There's considerable chatter on the Net about recent Java security
exploits:

    http://www.kb.cert.org/vuls/id/625617

    http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html

I note that the CERT page thwarts IBM's policy of security-by-obscurity by
publishing considerable detail.  But is z/OS vulnerable?  I suppose IBM won't
say.  We must just wait until and if IBM issues an APAR with conspicuously
insufficient information.  What is the provenance of z/OS Java?  Is it
maintained by Oracle (I suspect not), or by IBM from source code obtained
from Oracle (on what terms?)

The Oracle page avers that it addresses only browsers (mostly Windows), not
stand-alone Java apps.  This is likely sufficient for the masses, for whom the
computer _is_ the browser, and the Internet _is_ the WWW, but perhaps
not for us.

I wonder what happens if a JavaScript exposure requires browser suppliers
to disable all JavaScript, and users are unable to get to PayPal?

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
