Another reason why you shouldn't install Sun Java on your computer.

wald

John Corliss said:
Well, what I don't understand is that Microsoft Java remains on
my system, yet no problems with that.

I'm sorry, but that just shows your bias. A critical exploit has
only recently been in the
http://www.securityfocus.com/archive/1/404055

Microsoft posted a "solution" that does not patch the erroneous
behaviour, but just disables all javaprxy functionality.

Besides, the MS JVM has been history for some time, and that's only a
good thing.

Kind regards,
Wald
 
wald

John Corliss said:
In answer to this, at least my system is currently without
spyware, viruses or Trojans. When I had Java, I had RedSherrif
and no way to stop it.


Heh. I live on earth and I don't need either online banking or
Java. In addition to that, I've yet to see a website that
requires Java and demands that I activate it.

It's your right to have that point of view. *No one* really needs
online banking because banks still have offices where anyone can
go and do everything they need. *No one* really needs a car either,
but it's damn handy for those long distance walks.

In other words: to me, online banking is among the more useful
applications of the internet, and well worth the Java install. I
have a feeling that you're a bit biased concerning the Sun JVM.

Regards,
Wald



 
Aaron

The reason why Microsoft JVM is not hurting you is because you are
primarily using a gecko browser and that does not use MS JVM.

I can assure you letting Java applets run in the browser always entails
risks, after all you are running a full fledged program through your
browser. In fact, arguably, MS's version is even more risky than Sun's.

ActiveX was the same but always got much worse press, partially because
of a combination of poor defaults set by MS, poorly thought out prompts
that allowed constant spamming, security holes, and most importantly it
was confusing to users because it relied 100% on the user understanding
what a "signed activex" meant.

Java wasn't as bad, because initially, it had a sand boxing concept that
made it a touch harder to cause damage, but even then, there were
constant leaks, as people found ways to work around the sandbox causing
lots of Java updates.

Nowadays Java applets can be signed too, and my understanding is that if
you accept a "signed applet", the sandboxing restrictions are off,
and the applet has full reign of your computer.

The problem with this is that history of ActiveX has shown that most
people don't understand the concept of certificates. They see something
is signed, and they think it's okay.

So the same story is beginning again...

It seems Firefox users are no better, since that "exploit" was the
basis of one of the "firefox infected by spyware" news stories! You click
yes to the signed applet, and it starts downloading adware onto your
computer!

Makes the whole "leak my internal ip" business look positively trivial,
don't you think?
 
John Corliss

wald said:
I'm sorry, but that just shows your bias. A critical exploit has
only recently been in the
http://www.securityfocus.com/archive/1/404055

Microsoft posted a "solution" that does not patch the erroneous
behaviour, but just disables all javaprxy functionality.

Besides, the MS JVM has been history for some time, and that's only a
good thing.

From what I've read, I agree.

Actually, it's not entirely clear whether or not I really have MS Java
on my system. I certainly never use it, and a file search doesn't seem
to indicate that I have it installed.
 
John Corliss

Aaron said:
The reason why Microsoft JVM is not hurting you is because you are
primarily using a gecko browser and that does not use MS JVM.

I can assure you letting Java applets run in the browser always entails
risks, after all you are running a full fledged program through your
browser. In fact, arguably, MS's version is even more risky than Sun's.

ActiveX was the same but always got much worse press, partially because
of a combination of poor defaults set by MS, poorly thought out prompts
that allowed constant spamming, security holes, and most importantly it
was confusing to users because it relied 100% on the user understanding
what a "signed activex" meant.

Java wasn't as bad, because initially, it had a sand boxing concept that
made it a touch harder to cause damage, but even then, there were
constant leaks, as people found ways to work around the sandbox causing
lots of Java updates.

Nowadays Java applets can be signed too, and my understanding is that if
you accept a "signed applet", the sandboxing restrictions are off,
and the applet has full reign of your computer.

The problem with this is that history of ActiveX has shown that most
people don't understand the concept of certificates. They see something
is signed, and they think it's okay.

So the same story is beginning again...

It seems Firefox users are no better, since that "exploit" was the
basis of one of the "firefox infected by spyware" news stories! You click
yes to the signed applet, and it starts downloading adware onto your
computer!

Makes the whole "leak my internal ip" business look positively trivial,
don't you think?

Guess so, Aaron. But this discussion thread has clarified some things
for me and brought excellent responses like yours, so thanks.
 
John Corliss

wald said:
It's your right to have that point of view. *No one* really needs
online banking because banks still have offices where anyone can
go and do everything they need. *No one* really needs a car either,
but it's damn handy for those long distance walks.

In other words: to me, online banking is among the more useful
applications of the internet, and well worth the Java install. I
have a feeling that you're a bit biased concerning the Sun JVM.

Well, I guess that's fair. However and frankly, I just don't like any
version of Java on my system. And it would seem that along the way
somehow, my copy of MS Java disappeared as well.

I can understand why somebody who does online banking that requires Java
might like it, but it's simply a matter of YMMV.
 
elaich

Guess so, Aaron. But this discussion thread has clarified some things
for me and brought excellent responses like yours, so thanks.

If you are talking about Firefox users who are as clueless as IE users -
who don't keep up with the latest security news, who blindly trust
whatever they are told is safe, then yes. And with Firefox's increasing
popularity, there are more of those kind of users. However, I find that
most FF users are naturally more aware of security issues - that's what
led them to FF to begin with.

Once again, it boils down to the user. There is no protection against
him.

I agree with John. I will not have Java on my machine. As far as online
banking, I will not allow critical information about myself to be stored
on my computer to begin with. That's setting yourself up for a take
down. When I see how many people have major problems with spyware and
adware, and then think that they store credit card and bank account
numbers on their computer where malware could leak it.... that just
boggles the mind. P.T. Barnum was right.
 
John Corliss

John said:
From what I've read, I agree.
Actually, it's not entirely clear whether or not I really have MS Java
on my system. I certainly never use it, and a file search doesn't seem
to indicate that I have it installed.

Well, it's clear now. I opened a DOS window and typed "jview". I do
indeed have MS Java VM installed, and it's version 5.00.3810.

I've looked around in Google and there seems to be no way to uninstall
it. I was only able to find instructions for uninstalling it from XP,
but I use Millennium Edition.
 
Jim Byrd

Hi John -
http://www.microsoft.com/technet/interopmigration/jvm/msjvmp05.mspx
Microsoft Java Virtual Machine Transition Guide for IT Professionals, v2.2
Chapter 5: The MSJVM Removal Tool
Published: June 7, 2005

"The removal option works with Windows 98, Windows 98 SE, Windows 2000,
Windows Millennium Edition (ME), and Windows XP. Removal of MSJVM files are
under system file protection in Windows 2000 and Windows ME; if you run the
removal tool on one of these operating systems, all MSJVM files are replaced
with 1-byte empty files of a higher version number, effectively disabling
MSJVM."

"Download the MSJVM Removal Tool by going to:

http://www.microsoft.com/downloads/...19-B4D5-4013-83BC-4A8AD95E959F&displaylang=en"
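
The Microsoft text quoted above says that on Windows 2000 and ME the removal tool leaves the MSJVM files in place as 1-byte stubs, so a file search alone cannot tell a disabled install from a live one. The following check is an added example, not part of the thread or of Microsoft's tool; the file names `msjava.dll` and `javaprxy.dll` and the default `C:\WINDOWS` root are assumptions (only `jview` and "javaprxy" appear in the thread).

```python
import os

# Assumed MSJVM file names; the thread itself only mentions the
# "jview" command and the "javaprxy" component.
MSJVM_FILES = ("jview.exe", "msjava.dll", "javaprxy.dll")


def audit_msjvm(root, names=MSJVM_FILES):
    """Walk `root` and classify every file whose name is in `names`.

    Returns {name: [(path, state), ...]} where state is
      'stub'    - size <= 1 byte (what the removal tool leaves behind),
      'live'    - a real binary is still present,
      'unknown' - the size could not be read.
    A name with no hits maps to an empty list.
    """
    report = {n.lower(): [] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()  # Windows file names are case-insensitive
            if key not in report:
                continue
            path = os.path.join(dirpath, fname)
            try:
                state = "stub" if os.path.getsize(path) <= 1 else "live"
            except OSError:
                state = "unknown"  # never report an unreadable file as safe
            report[key].append((path, state))
    return report


def msjvm_disabled(report):
    """True only if every MSJVM file that was found is a stub."""
    return all(state == "stub"
               for hits in report.values() for _path, state in hits)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS"
    rep = audit_msjvm(root)
    for name, hits in rep.items():
        for path, state in hits or [("(not found)", "absent")]:
            print(f"{name:14} {state:8} {path}")
    print("MSJVM disabled:", msjvm_disabled(rep))
```
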
 
John Corliss

elaich said:

Not only that, but at the Majorgeeks page it says the following:

"Editors Note: The MSJVM Removal Tool is no longer hosted on Microsoft
download servers. Because the MSJVM Removal Tool affects the whole
system, and because these effects are not reversible, it was decided
that this utility would be made available only to system administrators,
to network administrators, and to other IT professionals. Unless you
just found this."

Thanks Elaich and Jim. 80)>
 
Art

Hi John -
http://www.microsoft.com/technet/interopmigration/jvm/msjvmp05.mspx
Microsoft Java Virtual Machine Transition Guide for IT Professionals, v2.2
Chapter 5: The MSJVM Removal Tool
Published: June 7, 2005

"The removal option works with Windows 98, Windows 98 SE, Windows 2000,
Windows Millennium Edition (ME), and Windows XP. Removal of MSJVM files are
under system file protection in Windows 2000 and Windows ME; if you run the
removal tool on one of these operating systems, all MSJVM files are replaced
with 1-byte empty files of a higher version number, effectively disabling
MSJVM."

Interesting. I wasn't aware of this tool. Seems though that from a
security POV, there is negligible gain in using it. So I wonder why
it's used? Perhaps some sys admins prefer that users not have Java
available to do online banking at work, or something like that :)
And users who have Java enabled in IE are at somewhat more
risk. So there would be a security consideration in some situations,
I suppose.

I haven't had Sun Java installed on my machines in ages, simply
because I don't have a need for it. But eradicating MSJVM simply
because I have no need for it doesn't seem justified merely on
the basis of cutting down a bit on file storage space.

Art

http://home.epix.net/~artnpeg
 
elaich

But eradicating MSJVM simply
because I have no need for it doesn't seem justified merely on
the basis of cutting down a bit on file storage space.

If you don't use it, why not lose it? ;)

Seriously, from what I have read, only IE can invoke MSJVM. If you don't
use IE, it's no problem.
 
Art

If you don't use it, why not lose it? ;)

Seriously, from what I have read, only IE can invoke MSJVM. If you don't
use IE, it's no problem.

Actually, I did use the tool to remove MSJVM from my Win 2K PC. JVM is
embedded in the OS, as is IE, and I figure there might be some
security "hardening". Right now, I'm in the process of doing some
checks to see if there is any negative impact. Basically, I agree 100%
with your attitude of "if you don't use it, why not lose it".

Art

http://home.epix.net/~artnpeg
 
David

If you live in some non real world, you don't need Java. If you carry
online banking, and a host of other necessary sites, it's either java or
bust.

You obviously bank with the wrong bank. Mine does not use Java. If it
did I would stop using Internet Banking altogether or change to
another bank which did not use it.
 
John Corliss

David said:
You obviously bank with the wrong bank. Mine does not use Java. If it
did I would stop using Internet Banking altogether or change to
another bank which did not use it.

I was wondering about this. I always thought that online banking
required Javascript or ActiveX. Never heard of any bank requiring Java.
 
elaich

Actually, I did use the tool to remove MSJVM from my Win 2K PC. JVM is
embedded in the OS, as is IE, and I figure there might be some
security "hardening". Right now, I'm in the process of doing some
checks to see if there is any negative impact.

Please post if you have any trouble. I held off on removing it from my W2K
box, to see if others did it successfully first.
 
Exeter

Hey! This is no place for logic. Disregarding that the whole
exercise is totally pointless, I do find it interesting that the same
FUD site relies on the dangerous Java for its "speed test"; go
figure....

I don't think it does. I think it uses java script. On that site I can
toggle the " Java Enabled = . NO" on and off by turning script on and off.
If I toggle "Java" the site only responds to the current state of script.

I tend not to trust a site that does not distinguish between *java* the
programming language and *java script* the scripting system.
 
