dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
31
share rss forum feed


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast

1 recommendation

reply to Oleg

Re: Feds warn PC users to disable Java

How many times have a seen this phrase in a security advisory?

quote:
can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system,
Insert your favorite program before the phrase. Me? I've decided to disable Windows, that will teach em.
--
Chris
Living in Paradise!!

slajoh01

join:2005-04-23

This java exploit affects linux, OSX,Unix as well. Not just Windows based OS.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Yeah...well Apple must have juice with Oracle because they have access to a newer version of Java that doesn't have the vulnerability and they are having all their users install it.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

said by Mele20:

Yeah...well Apple must have juice with Oracle because they have access to a newer version of Java that doesn't have the vulnerability and they are having all their users install it.

They are disabling it..»www.macrumors.com/2013/01/11/app···-threat/

Where did you get your info there is a newer version?
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..
reply to chrisretusn

said by chrisretusn:

How many times have a seen this phrase in a security advisory?

quote:
can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system,
Insert your favorite program before the phrase. Me? I've decided to disable Windows, that will teach em.

How does not using Windows secure you from this problem?
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Name Game

said by Name Game:

Where did you get your info there is a newer version?

I wouldn't be surprised if the version number of Java for Apple machines is higher (or lower). That may, or may not, mean anything. After all Google (with Chrome) and Microsoft (with IE10) have different numbers for their embedded Adobe Flash Player.

There was a time when version numbers meant something. These days not so much. For example look at Mozilla Firefox. They bump a major version every month or so.
--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

said by StuartMW:

said by Name Game:

Where did you get your info there is a newer version?

I wouldn't be surprised if the version number of Java for Apple machines is higher (or lower). That may, or may not, mean anything. After all Google (with Chrome) and Microsoft (with IE10) have different numbers for their embedded Adobe Flash Player.

There was a time when version numbers meant something. These days not so much. For example look at Mozilla Firefox. They bump a major version every month or so.

I read this in one of the security articles. I'll see if I can find it again. The article's author may have been misinformed but said that Apple, contrary to what was being bandied about the internet, was not disabling Java but instead requiring users to update Java to a brand new version not yet publicly available. I wasn't confused by the difference in numbering for Apple vs Windows but perhaps the author of the comment could have been.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by Mele20:

I wasn't confused by the difference in numbering for Apple vs Windows but perhaps the author of the comment could have been.

FYI I was saying it is possible. I don't know for sure.

Besides

»JAVA 7u11 now available for download
--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Yeah... I see it is out so makes this all sort of moot.

Not sure I will install it though with all the reports of the Java registry key missing in the new version and thus Java won't work in Fx.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



kickass69

join:2002-06-03
Lake Hopatcong, NJ

Click for full size
It works and shows up just fine over here running Firefox 18.


Selenia
I love Debian
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
reply to pandora

said by pandora:

said by chrisretusn:

How many times have a seen this phrase in a security advisory?

quote:
can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system,
Insert your favorite program before the phrase. Me? I've decided to disable Windows, that will teach em.

How does not using Windows secure you from this problem?

It might. One thing is using the openjdk and openjre. I avoid proprietary where open source works well. Many times, it works better(adapting to rapid software updates, etc) if the functions you need are supported. I breathed a sigh of relief when the support for my laptop's graphics chipset by the open source radeon driver matured enough to use it full time. No more fglrx hell(ATI/AMD's proprietary linux 3D graphicsdriver) of worrying that upgrades would break it or that it would not like particular software or configs. That being said, I use Java a lot and the openjre has supported everything I do well. So far, no security bulletins regarding this that I can find.
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.


intok

join:2012-03-15
reply to Mele20

said by Mele20:

Yeah...well Apple must have juice with Oracle because they have access to a newer version of Java that doesn't have the vulnerability and they are having all their users install it.

Last I remember Apple writes their own Java implementation just as they do with their video drivers.


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast

3 recommendations

reply to pandora

said by pandora:

said by chrisretusn:

How many times have a seen this phrase in a security advisory?

quote:
can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system,
Insert your favorite program before the phrase. Me? I've decided to disable Windows, that will teach em.

How does not using Windows secure you from this problem?

It doesn't. You missed my point. That phrase (quoted above) is is used for a lot of software vulnerabilities including Microsoft ones, yet I don't recall being advised or encouraged by CERT or other security advisories to disable or remove Windows.

