Go Down

Topic: Java vulnerabilities (Read 464 times) previous topic - next topic

Jack Christensen

With all the recent brouhaha (US-CERT warnings, etc.) I wonder if Arduino users have any cause for concern, or if there are steps that should be taken to mitigate risks. Or is the main concern limited to browser plug-ins?
MCP79411/12 RTC ... "One Million Ohms" ATtiny kit ... available at http://www.tindie.com/stores/JChristensen/

Coding Badly


Good questions...

With all the recent brouhaha (US-CERT warnings, etc.) I wonder if Arduino users have any cause for concern, ...


Not from running the Arduino IDE.

Quote
...or if there are steps that should be taken to mitigate risks.


Yes.  Remove (or disable) the Java plug-in from your internet browser.  (Not the same as JavaScript.)

Quote
Or is the main concern limited to browser plug-ins?


Yes.


Java has (yet again) a security hole that allows a malicious website to gain direct access to your harddrive.  Two things have to happen to be affected: 1. Java has to be able to run in the context of your internet browser; 2. You have to access content from a malicious website.

Bear in mind that #2 is sometimes achieved by the miscreants buying advertising from companies like Google (but I don't think Google allows Java).  So the "malicious website" could be an advertisement displayed on a site that is otherwise harmless.

eried

Also, if you have Vista or newer your browser probably runs in a limited environment (sandboxed) so Java will be only have access to the cookies and temporal folder.

Check clicking some mailto: link, if there is a elevation request, you are pretty safe.
My website: http://ried.cl

pYro_65

I remember reading an article a while ago describing how some exploits of java were fixed with an update but at the same time opened an entirely new flaw.

Since then I reomved/disabled all java support in browsers, the arduino IDE is the only java app I run ( knowingly ).

@eried, good point, I have seen a few antivirus software packages that provide either their own browser or a sandboxed standard browser. I use mine for online banking/payments

eried

@pYro_65 windows already do that thanks to UAC, but probably only for IE9/10. I don't really like active antiviruses or these "security" solutions :D
My website: http://ried.cl

pYro_65

Quote
@pYro_65 windows already do that thanks to UAC, but probably only for IE9/10. I don't really like active antiviruses or these "security" solutions


I tend to stay away from IE, also I don't consider an antivirus a solution, I have learnt the hard way; only to rely on backups of backups.
I just like the sandbox features AV's provide, a very easy way to add a little more protection. However I wouldn't take a commercial AV very far without at least a copy of combofix.

Jack Christensen

Thanks for the info. I had already disabled the browser plugins and had Windows uninstall Java via control panel. Then the light went on and I realized I still had several instances, one for each release of Arduino that I have on the machine.

One thing I uninstalled was a Java updater that would pop up occasionally when there were new versions to install. Not sure which Java exactly this was updating and what it was used for, pretty sure it wasn't the copy that came with Arduino though.

Appreciate the replies again. Sayonara, Java :smiley-roll:
MCP79411/12 RTC ... "One Million Ohms" ATtiny kit ... available at http://www.tindie.com/stores/JChristensen/

eried

Even disabling java updates is a problem. Those guys don't learn. You have to open the control panel applet with admin privileges
My website: http://ried.cl

Go Up