these could be problematic sources, would it be possible, indeed practical to disable Java and Adobe and operate a Mac without them?    I ask the question because I seem to recall reading that Apple were trying to divorce themselves from Adobe in particular not too long ago.

 

Message was edited by: seventy one

  • 1. Re: Should I be wary of Java and Adobe.
    ds store Level 7 (30,305 points)

    The MacDefender malware actually uses Javascript to pop up a window in order to fool users into clicking and downloading.

     

    Java just got an update for OS X (Apple handles Java for OS X) and has had numerous security issues with bad websites.

     

    Flash is in the same category as Java, a real POS.

     

     

    You can check the status of your plug-ins here:

     

    https://www.mozilla.com/en-US/plugincheck/

     

     

    You can turn off Java in Safari preferences and likely never have a need to use it. If you see the coffee cup symbol on a web page where something should be running, that would be Java. You could turn that back on temporarily.

     

    Flash is used quite a bit more than Java, so you can install a Click2Flash extension for Safari and this way Flash is off by default unless you click on a Flash element to run it.

     

    Javascript is used quite often on many webpages. Out of hundreds of web sites I visit a day, perhaps 5-8 of them I need to turn on Javascript for or else it won't work. (Some I don't need it for, as I can read them just fine.)

     

    For Safari, going to the Preferences ten times a day to turn Javascript on/off isn't an option.

     

     

    So what I do is use the Firefox web browser and an add-on called NoScript.

     

    NoScript is a web cop, basically not allowing websites to pull trickery on you as you surf. It also turns off ALL scripts (Java, Javascript, Flash, Silverlight etc) by default.

     

    If you need the scripts to run, you click a Toolbar button and they are enabled for that site only for that time only.

     

    So this way one reduces their exposure window to malicious or compromised sites waiting for the next driveby victim with all their scripts running.

     

    Other add-ons are Ad Block Plus, Ghostery (web bugs), BetterPrivacy (deletes hidden Flash cookies), HTTPS Everywhere (asks websites for a secure connection), Certificate Patrol (helps you keep an eye out for stolen certificates), FlagFox (IP of site and background check) and WOT (Web of Trust).

  • 2. Re: Should I be wary of Java and Adobe.
    WZZZ Level 6 (12,225 points)

    Short answer: yes.

     

    Just to add to what ds store has written, Java and JavaScript are two different animals. They are easily confused because of the similarity of their names. JavaScript adds functionality to certain web pages. Many sites will still function well enough without it. Some absolutely need it. Like ds store, I use Firefox with NoScript, which keeps JavaScript turned off and which can be allowed to run selectively within a site. Many exploits, including the MacDefender Trojan, get through via JavaScript. I haven't seen it yet and I've visited Google Images, which has been deeply infested with the Trojan, many times.

     

    There are Java exploits as well, through Java applets -- small programs -- that, like JavaScript, add certain functions to sites. I generally keep Java disabled and have it set not to run in NoScript unless allowed. I don't often encounter a site that requires a Java applet. If I do, I make sure it is one I can trust.

     

    As for Adobe, Flash and Reader are easy targets and under relentless attack. Flash is constantly being patched to keep up with the latest "critical vulnerability." Reader also. I have Reader, but my default PDF program is Preview.

     

    As the home page of NoScript used to say, "because the web is a jungle."

  • 3. Re: Should I be wary of Java and Adobe.
    seventy one Level 6 (8,990 points)

    Very helpful, DS Store and WZZZ.    Big thank you.    Would welcome other comments too.

  • 4. Re: Should I be wary of Java and Adobe.
    Bob Lang1 Level 5 (4,080 points)

    It's probably worth mentioning that Java is developed by a committed community with an oversight by Oracle. This community take all security issues in Java very seriously and work hard to eliminate them when they're discovered. I've been involved with Java from its very beginning about 15 years ago, and even then it was designed with security in mind, so the number of exploitable security holes in Java is very few and reducing all the time.

