Fog Creek Software
Discussion Board
Is Java a security risk

I've noticed that all Java applications appear to my firewall (Zone alarms freebie) as Java.exe, with no information about what actual Java app is running.

It seems to me that once one java application is given permission across the firewall, it's an open door for everything inside the VM.

Considering that just about every Java application uses extensive plug ins, especially Eclipse, this seems to be a big security issue waiting to happen.

Am I right to be wary of allowing Java.exe free rein, or is it perfectly safe?

Ged Byrne
Thursday, August 26, 2004

Use policy files with your JVM.  Problem solved.

muppet
Thursday, August 26, 2004

If giving free rein to java.exe scares you, I can only imagine the nightmares you have running an application written in Assembly, or C/C++, FORTRAN, Basic, etc.

Download Process Explorer (from sysinternals dot com) or some such tool. You can see the handles/DLLs and such that the java.exe process owns. (i.e. if it's got D:\Tomcat\shared\lib, it's probably Tomcat)

PopCulture
Thursday, August 26, 2004

Assembly? C? C++? What the hell are you talking about? Those show up as separate processes, not as the same VM. Did you even read what he wrote?

sid
Thursday, August 26, 2004

Muppet,

Thanks for the heads up on Policy Files.

Link for anybody else who's interested.
http://java.sun.com/j2se/1.3/docs/guide/security/PolicyFiles.html

Ged Byrne
Thursday, August 26, 2004
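As an added example, not code from this thread, here is what muppet's policy-file suggestion (and the PolicyFiles.html link above) looks like in practice: a Java 2 policy file that grants each codeBase only what it needs, and the command that starts the JVM with a SecurityManager enforcing it. The jar path, host name and plug-in directory are assumptions.

```shell
# Added example: per-codeBase Java 2 policy plus the launch command.
# /opt/myapp/..., api.example.com and the plug-in directory are assumed values.

# Write a policy that grants permissions per codeBase: the main jar may
# connect to one host and touch its own data directory, a plug-in directory
# may only read its own files, and code from anywhere else gets nothing extra.
write_policy() {
    cat > "$1" <<'EOF'
grant codeBase "file:/opt/myapp/theapp.jar" {
    // only this host, only outbound connect plus DNS resolve
    permission java.net.SocketPermission "api.example.com:443", "connect,resolve";
    permission java.io.FilePermission "/opt/myapp/data/-", "read,write";
    permission java.util.PropertyPermission "user.home", "read";
};

grant codeBase "file:/opt/myapp/plugins/-" {
    // plug-ins loaded from this directory get no network access at all
    permission java.io.FilePermission "/opt/myapp/plugins/-", "read";
};
EOF
}

# Build the launch command. The double '==' makes the JVM use only this
# policy file instead of appending it to the default ones in the JRE.
launch_cmd() {
    printf 'java -Djava.security.manager -Djava.security.policy==%s -jar /opt/myapp/theapp.jar\n' "$1"
}

# Self-check: a SocketPermission on "*" would re-open the door the firewall
# cannot close (it sees only java.exe), so flag it before launching.
policy_has_wildcard_socket() {
    grep -q 'SocketPermission "\*' "$1"
}

write_policy ./app.policy
if policy_has_wildcard_socket ./app.policy; then
    echo "warning: policy grants network access to any host" >&2
fi
launch_cmd ./app.policy
```

Because the checks run inside the JVM, a plug-in loaded into the same java.exe gets only what its own codeBase is granted, which is what limits the "open door for everything inside the VM" no matter how the firewall identifies the process.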

sid-

Obviously, in other languages you can name the process anything you want, and there are a million and one ways to hide the process from the control-alt-delete process explorer, which is the farthest 99.9% of people will go. To me, that's just as dangerous, if not more, because you're not limited to just investigating java.exe processes.

I've never thought of everything running as java.exe as a security risk, because if you use the proper diagnostic tools, you can peer into the java.exe process and see its handles and DLLs and be reasonably confident about what's going on. Maybe I should rethink things, I dunno.

None of that should distract from Muppet's answer of using the policy file, which is a great suggestion that could really help the OP.

PopCulture
Thursday, August 26, 2004

Popculture,

My concerns are regarding firewalls such as ZoneAlarm, which rely on the process and executable location for permissions.

Ged Byrne
Thursday, August 26, 2004

Actually, Zone Alarm checks some sort of program identifier vs its database. I assume it's a hash, but I don't know for sure. I can tell this because it tells me that an app has changed when I use a new version of it.

What scares me is that SVCHOST and Rundll are all or nothing and I don't have any way of vetting which processes have access to the network.

Miles Archer
Thursday, August 26, 2004

> I've never thought of everything running as java.exe as a security risk, because if you use the proper diagnostic tools, you can peer into the java.exe process and see its handles and DLLs and be reasonably confident about what's going on.

Is this something that home users need to do in order to use java securely?

Dan Matthews
Thursday, August 26, 2004

Java?  WTF?  You question Java while Microsoft technologies are in heavy use. ActiveX and the like are a billion times more likely to have security issues. 

Ha
Thursday, August 26, 2004

Java is a security risk for a sufficiently broad definition of "risk".  I think the real name of this thread should be "Zone Alarm is unable to firewall Java apps well".

Brian
Friday, August 27, 2004

You can also rename java.exe to something like myapp.exe and start your app like this:

myapp.exe -jar theapp.jar

I had to do it in the past when running multiple instances of some server on one box and being able to kill them without making mistakes.

RedFox
Friday, August 27, 2004

If you think that is scary, just run this from the command prompt and see if you notice...

start http://www.grc.com/dos/drdos.htm

Now, just write a little bit of 'trojan' to make IE launch on a URL of your choice, on another virtual screen, which NT supports yet no one really uses...

Outbound connection blocking was only effective whilst only you were doing it. As it reached critical mass, trojans and viruses began to simply side-step it.

i like i
Friday, August 27, 2004

Our installer generates a native Java launcher: a java.exe replacement with all the characteristics you want for your program: your process name, property fields (version, manufacturer, etc.), icon, etc.

This way, you will never see java.exe, but yourprogram.exe instead. Very useful from Task Manager to various personal firewalls.

http://www.advancedinstaller.com/java.html

Catalin (www.rotaru.com)
Friday, August 27, 2004

The more serious problem is svchost and rundll.

However, if a virus can hook up to any other program that has permission, it can use that to get through.

Zone Alarm will inform you that the app has changed however.

It would also be nicer if there were fewer programs that insisted on using 127.0.0.1 to run.

Stephen Jones
Friday, August 27, 2004

I think really the lesson learned is:

DO NOT RUN EXECUTABLE FILES THAT YOU DO NOT TRUST.

I thought that was kinda the de facto standard since 1993.

If you expect Zone Alarm to provide you an out-of-the-box panacea of computing security, then you are an id10t.

Next question, please?

PopCulture
Sunday, August 29, 2004