Thread: Here we go again: Java 7u11 security patch incomplete
Posted in MacRumors Forums > Mac Community > Community Discussion > Apple, Industry and Internet Discussion

#1  wrldwzrd89 (macrumors G4, joined Jun 2003, Solon, OH)  Jan 19, 2013, 05:52 AM

Link to story: http://arstechnica.com/security/2013...atest-version/

Summary: Security researchers have confirmed that the latest version of Oracle's Java software framework is vulnerable to Web hacks that allow attackers to install malware on end users' computers.

My analysis: Well, this is the latest in a series of black eyes / punches to the gut for Oracle and Java. How do you deal with such an unmitigated disaster? I don't know - but at this point, since all the exploits involve the web browser applet plugin, I'd be tempted to announce that Java applets, at least as we know them now, will cease to exist completely in Java SE 8 - the web plugin will go away, as will all code to support it. This is just a hypothetical "nuclear" measure; but in this day and age, with HTML5 being the clear way forward, it just may be worth it.
#2  munkery (macrumors 68020, joined Dec 2006)  Jan 19, 2013, 11:15 AM

Exploitation of these Java vulnerabilities is at least somewhat mitigated by requiring the end user to click "OK" to run unsigned and self-signed Java applets by default.

Exploiting these vulnerabilities will now require some measure of social engineering to get users to click "OK", albeit it most likely will not be difficult to get unknowledgeable users to do so.
#3  snberk103 (macrumors 603, joined Oct 2007, An Island in the Salish Sea)  Jan 19, 2013, 12:47 PM

Quote (originally posted by munkery):
    ...
    Exploiting these vulnerabilities will now require some measure of social engineering to get users to click "OK", albeit it most likely will not be difficult to get unknowledgeable users to do so.

I suspect the definition of "unknowledgeable user" includes way more people for Java than it does for email. Most of my non-techy friends are now well trained to reject dodgy emails - sometimes too well trained, as even legitimate emails get binned occasionally.

But I think that the vast majority of people have no idea what a legitimate Java request looks like. And since they have been trained to reject emails, and this is not an email, we may see largely successful socially engineered exploits for Java. Unless they take it out entirely.
#4  munkery (macrumors 68020, joined Dec 2006)  Jan 19, 2013, 01:47 PM

Quote (originally posted by snberk103):
    I suspect the definition of "unknowledgeable user" includes way more people for Java than it does for email. Most of my non-techy friends are now well trained to reject dodgy emails - sometimes too well trained, as even legitimate emails get binned occasionally.

    But I think that the vast majority of people have no idea what a legitimate Java request looks like. And since they have been trained to reject emails, and this is not an email, we may see largely successful socially engineered exploits for Java. Unless they take it out entirely.

I totally agree. Prior to Java sandbox bypass exploits being readily available, users had to accept running unsigned and self-signed Java applets that required permissions beyond those allowed by the Java sandbox, and malware still used social engineering to trick users into granting those privileges.

Now Java requires all unsigned and self-signed applets to be manually allowed, regardless of the applet's required permissions in relation to the Java sandbox. So, malware that uses Java applets will either require being manually allowed to run in order to execute a Java sandbox exploit, or will have to prompt the user to accept a certificate to run with elevated privileges.

Basically, another layer of security has been added but users that are susceptible to being tricked via social engineering are still liable to be tricked.

At least now knowledgeable users that require Java enabled in the browser are more protected.
#5  SactoGuy18 (macrumors 68020, joined Sep 2006, Sacramento, CA USA)  Jan 20, 2013, 11:29 AM

That's the reason why both my Windows 7 desktop and laptop computers are running Norton Internet Security 2013. Symantec has updated their malware signatures to stop known vulnerabilities in the Java virtual machines.
#6  munkery (macrumors 68020, joined Dec 2006)  Jan 20, 2013, 12:13 PM

Quote (originally posted by SactoGuy18):
    That's the reason why both my Windows 7 desktop and laptop computers are running Norton Internet Security 2013. Symantec has updated their malware signatures to stop known vulnerabilities in the Java virtual machines.

Anti-virus software will only protect you from specific known threats; unknown threats aren't reliably detected. Java applets as a whole aren't inherently bad so a specific definition is required for a malicious applet.

That's the reason why I don't use any online services that require Java and don't have Java enabled in my web browser.
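The two defensive settings the thread keeps coming back to (whether Java content runs in the browser at all, and how strictly unsigned or self-signed applets are prompted for) both live in the JRE's deployment.properties file. The following checker is an added example, written for this thread and not code from MacRumors, Oracle or any poster: it parses that file and reports whether the plugin is enabled and which security level is set. The key names deployment.webjava.enabled and deployment.security.level are assumed here to be the Java 7u10-era keys behind "Enable Java content in the browser" and the Control Panel security slider; verify them against your JRE's documentation. The two sample files are constructed.

```python
"""Audit a Java deployment.properties file for browser-plugin exposure.

Added example, not from the MacRumors thread or from Oracle. The property
names deployment.webjava.enabled and deployment.security.level are assumed
to be the Java 7u10-era keys for "Enable Java content in the browser" and
the Control Panel security slider; check them against your JRE's docs.
"""

from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the java.util.Properties subset that deployment.properties uses.

    Handles '#'/'!' comments, blank lines, key=value or key:value, and
    backslash line continuations (leading whitespace on the continued line
    is dropped, as java.util.Properties does). Unicode escapes are kept as-is.
    """
    props: Dict[str, str] = {}
    logical_lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]          # continuation: join with the next line
            continue
        logical_lines.append(buf)
        buf = ""
    if buf:
        logical_lines.append(buf)

    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        # The first unescaped '=' or ':' separates key from value.
        sep = -1
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                sep = i
                break
        if sep == -1:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def assess(props: Dict[str, str]) -> Dict[str, object]:
    """Report whether the browser plugin is on and how strict the applet prompt is.

    Defaults when a key is absent follow Java 7u11 behaviour as assumed here:
    web Java enabled, security level HIGH (prompt for unsigned/self-signed).
    """
    web_enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"
    level = props.get("deployment.security.level", "HIGH").upper()
    findings: List[str] = []
    if web_enabled:
        findings.append("Java content in the browser is enabled; "
                        "disable it unless a site you rely on truly needs it.")
        if level not in ("HIGH", "VERY_HIGH"):
            findings.append(f"Security level {level} can run unsigned applets "
                            "without a prompt; raise it to HIGH or VERY_HIGH.")
    return {"web_enabled": web_enabled, "level": level, "findings": findings}


# Constructed sample: settings as a pre-7u11 install might leave them.
SAMPLE_WEAK = """\
# constructed sample, not a real user's file
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

# Constructed sample: plugin off and the prompt level at its strictest.
SAMPLE_HARDENED = """\
# constructed sample, not a real user's file
deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH
"""


def report(text: str) -> str:
    """Human-readable summary of assess() for one properties file."""
    result = assess(parse_properties(text))
    lines = [f"web Java enabled: {result['web_enabled']}",
             f"security level:   {result['level']}"]
    lines += [f"  - {f}" for f in result["findings"]] or ["  - no findings"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Typical use would be to read the real file, e.g.
    # ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties
    # on OS X (path assumed); the samples keep this runnable offline.
    print(report(SAMPLE_WEAK))
    print()
    print(report(SAMPLE_HARDENED))
```

The useful part for a defender is the default handling: a missing key is not "safe", so an empty file still yields a finding that the plugin is enabled, which matches the out-of-the-box state the thread is worried about.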