Linux is far from being free of malware??!! NEW: Java Security Implications

Aere Greenway Aere at Dvorak-Keyboards.com
Sat Jan 4 20:35:31 UTC 2014


On 01/04/2014 12:02 PM, Israel wrote:
> The best way to protect your system is in how you interact with the 
> internet.  And install all security updates (especially Java, IMO)
Israel and all:

Here is more information regarding your Java concerns.

If you don't have Java, no Java applet or application will run at all.

However, with Java, your applications (GUI and all) will run on any 
machine having the Java Virtual Machine (JVM).  No compiling, linking, 
or anything is required.  You can just copy the '.jar' file containing 
the application to your machine, and it runs - regardless what OS is used.

The same program works for Windows, Mac OS X, Linux, Unix, or whatever.  
So you can probably understand what a useful thing this is to have.

There are two aspects of using Java applications.  First, there are Java 
applets that run in your browser (client-side), and second, there are 
Java applications you can install on your machine using Java Web-Start 
(icedtea/netx).

With browser-based Java applets, it attempts to run the applet when you 
browse the page having the Java applet.  Browser based applets run in a 
sandbox, so they are limited in what they can and can't do.

For example, the video games on my personal web-site can't save 
parameters and keep track of high-scores.  You have to specify the 
parameters each time you play it.

Any Java applet has to be signed.  Signed code ensures that the checksum 
of the code matches what is proposed to be run.  But currently they can 
be self-signed.  In a Java update soon to come, only trusted 
signing-certificates will be allowed.

Currently, browsers won't just run browser-based applets.  A security 
dialog appears, indicating an applet wants to run, and if you don't give 
it permission to run, it won't.  A text message will appear on the 
web-page in place of the applet.

An example of a browser based Java applet is the link you can click on 
Oracle's www.java.com website, used to determine if your (Windows) 
system currently has the latest version of Java.  It runs only if you 
allow it (as described in the prior paragraph), and it does have a 
trusted code-signing certificate.

Separate from the browser-based applets, are applications you install 
via Java Web-Start.  They cannot just run - you have to click on links 
to install them.  If there were a link to surreptitiously do such an 
install, the process of installing will explicitly state what is being 
done, and you have to give it permission to proceed.

Some browsers (Safari, for example), will not download the launcher 
(.jnlp file) when you click on such a link.  If you right-click 
(2-finger click) on it, you can choose to download the launcher file.  
Then you have to browse to it and double-click it, and again (as stated 
above), the system will inform you that you are doing an installation, 
displaying the certificate information, and require your permission to 
proceed.

Again, these must have a code-signing certificate, and soon self-signed 
certificates will not be allowed (it must be a trusted, revocable 
certificate).  In addition, applications deployed from the web also 
indicate internally (checksum-protected) the URL they come from, and 
that information must agree with the launcher file, or it will not be run.

As with browser-based applets, Java applications normally must run 
within a 'sandbox'.  But if your application interfaces with 
device-drivers (ALSA, for example), you will have to request additional 
permissions.  The user is informed of this request, and must consent to 
it in order for the application to be allowed to run.

Anyway, this is quite long-winded, but I think it is always better to 
have an understanding of something, rather than only a fear or distrust 
of it.

-- 
Sincerely,
Aere




More information about the Lubuntu-users mailing list