Dodgy "Update Flash Player" site?

Energize said:
That's different to a web app, and a private JRE can be used for applications like that, I deploy private JRE's with my java apps because then the user does not need to install a public JRE which can be accessed by any application and used maliciously. Java along with PDF's and Flash forms the triangle of evil as far as web vulnerabilities are concerned.
Click to expand...

No it's a web app. You launch a browser and then connect to a website and after a challenge/response pin it logs me in remotely to my work PC - within my browser. I think it's a rebadged "LogMeIn" or something similar. If the Java browser plugin is disabled then it simply won't connect. It's often a pain but at least the advantage is that I can login to my work PC from any device that supports the Java browser plugin and I have my smartphone handy (the challenge/response pin is on the RSA tool which runs on my phone).
 
Hades said:
No it's a web app. You launch a browser and then connect to a website and after a challenge/response pin it logs me in remotely to my work PC - within my browser. I think it's a rebadges "LogMeIn" or something similar. If the Java browser plugin is disabled then it simply won't connect.
Click to expand...

Good grief that sounds horrible.

Why on earth are you not using the industry standard VNC software? You most certainly don't need Java to access a PC remotely!

This kind of obsolete software is what I'm talking about, it's all been superseded years ago removing the requirement for java web apps these days.
 
Last edited:
Energize said:
That sounds like terrible application design...

VNC sounds much more suited to that kind of use anyway, so you most certainly can work from home without Java!
Click to expand...
Energize said:
Good grief that sounds horrible.

Why on earth are you not using the industry standard VNC software? You most certainly don't need Java to access a PC remotely!

This kind of obsolete software is what I'm talking about, it's all been superseded years ago removing the requirement for java web apps these days.
Click to expand...

I don't disagree. But with VNC wouldn't you have to have a VNC client installed on your PC? This is a huuuuge multinational company and I guess the idea behind it is that anyone can work from home without dedicated hardware or software. You just download the challenge/response tool to your smartphone and then simply point your browser at a URL and can connect securely without any additional software.

Bearing in mind we're talking about tens of thousands of employees, would it be better to expect them to install VNC on their home machines (their own machines, not company machines) or expect them to connect with any of the industry standard browsers?

Oh, this is the second large multi-national that I've worked for that uses this product - so between the two companies that's around 400,000 employees worldwide that could use this product (and I assume many more multi nationals too). At that number of users managing a VNC install or troubleshooting it becomes quite time consuming when a browser and Java plugin "works". I don't like it but that's just the way it is and I can see their reasons.
 
Last edited:
Hades said:
Oh, this is the second large multi-national that I've worked for that uses this product - so between the two companies that's around 400,000 employees worldwide that could use this product (and I assume many more multi nationals too). At that number of users managing a VNC install or troubleshooting it becomes quite time consuming when a browser and Java plugin "works". I don't like it but that's just the way it is and I can see their reasons.
Click to expand...

'Easy way out' does not equate to 'proper method'. Number of users is irrelevant.

I wonder how many people who have been forced into Java have been affected by a Java exploit. These are the same people who'd have trouble using VNC right? ;)
 
Last edited:
Hades said:
I don't disagree. But with VNC wouldn't you have to have a VNC client installed on your PC? This is a huuuuge multinational company and I guess the idea behind it is that anyone can work from home without dedicated hardware or software. You just download the challenge/response tool to your smartphone and then simply point your browser at a URL and can connect securely without any additional software.

Bearing in mind we're talking about tens of thousands of employees, would it be better to expect them to install VNC on their home machines (their own machines, not company machines) or expect them to connect with any of the industry standard browsers?

Oh, this is the second large multi-national that I've worked for that uses this product - so between the two companies that's around 400,000 employees worldwide that could use this product (and I assume many more multi nationals too). At that number of users managing a VNC install or troubleshooting it becomes quite time consuming when a browser and Java plugin "works". I don't like it but that's just the way it is and I can see their reasons.
Click to expand...

You don't need the VNC client installed, it's an executable file.

Also a VPN client is built into every operating system I know of, even smartphones, so that's another options for certain use cases.
 
asim18 said:
I wonder how many people who have been forced into Java have been affected by a Java exploit. These are the same people who'd have trouble using VNC right? ;)
Click to expand...

By a quirk of fate I have not long posted in the Windows forum about "Exploit:Java/CVE-2013-0422" which seems to have appeared on my PC twice in the last few days and I don't know why.

I don't think I have any special need for Java beyond making websites work when browsing - I guess I have it installed because it appears that you are supposed to...
 
Energize said:
You don't need the VNC client installed, it's an executable file.

Also a VPN client is built into every operating system I know of, even smartphones, so that's another options for certain use cases.
Click to expand...

Just tried it from my Linux install and no VNC client installed. Don't recall one being installed on my Windows partition by default (could be wrong) or my Macbook (could be wrong again but don't recall it). I can install one of course but it's not there right now. It's certainly not installed by default on any of the smartphones I've owned :confused: What do you mean by an executable file?

Assuming it is installed on every OS then I guess each VNC client would work differently so the company's helpdesk would need knowledge of every OS's VNC client out there rather than only how to configure the main browsers and install Java?
 
Hades said:
Just tried it from my Linux install and no VNC client installed. Don't recall one being installed on my Windows partition by default (could be wrong) or my Macbook (could be wrong again but don't recall it). I can install one of course but it's not there right now. It's certainly not installed by default on any of the smartphones I've owned :confused: What do you mean by an executable file?

Assuming it is installed on every OS then I guess each VNC client would work differently so the company's helpdesk would need knowledge of every OS's VNC client out there rather than only how to configure the main browsers and install Java?
Click to expand...


I said VPN not VNC. ;)

An executable file is a file containing machine code that runs directly, it doesn't need installation. So you can just download the VNC file and run it without any installation, just type in your username and password along with the host address and it connects.
 
Energize said:
Java along with Adobe Reader and Adobe Flash forms the triangle of evil as far as web vulnerabilities are concerned.
Click to expand...

The latest versions of Reader & Flash are fairly solid. They both have decent sandbox technology & auto-update.

Mr Badger said:
I don't think I have any special need for Java beyond making websites work when browsing - I guess I have it installed because it appears that you are supposed to...
Click to expand...

You probably don't need it.

Control Panel\All Control Panel Items > Java > Security
Untick 'Enable Java content in the browser'.
See if you can live without it. :)

FoxEye said:
Also BT's speedtester/diagnostic site still uses it.
Click to expand...

Incorrect. It uses Flash.
 
FoxEye said:
Minecraft? :p

Also BT's speedtester/diagnostic site still uses it.
Click to expand...

Everyone knows speedtest.net is better and doesn't require JAVA. Sadly pingtest.net does need it if you want to test packet loss, the rest of the test runs fine but your score will be a B* max because of that.

Since my banking sites updated and didn't require JAVA any more I haven't had it installed for over a year. Not come across any non work related web apps that require it either.
 
You must log in or register to reply here.
Back
Top Bottom