Re: > Sandboxed power == More secure???

From: Eric Sosman <esosman@comcast-dot-net.invalid>
Newsgroups: comp.lang.java.programmer
Date: Wed, 17 Apr 2013 15:49:07 -0400
Message-ID: <kkmu66$s6g$1@dont-email.me>
On 4/17/2013 2:37 PM, markspace wrote:

> On 4/17/2013 10:09 AM, Eric Sosman wrote:
>
>>      Time to get my eyesight checked: When I read your post it
>> looked like a claim that Flash is secure!
>
> Well, you should get your eyesight checked. Java is currently exploited
> far more often and far worse than Flash has been. It's been all over
> the security-related websites, and even some for the general public. I
> see what you're saying, but Flash and Java don't really compare right
> now: things are currently really bad for Java. Example:
>
> <http://www.securityweek.com/unique-challenges-controlling-java-exploits>
>
> In short, complaining that Flash really isn't secure is to complain about
> the mote in Flash's eye while ignoring the beam in Java's.

Searching the last three months' worth of the National Vulnerability
Database turns up 33 records for "Adobe Flash":

http://web.nvd.nist.gov/view/vuln/search-results?query=adobe+flash&search_type=last3months&cves=on

At a quick look I don't see how to search for "Java" without getting
"Javascript" at the same time, but searching for each in turn and
then subtracting gives 132-16=116 reports:

http://web.nvd.nist.gov/view/vuln/search-results?query=java&search_type=last3months&cves=on

http://web.nvd.nist.gov/view/vuln/search-results?query=javascript&search_type=last3months&cves=on

Admittedly, it's not as simple as "Java is 116/33=3.5 times worse
than Flash." Some of the NVD notices cover multiple problems,
some cover only one. Some "Java" problems are actually about
associated technologies like JBoss or non-Snoracle implementations
like IBM Java. Different notices carry different CVSS severities,
and I haven't tried to categorize them.

So the "3.5 times worse" figure certainly doesn't have two significant
digits, perhaps not even one full digit. Still, "mote vs. beam" seems
to imply more difference of scale than the NVD data will support.

Let's face it: They're both bad.

> You still have a point, though. I use NoScript, and both JavaScript and
> Flash are blocked by default on my system. I guess I was referring to
> the fact that the vendors don't block their own systems by default.
>
> I also like the UI for NoScript better than Java's security pop-up. It's
> better integrated into the browser and OS, and provides wider options
> than just "permanently allow this page," which I think is all that the
> Java plug-in has in terms of options.

De gustibus, but my preference for a Java-safety UI is the simplest
one imaginable: I disable Java in my browsers, and never have to
worry about any popups at all. Only two web sites that I (used to)
frequent require Java, and I've found I can live without them.

>>      (Yesterday I applied security updates for both Java and
>> Flash, also AIR. Any bets on which requires its next update
>> sooner?)
>
> I doubt frequency of updates correlates to security. I'd guess that
> company culture and resources correlate more strongly.

Yes, Adobe seems much more responsive -- at least, the frequency of
updates greatly exceeds Java's. However, I didn't ask for bets about
when the next update would be available, but about when it would be
required. :-(

--
Eric Sosman
esosman@comcast-dot-net.invalid
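As an added illustration of the counting caveat Eric raises above (a full-text search for "java" also hits "javascript", some hits are really JBoss or IBM Java, and the notices carry different CVSS severities), here is a small Python example that is not part of the original thread. It runs over a handful of constructed NVD-style records embedded inline, so it touches no network and makes no claim about the real 2013 NVD numbers; the record contents and the field names are assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample records in the shape of an NVD search result
# (CVE id, description, CVSS severity). Illustrative only: these are
# not real advisories, and the field names are an assumption.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "severity": "HIGH",
     "description": "Unspecified vulnerability in the Java Runtime Environment "
                    "allows remote attackers to execute arbitrary code."},
    {"id": "CVE-0000-0002", "severity": "HIGH",
     "description": "Adobe Flash Player allows remote attackers to cause a "
                    "denial of service via a crafted SWF file."},
    {"id": "CVE-0000-0003", "severity": "MEDIUM",
     "description": "Cross-site scripting via a JavaScript event handler in "
                    "a web application."},
    # Mentions both products: a "java minus javascript" estimate drops it.
    {"id": "CVE-0000-0004", "severity": "HIGH",
     "description": "The JavaScript bridge in a browser plug-in allows a Java "
                    "applet to bypass the sandbox."},
    # An "associated technology" hit of the JBoss kind Eric mentions.
    {"id": "CVE-0000-0005", "severity": "MEDIUM",
     "description": "JBoss Application Server mishandles deserialization in a "
                    "Java EE container."},
    {"id": "CVE-0000-0006", "severity": "LOW",
     "description": "IBM Java SDK allows code execution via an untrusted applet."},
]


def substring_count(records, term):
    """Case-insensitive substring search, as a plain full-text query does."""
    term = term.lower()
    return sum(1 for r in records if term in r["description"].lower())


def naive_java_count(records):
    """The 'java hits minus javascript hits' estimate from the post."""
    return substring_count(records, "java") - substring_count(records, "javascript")


def word_count(records, term):
    """Whole-word match: 'java' no longer matches inside 'javascript'."""
    pattern = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
    return sum(1 for r in records if pattern.search(r["description"]))


def severity_breakdown(records, term):
    """How many whole-word matches fall into each CVSS severity bucket."""
    pattern = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
    return dict(Counter(r["severity"] for r in records
                        if pattern.search(r["description"])))


if __name__ == "__main__":
    print("substring 'java':", substring_count(SAMPLE_RECORDS, "java"))
    print("naive java minus javascript:", naive_java_count(SAMPLE_RECORDS))
    print("whole-word 'java':", word_count(SAMPLE_RECORDS, "java"))
    print("whole-word 'flash':", word_count(SAMPLE_RECORDS, "flash"))
    print("java by severity:", severity_breakdown(SAMPLE_RECORDS, "java"))
```

On these six constructed records the subtraction gives 3 while the whole-word match gives 4; the difference is the record that mentions both Java and JavaScript, which the subtraction removes even though it is a Java issue. The severity breakdown is the categorization step Eric says he skipped, and the JBoss record shows why even a whole-word count still needs a manual pass before the "N times worse" arithmetic means much.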
