Can someone explain (Please)

[Tovian]

When I go to Firefox's Manage Add-ons feature I find options for (1) add-ons; (2) extensions; and (3) plugins. In the past I've just checked all of them for whatever I was looking for, but I'm tired of not understanding what these really are, and/or what the differences are, and how/why they do things differently.

Can someone please explain - in language even I can understand - the differences in these features.

TIA

I finally got to this ugly place (in my head) because I'm still trying to figure out what to do about Java. Everyone wants to tell me all there is to know about Java, but no-one simply says, "Do this...".

[muungwana]

extensions are add-ons
plugins are add-ons.

Both are add-ons because they add functionality to the browser.

The difference btw an extension and a plugin is that an extension becomes a part of the browser and can reach and manipulate the browser internals as "first class citizens".

Plugins on the other hand are binary blobs.They run separately from the browser and interact with the browser through well defined interface called NSPR.

A firefox extension works only in firefox because they are intimate part of the browser and must have very intimate knowledge of the browser.This is also why they break with firefox upgrades.

Plugins on the other hand are tied not to a browser,but to the NSPR interface and this is why the same flash plugin or java plugin works in firefox as well as chrome,opera,konqueror among other browsers.

[Tovian]

Excellent answer - Thank You Very Much !!!

I'm going to leave this open for a day or two just in case anyone has something to add.

[horusfalcon]

Excellent answer - Thank You Very Much !!!

I'm going to leave this open for a day or two just in case anyone has something to add.

Recent news would seem to indicate the Feds (here in the U.S.) think that Java is a security risk at present.  They are recommending it be disabled on all computers wherever possible.

http://in.reuters.com/article/2013/01/14/java-oracle-security-idINDEE90D01020130114

That said, I don't know if I'd run out and disable Java everywhere.  Sure hope Oracle can sort out this mess (and that's like hoping for world peace...)

Later On,
D

[The Chief]

Isn't Java (the runtime) really just an interpreter for Java based programs?   

I suspect the real threat is the Java based program.  And how does it get executed? 

Doesn't it require some operator action?

[horusfalcon]

Isn't Java (the runtime) really just an interpreter for Java based programs?   

I suspect the real threat is the Java based program.  And how does it get executed? 

Doesn't it require some operator action?

Not entirely sure there, Chief.  I do know that older versions of the JRE have been deprecated in the past as security risks, and now this action by the government.  Oracle has been releasing updates as exploits come to their attention, but apparently not quickly or decisively enough?

Certainly, someone has to have malicious intent to really use an exploit, but the exploit must exist.  As someone who deals with Social Engineers day in and day out, yeah, I take your meaning - a lot of the threats out there still depend on social engineering as their primary attack vector, but not everything does.

It's really odd to me, because Java is designed to run in a "sandbox" that prevents it from obtaining low-level access to a machine's configuration, or so I thought.  Maybe a Java coder out there could clarify this?

Later ON,
D

[kjpetrie]

According to Wikipedia, Java "is specifically designed to have as few implementation dependencies as possible" which I take to mean it is self-contained and has fairly low-level access to the machine, rather than needing system libraries to provide access.

So, no, it doesn't run in a sandbox - quite the contrary, which is why it's such a security risk.

[muungwana]

Isn't Java (the runtime) really just an interpreter for Java based programs?   

I suspect the real threat is the Java based program.  And how does it get executed? 

Doesn't it require some operator action?

The threat is the java browser plugin,it allows arbitrary code from arbitrary websites to run on the system.This is a serious security hole and it requires a plugin written very carefully to limit how much the underlying system is exposed to the arbitrary code running in the plugin.

flash plugin does the same things and suffers the same security problems.

[horusfalcon]

According to Wikipedia, Java "is specifically designed to have as few implementation dependencies as possible" which I take to mean it is self-contained and has fairly low-level access to the machine, rather than needing system libraries to provide access.

So, no, it doesn't run in a sandbox - quite the contrary, which is why it's such a security risk.

Um... you might want to consider another source here?  (The sandbox model might not be accurate today, but it was once true.)

http://docs.oracle.com/javase/1.4.2/docs/guide/security/spec/security-spec.doc1.html

To quote:

1.1 The Original Sandbox Model

    The original security model provided by the Java platform is known as the sandbox model, which existed in order to provide a very restricted environment in which to run untrusted code obtained from the open network. The essence of the sandbox model is that local code is trusted to have full access to vital system resources (such as the file system) while downloaded remote code (an applet) is not trusted and can access only the limited resources provided inside the sandbox. This sandbox model is illustrated in the figure below. {see original source at link for figure - D }

    The previous context describes this graphic.

    The sandbox model was deployed through the Java Development Kit (JDK), and was generally adopted by applications built with JDK 1.0, including Java-enabled web browsers.

They go on to explain how the sandbox concept has evolved into one of "permission domains".  The JVM (Java Virtual Machine) still hands off low level interfaces to system calls via well-defined APIs to gain access, only after the proper permissions are set up for that access. 

That whole permission domains model in present-day Java is probably part of the problem, though... from what I'm reading about how to extend permissions for a given application, it is now possible for a remote applet to be configured to operate in a locally privileged domain - I think I'm understanding this at least part way.  Looks like they should never have forsaken the sandbox model, or made sure that local and remote domains never interacted.

This just points up the trade-offs made to strike a balance between security and usability.

Thanks for the challenge, kjpetrie!  I hadda go dig and learn a few things tonight. 

Yep, it looks like my take on Java's security model was somewhat dated.  (It figures.  Last time I tried to learn Java I got an object-oriented headache.)

