The entire Internet runs on JavaScript. There’s a reason for that. Java programs are “write once run anywhere” — portable, easy to use, and thus very popular.
Unfortunately, JavaScript itself is basically the computational version of AIDS. It won’t kill your computer, but it’ll lay out the red carpet for some virus that wants to do exactly that.
If you want an understanding of just how incredibly dangerous it is, let’s talk about a Java exploit just discovered that works perfectly every time. And before some jerk pipes up in the comments about how he doesn’t have to worry about it because he runs Linux… it works on you too, buddy.
Errata Security has the full breakdown, but for non-nerds this is the important part:
So to be clear I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1.
I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6.
The same exploit worked on all of them. The configuration I used to test would be caught by an IPS with good rules. If you just enable the Metasploit built-in SSL options, an IPS would be blinded to this. I have tried two different desktop protection suites from McAfee and Symantec. Neither stopped the threat, but then again, they really aren’t designed to. This is a perfect exploit to use for phishing, or to target social media users with.
In other words, this is the equivalent of walking through Camden at midnight. It’s the equivalent of touching the genitals of a Kardashian. It’s the equivalent of going up to anybody bald from Breaking Bad and laughing at their lack of hair.
Sure, they’ll patch the exploit. But there’s another one coming. So do yourself a favor, and give yourself some Internet protection. Either carefully manage what sites can use Java, or only use a certain browser with Java disabled for sensitive communications and transactions.
Failing that, there’s always hiding in fear. Did we mention there’s a lot of Java in Android?