Why I don’t use Java

Why I don’t use Java, and why I block most Javascript from my browser.

Ars Technica has a story on a recent hacking episode here.

Developer Site behind Apple and Facebook hacks didn’t know it was booby-trapped

java logo

“What we’ve learned is that it appears a single administrator account was compromised. The hackers used this account to modify our theme and inject JavaScript into our site. That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain user’s computers,” he went on. “We’re still trying to determine the exploit’s exact timeline and details, but it appears as though it was ended (by the hacker) on January 30, 2013.”

The security breaches at both companies were due to an undocumented vulnerability in the browser plugin for Oracle’s Java — an increasingly common problem for those running Java on their machines. This is part of why Apple removed the Java plugin from all Mac-compatible Web browsers in late 2012, then blacklisted Java browser plugins on OS X twice already this year in order to prevent critical exploits. But many users — particularly developers — still have uses for the Java plugin, potentially putting them at increased risk for attack.

A reader comments:

“The explanation provided by iPhoneDevSDK.com isn’t clear, but based on the wording and […] the information provided by Facebook and Apple, here’s my guess what happened. The JavaScript injected into the site was used to make calls to the Java plugin installed on visitors’ browsers. These calls exploited a zero-day vulnerability in Java [that is, a vulnerability that had been unreported at that date] that allowed the attackers to surreptitiously install malware on the visitors’ computers.”

John Tranter:

I use a Mac computer. Please understand that Java is an operating-system-neutral operating environment that has nothing whatever to do with Javascript. ECMAScript is the scripting language that forms the basis of JavaScript, and is widely used for client-side scripting on the web, making web pages flexible and clever and dangerous. But both languages are complex, and both are exploitable and often exploited, and therefore unsafe. So…

1. Please delete Java from your machine (if you have a Mac, read this piece: “How to disable Java on your Mac”).

2. Please block Javascript in your browser, using a browser add-on like “No-Script”. If you don’t know how to do that, ask Google. “No-Script” allows you to turn Javascript back on when you feel your browser needs it, and when you know you can trust the site you have landed on, site by site.

Most photo slideshows use Javascript without telling you — why should a dummy like you want to know? — but there are ways of using simple XHTML (without dangerous Javascript) to make lovely slideshows of photos. You don’t believe me? Check my slideshow here. View the Page Source if you’d like to copy how I did it. Go ahead! Be my Guest!