How is JAVA-in-the-browser being remotely disabled? - Page 2


How is JAVA-in-the-browser being remotely disabled?

+ User FidoNet address: 1:3634/12.42

 F> This *new* vulnerability was because of the somewhat rushed update
 F> 11 retrograding the level and giving new life to an older flaw.

ahhh yes... ok...

 F> My supposition that a rushed patch may not have actually addressed
 F> the vulnerability and left us with update 11 *not* addressing the
 F> vulnerability (by addressing only the currently ITW exploit instead)
 F> did not actually come to fruition, but another somewhat often
 F> problem of retrograded patch level did.

true... but there are two sides to the coin :)

 F> No amount of my doing my own research (as you suggested) would have
 F> answered my original question regarding whether or not update 11
 F> actually meant I was no longer susceptible to CVE-2013-0422. As it
 F> turns out, it did indeed address *that* flaw, created another
 F> vulnerability in the process.

my comment was directed at the statement by virus guy about who was disabling
java in the mozilla browser and not much more than that... mozilla's plugins
validation site explicitly stated that they were disabling java in the browser
and why...

 F> The best thing to do IMO is to have your Java plug-in for your
 F> browser "prompt" the user and have the user deny launching it
 F> unless absolutely necessary. One shouldn't assume that an
 F> out-of-band patch has been thoroughly vetted.

on the prompting, i agree on the one hand... however, i fear that it may come
out like winwhatever's UAC and folks will just go turn it off... much like the
horses and water, ya know?

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: How is JAVA-in-the-browser being remotely disabled?

+ User FidoNet address: 1:3634/12.42
 F> Yeah, there's always that, but even as with the UAC prompt - at
 F> least it gives the user another chance *not* to do something
 F> stupid.

you mean like not paying attention and clicking "Yes" every time the thing
comes up? ;)

)\/(ark

Re: How is JAVA-in-the-browser being remotely disabled?

+ User FidoNet address: 1:3634/12.42

 F> http://www.informationweek.com/security/attacks/another-java-zero-day-vulnerability-hits/240146416

 ml> java 7U11 is out now ;)

following up to my previous...

http://www.theregister.co.uk/2013/01/15/avoid_java_in_browsers/

"The database giant issued an emergency out-of-band patch on Sunday, but
despite this the US Department of Homeland Security continues to warn citizens
to disable Java plugins.

"Unless it is absolutely necessary to run Java in web browsers, disable it even
after updating to [Java 7 update 11]," the US-CERT team said in an update
yesterday. "This will help mitigate other Java vulnerabilities that may be
discovered in the future."

The security flaw (CVE-2013-0422) was weaponised last week and bundled into
popular cyber-crook toolkits, such as the Blackhole Exploit Kit. These
toolboxes plant malicious scripts on compromised websites that exploit security
holes in passing visitors' computers to infect them with malware."

)\/(ark