Java is sneaky

Hello,

I recently learned that not only is it OK to remove old versions of Java from my computer, but it's highly recommended, as malware can call up old versions and use vulnerabilities they have to do their dirty work.

So I uninstalled all the old versions, and installed only the newest. Then I visited auditmypc.com, and found that the Java allowed auditmypc to see my internal IP address! So I promptly uninstalled Java, but now I'm having problems accessing some websites (of course), including my encrypted email account with Hushmail.

Can anybody tell me how to use Java selectively? (The newest version doesn't seem very user friendly to me.)

And how can I protect my privacy while running Java?

 

Harpo--Have you confirmed that the viewing of your internal IP address occurs only when you have Java enabled?
I am under the impression that the "seeing" of your external IP address when you visit a site is the normal way the internet works. In fact there are some sites that will tell you that to make you feel your security settings are not safe. But unless you run behind a proxy wall, I think, as I said, that your external IP address is visible to all sites you visit.
Here is a site that offers to show it to you as a service.
http://www.whatismyip.com/
Is your internal IP address different?

There is a way to turn off Java, but it is a bit of a nuisance. IE Tools|Internet Explorer|Advanced tab|uncheck the "Use Java..." box. You will have to reboot for that to take effect.
And the seeing of your IP address may be a javascript matter, not Java, but I am not sure about that. The two are different. You turn javascript off in IE Tools|Internet Explorer|Security tab|Current Level|Scripting section.

 

Hi there Weshjim,

Wow - whatismyisp is a fast site! It only showed my external, and not internal ISP. Try this link and tell me what results you get, please:
http://www.auditmypc.com/freescan/selscan.asp?S=2058

I use Firefox as my main browser, only using IE when absolutely necessary. I have an extension installed on FF that allows me to selectively choose what sites I want to all JS on - by default all are disallowed until I say otherwise. I love it!

Auditmypc actually showed me my internal IP as well as external, and it just blew me away. Thus far, I've only checked this at work, and not at home, but both setups are similar (I maintain small networks at work and at home), using a router, cable modem, and software firewall, but no proxy.

 

Harpo--Your link showed me my external IP address. I do not have an internal IP address. (Just one PC, directly linked to the internet through a cable modem.)
I suppose you have seen this site (a link from the site you provided)
http://www.auditmypc.com/free-spyware-removal.asp
There is an implication that I am missing some security patch since my IP Address and Host Name is shown (no super cookie or other info). But unless I used a proxy or a NAT box (which I do not), I think disclosure of that info is pretty standard. Also when I run the Shields UP! test offered at this site, it shows no attacks succeeded and that I am "stealthed ".
http://grc.com/default.htm
Try it. Maybe you will feel better!!
P.S. Here is a very lengthy discussion which may be of interest
http://flatrock.org.nz/topics/info_and_tech/make_mother.htm

 

Hi again,

Yes. My internal address is 192.168.1.2.

It showed my external (ISP) address as well. You MUST have an internal address - every computer has one!

The message I got from auditmypc said my "external IP address (shown) is always exposed...or you wouldn't be able to visit sites..." And my "internal IP address (192.168.1.2) should be protected and not be obtainable by websites. "

Further: "...we use Java to grab the information and then pass it on to the server (Notice how everything ran without prompting you?)" And "We used your internal IP for this demonstration because it's harmless (for the most part). Java passes this informaiton to the server where it can be collected. Many claim this is not possible and that only you can see this information..." And "A malicious website woner could use a similar method to grab a lot more than your internal IP address, and you wouldn't even know it! "

Re flatrock.org:

This section of the article was of interest to me, as it reminded me of an incident, oh about 9 years ago or so, where suddenly my computer was only reading the numerical IP addresses, and I couldn't find ANYTHING! I don't remember what the resolution of the problem was, but it was a really bizarre experience.

So, it would seem that something's going on w/the NAT translation that is revealing my private IP address to people who know how to look for it, such as auditmypc.

Where is the physical location of the NAT box? How do I know if I have one? How is the translation done without a NAT box?

How can a browser "mistakenly" arrive at a website?

I found that site years ago! It's one of my most trusted resources.

I made a mess out of my computer at work when I completely uninstalled Java. I still can't access my hushmail account, but at least today IE is only freezing up when the encryption engine tries to run, instead of shutting itself down like it was doing yesterday. Opera is non-responsive as well at the same function, but it shows me a portion of a graphic that says something about Java, so I know there's a connection.

I've performed several System Restores, but whatever changes were made with the uninstall, System Restore didn't fix it. I went back a whole week, and I've had to reinstall everything I'd changed in the past week.

The "current" version of Java on the computer now is 1.4.2_04. I had ver 5 both prior to and after System Restore, but something was wrong with it and I uninstalled it this morning. Ver 1.4.0_03 is still there, but it's missing a file it needs to uninstall. I've rebooted several times...

