Arduino Forum upgrade scheduled for Monday, October 20th, 11am-4pm (CEST). Sorry for the inconvenience!
Author Topic: Java vulnerabilities  (Read 449 times)
Grand Blanc, MI, USA

With all the recent brouhaha (US-CERT warnings, etc.) I wonder if Arduino users have any cause for concern, or if there are steps that should be taken to mitigate risks. Or is the main concern limited to browser plug-ins?

MCP79411/12 RTC ... "One Million Ohms" ATtiny kit ... available at http://www.tindie.com/stores/JChristensen/

Global Moderator
Dallas

Good questions...

Quote
With all the recent brouhaha (US-CERT warnings, etc.) I wonder if Arduino users have any cause for concern, ...

Not from running the Arduino IDE.

Quote
...or if there are steps that should be taken to mitigate risks.

Yes.  Remove (or disable) the Java plug-in from your internet browser.  (Not the same as JavaScript.)

Quote
Or is the main concern limited to browser plug-ins?

Yes.


Java has (yet again) a security hole that allows a malicious website to gain direct access to your hard drive.  Two things have to happen to be affected: 1. Java has to be able to run in the context of your internet browser; 2. You have to access content from a malicious website.

Bear in mind that #2 is sometimes achieved by the miscreants buying advertising from companies like Google (but I don't think Google allows Java).  So the "malicious website" could be an advertisement displayed on a site that is otherwise harmless.

Chile

Also, if you have Vista or newer, your browser probably runs in a limited environment (sandboxed), so Java will only have access to the cookies and temporary folder.

Check by clicking some mailto: link; if there is an elevation request, you are pretty safe.

My website: http://ried.cl

North Queensland, Australia

I remember reading an article a while ago describing how some exploits of Java were fixed with an update but at the same time opened an entirely new flaw.

Since then I removed/disabled all Java support in browsers; the Arduino IDE is the only Java app I run (knowingly).

@eried, good point, I have seen a few antivirus software packages that provide either their own browser or a sandboxed standard browser. I use mine for online banking/payments.


Chile

@pYro_65 Windows already does that thanks to UAC, but probably only for IE9/10. I don't really like active antiviruses or these "security" solutions.

My website: http://ried.cl

North Queensland, Australia

Quote
@pYro_65 Windows already does that thanks to UAC, but probably only for IE9/10. I don't really like active antiviruses or these "security" solutions.

I tend to stay away from IE. Also, I don't consider an antivirus a solution; I have learnt the hard way to rely only on backups of backups.
I just like the sandbox features AVs provide, a very easy way to add a little more protection. However, I wouldn't take a commercial AV very far without at least a copy of ComboFix.


Grand Blanc, MI, USA

Thanks for the info. I had already disabled the browser plugins and had Windows uninstall Java via control panel. Then the light went on and I realized I still had several instances, one for each release of Arduino that I have on the machine.

One thing I uninstalled was a Java updater that would pop up occasionally when there were new versions to install. Not sure which Java exactly this was updating and what it was used for, pretty sure it wasn't the copy that came with Arduino though.

Appreciate the replies again. Sayonara, Java.

MCP79411/12 RTC ... "One Million Ohms" ATtiny kit ... available at http://www.tindie.com/stores/JChristensen/

Chile

Even disabling Java updates is a problem. Those guys don't learn. You have to open the control panel applet with admin privileges.

My website: http://ried.cl