     

    The idea that Java is a leaky sieve that will immediately corrupt your computer with malware is just a myth.

     

    As long as you keep your Java up to date then you are as safe with Java as you are with any other technology.

     

    Bob

  • 5. Re: Should I be wary of Java and Adobe.
    Carolyn Samit Level 10 (89,730 points)

    Adding to the Java and Adobe issues...

     

    How to avoid or remove Mac Defender malware

  • 6. Re: Should I be wary of Java and Adobe.
    ds store Level 7 (30,305 points)

    Bob Lang1 wrote:

     

    I've been involved with Java from its very beginning about 15 years ago, and even then it was designed with security in mind, so the number of exploitable security holes in Java is very few and reducing all the time.

     

     

    Yea, revealing the user's computer's internal IP to malicious sites is a real security feature. Not.

     

    As long as you keep your Java up to date then you are as safe with Java as you are with any other technology.

     

    Another Flash update headache here we come. *rolls eyes*

  • 7. Re: Should I be wary of Java and Adobe.
    WZZZ Level 6 (12,225 points)

    Apple Pushes Fixes for 11 Java Vulnerabilities in Mac OS X

     

     

    Apple Patches Java in Mac OS X Leopard and Snow Leopard

     

    Apple patched 27 Java vulnerabilities in its latest update to close security flaws that allowed malicious Java applets to execute outside the browser.

     

     

     

    I guess you could take comfort in the fact that these patches were released. Or you could be alarmed that so many were needed. And, you might be asking yourself, what's next? There have been a flurry of attacks over the past few years.

     

     

    The lag time often exposed Mac users who remained unprotected after the vulnerabilities were publicized and other platforms had already fixed the issues....

    Apple not exactly up to speed, either.

  • 8. Re: Should I be wary of Java and Adobe.
    Bob Lang1 Level 5 (4,080 points)

    ds store wrote:

     

    Yea, revealing the user's computer's internal IP to malicious sites is a real security feature. Not.

    It's taken 15 years for anyone to discover that hole and it's now fixed. Are you going to reject OS X next time it has a security hole?  If so, you're soon going to run out of technologies.

     

    Bob

  • 9. Re: Should I be wary of Java and Adobe.
    ds store Level 7 (30,305 points)

    WZZZ

     

    Java programmers know about

     

    java.net.InetAddress.getLocalHost()

     

    <Edited by Host>

  • 10. Re: Should I be wary of Java and Adobe.
    dwb Level 7 (20,210 points)

    Don't take his criticism to heart - remember, until recently his avatar was a face with egg on it

  • 11. Re: Should I be wary of Java and Adobe.
    ds store Level 7 (30,305 points)

    ds store wrote:

     

    Yea, revealing the user's computer's internal IP to malicious sites is a real security feature. Not.

    Bob Lang1 wrote:

     

    I've been involved with Java from its very beginning about 15 years ago

     

    Bob Lang1 wrote:


    It's taken 15 years for anyone to discover that hole and it's now fixed. Are you going to reject OS X next time it has a security hole?  If so, you're soon going to run out of technologies.

     

     

    java.net.InetAddress.getLocalHost()

     

    Is NOT a "hole" but an actual command feature of Java that exists today.

     

     

    One can test that right here on this site:

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

    Yep, still works, fully updated too.

     

     

    Now what Bob?

  • 12. Re: Should I be wary of Java and Adobe.
    Bob Lang1 Level 5 (4,080 points)

    ds store wrote:

     

    Now what Bob?

    Ooops! 

     

    Sadly, there is no egg on face smiley...

     

    Bob

  • 13. Re: Should I be wary of Java and Adobe.
    ds store Level 7 (30,305 points)

    dwb wrote:

     

    Don't take his criticism to heart - remember, until recently his avatar was a face with egg on it

     

    And if you take the hair disguise off of your avatar one is left looking at Homer Simpson.

  • 14. Re: Should I be wary of Java and Adobe.
    dwb Level 7 (20,210 points)

    Doh!
