Re: > Sandboxed power == More secure???
On 4/17/2013 7:13 PM, Arne Vajhøj wrote:
[...]
Another statistic is the one from the original link:
"Java was the vehicle for 50 per cent of all cyber attacks last year in
which hackers broke into computers by exploiting software bugs,
according to Kaspersky. That was followed by Adobe Reader, which was
involved in 28 per cent of all incidents. Microsoft Windows and Internet
Explorer were involved in about 3 per cent of incidents, according to
the survey."
I suspect that a would-be penetrator would try a long list
of vulnerabilities on each system visited. Java vulnerabilities
would be particularly attractive, because they'd probably affect
many systems: Windows, Macs, Androids, UnameIts. Also, it seems
common (with all kinds of software) that a large percentage of
the vulnerable population lags "the latest and greatest" by more
than a few days ...
All in all, then, I think that if I were trying to penetrate
a large number of systems I would put my Java attacks near the
top of my hit list. They wouldn't be alone, just "preferred."
Things might be different if I were aiming at a particular
system. If I were Hell-bent on breaking into XYZBank, I'd spend
a lot of time studying what XYZBank uses and researching how I
might subvert it. But since
THREE BILLION DEVICES RUN JAVA
(according to Oracle's installation splash), if I'm just trolling
for easy marks I'll look for Java. It's a simple matter of balancing
success rate (high) and vulnerability rate (ditto).
In a sense, it's the same thing that happened to Windows. When
Windows was the only game in town, *everybody* ran it and *everybody*
who wasn't up-to-date with the patch from twenty minutes ago was
dead meat. Microsoft (to much derision, including mine) undertook to
improve Windows' security, and -- to their credit -- they've managed
to raise it to the "Not absolutely pathetic" level.
Java has not yet attained that lofty standard.
Java exposed to the Net is, as Mr. Nader might say, "Unsafe at
any speed." Maybe Oracle will apply the resources needed to
resuscitate it, but I sort of think they won't: It's now viewed
as a server-side technology (and it's just fine there, and that's
where Oracle's big investments lie), so its client-side deficiencies
will just sort of sit there and rot.
And rot. And rot. And rot. And rot. And rot.
Friends don't let friends run Java in their browsers.
--
Eric Sosman
esosman@comcast-dot-net.invalid