firefox blocks java

Tommy Trussell tommy.trussell at gmail.com
Sat Dec 21 16:38:14 UTC 2013


On Sat, Dec 21, 2013 at 2:34 AM, thufir <hawat.thufir at gmail.com> wrote:

> On Fri, 20 Dec 2013 12:55:45 -0600, Tommy Trussell wrote:
>
> >> http://www.securelist.com/en/analysis/204792310/Kaspersky_Lab_Report_Java_under_attack_the_evolution_of_exploits_in_2012_2013
> >>
> > On closer inspection that article is somewhat of an advertisement.
> > However I think you can glean from it that the major threat is not Java
> > alone, but Java embedded in web sites that exploit vulnerabilities --
> > the places you can jump OUT of the sandbox, essentially.
>
>
> It's not just an advertisement, it's misinformed:
>
> "...and the software was not built with security in mind."  This is just
> flat-out wrong; Java, from the get-go, has been a sandbox.  That was one
> of its selling points.
>
> In all honesty, I haven't looked into it.  However, Kaspersky is selling
> software for a different OS, an OS known to have security problems.
> They're not likely to say that the problem is inherent to the OS.
>
> I have no idea how it really works, but I'm wondering if it's not that the
> sandbox per se is compromised, but perhaps it's just not really possible
> to sandbox a VM on Windows?
>
> I've never seen, to my knowledge, and I haven't looked into it, a known
> case of the JVM sandbox, not sure of the technical term, not working on
> Linux.
>
> That is, is there an actual case of a program which can break out of the
> sandbox on Linux JVM?  I've never heard of one, and on a cursory glance at
> the security mailing list, nothing popped out.
>

I will be the first to admit I don't know. All I know is what I have read,
and some of the articles specifically mention Linux. For example:

http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/

http://www.oit.umass.edu/news/2013-01-14/serious-java-vulnerability-targets-windows-macintosh-linux-computers-0

I don't understand what exact proof you are looking for. Could it be that
these security breaches are ALL essentially violations of the "sandbox"
concept? Since the fundamental idea is that Java should run the same way on
all platforms, if it's a security problem on one, I might assume it could
be on another platform, too.

My impression is that the general attitude in recent years has been to
mistrust Java security because there have been so many alarms. You may very
well be OK for your application.