Java, is it safe or a risk

My scenario: I have a hardware firewall running in front of my XP Pro machine blocking all incoming traffic, also a firewall on XP Pro with no exceptions set, and Symantec AntiVirus Corporate Edition version 10 with built-in spyware detection.

I also have Java installed. While surfing recently I noticed some action from Java in the system tray and then a second popup (from the system tray with a red X) which said computer is infected with spyware click here to remove. There was no option to close the icon; when I clicked on it, it installed spy pest or similar. I know this is spyware, but my question is: it bypassed everything on my system/network/anti virus and came straight in! It obviously came in through Java. How should I be securing my system? I use a remote support tool to connect to my customers and it requires them to have Java installed. Am I putting my customers at risk by installing it, or is there a safer way to use it?

Thanks!



Sid_F Asked:

blue_zee Commented:

I fear the problem you mention has nothing to do with Java. Probably IE or Messenger.

But on your topic, Java security, these links are useful:

Security and the Java Platform
http://java.sun.com/security/

Java Applet Security
http://java.sun.com/sfaq/

Java Security FAQ
The Unofficial Answers from the Princeton Secure Internet Programming Team
http://www.cs.princeton.edu/sip/faq/java-faq.php3

Secunia monitors vulnerabilities in more than 7,500 products
http://secunia.com/product/

Hope these may help you.

Zee
SunBow Commented:
Probably ActiveX or more likely a web exploit (IE) - you need to ensure all the upgrades are received, installed, and implemented.

> Java, is it safe or a risk

Depends on how you set it up. Think of it this way: how hard it is to install products when you are not the system administrator. If not installing, do not be admin.

Use an ID you make yourself, with less privileges for those days of surfing. Why do you want to be more than a guest? Reserve those times of higher privilege; the malware needed your authority to install, do not blame Java itself. You can disable 'install on demand' in IE.

masnrock Commented:
Java in itself is not the most risky thing. It has its own built-in security model, which I will not call 100% effective. However, the sandbox model has been a pretty safe one. Case in point: Look at all of the things you can do to someone using an ActiveX control.

How, I'd have to ask, how are you so sure that it was Java that brought in the spyware in question? Firewalls do NOT block spyware (just suspect network traffic), and quite often spyware scanners are reactive, not proactive. Also, spyware tends to come in with normal web traffic, so it's not nearly as easy to block as you'd like to think.

Like SunBow alluded to, you'd probably need to tweak settings in IE. Also, might want to implement another spyware solution (this isn't a knock on the antivirus program).
Sid_F (Author) Commented:
Thanks guys. That's given me food for thought. That's a good point about rights, SunBow, as I'm always in as administrator.
SunBow Commented:
Thanx
(I do not practice what I preach as much as I ought, don't feel too bad, but I also have a good handful of other practices)
masnrock > Look at all of the things you can do to someone using an ActiveX control.
:-)) <sad>
> might want to implement another spyware solution
(no such thing - IMO)