Re: Java vs JavaScript

From:
Arne Vajhøj <arne@vajhoej.dk>
Newsgroups:
comp.lang.java.programmer
Date:
Tue, 29 Apr 2014 21:07:50 -0400
Message-ID:
<53604ce8$0$298$14726298@news.sunsite.dk>
On 4/24/2014 4:20 AM, Richard Maher wrote:

On 4/24/2014 10:22 AM, Arne Vajhøj wrote:

On 4/23/2014 11:39 AM, Roedy Green wrote:

I have always thought the Java sandbox was so restrictive, there was
nothing a user need worry about. There is no way an unsigned applet
could do any damage.


That is true assuming there are no bugs in the Java applet security
implementation.

I think they have found 200-300 bugs during the last 2-3 years.


So what? How does the impact-meter rate with the likes of Heartbleed
and OpenSSL?


For number of actual impacted users: much higher.

But Oracle and the browsers are acting like unsigned Applets are
highly dangerous, making you do override after override to run them.


If a bug in Java allows an unsigned applet to gain privs, then it is
extremely dangerous as a malicious site could run a 1 pixel applet
that infected the PC without the user even knowing that Java was
running.


You don't need a 1px applet; 0x0 is just fine.


That just makes it worse.

Once again, look at the
following link to BSD Socket functionality and Contacts lookup and so on
and then ask the Applet Slaggers to shut their fucking mouths!

https://wiki.mozilla.org/WebAPI


That does not remedy observed Java security problems.

Apparently Oracle no longer believes that they can fix all
security bugs.


Just the incompetent people they've hired.

Given the recent history, then that seems realistic.


Given you're a knob I need not respond.

On the other hand I don't think JavaScript has any sort of sandbox at
all, and everyone blissfully runs scripts that can do anything.


Not true.

JavaScript is sandboxed and has about the same access as an unsigned
applet.


Wake up to modern Web-Apps!

And because there is no concept of signed JavaScript with granted
privs, it is probably easier to avoid bugs as the code must be
a lot simpler.

Why the double standard? Is JavaScript safer than I thought?


Plenty of JavaScript bugs have been found over the years.

But JavaScript has done better than Java in recent years.


There are none so blind as those who will not see.


The stats are rather hard on Java:

October 2010 - 6u22 - 29 security fixes
February 2011 - 6u24 - 21 security fixes
June 2011 - 6u26 - 17 security fixes
October 2011 - 6u29/7u1 - 20 security fixes
February 2012 - 6u31/7u3 - 14 security fixes
June 2012 - 6u33/7u5 - 14 security fixes
August 2012 - 6u35/7u7 - 1/4 security fixes
October 2012 - 6u37/7u9 - 30 security fixes
February 2013 - 6u39/7u13 - 50 security fixes
February 2013 - 6u41/7u15 - 5 security fixes
March 2013 - 6u43/7u17 - 2 security fixes
April 2013 - 6u45/7u21 - 42 security fixes
June 2013 - 7u25 - 40 security fixes
October 2013 - 7u45 - 51 security fixes
January 2014 - 7u51 - 36 security fixes
April 2014 - 7u55/8u5 - 37 security fixes

Arne