It was a bit of humor too.

Lot of folks jumping on the I don't run, removed it, never used it, band wagon. Well I've never been one to follow trends, no plans on following this one. I need Java for programs I use and some web sites I use also use Java. So Java stays.

For what it's worth, I have OpenJDK installed on this particular machine (Running Slackware64) and the IcedTea-Web Plugin with my browser (Firefox). I have other machines (a mix of operating systems) that have Oracle Java installed. I am not all that concerned about this latest "threat" as I seriously doubt I will be bothered by it.
--
Chris
Living in Paradise!!

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..

said by chrisretusn:

For what it's worth, I have OpenJDK installed on this particular machine (Running Slackware64) and the IcedTea-Web Plugin with my browser (Firefox). I have other machines (a mix of operating systems) that have Oracle Java installed. I am not all that concerned about this latest "threat" as I seriously doubt I will be bothered by it.

Thanks for the response, I understand your post better.

This does bring up another question ... is the opensource Java product vulnerable to any of the exploits Java currently is?
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast

Based on Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code - No. There are some Java vulnerabilities that affect both. Example: Vulnerability Note VU#636312 - Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code
--
Chris
Living in Paradise!!


pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..

I ran a google search for OpenJDK exploit within the past week, and encountered this - »security.stackexchange.com/quest···-icedtea

Java 7 and OpenJDK share a lot of common code, so, as a general rule, security issues in Java 7 also apply to OpenJDK. In that specific case, it seems that the vulnerability was reported in the Debian OpenJDK package, so yes, they are vulnerable. See this question on another stackexchange site. Since Oracle seems to have fixed their JDK, chances are that the same fix will appear in OpenJDK in a few hours or days.

the article goes on to more or less indicate the virtue of browsing with Linux as hardly anyone targets it do to Linux not being used much to browse. Security through obscurity came to mind.

If a lot of code is shared with the open Java and proprietary Java, it'd be tough for me to get warm fuzzies about either product.

Also here - »ubuntuforums.org/showthread.php?p=12452828

Looking here: »krebsonsecurity.com/2012/08/j...···o-flaws/

Sounds like Ubuntu "10" could be at risk. NOTE, I did discover 3 viruses, via Clamscan, nestled in a TMP cache. Caused no problems.


--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast

1 edit

Well here is my take on that information from »security.stackexchange.com/quest···-icedtea

There is this statement "Java 7 and OpenJDK share a lot of common code, so, as a general rule, security issues in Java 7 also apply to OpenJDK. In that specific case, it seems that the vulnerability was reported in the Debian OpenJDK package, so yes, they are vulnerable."

Well first there is no specific case sited (it could be assuming VU#625617) and the reference (»askubuntu.com/questions/181884/s···-for-now) to the reported vulnerability in the Debian OpenJDK package refers to the second link in my post VU#636312 dated 27 Aug 2012 which was been patched.

While it is possible that the current vulnerability affects OpenJDK, it is not specifically listed as affected by the vulnerability alert for VU#625617 dated 10 Jan 2013.

VU#625617 has been patched by Oracle and as I have already mentioned. I am not all that concerned about this; and this has nothing to do with my preferred operating system being Linux. I do run Windows and have Java install their as well. I think there is a lot of over reaction to this.

--
Chris
Living in Paradise!!



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to Mele20

said by Mele20:

said by StuartMW:

said by Name Game:

Where did you get your info there is a newer version?

I wouldn't be surprised if the version number of Java for Apple machines is higher (or lower). That may, or may not, mean anything. After all Google (with Chrome) and Microsoft (with IE10) have different numbers for their embedded Adobe Flash Player.

There was a time when version numbers meant something. These days not so much. For example look at Mozilla Firefox. They bump a major version every month or so.

I read this in one of the security articles. I'll see if I can find it again. The article's author may have been misinformed but said that Apple, contrary to what was being bandied about the internet, was not disabling Java but instead requiring users to update Java to a brand new version not yet publicly available. I wasn't confused by the difference in numbering for Apple vs Windows but perhaps the author of the comment could have been.

Nevertheless your info was wrong. Period.

»www.applebitch.com/2013/01/12/ap···on-macs/
»www.applebitch.com/2013/01/14/ne···eleased/

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


goalieskates
Premium
join:2004-09-12
land of big

1 recommendation

reply to chrisretusn

said by chrisretusn:

VU#625617 has been patched by Oracle and as I have already mentioned. I am not all that concerned about this; and this has nothing to do with my preferred operating system being Linux. I do run Windows and have Java install their as well. I think there is a lot of over reaction to this.

