December 8th 04, 05:39 PM
Peter Duniho

"Jay Masino" wrote in message
...
[...] As others have pointed out, the
problem with Java, javascript and flash is that the code is executing on
your computer, instead of the web server.


Well, to be fair, this is true even of plain old HTML. Just because one
looks like an actual "program" while the other looks more like "data", that
doesn't mean they both don't have the same potential for abuse.

Security flaws almost never involve taking advantage of high-level execution
units (e.g. a Java interpreter). They generally involve getting data to be
copied to your computer in a way that causes the data to be executed. This
is potentially just as easy to do with HTML, JPEGs, or even text files as it
is with Java, Javascript, Flash, etc.

Inasmuch as disabling scripted content does reduce one's total exposure to
downloaded data, doing so can reduce your risk exposure. But it's not
because the content is a "program" versus "data". It's just that you're
downloading less data, and fewer different kinds of data.

Pete