#1
Here we go again: Java 7u11 security patch incomplete
Link to story: http://arstechnica.com/security/2013...atest-version/
Summary: Security researchers have confirmed that the latest version of Oracle's Java software framework is vulnerable to Web hacks that allow attackers to install malware on end users' computers.

My analysis: Well, this is the latest in a series of black eyes / punches to the gut for Oracle and Java. How do you deal with such an unmitigated disaster? I don't know - but at this point, since all the exploits involve the web browser applet plugin, I'd be tempted to announce that Java applets, at least as we know them now, will cease to exist completely in Java SE 8 - the web plugin will go away, as will all code to support it. This is just a hypothetical "nuclear" measure; but in this day and age, with HTML5 being the clear way forward, it just may be worth it.
__________________
iMac Intel (Rev H, 27"), 1TB HDD, 16GB RAM, Ubuntu
#2
Exploitation of these Java vulnerabilities is at least somewhat mitigated by requiring the end user to click "OK" to run unsigned and self-signed Java applets by default.
Exploiting these vulnerabilities will now require some measure of social engineering to get users to click "OK". Albeit, it most likely will not be difficult to get unknowledgeable users to do so.
#3
Quote:
But I think that the vast majority of people have no idea what a legitimate Java request looks like. And since they have been trained to reject emails, and this is not an email, we may see largely successful socially engineered exploits for Java. Unless they take it out entirely.
__________________
My friends, love is better than anger. Hope is better than fear. Optimism is better than despair. So let us be loving, hopeful and optimistic. And we'll change the world. - Jack Layton
#4
Quote:
Now Java requires all unsigned and self-signed applets to be manually allowed regardless of the applet's required permissions in relation to the Java sandbox. So, malware that uses Java applets will either require being manually allowed to run to execute a Java sandbox exploit or to prompt the user to accept a certificate to run with elevated privileges. Basically, another layer of security has been added, but users that are susceptible to being tricked via social engineering are still liable to be tricked. At least now knowledgeable users that require Java enabled in the browser are more protected.
#5
That's the reason why both my Windows 7 desktop and laptop computers are running Norton Internet Security 2013. Symantec has updated their malware signatures to stop known vulnerabilities in the Java virtual machines.
__________________
3G iPod nano (8 GB teal blue case), 7G iPod nano (16 GB blue case), 4G iPod touch (32 GB), iPad 2 white (32 GB)
#6
Quote:
That's the reason why I don't use any online services that require Java and don't have Java enabled in my web browser.