Hi Bill & everyone,

> what is the likelihood that oracle does something drastic with Java as
> a result of the scare?

I am confident that Oracle will do their best to patch such
vulnerabilities, and take steps to mitigate future ones. Two days ago
Oracle released a patch for the current issue [1]. Unfortunately, security
experts say the fix does not fully address the bug [2].

Still, of particular note is the fact that the default behavior now always
prompts users to confirm execution of the applet:

"The fixes in this Alert include a change to the default Java Security
Level setting from 'Medium' to 'High'. With the 'High' setting, the user is
always prompted before any unsigned Java applet or Java Web Start
application is run."

This means that while there may be more zero-day exploits discovered in
Java in the future, they will have much less impact than before because
attackers can no longer exploit them to silently install malware. It may
still be possible to trick users into clicking OK to a malicious applet.
But if you can trick a user into clicking OK to such a dialog box, you may
as well sign your malicious applet (which presents a similar dialog box) to
grant it full user privileges straight away, rather than relying on a Java
bug.

In other words, I expect zero-day Java exploits to be largely impotent from
now on.

> Maybe this situation is more run-of-the-mill than my gut is feeling
> right now.

Actually, I agree it is quite unusual for the local news to be widely
reporting such things, and also rare for the U.S. government to recommend
actually uninstalling the affected software. Adobe Flash (which I think has
a larger install base than Java does) has chronically suffered from similar
issues (e.g., [3]), but to my knowledge, it was not as widely covered nor
recommended to uninstall it. Similarly, Internet Explorer itself has had
similar remote code execution exploits, one of which was fixed just
yesterday [4].

The point is that software is buggy, browsing the net is inherently
insecure, and people should make a strong effort to avoid malicious web
sites. (In particular, don't click links in spam emails!) It is best to
assume your system *always* has at least one remote code execution exploit
which could be used against you if you browse the wrong web page.

Regards,
Curtis


[1]
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
[2]
http://www.independent.ie/business/technology/emergency-patch-for-java-fails-to-fix-cybercrime-holes-warn-experts-3351321.html
[3] http://msisac.cisecurity.org/advisories/2012/2012-077.cfm
[4] http://technet.microsoft.com/en-us/security/bulletin/ms13-008
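For anyone administering shared lab machines, the 'High' setting Oracle describes above can be applied and locked system-wide through Java's deployment configuration files, so users cannot quietly turn the prompt back off. This is an added configuration example, not part of Curtis's message or of Oracle's alert; it assumes a Java 7 Update 10 or later runtime (the first to recognise the deployment.security.level key), and the file paths shown are illustrative.

```properties
# Added example: two files, shown together with comments.

# --- File 1: deployment.config (read by the JRE at startup; on Linux typically
#     /etc/.java/deployment/deployment.config, path assumed here) ---
# Point the JRE at a system-wide properties file and refuse to run if it is missing.
deployment.system.config=file:/etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=true

# --- File 2: /etc/.java/deployment/deployment.properties (path assumed) ---
# Equivalent of the new default: prompt before any unsigned applet or
# Java Web Start application is run.
deployment.security.level=HIGH

# Lock the key so the Java Control Panel cannot lower it back to MEDIUM.
deployment.security.level.locked
```

The prompt only helps if users read it; disabling the browser plug-in outright, as the US-CERT note quoted further down recommends, remains the stronger mitigation for machines that never need applets.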


On Sat, Jan 12, 2013 at 7:35 AM, Mohler, William <[email protected]> wrote:

> Yes, thanks.  What I'm worried about is society's tendencies to be blind
> to sensible approaches.  Eg, what is the likelihood that oracle does
> something drastic with Java as a result of the scare?  Maybe this situation
> is more run-of-the-mill than my gut is feeling right now.
>
> Bill
>
>
>
>
> Jason Swedlow <[email protected]> wrote:
>
> Hi Bill-
>
> Curtis and Johannes suggested very sensible approaches.
>
> I believe this is what you are referring to, and this clearly says to
> disable Java in your web browser:
>
> http://www.kb.cert.org/vuls/id/625617
>
> Cheers,
>
> Jason
>
> --------------------
> Centre for Gene Regulation & Expression | Open Microscopy Environment |
> University of Dundee
>
> Phone:  +44 (0) 1382 385819
> email: [email protected]
>
> Web: http://www.lifesci.dundee.ac.uk/gre/staff/jason-swedlow
> Open Microscopy Environment: http://openmicroscopy.org
>
>
> From: Mohler, William <[email protected]>
> Date: Friday, 11 January 2013 20:41
> To: Jason Swedlow <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: [ImageJ-devel] What about this huge Java security issue?? How
> do we keep ImageJ users both safe and satisfied with a Java platform?
>
> I'm hoping just what you're thinking.  But the press here is telling
> people to "uninstall java" as the only certain way to avoid having their
> systems hacked.  This is now backed by an announcement by US Dept of
> Homeland Security that there is no other recourse...  Not easy stuff to
> deal with, right or wrong.
>
>
>
> Jason Swedlow <[email protected]<mailto:[email protected]>>
> wrote:
>
> Bill-
>
> Still trying to verify this, but this is about browser plug-ins, which you
> can turn off.
>
>
> http://developers.slashdot.org/story/13/01/10/1540202/java-zero-day-vulnerability-rolled-into-exploit-packs
>
> Cheers,
>
> Jason
>
> --------------------
> Centre for Gene Regulation & Expression | Open Microscopy Environment |
> University of Dundee
>
> Phone:  +44 (0) 1382 385819
> email: [email protected]
>
> Web: http://www.lifesci.dundee.ac.uk/gre/staff/jason-swedlow
> Open Microscopy Environment: http://openmicroscopy.org
>
>
> From: Mohler, William <[email protected]>
> Date: Friday, 11 January 2013 20:15
> To: "[email protected]" <[email protected]>
> Subject: [ImageJ-devel] What about this huge Java security issue?? How do
> we keep ImageJ users both safe and satisfied with a Java platform?
>
>
> Sent from my Verizon Wireless 4G LTE DROID
> _______________________________________________
> ImageJ-devel mailing list
> [email protected]
> http://imagej.net/mailman/listinfo/imagej-devel
>
>
>
> The University of Dundee is a registered Scottish Charity, No: SC015096
>
>
>