Why is it risky to run Java applets in browsers?

7

In my company we have two websites that need a Java applet (to authenticate using digital certificates), and these two sites give us a lot of headaches, mainly whenever Oracle releases a JRE update that restricts security access even further, usually blocking the applets. Not to mention the Java plugin being blocked by Chrome, Firefox, IE, etc.

Our applets today already comply with the new security rules (digitally signed, with a manifest stating which websites may run the applet, etc.), but I ask:

  • What risks can a Java applet bring to a user's browser?
  • And why is the JRE plugin locked by default in so many browsers?
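For reference, an added example that is not part of the question: a JAR manifest using the security attributes the questioner alludes to (Oracle's manifest attributes for signed RIAs, introduced over the Java 7 update series; `Permissions` has been mandatory for signed applets since 7u51). The weak form many signed applets shipped with was `Permissions: all-permissions` together with `Codebase: *` or no `Codebase` at all, which lets any page that copies the signed jar run it with full privileges under the vendor's good name. The form below pins the jar to the hosts and entry class that are meant to use it. The hostnames and the class name are placeholders.

```manifest
Manifest-Version: 1.0
Application-Name: Certificate login
Permissions: sandbox
Codebase: https://login.example.com https://portal.example.com
Caller-Allowable-Codebase: https://login.example.com https://portal.example.com
Entry-Point: com.example.auth.CertLoginApplet
```

`Codebase` is compared by the JRE with the location the jar was actually loaded from, so a copy re-hosted on an attacker's page is refused; `Entry-Point` stops another class inside the same signed jar from being launched as an applet; `Caller-Allowable-Codebase` lists the pages whose JavaScript may call into the applet (without it the JRE prompts on every JavaScript-to-Java call). If the applet has to read the user's certificate store, `Permissions: sandbox` will not be enough and `all-permissions` is unavoidable; in that case the pinned `Codebase` and `Entry-Point` are what keep a fully privileged, validly signed jar from being repurposed.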

1 answer

6

This is from a G1 article. It is too long, so I summarized it. If you want to take a look at the link, it has several hyperlinks and the article is much more complete!

There are many malicious websites exploiting the Java plugin

Many developers criticized the column (G1) for using information from Microsoft saying that the Java plugin is today the most attacked component on malicious websites. Microsoft develops the .NET technology, which in various situations competes directly with Java. There would therefore be a conflict of interest.

Microsoft's data is similar to that of other companies. Kaspersky Lab released statistics in early August showing that Java is the third most attacked component, behind Internet Explorer and Adobe Reader. Kaspersky added that "malicious code in Java [applets] is the easiest way to bypass operating system protections".

Symantec, maker of the Norton antivirus, made similar observations. The company's threat report pointed out that the most common attack kit (Phoenix) uses flaws in Java, Windows Media Player, Flash Player and Adobe Reader.

The company further noted specifically that Java is under attack because it is an "attractive point of entry" for criminals due to the lack of the security features that modern browsers use, as shown in the graph above. Also, since Java applets are processed by the Java Runtime Environment (JRE) software, security software has difficulty analyzing them, giving criminals yet another advantage.

Symantec commented on the possibility of differences in these statistics. Since malicious code kits exploit one flaw after another in sequence, and the order is not always the same, there may be differences in what is detected as more or less common.

Cisco, better known as an Internet infrastructure equipment manufacturer and which runs the Scansafe protection service, noted the increasingly common use of Java attacks for the same reasons given by Symantec.

There are no specific statistics for Brazil. But in general, Brazilian websites, when hacked by Brazilian criminals, are altered to include a Java applet. Malicious code in Flash or PDF is not usually used.

Examples include the websites of São Paulo FC, the beverage company Ambev and the telephone operator Oi. In all of these cases and many others, the way Brazilian criminals found to spread malicious code was a Java applet (the code has since been removed from these sites).

Recently, millions of pages were altered to exploit a flaw in Internet Explorer, one in Windows, one in Adobe Reader and two flaws in Java. (When G1 published the report the number was 790,000; it later rose to one million.)

Loss of functionality and security

Readers commented that disabling a feature does not increase security but rather loses functionality. On the contrary: the basic procedure for making any system secure is to disable what is not used. If a feature is not needed, leaving it enabled adds unnecessary risk, in the same way that installing software that will not be used just takes up disk space. The column's argument is that most people will see no loss of functionality when disabling the Java plugin, that is, there are only significant security gains.

Is Java user-friendly? Software developed in Java (the Java programming language) can be user-friendly. However, Java the runtime, also called the Java Runtime Environment (JRE), the software responsible for running Java applications, has problems on Windows.

One of the problems, and this one is cross-platform, is that digitally signed applets, even those with invalid signatures, display a warning asking the user to run the applet. With a single click on this screen, which pops up over the site, the user's computer is infected. Worse still, the criminal chooses some of the information that is displayed, such as the program's name, among other things, giving more room for deception (social engineering).

The CERT at Carnegie Mellon University pointed out the security problems with this practice in 2008 and recommended that users disable the execution of applets with invalid signatures.

CERT even drew the same parallel between today's Java and Microsoft's ActiveX of 2004.

SOURCE: http://g1.globo.com/tecnologia/noticia/2011/08/entenda-por-que-deactivar-o-plugin-do-java-help_safetyhtml
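The client-side counterpart of the advice above (disable what is not used; never let a one-click dialog run an applet whose signature does not chain to a trusted authority), as an added example that is not part of the answer or of the G1 article: a system-wide `deployment.properties` for the JRE. The keys are Oracle's documented deployment configuration properties; the `.locked` lines are Oracle's syntax for settings the user cannot change in the Java Control Panel. Which of the two stanzas applies, and where the file lives, are assumptions about the reader's estate.

```properties
# Added example, not from the page. System-level deployment.properties,
# referenced from deployment.config (on Windows:
# C:\Windows\Sun\Java\Deployment\deployment.config) via
# deployment.system.config=... and deployment.system.config.mandatory=true.

# Stanza 1: machines where no site needs applets. Turn the browser plugin
# off and lock it; this removes the attack surface described in the answer
# with no visible loss of functionality for most users.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# Stanza 2: machines that must still reach the certificate-login sites.
# Keep the plugin, run at the strictest level (unsigned and self-signed
# applets are blocked outright), and withdraw the dialog that lets a user
# grant permissions to content from an untrusted authority, which is the
# 2008 CERT recommendation against the "one click and you are infected"
# screen. Signed applets from a CA the JRE trusts still work.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
```

Use one stanza or the other, not both, since the first makes the second moot. With the second stanza the two company applets keep running only if their jars are signed by a certificate that chains to a CA in the JRE's trust store and carry a `Permissions` attribute; an applet whose signature is expired, revoked or self-signed is blocked without any prompt the user could click through.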

  • 1

    Hi Rafael. It's fine that you included the original source of the information, but the way the content was copied is pretty bad, in my opinion. For example, I started reading and asked myself, "What the hell is this column?". It would be good not to simply copy the content but to work on it so that it is useful here and for several people. Otherwise, it would be better to put the article link as a comment. P.S.: I only saw that you "made a summary" when I reached the end. Maybe it would be better to put that information at the beginning of the answer.

  • Too much text and not enough answer! Either the source and a summary, or just the original text. But still, the answer was worth it!

  • 2

    @Luizvieira thanks for the tip. I chose not to put only the link because, as they say, if the link goes offline we would still have a backup. I did as you suggested, put the summary remark at the beginning of the answer and tried to make some changes. Constructive criticism is quite welcome. Thank you!
