On Sat, Aug 19, 2006 at 01:16:54PM +0200, Jeroen van Wolffelaar wrote:
> > #267040: remote code execution hole due to lack of Java security manager
>
> This is 'fixed' by:
> - Shows warning before loading an applet (Closes: #267040, #301134)

Not a big deal, #383704 brought my browser down before it was exposed to a security risk, so I didn't even see the warning =)

> Which, IMHO, doesn't make this usable except in fully trusted
> environments where the browser is exclusively used to browse a fully
> trusted intranet where nobody can change web content that doesn't
> already have root on your machine.
>
> Which is, basically nowhere (IMHO, and barring myself misunderstanding
> something).
>
> The warning is talked about here:
> http://langel.wordpress.com/2006/06/05/gcjwebplugin-is-actually-worth-using/
> (thanks Michael Koch for the link)
>
> I personally do not think we should offer this option to users, because
> users tend to trust sites easily (and they are too often asked about
> 'trusting' too, w.r.t. https websites, for example), even though the
> wording used is strong, and the consequence is arbitrary remote code
> execution.
>
> Anyway, I will follow up to the bug in question for discussion about this
> issue.

Completely agreed. I even have doubts it's suitable for experimental. Without minimal privilege separation not even the roughest bleeding-edge users will dare to try it, so it's basically of no use there.

Anyway, it's good to know there's ongoing work on this area..

-- 
Robert Millan

My spam trap is [EMAIL PROTECTED]
Note: this address is only intended for spam harvesters. Writing to it
will get you added to my black list.
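What "lack of a Java security manager" (#267040) means in practice, as an added example that is not gcjwebplugin's, GCJ's or Debian's code: the same applet-like body runs twice, first with no SecurityManager installed and then under a small restrictive one, which is the kind of check an applet-aware plugin installs before running page code instead of (or in addition to) a warning dialog. The class and method names are hypothetical, the probed path and command are constructed for the demonstration, and the sandbox is a deliberately tiny stand-in for a real applet policy (it permits everything except file reads and process execution so the JVM itself keeps working).

```java
import java.io.File;
import java.io.IOException;
import java.security.Permission;

/**
 * Added illustration, not code from gcjwebplugin or the bug report.
 * Runs a stand-in for an untrusted applet with and without a
 * SecurityManager to show why "no manager" equals remote code execution.
 * All names here are hypothetical.
 */
public class AppletSandboxDemo {

    /** Stand-in for code fetched from an untrusted page: probes file access and exec. */
    static String untrustedAppletBody() {
        StringBuilder out = new StringBuilder();
        try {
            // Constructed probe: any file the browser user can read would do.
            boolean readable = new File("/etc/passwd").canRead();
            out.append("file read: allowed (readable=").append(readable).append(")\n");
        } catch (SecurityException e) {
            out.append("file read: denied\n");
        }
        try {
            // Constructed probe: spawning a process is plain arbitrary code execution.
            Process p = Runtime.getRuntime().exec(new String[] {"id"});
            p.waitFor();
            out.append("exec: allowed\n");
        } catch (SecurityException e) {
            out.append("exec: denied\n");
        } catch (IOException | InterruptedException e) {
            out.append("exec: failed for a non-security reason (").append(e).append(")\n");
        }
        return out.toString();
    }

    /**
     * Minimal sandbox: permit everything by default, but refuse file reads and
     * process execution. SecurityManager.checkRead is what File.canRead() consults,
     * and checkExec is what ProcessBuilder.start() consults.
     */
    static final class NoFilesNoExec extends SecurityManager {
        @Override public void checkPermission(Permission perm) { /* permit */ }
        @Override public void checkPermission(Permission perm, Object ctx) { /* permit */ }
        @Override public void checkRead(String file) {
            throw new SecurityException("untrusted code may not read " + file);
        }
        @Override public void checkExec(String cmd) {
            throw new SecurityException("untrusted code may not exec " + cmd);
        }
    }

    public static void main(String[] args) {
        System.out.println("--- no SecurityManager (the #267040 situation) ---");
        System.out.print(untrustedAppletBody());

        System.setSecurityManager(new NoFilesNoExec());
        System.out.println("--- with a restrictive SecurityManager ---");
        System.out.print(untrustedAppletBody());
    }
}
```

The first pass reports both probes as allowed; the second reports both as denied. The manager is installed only after the first pass so that every class the body needs is already loaded, since the toy checkRead does not honour doPrivileged and would otherwise interfere with class loading from a directory classpath. On JDK 17 the code compiles with a deprecation warning; on JDK 18 to 23 it must be started with `-Djava.security.manager=allow`, and from JDK 24 on the SecurityManager is permanently disabled, so the demonstration only runs on older JDKs.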