I hope Oracle can still get Java to un-screw itself...

Later On,
D

[ternor]

In about:config in Firefox there is a setting 'plugins.click_to_play' which you can set to true so that you have to click to activate a plugin.  In about:permissions you can choose specific settings for domains you have visited.

On the navigation bar (on some pages) there is an icon at the left of the urlbar which you can click to activate plugins.

If you wish to control the sites on which scripts can run there is an excellent add-on called NoScript.

[Phil]

Hi Tovian,

I have noscript installed, only allows scripts to run on sites or part sites if you allow. Get it installed.

I also have better privacy installed

[kjpetrie]

According to Wikipedia, Java "is specifically designed to have as few implementation dependencies as possible" which I take to mean it is self-contained and has fairly low-level access to the machine, rather than needing system libraries to provide access.

So, no, it doesn't run in a sandbox - quite the contrary, which is why it's such a security risk.

Um... you might want to consider another source here?  (The sandbox model might not be accurate today, but it was once true.)

http://docs.oracle.com/javase/1.4.2/docs/guide/security/spec/security-spec.doc1.html

To quote:

1.1 The Original Sandbox Model

    The original security model provided by the Java platform is known as the sandbox model, which existed in order to provide a very restricted environment in which to run untrusted code obtained from the open network. The essence of the sandbox model is that local code is trusted to have full access to vital system resources (such as the file system) while downloaded remote code (an applet) is not trusted and can access only the limited resources provided inside the sandbox. This sandbox model is illustrated in the figure below. {see original source at link for figure - D }

    The previous context describes this graphic.

    The sandbox model was deployed through the Java Development Kit (JDK), and was generally adopted by applications built with JDK 1.0, including Java-enabled web browsers.

They go on to explain how the sandbox concept has evolved into one of "permission domains".  The JVM (Java Virtual Machine) still hands off low level interfaces to system calls via well-defined APIs to gain access, only after the proper permissions are set up for that access.  

That whole permission domains model in present-day Java is probably part of the problem, though... from what I'm reading about how to extend permissions for a given application, it is now possible for a remote applet to be configured to operate in a locally privileged domain - I think I'm understanding this at least part way.  Looks like they should never have forsaken the sandbox model, or made sure that local and remote domains never interacted.

This just points up the trade-offs made to strike a balance between security and usability.

Thanks for the challenge, kjpetrie!  I hadda go dig and learn a few things tonight.  

Yep, it looks like my take on Java's security model was somewhat dated.  (It figures.  Last time I tried to learn Java I got an object-oriented headache.)

I hope Oracle can still get Java to un-screw itself...

Later On,
D

That means Java creates an internal sandbox to run untrusted code. It doesn't run in one, but tries to contain some code within itself. It is presumably that internal sandbox which leaks.

[menotu]

I simply don''t have Java installed. Full Stop.

If the Java Plugin is enabled in your main browser I would strongly suggest disabling it.

If you do need Java on certain sites a safer solution is to use a two browser setup and only use the Java Enabled browser for those particular sites

The following link may help answer a few queries in regard to Java

http://www.pclinuxos.com/forum/index.php/topic,112334.0.html

From the above link re Java and JavaScript it mentions

Q: Okay, I think I’m covered on Java. But what about Javascript?

A: Because of the unfortunate similarity of their names, many people confuse Java with Javascript. But these are two completely different things. Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

[Tovian]

This is really good information - Thank you for all these replies.

A week or so ago I read that Larry Ellison (Oracle CEO) regarding this latest exploit had stated, "If you don't need Java turn it off". Now that's the advice from the Chairman of the company that owns/publishes the product. It is quite unambiguous. I'm wondering if the right way to deal with the "Java issue" comes from the line quoted above, "people confuse Java with Javascript. But these are two completely different things". I'm thinking I should uninstall JRE on (at least most of) my machines, but leave Javascript enabled. Or is that backwards ? Or is it completely wrong ?

Here's a snippet from an announcement I just found regarding an emergency fix Oracle has issued - and it may also help clarify the "sandbox" issue...
"The default security level for Java applets and web start applications has been increased from 'medium' to 'high," Oracle said in an advisory today. "This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the 'high' setting the user is always warned before any unsigned application is run to prevent silent exploitation."

The vulnerability was being exploited by a zero-day Trojan horse called Mal/JavaJar-B, which was already identified as attacking Windows, Linux and Unix systems and being distributed in exploit kits "Blackhole" and "NuclearPack," making it far more convenient to attackers.

source: http://news.cnet.com/8301-1009_3-57563730-83/oracle-releases-software-update-to-fix-java-vulnerability/

[menotu]

thinking I should uninstall JRE on (at least most of) my machines, but leave Javascript enabled. Or is that backwards ? Or is it completely wrong ?

Yup - if  Java isn't needed I'd remove it.

For browser use of JavaScript  the NoScript add-on is excellent as it gives control over which site can use JavaScript

For my Firefox setup I add two of the NoScript icons onto my toolbar giving me quick access to them.

The first image shows the Temporarily Allow icon



The second one shows all the "components" on that site (the site in both images is ITPRO)



Edit - just noticed the ITPRO site I was on was a blog discussing Java.

Andrew Storms, director of security operations at compliance software firm nCircle, said the security problems that have recently blighted Java should prompt Oracle into overhauling the platform.

“Oracle should just redesign Java from the ground up before everyone completely loses faith in it and other Oracle products,” said Storms.

“Obviously, there’s something broken in Java development or design cycles. Oracle needs to wake up and get serious about secure software development, it’s not like there aren’t a lot of examples on how to do it right.”