Old 03-08-2013, 04:06 PM   #1
In Runtime
 
Fujitsu_Technician's Avatar
 
Join Date: Sep 2012
Location: UK
Posts: 284
Default Java and viruses

Quote:
Originally Posted by berry120 View Post
Nah, Java applets have been fraught with security holes for ages (which is why most modern browsers disable them by default anyway) but desktop Java is as secure as anything else.

Nice little starter app, although it's not resizable and doesn't scroll? Can't see the source because you haven't attached it to the jar, but try adding your main component to a scrollpane and making the JFrame resizable, which should solve that issue.
OK, but most virus writers write in Java and Java script to infect a PC. I hate Java with a passion, but everyone is entitled to their opinion. I guess I just like VB.NET and assembly as my languages to write in, and script languages VBScript and batch, but good to see an open thought thread.

Kind Regards
__________________
Fujitsu_Technician is offline   Reply With Quote
Old 03-08-2013, 07:35 PM   #2
Site Team
 
berry120's Avatar
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,434
Default Re: Java Programming Application

Quote:
Originally Posted by Fujitsu_Technician View Post
OK, but most virus writers write in Java and Java script to infect a PC. I hate Java with a passion, but everyone is entitled to their opinion. I guess I just like VB.NET and assembly as my languages to write in, and script languages VBScript and batch, but good to see an open thought thread.

Kind Regards
Sorry, but unless you can point me to an authoritative source for that I'm going to say that's complete rubbish. All viruses I've seen have been in platform-dependent, native code - you just can't hide a virus well enough that relies on Java, and you'll always have a very easy way of removing it!

Java would be one of the least likely languages to write a virus in. Perhaps you're getting confused with web based Applet attacks, or JavaScript?
__________________
Save the whales, feed the hungry, free the mallocs.
berry120 is offline   Reply With Quote
Old 03-08-2013, 08:06 PM   #3
In Runtime
 
Fujitsu_Technician's Avatar
 
Join Date: Sep 2012
Location: UK
Posts: 284
Default Re: Java Programming Application

Quote:
Originally Posted by berry120 View Post
Sorry, but unless you can point me to an authoritative source for that I'm going to say that's complete rubbish. All viruses I've seen have been in platform-dependent, native code - you just can't hide a virus well enough that relies on Java, and you'll always have a very easy way of removing it!

Java would be one of the least likely languages to write a virus in. Perhaps you're getting confused with web based Applet attacks, or JavaScript?
No, web based virus attacks are different, they are written in PHP and send you to a server to download the infection to your PC. They are the Java scripted specific attacks normally, not always; some are written in Ruby and C++. To be honest you can write a virus attack in any language, but most viruses are written in Java Script. Like I said I prefer VB.NET and assembly programming myself. Java is not my coding language, but it is down to personal choice when it comes down to it as there are so many languages you can sit down and learn. Why do you think they have antivirus software for Mac and Linux operating systems then? Please respect other views.
Kind Regards
__________________
Fujitsu_Technician is offline   Reply With Quote
Old 03-09-2013, 07:59 AM   #4
Site Team
 
berry120's Avatar
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,434
Default Re: Java Programming Application

Quote:
Originally Posted by Fujitsu_Technician View Post
No, web based virus attacks are different, they are written in PHP and send you to a server to download the infection to your PC. They are the Java scripted specific attacks normally, not always; some are written in Ruby and C++. To be honest you can write a virus attack in any language, but most viruses are written in Java Script. Like I said I prefer VB.NET and assembly programming myself. Java is not my coding language, but it is down to personal choice when it comes down to it as there are so many languages you can sit down and learn. Why do you think they have antivirus software for Mac and Linux operating systems then? Please respect other views.
Kind Regards
Sorry, but this is plain wrong. I respect other views when it comes to subjective decisions - you hate Java, I rather like it, your favourite colour might be red, mine might be blue, you might like writing games, I might like writing web apps, I'm a Christian, you may be a Muslim / Buddhist / Atheist / Pastafarian. No qualms there at all.

What I do have objection to however is when people say stuff that's plain wrong, the same way you might (rightly) object if I say that all oranges are blue, or the current president of the USA is actually Bob Marley. And what you said here:
Quote:
OK, but most virus writers write in Java and Java script to infect a PC
...is, as far as I can make out plain wrong, and along with what you've written already shows quite a limited and muddled understanding of the topic in hand.

Allow me to try and present my point and clear up some of the confusion here. Once again, I'm talking about desktop Java - *applets* are different, and I freely admit have huge numbers of security holes; their use for this reason is fading fast. If your argument was based around the fact that attacks through applets were hugely prevalent, I wouldn't hesitate to disagree, because I'm aware of various figures which have shown this to be the case. I still think you're probably confusing the figures over attacks through applets, rather than attacks through desktop Java applications.

Admittedly viruses / security isn't my specialist area, but Java is - I've used it almost daily as my primary language for the best part of the last decade, and written more lines of code in it than I care to count. So if you're saying something about it that's wrong, I will jump in there and pull you up on it. Same goes for anyone, not just you.

Java is good for many things, but writing viruses is not one of them. Java apps aren't compiled natively, they're compiled to bytecode, and the bytecode runs on a JVM. This is great for platform independence, but awful for exploiting individual security holes on platforms, and makes the virus incredibly difficult to hide (there's always going to be a java(w) process hanging about somewhere) and incredibly difficult to remove (you could disable it by simply removing the JRE.)

Now, there are exceptions to all of the things I've written in the previous paragraph, but they take time, effort, and often involve sacrificing the platform independence that you get with Java to start with anyway. You can, if you really go to a lot of effort, compile Java code natively. You can, with an extreme amount of effort, go some way to hiding it without a java process running. But as a virus writer, why on earth would you when you could do the same thing incredibly easily using another language? It makes no sense. I've seen many annoying viruses written in C, C++, C#, and especially Delphi, but I can't recall any that have been Java based. I'm sure there have been some, but I'd be willing to bet many more viruses have been written in, say VB.NET than Java. If you have examples of any that have been I'd actually be genuinely interested if you could point them out (no sarcasm there, it's just so I can have a poke around at how they operate.)

Quote:
Why do you think they have antivirus software for Mac and Linux operating systems then?
Because these aren't usually the same viruses at all, they're usually entirely different, again written in native code, but targeted at a different platform. By that logic, the vast majority of viruses would equally affect every OS (because all that nasty platform independent Java code can get everywhere, right?)

Javascript (all one word) is an entirely different technology, one that has near enough nothing to do with Java, the naming is completely arbitrary.

So when you say:
Quote:
No, web based virus attacks are different, they are written in PHP and send you to a server to download the infection to your PC. They are the Java scripted specific attacks normally, not always; some are written in Ruby and C++. To be honest you can write a virus attack in any language, but most viruses are written in Java Script.
...you further muddle the point! This makes no sense whatsoever - what's a "web based virus attack?!" And how is this different to a "normal" virus as you would define it?
__________________
Save the whales, feed the hungry, free the mallocs.
berry120 is offline   Reply With Quote
Old 03-09-2013, 02:19 PM   #5
In Runtime
 
Fujitsu_Technician's Avatar
 
Join Date: Sep 2012
Location: UK
Posts: 284
Default Re: Java and viruses

This is not my thread, I am off. Find someone else to insult.
__________________
Fujitsu_Technician is offline   Reply With Quote
Old 03-09-2013, 02:28 PM   #6
Site Team
 
berry120's Avatar
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,434
Default Re: Java and viruses

Quote:
Originally Posted by Fujitsu_Technician View Post
This is not my thread, I am off. Find someone else to insult.
By all means, if you can quote some sources or find a logical argument to prove me wrong, I'm all ears - my intention isn't to be insulting at all, simply to present the facts and show you why what you were saying was incorrect in a clear, cohesive manner.

If you choose to find that insulting, then that's entirely up to you.
__________________
Save the whales, feed the hungry, free the mallocs.
berry120 is offline   Reply With Quote
Old 03-09-2013, 11:19 PM   #7
Solid State Member
 
Join Date: Mar 2013
Location: U.S.
Posts: 16
Default Re: Java and viruses

Quote:
Originally Posted by berry120 View Post
By all means, if you can quote some sources or find a logical argument to prove me wrong, I'm all ears - my intention isn't to be insulting at all, simply to present the facts and show you why what you were saying was incorrect in a clear, cohesive manner.

If you choose to find that insulting, then that's entirely up to you.
I've been reading this thread and I think I am following your logic. I used to code in C++ and assembly, but never JAVA, so I know nothing about it. I am going to assume by applets you mean something like add-ons in Firefox? Would Flashplayer be an applet? What I would like to do is enable the good part of JAVA and get rid of the other which seems to be a distinct subset or perhaps something altogether different. Any help would be appreciated. Floyd
__________________
FloydV is offline   Reply With Quote
Old 03-10-2013, 03:58 AM   #8
In Runtime
 
Fujitsu_Technician's Avatar
 
Join Date: Sep 2012
Location: UK
Posts: 284
Default Re: Java and viruses

Quote:
Originally Posted by berry120 View Post
By all means, if you can quote some sources or find a logical argument to prove me wrong, I'm all ears - my intention isn't to be insulting at all, simply to present the facts and show you why what you were saying was incorrect in a clear, cohesive manner.

If you choose to find that insulting, then that's entirely up to you.
Since I don't know enough about the language I cannot say, but what I do know is that Java and Java script have been used in a lot of attacks. I only said what happened to me, not that I know Java.

And if that is your subject then fair enough, but what made me cross is that you started a thread in my name when it was not my thread. You abused your power as a site team member. You are wrong to start threads when I never asked you; if I wanted to start a thread I would have done so.
__________________
Fujitsu_Technician is offline   Reply With Quote
Old 03-10-2013, 07:02 AM   #9
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 8,107
Default Re: Java and viruses

The thread isn't started in your name, it's clearly split from a different thread.

It's quite normal that if a thread is going off topic, but in an interesting way that the off topic posts may be split out to a new thread, preserving the original thread for the original topic and preserving the off topic content that is of interest in a new thread so that it can be discussed.

None of your posts have been edited, the words are all your own words.
The only thing that berry has contributed is the thread title.

If you have a problem with the thread title then it can be changed.
__________________
I didn’t fight my way to the top of the food chain to be a vegetarian…
Im sick of people saying 'dont waste paper'. If trees wanted to live, they'd all carry guns.
"The inherent vice of capitalism is the unequal sharing of blessings; The inherent vice of socialism is the equal sharing of miseries."
root is offline   Reply With Quote
Old 03-10-2013, 07:59 AM   #10
Site Team
 
berry120's Avatar
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,434
Default Re: Java and viruses

Quote:
Originally Posted by FloydV View Post
I've been reading this thread and I think I am following your logic. I used to code in C++ and assembly, but never JAVA, so I know nothing about it. I am going to assume by applets you mean something like add-ons in Firefox? Would Flashplayer be an applet? What I would like to do is enable the good part of JAVA and get rid of the other which seems to be a distinct subset or perhaps something altogether different. Any help would be appreciated. Floyd
The applet plugin is an add-on for browsers, yes - applets are the programs that are designed to run in a browser with this plugin. So flash player isn't an applet (but in fairness that is fraught with security vulnerabilities also, they're just a bit less publicised.)

The reasons the applet plugin is so insecure are numerous and rely on a few rather technical details of how it's been implemented, so I won't go into it here - but suffice to say they're really fighting against a broken architecture that's been in the plugin since day 1 and would require a huge re-write to address.

Instructions for disabling it in browsers can be found here, ignore the bit about uninstalling it completely at the bottom - pure scaremongering. Disable the browser plugin and you'll be fine.
__________________
Save the whales, feed the hungry, free the mallocs.
berry120 is offline   Reply With Quote
Old 03-10-2013, 06:36 PM   #11
Solid State Member
 
Join Date: Mar 2013
Location: U.S.
Posts: 16
Default Re: Java and viruses

Quote:
Originally Posted by berry120 View Post
The applet plugin is an add-on for browsers, yes - applets are the programs that are designed to run in a browser with this plugin. So flash player isn't an applet (but in fairness that is fraught with security vulnerabilities also, they're just a bit less publicised.)

The reasons the applet plugin is so insecure are numerous and rely on a few rather technical details of how it's been implemented, so I won't go into it here - but suffice to say they're really fighting against a broken architecture that's been in the plugin since day 1 and would require a huge re-write to address.

Instructions for disabling it in browsers can be found here, ignore the bit about uninstalling it completely at the bottom - pure scaremongering. Disable the browser plugin and you'll be fine.
Do you think Flashplayer will ever be safe? I don't have much use for it, but there are all sorts of web pages that insist on using it. So far, I've left it disabled.
__________________
FloydV is offline   Reply With Quote
Old 03-10-2013, 06:45 PM   #12
BSOD
 
Join Date: Feb 2013
Location: Parallel Universe
Posts: 313
Default Re: Java and viruses

Flash Player is OK, I just have my firewall settings on high, can this help prevent attacks?
__________________
XPikachu is offline   Reply With Quote
Old 03-10-2013, 06:50 PM   #13
Site Team
 
berry120's Avatar
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,434
Default Re: Java and viruses

I don't know of any current vulnerabilities in the latest version of flash player, it's certainly had a troubled past but for the moment I think the general consensus is that it's safe - sorry I wasn't trying to worry people!

These days however its use too is fading fast - there's still flash games around sure, but most things such as YouTube are gradually migrating across, and with flash unavailable on iOS devices this has rather helped the speedup of HTML5 adoption.
__________________
Save the whales, feed the hungry, free the mallocs.
berry120 is offline   Reply With Quote
Old 03-10-2013, 06:56 PM   #14
BSOD
 
Join Date: Feb 2013
Location: Parallel Universe
Posts: 313
Default Re: Java and viruses

What issues are there in Flash that are so bad anyway?
__________________
XPikachu is offline   Reply With Quote
Old 03-10-2013, 07:18 PM   #15
Site Team
 
berry120's Avatar
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,434
Default Re: Java and viruses

This site doesn't tell the whole story by any means, and sometimes lists things as vulnerabilities that aren't really as severe as you might think (some for instance involve detailed man in the middle attacks that, while theoretically possible, would take an impractical amount of time and effort for each individual case, unless you're perhaps carrying top secret government files.)

But it does give a rough idea.
__________________
Save the whales, feed the hungry, free the mallocs.
berry120 is offline   Reply With Quote
Old 03-10-2013, 07:39 PM   #16
BSOD
 
Join Date: Feb 2013
Location: Parallel Universe
Posts: 313
Default Re: Java and viruses

Wow, seems like it is as insecure as my back door's deadbolt lock.
__________________
XPikachu is offline   Reply With Quote
Old 03-10-2013, 09:34 PM   #17
Solid State Member
 
Join Date: Mar 2013
Location: U.S.
Posts: 16
Default Re: Java and viruses

Quote:
Originally Posted by berry120 View Post
This site doesn't tell the whole story by any means, and sometimes lists things as vulnerabilities that aren't really as severe as you might think (some for instance involve detailed man in the middle attacks that, while theoretically possible, would take an impractical amount of time and effort for each individual case, unless you're perhaps carrying top secret government files.)

But it does give a rough idea.
Excellent site. I bookmarked it. Floyd
__________________
FloydV is offline   Reply With Quote
Old 03-12-2013, 09:05 AM   #18
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 8,107
Default Re: Java and viruses

For what it's worth...

I agree with the sentiment of the original poster.
if you have a look at most Java updates for version 1.6.1 to version 1.6.?? (currently at version 43) most updates are security focused, because the Java runtime environment opens up a host of exploits for the OS.

In just this last week new patches and updates have been issued for JRE because there are exploits, and they are being used in the wild.


Worse still the default behaviour for client updates is to add the new client, but leave the old client available.
Often updating the JRE can break something that some software depends on (for example the remote desktop on RSAii cards (remote supervisor adapter) for IBM servers that provides out of band access does not work in JRE 1.6.13+ because functionality previously acceptable or recommended is removed).

but that's actually OK, because as I said, the default behaviour is to leave clients installed, and applications can request a different version of the JRE to the current installed latest...


Which leaves us with the following recommendations.

Update your version of the JRE,
Remove older versions of JRE
Hope and pray that the Java based software you're using wasn't relying on a quirk of the environment that's no longer available.

and all so you can run an application...
Java is good for developers with its write once run anywhere nature.
but it's also good for malware and virus writers, with its annoying updater that a lot of people get infuriated with and disable, an updater that leaves exploitable software by default on a system.

good for developers, yes.
good for end users... debatable... (and that's before you get around to the question of running a runtime environment (with multiple layers) on-top of an OS)
__________________
I didn’t fight my way to the top of the food chain to be a vegetarian…
Im sick of people saying 'dont waste paper'. If trees wanted to live, they'd all carry guns.
"The inherent vice of capitalism is the unequal sharing of blessings; The inherent vice of socialism is the equal sharing of miseries."
root is offline   Reply With Quote
Old 03-12-2013, 09:38 AM   #19
Site Team
 
berry120's Avatar
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,434
Default Re: Java and viruses

Quote:
In just this last week new patches and updates have been issued for JRE because there are exploits, and they are being used in the wild.
True, but as far as I'm aware, every single one of those exploits targets the applet plugin (which everyone knows is a pile of proverbial.)

So the statement:

Quote:
The Java runtime environment opens up a host of exploits for the OS.
...as far as I can tell, simply isn't true - at least if you're talking about the runtime environment in the strict sense of the word.

The thing is, if you download and run a Java application on the desktop JRE, then the concept of an exploit becomes a bit blurred - you've downloaded and allowed an application to run in your environment, by definition you've pretty much said "I trust you, do what you want." If that application turns around and does something nasty, that's not really exploiting anything other than user error / stupidity, because the application can do what it likes by design. You could say the same for any application under the sun, Java or not.

Quote:
Often updating the JRE can break something that some software depends on (for example the remote desktop on RSAii cards (remote supervisor adapter) for IBM servers that provides out of band access does not work in JRE 1.6.13+ because functionality previously acceptable or recommended is removed).
Sure thing, but this is almost always down to shoddy coding (especially if things break between minor versions.) Java has the concept of various internal classes that may change at a moment's notice (the com.sun.* branch), as well as various private methods that can be changed in a similar way. Now developers shouldn't rely on any of this functionality whatsoever, but invariably people do, and that's usually how things wind up not being backwards compatible. Sometimes the story is a bit more mixed in major versions, but I've never seen a fundamentally breaking change in a minor version number that's not because a programmer has done something they shouldn't have done.

In this case (from the little reading around I've done) it seems a NullPointerException is thrown with versions 1.6.13+, which I just can't see happening unless the person writing it wasn't coding the way they should have been. I may have made an exception for 1.6.10, which was a relatively major update albeit with a minor release number, but not really for any others.

Quote:
...and applications can request a different version of the JRE to the current installed latest...
With desktop Java, sort of (but as I've discussed earlier you've already by this point given the application full privileges anyway so does it really matter?)
With the applet plugin, not a chance - applets are served up in whatever version of the plugin happens to be installed in that browser, and in all implementations of the JVM that I know of, that's the latest one (as it should be.) You can't, as an applet, request a buggier / unstable / previous version of the plugin, that would be insane. You can *check* which version of the plugin you're running under, but that's about it. So saying that the updater leaves "exploitable software" on the system by default isn't really true, unless the updater happened to leave the applet plugin hanging around. If that is true, then it's definitely not just Java that's in trouble, .NET behaves exactly the same way and *has* to much more so than Java because major updates aren't necessarily backwards compatible to the same degree Java is.

In the wake of all these recent exploits that have come to light which are pretty universally to do with the applet plugin, there seem to be loads of articles saying things along the line of "ah just to be sure, you should uninstall Java completely", "just remove it, that way you can be completely safe", "the updater is terrible, it means you're still vulnerable even if you upgrade" and so on. These statements are all false, and I'm not sure why this scaremongering seems to have taken off on such a large scale, but it does seem to have swept the internet in a bit of a storm.
__________________
Save the whales, feed the hungry, free the mallocs.
berry120 is offline   Reply With Quote
Old 03-12-2013, 12:18 PM   #20
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 8,107
Default Re: Java and viruses

right...

So you're saying that exploits, malware and viruses that can enter a system where Java (or at least the JRE) as a vector are not important.

Because you told them to run? you gave the program the ability to run.

well surely by the same logic no viruses are problems then, if you hadn't used that OS, or if you hadn't clicked that file...?

The point is that Java does open new vectors for attack simply because it adds new methods for running code which should run in a reliable way, (or does run in a reliable way) at the OS layer, but in the abstraction layer that the runtime is adding nefarious things are happening. -i.e there is no way for the OS to adequately see that some kind of exploit is attempted.

one product and soooooo many security problems.

have a look at the update history.

Java version history - Wikipedia, the free encyclopedia

Java SE 7 Update 13 2013-02-01 50 security fixes

Fifty!!!

but then less than three weeks after that

Java SE 7 Update 15 2013-02-19 5 Security Fixes

another five

a fortnight later another couple of security holes.


I understand that things can change in what may be executed in code, but I doubt that IBM rolled out worldwide a piece of hardware containing a processor running code to be interoperated by the JRE that was a bit sloppy doing things it shouldn't have.

how do you define the ways you should use something? if something is good code, and it works, BUT using a feature in a slightly different way is a bug or can lead to an exploit, then Sun's fix was just to rip out the feature, and to hell with a million or so integrated hardware devices deployed over the world. -they will have to use the old buggy version that we know is full of security holes!


as for the scare mongering, the update can leave older versions (not only is this a pain because it leaves insecure and exploitable software on the system, it also uses up a fair whack of disk space per version installed). (as a note this behaviour seems to have been fixed, though whether it was fixed or I just found the right setting to stop it happening is anyone's guess).

as a test, I've pressed update now.
it's currently saying it's installing update 35, why? who knows why that's certainly not the latest version.
after the update is complete I check the Java version as 1.7._17 (well that's not what it told me it was installing!)


Though it has removed the older version 1.6._ that was on my computer previously. (so the updater's behaviour may have changed...)



anyway, all this goes back to what I was saying originally.
Java, write once run anywhere.
great for developers.

having a huge new attack vector isn't so great for the users.

as far as business software goes (where you may control the software running on a given machine, and where that machine has access to, such that nobody can find some dodgy jar file to run), then that's OK.



as for applets requesting older version of the runtime environment.

Java Control Panel
If a JNLP file requests a JRE that is not installed, then this option specifies what action is performed...

Applications CAN and do request different versions of JRE, the behaviour is defined, and you can go into the options in the control panel to control and configure what things can run.

which is fine for someone who knows how to.
though even then that leaves someone like myself with the problem that they need a machine with an old insecure version configured to work at request, but there is still no way to say, "only work for this request" or at this time or whatever.

as if to prove a point, the first application I tried to use after updating java tried to request an old version (1.6.23). (that I no longer have installed).

If it was installed then I'd have just gotten a "do you want to run this" message not "do you want to run this version with 173 known security issues" message (and when you talk about users having installed and therefore allowed code to run on their system there is a huge difference between these messages).
Attached Images
File Type: png java.png (23.4 KB, 0 views)
__________________
I didn’t fight my way to the top of the food chain to be a vegetarian…
Im sick of people saying 'dont waste paper'. If trees wanted to live, they'd all carry guns.
"The inherent vice of capitalism is the unequal sharing of blessings; The inherent vice of socialism is the equal sharing of miseries."
root is offline   Reply With Quote
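
The JRE version request in a JNLP file, discussed in the last posts above, can be checked before a descriptor is allowed to launch. This is an added example, not part of the thread and not code from any poster: it assumes the JNLP version-string syntax (exact id, `+` for "or newer", `*` for prefix, spaces between alternatives, `&` between combined ranges), takes 1.7.0_17 from the post above as the baseline, and uses a constructed sample descriptor.

```python
import re
import xml.etree.ElementTree as ET

# Assumed baseline: the release the updater installed in the post above.
BASELINE = (1, 7, 0, 17)

# Constructed sample descriptor, not taken from any real application.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://intranet.example/console/">
  <information><title>Remote console (sample)</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.6.0_23"/>
    <jar href="console.jar"/>
  </resources>
  <resources os="Linux"><java version="1.6+"/></resources>
  <resources os="Mac OS X"><java version="1.7.0_17+ 1.8*"/></resources>
</jnlp>"""


def parse_id(text):
    """'1.6.0_23' -> (1, 6, 0, 23); separators are '.', '_' and '-'."""
    parts = [p for p in re.split(r"[._-]", text) if p]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unsupported version-id: %r" % text)
    return tuple(int(p) for p in parts)


def pad(version, length):
    return version + (0,) * (length - len(version))


def classify_simple(rng, baseline=BASELINE):
    """Classify one range: exact id, 'id+' (or newer) or 'id*' (prefix)."""
    mod = rng[-1:] if rng[-1:] in ("+", "*") else ""
    v = parse_id(rng[:-1] if mod else rng)
    n = max(len(v), len(baseline))
    if pad(v, n) >= pad(baseline, n):
        return "ok"            # nothing older than the baseline can match
    if mod == "+":
        return "allows-old"    # an installed outdated JRE would satisfy it
    if mod == "*" and v == baseline[:len(v)]:
        return "allows-old"    # prefix spans releases on both sides
    return "pinned-old"        # only releases below the baseline match


def classify(version_attr, baseline=BASELINE):
    """Whole attribute: space separates alternatives, '&' means all must hold."""
    verdicts = []
    for alt in version_attr.split():
        parts = [classify_simple(s, baseline) for s in alt.split("&")]
        if "ok" in parts:
            verdicts.append("ok")          # one bound at/above baseline suffices
        elif "pinned-old" in parts:
            verdicts.append("pinned-old")
        else:
            verdicts.append("allows-old")
    if not verdicts:
        raise ValueError("empty version attribute")
    if all(v == "ok" for v in verdicts):
        return "ok"
    if all(v == "pinned-old" for v in verdicts):
        return "pinned-old"
    return "allows-old"


def audit_jnlp(xml_text, baseline=BASELINE):
    """Return (element, os, version, verdict) for each JRE request found."""
    # ElementTree suits descriptors you already hold; for files from untrusted
    # sources use a hardened parser such as defusedxml instead.
    root = ET.fromstring(xml_text)
    findings = []
    for res in root.iter("resources"):
        for el in res:
            if el.tag not in ("j2se", "java"):
                continue
            version = el.get("version", "")
            try:
                verdict = classify(version, baseline)
            except ValueError:
                verdict = "unparsed"       # flag for manual review
            findings.append((el.tag, res.get("os", "any"), version, verdict))
    return findings


if __name__ == "__main__":
    for tag, os_name, version, verdict in audit_jnlp(SAMPLE_JNLP):
        print("%-4s os=%-9s version=%-16s %s" % (tag, os_name, version, verdict))
```

A `pinned-old` result means the application can only run on a JRE below the baseline; `allows-old` means it will accept one if an outdated JRE is still installed.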