dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1727
share rss forum feed


thephantom

join:2001-04-24
Alamo, CA

Java Vs JRE??

With all the recent news about the Java exploit, I started wondering how safe is the Java 2 Runtime Environment? I have that installed and truthfully, I'm not sure why. I'm sure some program I once used needed it, but I don't remember which. What is the general opinion out there? Dangerous? Not? Worth having, or worth uninstalling?
TIA,



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

2 recommendations

If you don't think you need it, uninstall it.



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

said by trparky:

If you don't think you need it, uninstall it.

Yep, you can always redownload and reinstall if you need it.


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·Comcast

1 recommendation

reply to thephantom

JRE is Java, you need it to run Java programs or programs that need Java.

There are a some web sites that use Java, to use them you need Java JRE (or JDK) installed along with the Java plug-in.

The are programs the need Java to run. LibreOffice for example needs Java for some of it's features, notably Base. Most of LibreOffice works just fine without Java.

There are programs written in Java, which you of course need Java to run. An example would be Data Crow or SuperbCalc.

I you don't use programs that need Java or web site that use Java Then you don't need Java. If you do use Java programs then it really up to you. Me? I need Java not just for running Java programs but for compiling so it will stay on my computers.
--
Chris
Living in Paradise!!



DataDoc
My avatar looks like me, if I was 2D.
Premium
join:2000-05-14
Martinsburg, WV
reply to thephantom

Until some program I really need whines about it, JAVA will stay uninstalled.
--
"Executive orders" or rule by fiat. You decide.



Boricua
Premium
join:2002-01-26
Sacramuerto
reply to thephantom

As much as Java and Flash are holier than swiss cheese, I have both installed. One don't know which website needs them until it complains .
--
Illegal aliens have always been a problem in the United States. Ask any Indian. Robert Orben



chachazz
Premium
join:2003-12-14
kudos:9
reply to thephantom

Java 2 reached end-of-life October 30th, 2008.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to thephantom

I could be wrong, but my understanding is that Java enabled in browsers is where the danger lies. If you own a program that uses Java that is generally safe to use. But you should uninstall all older Java using Java Ra.
»singularlabs.com/software/javara/
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


OZO
Premium
join:2003-01-17
kudos:2
reply to thephantom

If you don't need it - uninstall it. If you see a program that requires Java - find an alternative, that doesn't need it (I usually can find them).
Why to keep an additional vector of vulnerability in your computer? Especially Java, that always requires new security patches...
--
Keep it simple, it'll become complex by itself...



kontos
xyzzy

join:2001-10-04
West Henrietta, NY
reply to Mele20

said by Mele20:

I could be wrong, but my understanding is that Java enabled in browsers is where the danger lies.

It is more like that is where the danger is the most common. The Java browser plugin is just how most malware is delivered. You would still be at risk if somebody tricked you into downloading and running a malicious java program as well. It is just the browser plug-in that makes the code execute without any user action.

MorpheusUK

join:2003-09-09

said by kontos:You would still be at risk if somebody tricked you into downloading and running a malicious java program as well. It is just the browser plug-in that makes the code execute without any user action.
[/BQUOTE :

Of course the latter applies to all non-java executables you may download as well.
--
Just because you're paranoid, it doesn't mean they are not after you



kontos
xyzzy

join:2001-10-04
West Henrietta, NY

yes and no. Java is supposed to be a sandboxed environment and the problem is that there are calls in Java that can be used to break out and elevate privileges.



chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1

Supposed to be a sand boxed environment? According to what?
--
Chris
Living in Paradise!!



thephantom

join:2001-04-24
Alamo, CA
reply to chrisretusn

thanks all for the responses.



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to chrisretusn

said by chrisretusn:

Supposed to be a sand boxed environment? According to what?

Perhaps according to this rather detailed Oracle document? Java Security Architecture

Obviously, a lot has evolved since that era... but the conceptual term has tended to stick.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

MorpheusUK

join:2003-09-09
reply to kontos

The point I was making is that it doesn't matter what language or environment the program was written in, if you download a malicious program and are tricked into running it via social engineering then your machine is at risk. It could be argued that this scenario is even more dangerous with a non-jvm language as there are less restrictions/hurdles to accessing the OS directly.

By all means say that the java browser plugin presents an unnecessary security risk for the majority of people but implying that because you can download a malicious program and run it leading to infection is a further and unique java vulnerability is stretching it a bit. It is no more dangerous in this scenario than downloading a random windows exe from the net and running it.

Morpheus
--
Just because you're paranoid, it doesn't mean they are not after you



Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..
reply to thephantom

Several here have correctly called out how Java Runtime Environment is the the same vulnerability as running an exe. A Java app can be every bit as dangerous.

BUT... very few are mentioning the WEB PLUGIN that causes all the exploits making the news. You can have JRE for local Java apps yet NOT have your browser vulnerable.

1) Java itself, a few revisions ago, allows Java browser plugins to be disabled. In Windows it's in Control Panel. I hear the Mac has a smart handling of Java, too.

2) I know Firefox can disable any plugin you want. You could, theoretically, enable it for only the time you need it. I think IE and Chrome can do this too.

I agree with many here. Uninstall it and see what happens. Maybe nothing.

HTH



kontos
xyzzy

join:2001-10-04
West Henrietta, NY
reply to MorpheusUK

said by MorpheusUK:

By all means say that the java browser plugin presents an unnecessary security risk for the majority of people but implying that because you can download a malicious program and run it leading to infection is a further and unique java vulnerability is stretching it a bit. It is no more dangerous in this scenario than downloading a random windows exe from the net and running it.

The Java browser plugin is particularly dangerous because in most cases it allows malicious programs to be executed without user intervention.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

said by kontos:

The Java browser plugin is particularly dangerous because in most cases it allows malicious programs to be executed without user intervention.

How does that happen unless you deliberately take the slider and put it to low? If you are using Fx then you have to contend with Fx warnings as well Java itself warnings.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


thephantom

join:2001-04-24
Alamo, CA
reply to thephantom

quick update: I uninstalled the JRE. I also happen to run PDFill and it turns out that it needs JRE to run. But I do have it disabled in my browser.
thanks for all the input. . .