Additionally, why not use NoScript? No autostarting Applets anymore.
Security experts advise users to not run Java in their web browsers despite a patch from Oracle that mitigates a widely exploited security vulnerability. The database giant issued an emergency out-of-band patch on Sunday, but despite this the US Department of Homeland Security continues to warn citizens to disable Java plugins …
"Uninstall TSA! Groping, probing, stealing and fondling (plus possibly cancer-installing) by uniformed nontrustworthies performing security theater will take years to fix. Additionally, the effectiveness of TSA is marginal. We recommend that every tax-paying citizen no longer deal with this product."
Bet it won't come.
I know I am going to get the crap downvoted for this comment, but most of the sympathy I had for survivors who lost loved ones in 9/11 flew out the window when they pushed for the creation of the Ministry of Love (Department of Homeland Security, who oversee TSA). Surprised they didn't push to bring back the Un-American Activities Committee in the House as well.
...Surprised they didn't push to bring back the Un-American Activities Committee in the House as well...
Actually, they did, only under a bunch of different names.
"who lost loved ones in 9/11 flew out the window"
Unfortunate use of that phrase there, asdf.
My bank has Windows PCs running IE displaying an internal app with lots of text boxes that the user tabs between to enter the numbers.
I suggest replacing the virus-prone PC and the malware-prone browser with some sort of custom hardware which sends tab characters directly down a wire to the big computer and receives the text to print in the box directly from the same wire. The custom box wouldn't have an OS or be able to access Facebook.
Can anyone suggest a name for this technology?
You could call it a smart terminal as it's smart enough not to be a security problem.
"...using a handful of websites that demand your browser supports Java", why not apply a small piece of Sellotape to a corn cob.
As the title reads... Just as never turning the machine on will eliminate all except for WAKE ON technologies.
It's true that... if you have no plan to use it, or need it, why is it installed... However, let's be realistic... It's not half as bad as Adobe's issues, given most users probably weren't aware that 11.5.502.146 was released recently since code for prior versions went public... and could easily be blocked by decent AV heuristics... because it mainly targets JMX classes in Java.
Now let's focus upon more pressing matters such as... nginx, IIS 8 and Apache 2.4.3 ... IE 7, 8, 9 and 10 connection handling overruns which result in a DoS... and can be performed remotely!
It's said to work on more browsers than just IE 7,8,9,10
I am still to see one which isn't currently vulnerable to it? Suggestions anyone?
And while we're at it. Why not just disable everything?
MAKE webdesigners... pardon... web-programmers... do proper websites again.
Instead of a horrible piece of ECMA-code use a simple bloody HTML-tag like this one
(A HREF="http://www.site.com/pic.jpg" target="_blank">Link</A) to open an image in another window!
Yes, GSMArena I'm pointing AT YOU (amongst others)!!!
For the record I removed the first < and last > to get the code displayed itself.
Firefox, Chrome, Chromium, Lynx, Epiphany, W3m, Opera, IE <- This is the most affected
I'm thinking the TCP stack might need re-writing! Or some network engineers get forensics training?
JBoss App Server versions 4.0.2, 4.2.2, 4.2.1, 4.0.*, 4.2.* are RCE'd too since:
web-console/Invoker allows you to invoke jboss.admin:service=DeploymentFileRepository without permissions
OMG - you mean I could get hacked playing Minecraft!
Fix Java NOW!
...now would be a good time to learn Python. Right now.
Moved to Android (Google's version of Java) development two years ago. It has been a real interesting learning curve. If you think you know Java, try Android development.
Java is a beautiful programming language and not a superset of anything like C++.
Oracle JVM can be substituted with OpenJDK. It works fine for development. Netbeans has no trouble with it and OpenJDK does not suffer from said security problem.
Such a ridiculous comment you couldn't even add your name to it.
Why should this have any consequence on the use of java where it is most commonly used? Applets probably cover less than 1% of java deployments (no data, just a guess based on my experience). They were great years ago but have been superseded by browser improvements, were they solved "real" problems webstart is by far the better solution.
Java desktop and server applications are not affected by this issue at all, it's irrelevant. I know python well and it just can't scale up to the demands that most software have placed on it, especially in an enterprise, you know the software that the many businesses and governments rely on.
So your real name is 'vic 4' is it?
Will we see the end of one of the most inefficient and bloated pieces of software ever?
FLASH: YOUR NEXT!
I haven't got a next.
And I wouldn't show it to you, if I did.
So remember that HTML 5 is just another environment, is brand new, and does not require an attack to break out of whatever sandbox the browser has wrapped around it. That's because HTML5 is now the OS as far as Web apps are concerned; there are already proof-of-concept attacks on it. It's bound to be riddled with flaws, and one day the anti-virus vendors will be selling AV for your browser...
The HTML 5 proponents are being highly overconfident in my view, and the more it gets extended and the more OS-like it becomes the more dangerous it is. If Web apps really take off as replacements for JAVA, OSes, native apps, Flash, etc it won't take long before attackers start finding the holes in it and using them. Except their attacks may well be successful across a wider range of machines, because the browser author has probably made the same mistakes in the Windows, Mac and Linux versions.
Who at Oracle pissed in the US government's cornflakes? From the way the DHS has been carrying on about Java lately, you'd think they were the fourth arm of the Axis of Evil!
Exactly what I was thinking.
Same here. It's bizarre.
I bet if you wander the US Gov's halls, you'll find PC after PC running Microsoft Windows and IE!! The most insecure operating system and browser in existence.
A quick Google search for: security hole .net
returns a few results too.
I've tried butting in and explaining it to the support technicians myself, but when I do their eyes just glaze over because SIMILAR WORDS BE CONFUSING
Anon for obvious reasons.
The only solution the 'security experts' seem to be able to come up with is : "turn it off".
Of course that is a valid solution if you know you will never need Java in the browser.
However, Java is still widely used in the browser, perhaps not so much on the public internet (except perhaps netbanks), but is - in my experience - pretty much omnipresent on corporate intranets.
Any plugin (be it Java, Flash, .NET) that allows you to download code on-the-fly and then execute it is vulnerable, sandbox or not. Bugs will always exist. The only way forward is to educate users not to say 'yes' to executing something that they don't know what is. The real problem is that too many users have had their browsers configured in such a way that code would be executed without any prompt or active accept from the user.
There are multiple ways to force your browser (or the plugin) to give you that prompt. The new increased default security level in Java 7 Update 11 does just that. Chrome has always had this functionality. Firefox users can use NoScript extension, etc.
Personally I'm perfectly happy with the solution resulting from the new default security level in Java 7 Update 11. I believe that will provide me all the protection I need ... also against vulnerabilities that have not yet been discovered. But as far as I understand this solution has indeed always been available to me: I could have increased the default security level myself. I could have done that last week when the reports about the vulnerability first came out. But all the 'security experts' could muster was the recommendation to 'turn it all off'.
Does it give you root access to the underlying Operating System?
One does not need root access to do bad things with a Linux system - "the standard user" is so powerful that most interesting things on a Linux system are run on crippled accounts deliberately.
Malware-injectors, all kinds of bots, spam-mailers, DDOS-applications, kiddie-porn distribution, whatever - will be perfectly functional as a normal user. Easier to install too.
They are the experts in leaky systems - they leak all over the place.
Maybe Manning had a virus on his machine?