If Java is the most likely attack vector then shouldn't the first measure be to disable the Java plugin and webstart until it's actually needed? Phrased differently: who would the measure realistically benefit? By guesstimate I'd say that of people who have Java installed about .001 per cent actually need it and even then it doesn't always have 'net capabilities either: for example OpenOffice.org or LibreOffice may suggest Java as a dependency but IIRC it's only needed for specific math stuff?
...the more advanced question we have is: what can a browser access in our computer ??
e.g. could JavaScript launched by a web page inventory my /home/documents/correspondence directory and send copies of my memos to Hacker6@Ukrane.rus?
I am running Firefox in the AppArmor profile distributed by Canonical but I need to learn more about the syntax of AppArmor in order to audit the given profile. We have trolls "out there" who threaten people with the cost of defending litigation as a means of extortion...
Last edited by mike acker; January 11th, 2013 at 05:32 PM.
There's no way for JavaScript to access those files unless the browser provides an interface to do so. If it does provide that interface you can bet that it's handled in some way that wouldn't allow arbitrary access.
@Unspawn,
You can disable the web plugin, sure. But then there'll be that day where you need to enable it for whatever site, and that's a pain.
You can use Click To Play (that's how I do it) but uneducated users click "Yes" to anything, they've been trained to do so. The most obvious evidence of this is the proliferation of software that's packaged with other software, i.e. Ask toolbar, Babylon, etc.
So a solution like AppArmor, which works whether the code is run or not, is ideal for Java.
Beyond that, for people in many countries Java is a requirement for accessing government/bank websites.
@Lou21,
"So if one were to keep any executables or scripts (e.g. self made ones) in their home folder then this would actually add considerable security..."
Sort of. If an attacker has gained control over Firefox they'll be able to read/write to whichever Home directory Firefox has access to. If this is the case they could simply drop/write their own scripts and execute them.
A more significant benefit is that a process of UID X can't interact with a process of UID Y. It can't read its address space, or ptrace it, or do much at all to it. Essentially you isolate Firefox from other UIDs. The added benefit of it getting its own Home directory is less significant.
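As an added illustration of the AppArmor syntax asked about above (hypothetical rules written for this thread, not the profile Canonical ships and not code from any poster), this fragment shows how a confined Firefox, Java plugin included, would be kept out of a directory such as ~/documents/correspondence; the profile path, abstraction names and directory names are assumptions.

```apparmor
# Hypothetical fragment for illustration; not the profile Canonical ships.
# Shows the rule shapes to look for when auditing usr.bin.firefox:
# the executable path in the header, allow rules, and audited deny rules.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/user-tmp>

  # Anything not matched by an allow rule below is refused by the kernel
  # and logged (apparmor="DENIED" in kern.log or the audit log).

  # Browser state: read/write/lock, but only files this user owns.
  owner @{HOME}/.mozilla/**       rwk,
  owner @{HOME}/.cache/mozilla/** rwk,

  # File uploads need read access; keep it to the user's own files.
  owner @{HOME}/** r,

  # Downloads is the only place the browser may create files.
  owner @{HOME}/Downloads/**      rw,

  # deny always wins over allow, so this carves the correspondence
  # directory out of the broad read rule above and logs every attempt,
  # which is what answers "could a page inventory my memos?".
  audit deny owner @{HOME}/documents/correspondence/** rwklx,

  # Even if a compromised plugin drops a script into a writable
  # directory, the confined browser cannot execute it from there.
  deny @{HOME}/** x,
  deny /tmp/** x,
}
```

Load the profile with apparmor_parser -r and watch kern.log while browsing; a DENIED line naming a path the browser legitimately needs means the allow rules are too tight.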
Don't mean to "derail" this thread but ... http://www.libreoffice.org/get-help/...-require-java/
The sad thing is that many of these Java-loving banks also love another operating system as is implied here: How do I install 'proper' anti-virus protection for Online Banking satisfying its Terms of Use?
The other point which may already have been mentioned is that many of these exploits, Java or not, are "social" with a high degree of PEBKAC.