[ale] OT: Should I keep Java on my PC

JD jdp at algoloma.com
Tue May 10 08:47:50 EDT 2011


On 05/08/2011 11:17 AM, Boris Borisov wrote:
> On my family PC I have Java installed and I've done regular updates. But when I think for a moment, recently I have not seen a web site that uses some form of Java apps (client side). So keep it or remove it?

Delete Java if you aren't specifically using it!

It is the 2nd most popular attack vector for malware.
Definitely disable it in your browser unless you have a specific need.
If you do have a need, lock down Java applets to that single specific
website using NoScript.

This applies to all software on your system. You don't want anything
there that you don't use. They are each a security risk.  The top 4
attack vectors that you can easily control are:

# Adobe PDFs - remove Adobe's version, disable Javascripting in whatever
version is left.  Adobe is the current leader in unpatched exploits
according to ZDI http://www.zerodayinitiative.com/advisories/published/

# Java - I love the language, but hate every implementation. Big and
slow. More and more cross-platform attacks are Java-based. Oracle is
ranked 4th on the unpatched exploits list. Most are Java related.

# Flash - Block Flash by default and enable it only from trusted sites
via NoScript. Too bad most of us won't disable Flash completely.

# MS-Office documents containing Flash or other scripting - run
LibreOffice instead

Just because we run Linux doesn't make us impenetrable. We're lucky due
to our small numbers.

