Re: Java vs JavaScript
ram@zedat.fu-berlin.de (Stefan Ram) writes:
"according to an alert issued Thursday by the U.S.
Computer Emergency Readiness Team (US-CERT), a division of
the Department of Homeland Security (...) A CERT alert
said Explorer users also can protect themselves by turning
off the JavaScript function in their browsers."
http://www.washingtonpost.com/wp-dyn/articles/A6746-2004Jun25.html
And just today, many press stories are breaking about a
new zero-day drive-by security hole
http://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being
, and the suggestion sometimes given for this new hole is to
disable JavaScript in the IE by setting the Security Level
to "High". They don't write it this way. They just write to
set the Security Level to "High", but they usually do not
mention "JavaScript".
A source says:
"The attack vector is quite ingenious in loading a Flash SWF
file, using it to selectively spray memory, and looping back
to a JavaScript program in IE."
The usual culprits: Flash and JavaScript.
However, nowadays, the press will not mention "JavaScript"
and often not even "Flash", they avoid this, the security
problem is ascribed to the browser - after all the browser
hosts the JavaScript implementation and is the actual
program a person can install or deinstall. But "Java" is
mentioned each time when there is a security problem in the
JRE because "Java" /is/ an installable entity itself.
So, JavaScript is not mentioned in the press because it is
a technical detail of the browser, while Java is a
freestanding product, not part of the browser. Because of
this avoidance of the mentioning of JavaScript, some people
do believe that JavaScript today has become more secure. But
you can find the technical details I quoted above if you
search for them.