That overreaction may be due at least in part to the fact DHS is involved. We've seen a lot of vulnerabilities over the years, some of which went unpatched for years - but I don't recall DHS getting into the act before. The warnings came from software houses or researchers or independent testers. I don't want to minimize a danger, but the skeptic in me wonders if this isn't some sort of test - by DHS.

Federal government sites use java. So wtf?


DownTheShore
Honoring The Captain
Premium
join:2003-12-02
Beautiful NJ
kudos:13
Reviews:
·Verizon Online DSL

Perhaps someone at DHS was sick and tired of Oracle never fully patching the thing and decided to use the power available to him or her in their position at DHS to give them a kick in the rear.

-------------------

La Luna, thanks for answering my question.


pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..
reply to goalieskates

said by goalieskates:

That overreaction may be due at least in part to the fact DHS is involved. We've seen a lot of vulnerabilities over the years, some of which went unpatched for years - but I don't recall DHS getting into the act before. The warnings came from software houses or researchers or independent testers. I don't want to minimize a danger, but the skeptic in me wonders if this isn't some sort of test - by DHS.

Federal government sites use java. So wtf?

I think it's nice DHS said something.

I'm still amazed some folks consider this a problem only with proprietary Java code, and conclude identical open source code is somehow invulnerable. This is a demonstration of faith not supported by any possible fact.

It appears both the open and proprietary Java versions should be considered vulnerable until someone demonstrates the open code isn't the same and is not vulnerable. Also waiting for Java proprietary to be patched, assuming the open source code is identical, sort of mitigates some of the claimed virtue of open source. Shouldn't the open source community have fixed this long ago?
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast

said by pandora:

I'm still amazed some folks consider this a problem only with proprietary Java code, and conclude identical open source code is somehow invulnerable. This is a demonstration of faith not supported by any possible fact.

I don't think anyone has said is a problem with only proprietary Java code. No one has said open source is invulnerable. Not sure were you got that from.

In fact the advisory has been updated and OpenJDK and IcedTea are both listed as affected.

Does that change anything as far as I am concerned? No it does not. I am not disabling or removing Java from my machines. When a patch is released for OpenJDK I will apply it.
--
Chris
Living in Paradise!!

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..

1 edit

said by chrisretusn:

I don't think anyone has said is a problem with only proprietary Java code. No one has said open source is invulnerable.

The first post I replied to in this thread, indicated the solution (his solution iirc) was to disable Windows. As if this were a Windows problem. Upon follow up, I was assured the solution was open Java.

It doesn't appear either is a solution for this problem. Windows has earned a reputation for vulnerability on Internet over many years, and Linux a reputation for reliability. Windows has greatly improved it's security, while Linux when used as a desktop or desktop-like system (tablet, very smart phone) is almost always hackable (someone can find a way to get any phone or tablet rooted). Worse most customers are easily hacked by simple social engineering (almost any app will be installed regardless of what it does after installation).

The themes I was fascinated with were; 1) That Windows was the problem (in the case it isn't), and 2) Open source would save users from this hack (apparently not true in this case).

Sorry.
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


Selenia
I love Debian
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
reply to pandora

Not saying the open code doesn't have certain vulnerabilities. It is fairly unlikely it is the same vulnerabilities though. The open source people have to use different code to achieve their goal, or run a severe risk of being slapped with a nasty lawsuit by Oracle. Same has long applied for things like Linux graphics drivers, too(btw, the open source radeon driver kicks the snot out of proprietary fglrx on my laptop, in terms of OpenGL performance, with no worries that upgrading my X or my kernel will break it. DirectX support is limited but I really don't need it for what I do in Linux.). There has also been no security alerts on the Open Java. With the number of devs that have been working on that project, I am pretty sure somebody has checked this out. It is not Linux perse that would protect against this vulnerability. It is running different code altogether that would. Oracle Linux users would be just as vulnerable, unless of course, they manage to comprehensively sandbox the app in question(Java). I used to run Firefox sandboxed, due to all its vulnerabilities, but found another browser I liked(Chromium) that sandboxes 1 of the biggest security liabilities on its own(Adobe Flash).
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.