So what's the deal with the warnings about JAVA ??? - Page 2


Re: So what's the deal with the warnings about JAVA ???

FromTheRafters wrote:
 


I don't see the point of inventing and using the term "zero-day" instead
of simply saying that a given vulnerability is patched or unpatched (or
can be "neutralized" through a change in system settings).  

If we're talking about an exploit, then again why isn't it appropriate to
simply say "a new exploit was discovered" which means that a
corresponding vulnerability must exist - a vulnerability which may or
may not be new (previously known) and which may or may not be patched.

The whole "zero-day" identifier is just horse-shit verbiage with no
coherent reasoning behind it.

An exploit is ALWAYS an exploit - because there will always be
vulnerable (unpatched) systems REGARDLESS if a patch exists.

Re: So what's the deal with the warnings about JAVA ???

After serious thinking Virus Guy wrote :

Like it or not, there it is.  I don't like it when everything gets
called a virus. :)

Vulnerabilities and exploits do not share a one-to-one correspondence.
One exploit, for instance, may be thwarted by settings while another
exploit for the same vulnerability may not. As an example the old
DCOM-RPC vulnerability might have been addressed by snort signature
detection at the firewall while a privilege escalation exploit done
locally through a local RPC call might still be viable. While the
signatures to detect and filter bad input may be distributed
(addressing the remote "exploit") the vulnerability might still be
zero-day and workable for the local "exploit". Exploits can be
addressed by signature detection and filtering, but vulnerabilities
must be "patched" and in either case it ends the zero-day vulnerability
window for that exploit or vulnerability.

It just lets everyone know that it hasn't been addressed yet no matter
how old it might actually be.

BlackHole exploit kit ran for quite a long time without any zero-day
exploits. The new version I heard has a provision for adding any as
they come to light.



Re: So what's the deal with the warnings about JAVA ???

FromTheRafters wrote:
 

Sure they do.


That is not a patch.

An exploit that is detected by AV software on the vulnerable machine, or
that is detected by the firewall on a network appliance is not a patch
to the vulnerable system.  The vulnerability on the system still
exists.  It's a level of abstraction to be talking about how you
surround or protect the vulnerable system using external methods.


Then we have two different vulnerabilities.


That would be another (different) vulnerability.


AV/AM software is a level of abstraction beyond the fundamental
discussion of whether or not one or more vulnerabilities exist on a
given system.  The solution to a vulnerability is to patch the offending
system files or make changes to key system settings.


So the point of using the "zero-day" terminology is to obfuscate the
known history of the vulnerability?

In other words, if we are talking about an old / previously known
vulnerability, then the "powers that be" do not want the general public
to know that this is an old / previously-known vulnerability that HAS
NOT BEEN (but should have been) PATCHED?  

So instead of saying "a previously known, but unpatched vulnerability,
is being targeted by a currently-circulating exploit..." we have "a
zero-day exploit has been discovered..."

The intent would clearly seem to be to deflect attention and critical
blame away from those that are responsible for providing TIMELY patches
to known vulnerabilities by using the term "zero-day".  

The motive for inventing and using that terminology does not serve the
academic or scientific interests of the virus/trojan/malware community
as much as it serves the commercial interests of those that own the
vulnerable software.  Therefore the virus/trojan/malware community should
reject the use of the term "zero-day" lest they be seen playing into
these corporate interests.

Re: So what's the deal with the warnings about JAVA ???

Virus Guy presented the following explanation :

Whatever.

Correct, it may thwart a particular exploit but not address the
underlying vulnerability. The malware may be addressed in this manner,
but a new exploit of this same vulnerability would remain unaddressed.

Correct.


I haven't suggested that it is a "patch".

No, the same vulnerability with two different attack vectors.

No, it wouldn't.

No, it's just a way to say it is "fresh" and thus is likely more
dangerous than some malware still using an already patched
vulnerability.

[...]



Re: So what's the deal with the warnings about JAVA ???

On Wednesday, January 16, 2013 11:55:32 AM UTC-5, Virus Guy wrote:

umm, what?

go back to school. do not pass go. do not collect $200.

a vulnerability can potentially be exploited in multiple ways, thus a 1-to-1
relationship cannot exist.

[snip]

only in so far as any and all jargon terms obfuscate the meaning they are
meant to encode.


<sarcasm>
yes, that's exactly it. we should all think about your wise words while we
ride around in our horseless carriages
</sarcasm>


you seem to be putting an unreasonable focus on the age of the vulnerability.

a vulnerability exists from the moment the vulnerable software was released,
but it isn't necessarily known at that moment. if it takes 10 years for
anyone to discover the vulnerability, and then 10 days after that to issue a
patch, are you going to blame the vendor for taking over 10 years to issue
a patch?

any exploit created before that 10 year and 10 day time frame is up is a
zero-day exploit.


yeah, right. good luck getting the community to work towards what you think
their interests are or should be.

So what's the deal with the warnings about JAVA ???

+ User FidoNet address: 1:3634/12.42

 VG> Sure they do.

nope... look at the various exploits for the same vulnerability... in many
cases, there's more than one method of exploiting one vulnerability...


 VG> That is not a patch.

agreed... but it is a method of detecting and blocking the exploit... after
that, one can only wait on the manufacturer to release a fix for the problem...
oracle and adobe are finding this out as m$ has in the past and is still
finding out today...

 VG> An exploit that is detected by AV software on the vulnerable
 VG> machine, or that is detected by the firewall on a network appliance
 VG> is not a patch to the vulnerable system.  The vulnerability on the
 VG> system still exists.  It's a level of abstraction to be talking
 VG> about how you surround or protect the vulnerable system using
 VG> external methods.

agreed...


 VG> Then we have two different vulnerabilities.

not always... the same exploit may exist on two different platforms... one
platform has the ability to prevent the exploit via settings whereas the other
platform may not... let's not get too myopic about these things ;)


 VG> That would be another (different) vulnerability.

yes and it may have more than one vector that ends up in the same place... all
of them can... especially with today's sharing of library code... look at the
network stack vulnerabilities that have propagated from the *nix/*bsd world to
the winwhatever world... much of that comes from code that has been used on
both sides even though the operation and implementation is somewhat
different...


 VG> AV/AM software is a level of abstraction beyond the fundamental
 VG> discussion of whether or not one or more vulnerabilities exist on a
 VG> given system.  The solution to a vulnerability is to patch the
 VG> offending system files or make changes to key system settings.

here you are mixing things as you noted above... making changes to system
settings does not negate the vulnerability... they may only prevent access to
it... but they may also open another door to accessing that or another
vulnerability...


 VG> So the point of using the "zero-day" terminology is to obfuscate
 VG> the known history of the vulnerability?

it is a zero day because no one outside of the exploiters knows about it...
there is no obfuscation about the history... an unknown exploit is a zero day
exploit... once it is known then it is no longer a zero day and those who
purchase such find that their purchase is no longer as valuable as it once
was...

 VG> In other words, if we are talking about an old / previously known
 VG> vulnerability, then the "powers that be" do not want the general
 VG> public to know that this is an old / previously-known vulnerability
 VG> that HAS NOT BEEN (but should have been) PATCHED?  

the PTB are as ignorant of the exploit as everyone else outside of the
exploiters...

as for patching... if things were written and tested properly in the first
place, we wouldn't be in this barrel of fecal material... the blame resides
directly on the heads of the project managers and the corporations...

 VG> So instead of saying "a previously known, but unpatched
 VG> vulnerability, is being targeted by a currently-circulating
 VG> exploit..." we have "a zero-day exploit has been discovered..."

 VG> The intent would clearly seem to be to deflect attention and
 VG> critical blame away from those that are responsible for providing
 VG> TIMELY patches to known vulnerabilities by using the term
 VG> "zero-day".  

no, i see what you are saying but too many things are so interwoven these days
that a fix for an exploit could easily knock out the functionality of other
required processes...

 VG> The motive for inventing and using that terminology does not serve
 VG> the academic or scientific interests of the virus/trojan/malware
 VG> community as much as it serves the commercial interests of those
 VG> that own the vulnerable software.  Therefore the
 VG> virus/trojan/malware community should reject the use of the term
 VG> "zero-day" lest they be seen playing into these corporate
 VG> interests.

the terminology was invented by the academics and scientific interests... the
community can no more reject them than real old-school hackers can reject
today's use and definition of "hacker"... what are, today, called "hackers" are
what used to be called "crackers" and then there's the proliferation of all
those running scripts and code that they have no deep understanding of and
didn't create themselves... those are the ones known as "skiddies" or "script
kiddies"...

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: So what's the deal with the warnings about JAVA ???



So, did everyone update IE to the newly released Java Update?  If so,
how is it working?

charliec

So what's the deal with the warnings about JAVA ???

+ User FidoNet address: 1:3634/12.42
 ce> From: charliec@email.com

[TRIM 140+ lines]

 ce> So, did everyone update IE to the newly released Java Update?  If
 ce> so, how is it working?

1. you don't update IE... you update your total JAVA installation...
2. you should ensure that /all/ previous JAVA installations are uninstalled...
3. PLEASE trim your quotes to only those that pertain to your post...

i'm not a moderator here... indeed, the alt.* groups don't have moderators...
but common netiquette dictates that one trims the quotes... please and thank
you... my use of a fidonet gateway notwithstanding...

)\/(ark

So what's the deal with the warnings about JAVA ???

+ User FidoNet address: 1:3634/12.42

 F> Like it or not, there it is.  I don't like it when everything gets
 F> called a virus. :)

agreed... or even today's bastardization of "hacked" when they plainly left
their account logged in on facebook and someone else just sat down and started
using it ;)

and the same thing with the devices known as "modems" :)

  
 F> Vulnerabilities and exploits do not share a one-to-one
 F> correspondence.  One exploit, for instance, may be thwarted by
 F> settings while another  exploit for the same vulnerability may not.
 F> As an example the old  DCOM-RPC vulnerability might have been
 F> addressed by snort signature  detection at the firewall while a
 F> privilege escalation exploit done  locally through a local RPC call
 F> might still be viable. While the  signatures to detect and filter
 F> bad input may be distributed  (addressing the remote "exploit") the
 F> vulnerability might still be  zero-day and workable for the local
 F> "exploit". Exploits can be  addressed by signature detection and
 F> filtering, but vulnerabilities  must be "patched" and in either case
 F> it ends the zero-day vulnerability  window for that exploit or
 F> vulnerability.

exactly!


 F> It just lets everyone know that it hasn't been addressed yet no
 F> matter  how old it might actually be.

pretty much spot on :)


 F> BlackHole exploit kit ran for quite a long time without any
 F> zero-day exploits. The new version I heard has a provision for
 F> adding any as they come to light.

that wouldn't surprise me in the least... look at metasploit and how quickly
they add exploits to their library for penetration testing ;)

)\/(ark

So what's the deal with the warnings about JAVA ???

+ User FidoNet address: 1:3634/12.42
 VG> The whole "zero-day" identifier is just horse-#### verbiage with no
 VG> coherent reasoning behind it.

zero-day is no different than the medical term of "patient zero" which
effectively means "the first one with the illness who is/was spreading it to
others"... the terms are similar and not worth arguing about since others
before us with a lot more sheepskin on their walls created these terms ;)

)\/(ark

Re: So what's the deal with the warnings about JAVA ???

On Wednesday, January 16, 2013 9:09:32 AM UTC-5, Virus Guy wrote:

none. that phraseology simply isn't used after that point.

[snip]

all vulnerabilities start as zero-day vulnerabilities, but only some exploits
do, thus using zero-day in conjunction with vulnerability has no meaning.



let go of the counting metaphor. it simply doesn't apply here.

So what's the deal with the warnings about JAVA ???

+ User FidoNet address: 1:3634/12.42

 F> It doesn't matter, it either is or it isn't. If they have issued a
 F> patch, it is no longer zero-day.

on the contrary... once it was discovered and made public, it was no longer a
zero-day exploit... zero-day exploits are ones that are not known by anyone
other than the exploiters...

 F> My machine should seem vulnerable to  the exploit, and the work
 F> computers are administered by an outsourced  IT company - not my
 F> responsibility.

many operate in the same walled garden atmosphere ;)

)\/(ark

Re: So what's the deal with the warnings about JAVA ???

Virus Guy submitted this idea :

Not really. The patch (if hurried) may only thwart the current exploit
and not address the underlying vulnerability at all. If that is the
case, another exploit will be along shortly. Only if they have
addressed the vulnerability will they have truly ended the zero-day
aspect.

Yes, it was good info.



Re: So what's the deal with the warnings about JAVA ???

+ User FidoNet address: 1:3634/12.42

 VG> Why?

why not? it behooves you to make the effort in the first place ;)

 VG> You've apparently taken out the guesswork by doing the research for
 VG> us.

i did no research... i simply read the security notices sent to me on a daily
basis...

 VG> And by posting it, you've helped usenet perform its main
 VG> information-dissemination function.

 ;)

)\/(ark

Re: So what's the deal with the warnings about JAVA ???

mark lewis wrote:
 

So you don't even follow your own advice.


Why do you use a fidonet gateway?

Don't you have a real internet connection?

And why do you end all your sentences with 3 periods?  Don't you know
that one is the usual convention?

Re: So what's the deal with the warnings about JAVA ???



LOL! Do you even know what fidonet is?
 

hahahahahaha...
 

:)... lol!
 



--
My take home pay isn't enough to take me home!

So what's the deal with the warnings about JAVA ???

+ User FidoNet address: 1:3634/12.42

 VG> So you don't even follow your own advice.

because i did not need to... much of these notifications are delivered to my
system as part of my participation in network security related tasks...


 VG> Why do you use a fidonet gateway?

because i want to for one thing... for another, i read this area in fidonet via
fidonet software... is that a problem for you?

 VG> Don't you have a real internet connection?

of course i do but many (still) do not...

 VG> And why do you end all your sentences with 3 periods?  Don't you
 VG> know that one is the usual convention?

of course i do... so what? this is my style... it is quite unique and well
known for those who know me... i've been using this style for some 30+ years...
the problem is?

)\/(ark

Re: So what's the deal with the warnings about JAVA ???

+ User FidoNet address: 1:3634/12.42

 ce> I received a notice to update Java, but did not after seeing notes
 ce> here.  

you should always update, if possible, to new versions specifically to get the
fixes contained in the update... i'd rather lose the known existing bugs and
possibly gain new ones than to keep the old ones, know that they are in my
installation and then get hammered by some site that i thought was OK...

 ce> When you say "ensure all previous Java installations are
 ce> uninstalled" where and how do you do that.  

in the control panel... it used to be called "add/remove programs"... vista
calls it "programs and features"...

 ce> I'm assuming only the current version of Java is installed?

never assume... in the past, updates left the old versions installed,
operational and accessible... this was changed some time back but it is still a
possibility... i recommend to always check...

 ce> I'm running Win7 and IE9.

i don't know what win7 or win8 would call the applet in the control panel...
i've not seen either one and don't know if i will any time soon ;)

PS: thank you for trimming your quotes... if more folks would do it, the 'net
wouldn't be so clogged up transporting it all around the world requiring more
storage and faster speeds :)

)\/(ark
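
The check recommended in the post above (never assume only the current Java is installed), as an added PowerShell example that is not part of the original thread: it reads the uninstall registry entries that the control panel applet lists and marks entries older than the newest one of the same kind. It assumes PowerShell 3.0 or later; the function name `Get-InstalledJava`, the name patterns and the JDK/Runtime split are illustrative assumptions.

```powershell
# Added example (not from the thread): read-only inventory of Java entries
# registered with Windows. Nothing is uninstalled.
# Assumes PowerShell 3.0+ ([pscustomobject], [version]::TryParse).

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # 32-bit installs on 64-bit Windows are registered separately
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # per-user installs
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # Name patterns are assumptions about how Java installers label themselves,
    # e.g. "Java 7 Update 11", "Java(TM) 6 Update 38", "J2SE Runtime Environment ...".
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and
                       $_.DisplayName -notmatch 'Auto Updater' }

    foreach ($e in $entries) {
        $parsed = $null
        # Version stays $null when DisplayVersion is missing or not dotted-numeric
        [void][version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)

        [pscustomobject]@{
            Name            = $e.DisplayName
            # Version numbering can differ between product kinds (assumption),
            # so entries are only compared within the same kind.
            Kind            = $(if ($e.DisplayName -match 'Development Kit') { 'JDK' } else { 'Runtime' })
            Version         = $parsed
            RawVersion      = $e.DisplayVersion
            Is32On64        = [bool]($e.PSPath -match 'WOW6432Node')
            UninstallString = $e.UninstallString
        }
    }
}

$java = @(Get-InstalledJava)

$report = foreach ($group in ($java | Group-Object Kind)) {
    # Highest parsed version among entries of this kind
    $newest = ($group.Group | Where-Object { $_.Version } |
               Sort-Object Version -Descending | Select-Object -First 1).Version

    foreach ($j in $group.Group) {
        if (-not $j.Version) {
            $status = 'version not parsed - check by hand'
        } elseif ($j.Version -lt $newest) {
            $status = 'older than newest installed - review and uninstall'
        } else {
            $status = 'newest installed of this kind'
        }
        $j | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

# "newest installed" only means newest on this machine; compare it with the
# vendor's current release to know whether the machine is actually up to date.
$report | Sort-Object Kind, Version -Descending |
    Format-Table Name, Kind, RawVersion, Is32On64, Status -AutoSize
```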

Re: So what's the deal with the warnings about JAVA ???



Where can I get the latest update to Java?

Re: So what's the deal with the warnings about JAVA ???

charliec@email.com wrote:
 

Because Oracle seems to be having "teething" problems with some of the
new "technologies" that it has incorporated into java 7, I suggest that
you use the still-supported Java 6, which can be downloaded from here:

http://www.java.com/en/download/manual_v6.jsp

Direct link to Java 6 update 38 offline installer for Windoze:

http://sdlc-esd.sun.com/ESD6/JSCDL/jdk/6u38-b05/jre-6u38-windows-i586.exe

If you want to continue to roll the dice with shiny new version 7, you
can get it here:

http://java.com/en/download/manual.jsp
