On Mon, 6 Jun 2005 12:36, Russell Davie wrote:
> Marek Wawrzyczny wrote:
> > On Mon, 6 Jun 2005 11:30, Russell Davie wrote:
> >>Hi
> >>Please give your advice on security of Java in Linux.
> >>
> >>scenario:
> >>I have just received an email from ANZ bank (which I don't bank with, so
> >> it's likely to be phishing) that is linked to a bunch of Java scripts.
> >> This is shown in Mozilla-Thunderbird when I move the cursor over the
> >> link.
> >
> > I got one too... but, there are no links to Java applets, do you mean
> > JavaScript? JavaScript is different and unrelated to Java.
>
> ok, yes
> the line is to javascripts
>
> > Those phishing emails come up often, but it seems that they're targeting
> > Aussie banks again. These emails seem to flare up every now and then. In
> > most cases they take you to a fake site that exploits (usually an IE) bug
> > that allows the author to obscure the real origin of the site.
>
> I have Firefox running SpoofStick, and this says the origin of the page.
>
> > They then ask you for
> >
> > personal information. Since the bank will never do that, delete the email
> > straightaway.
>
> other users on this machine may not be so careful.
>
> > I have come across one site that had a Java applet that would try and
> > overwrite a Windows DLL (the applet never ran), but typically they are
> > not that sophisticated. The Security Manager should prevent that from
> > happening anyway. Applets should run inside a sandbox and, by design, the
> > JVM does not allow them to overwrite files outside the user directory (I
> > believe).
>
> this is what I would like to be clear about
> Apart from spam filters, is reliance on JVM design enough? (apart from
> continually reminding the users)

Hmmm, let's put it this way: it should be enough. But is anyone going to guarantee that at some point, some version of Sun's or someone else's JVM won't have a security flaw? Even then, on Linux, the exploit would have to run with su privileges to gain access to any important system files... No, I don't think there is anything to fear. Sun's and Java's reputation relies on the JVM model being secure.

--
Marek Wawrzyczny

"Terrorism is the war of the poor, and, war is terrorism of the rich." - Peter Ustinov

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
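
The reply above rests on ordinary Unix file permissions: code running as a normal user, inside a JVM or not, cannot modify system files unless their mode bits allow it. The following is an added example, not part of the original thread, that checks this for a given account by applying the owner/group/other write rule to a list of system paths. The path list and function names are assumptions made for illustration, and the check covers mode bits only (no ACLs, capabilities, SELinux or AppArmor).

```python
import os
import stat


def dac_allows_write(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix permission check for write access.

    Root bypasses the mode bits. Otherwise exactly one class decides:
    owner if the uid matches, else group if the gid matches, else other.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_system_paths(paths, uid, gids, lstat=os.lstat):
    """Return the entries of `paths` that the given user could modify."""
    hits = []
    for path in paths:
        try:
            st = lstat(path)
        except OSError:
            continue  # missing or inaccessible: nothing to report
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits mean nothing; audit the target instead
        if dac_allows_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            hits.append(path)
    return hits


# Assumed list of paths to audit; extend it for the machine in question.
SYSTEM_PATHS = ["/etc", "/etc/passwd", "/etc/shadow", "/bin", "/sbin",
                "/lib", "/usr/bin", "/usr/lib"]

if __name__ == "__main__":
    # Run as the account that runs the browser and its JVM plugin.
    uid = os.getuid()
    gids = set(os.getgroups()) | {os.getgid()}
    found = writable_system_paths(SYSTEM_PATHS, uid, gids)
    for p in found:
        print("writable without root:", p)
    if not found:
        print("no audited system path is writable by uid", uid)
```

Any path it reports is one that user-level code could change without root. Files under the user's own home directory are writable by design and are not covered by this check.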
