IP: Re:ebates.com installs Java program on users computer: [risks] Risks Digest 21.49

[David Farber <dave () farber net>]

> Date: Tue, 26 Jun 2001 10:44:02 +0100
> To: farber () cis upenn edu
> From: David Byrden <David () Byrden com>
> Subject: Re: IP: ebates.com installs Java program on users computer:
>   [risks] Risks Digest 21.49
>
>
>
> > > Upon investigation, I found that ebates had installed a new folder named
> > > "C:\Program Files\topmoxie" that included the Javarun.exe program.
>
> The above message blamed Java for what is probably
> Microsoft's or Mr. Tolle's fault. Please let me clarify.
>
> First: *don't blame Java for installing the program*.
>
> Mr Tolle suspects the Java feature of his browser because
> this program was written in Java. But you might as well blame
> the word processor for installing a program that uses English.
>
> I am not an expert in IE4's capabilities but as far as I know,
> if you don't want websites to install EXE and DLL files then
> you can change the security settings. Most kinds of control
> or plugin, if you allow them to run, can potentially install files;
> therefore you should not allow them to run AT ALL.
>
> Java is *safer* than most because you can run Java applets
> and prevent them installing files or making any permanent
> change.
>
>
> Second: *this is not a Java Program.*
>
> The rogue program JAVARUN.EXE was probably written with
> Microsoft's pseudo-Java tools, but it's a Windows program.
> Java programs live in JAR and CLASS files, Windows programs
> live in EXE and DLL files.
>
> If the program were written in C++, it would be just as dangerous.
>
>
> To summarise: Java is not to blame for the threat posed by
> this program, and probably not to blame for installing it in the
> first place.
>
> David



For archives see: http://www.interesting-people.org/