 

Hi

Harpo - minimum safe version of the 1.4.2 series is 1.4.2_08 it appears... the most recent appears to be 1.4.2_09

SA15671
Sun JRE Sandbox Security Bypass Vulnerability
Highly Critical
System access
From remote
Update to J2SE 5.0 Update 2 or 1.4.2_08

SA14640
Web Start JNLP File Command Line Argument Injection Vulnerability
Highly Critical
System access
From remote
fixed in J2SE release 1.4.2_07

SA13918
Sun Java Plug-In Two Vulnerabilities
Highly critical
Security Bypass
System access
From remote
fixed in version JRE 1.4.2_06 and later

SA13271
Java Plug-in Sandbox Security Bypass Vulnerability
Highly critical
System access
From remote
fixed in version JRE 1.4.2_06

best wishes, HJ

 

This is one reason why I tell people that they are fooling themselves with a false sense of security by using a proxy to hide http traffic. It normally only redirects the http port 80 traffic and simple tricks with java or an embedded 1x1Pixel numbered gif lets any webmaster , security admin, forum admin, FBI agent etc see your real IP (and that includes the one assigned to your modem,your router, and your internal IP ) .

There is nothing spooky or dangerous about this, to get any page from the internet you must send them your IP address for them to send it to you . A router or proxy just is an extra step along the way (your computer sends the request to the router which sends it to the modem which sends it to your ISP or proxy which sends it to the site and then it reverses for delivery).

Essentially what they are alerting you to is not a vulnerability in Java, but the fact that true anonymity on the internet is very hard to achieve.
If you are using an HTTP proxy to try to remain anonymous, you must make sure you limit yourself to only port 80 Http traffic, no java, no active x , no flash, no windows media or any other kind on the page.
Might as well go text only.


You can test your java virtual machine here
http://java.com/en/download/help/testvm.xml


You can check its security here
http://bcheck.scanit.be/bcheck/

 

indeed so, it's useful for measuring what version Java you have...

...but as far as "Congratulations, you have the latest version of Java" or "you are using an out of date version" are concerned, take what it says with a pinch of salt.

It's been in error (at least) twice, and at times when it matters. Times when folks have been wanting to upgrade their Java as the result of the older version going vulnerable.

So you upgrade and go to the "test my Java" page - and it promptly tells you that your version (the new one you've just downloaded from Sun) is out of date. For a couple of days... then the "test my Java" catches up (with which version it's meant to be considering as the most recent).

they may have fixed this / adopted a more realistic attitude now - I hope they have.

Web sites which are meant to be security tests but hand out misleading information are not good news...

even the "Shields Up!" at grc - looks good when it shows you a nice green square and says that you are "Stealthed "... but it doesn't test UDP, only TCP.

best wishes, HJ

 

I recently read that they've found a way to identify and track ANY PC on the web by it's internal clock. Anonymity is no longer possible.

I've been the round of extreme security, and it's very boring.

I'll do that when I'm back in the office on Monday. Hopefully that site will also point to an update link after running its test.

What's the diff between Java and Java Script?

 

Hello harpo,

Here are two references explaining the difference:

http://www.jsr.communitech.net/difference.htm

http://www.htmlgoodies.com/beyond/javascript/article.php/3470971

Both are security risks if not handeled well. The following is about the security aspect of them that I saved from a discussion on security:

Regards - Charles

 

Thanks for the links. I've always wondered what the difference was between the two. Now, while I don't understand completely, I understand better than I did.

Next question: On my home computer, I've got:
- Java 2 Runtime Environment, SE v1.2.2_04 and
- J2SE Runtime Environment 5.0 Update 4

After my horrifying experience at work, I'm afraid to uninstall the older version, because the program names aren't exactly the same. Can I safely uninstall the 1.2.2_04 version without causing a problem with the 5.0 version?

 

Hello Harpo,

It is a good idea to uninstall earlier versions, especially for security reasons.

Here's one thread on uninstalling oder verions in the Mozilla and Netscape forum: http://www.windowsbbs.com/showthread.php?t=44702&highlight=java+versions

Regards - Charles

 

The simple view which makes it easier to understand is that java virtual machine (now called java runtime environment)is a make believe machine (an emmulator) which runs within the operating system on your computer. It was concieved to be a cross platform (runs on most any machine regardless of operating system) system for content delivery which would keep this media seperate from your operating system. That proved harder than expected, and it was not long before bad guys figured out ways to escape the sandbox and change things on your computer OS from within the virtual machine.

Java Script , like Visual Basic Script is a code language in which small programs or instructions can be written (Scripts) . These are text based, so just like you can type

in notepad and save it as "htmltest.txt" (with quotes) and all files as type and it becomes a web page with a link to this site, they can put text into a web page which does not all show up but is an executable program.


In both cases, while this was designed to be a simple way to display and present content to make web pages more enjoyable, they can be exploited.

 

This may be a stupid question, but,

If I'm reading this right, then all the webpages I've coded by hand in Notepad are JavaScript?

 

This worked great! IE and Opera are now working fine.

But I still don't know what auditmypc.com was able to see my internal IP address. I guess I falsely blamed Java due to their statement that they used Java to get the info, but I'd still like to plug whatever hole let that info be seen.

 

No, that is an example of simple html.
I included it as a simple show of the fact that something which may appear as text in one form can do something entirely different when executed on your machine.