Disable Java? think about it.

Messages 21 - 40 of total 54 in this topic
khanom

Trad climber
Greeley Hill
Jan 13, 2013 - 01:34am PT
IOW, carefully triple lock your back door while leaving the front door wide open.
NoTokeRedKneck

climber
Jan 13, 2013 - 02:17am PT
What does the language matter when fractions of a cent
have been redirected from a bank's customers to a programmer's account?
Of course they were finally caught and I think it was before java and
gettree();.
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 13, 2013 - 03:35am PT
What does the language matter when fractions of a cent
have been redirected from a bank's customers to a programmer's account?
Of course they were finally caught and I think it was before java and
gettree();.

What does this have to do with java vulnerabilities?
NoTokeRedKneck

climber
Jan 13, 2013 - 10:20am PT
The first article link seems to be committing a fallacy commonly known
as missing the point. What is the vulnerability to begin with?

java works with floating point numbers though random access using
seek() may be used for monetary changes incrementing int"s" instead
of floats. I'm not certain exactly how the programmer took fractions
of a cent code wise as I did not see the code nor was I paid to write
a simulation to figure it out, but 1000's if not millions of customers
were losing about a 1/4 of a cent off each automated transaction. This
was discussed in a C++ class in college and I don't think java was used
though it could certainly do the same. However it was criminal coding not a
language error. Something to think about, in the 70's under US law it
was ruled wages may not be waged electronically.
TwistedCrank

climber
Dingleberry Gulch, Ideeho
Jan 13, 2013 - 10:35am PT
Java programmers make big bucks. Especially if it's bolted to Oracle.

Somebody's making out, and it's not the consumer.

I was at Hidden Valley and Larry Ellison was there, and he got all bitchy when I urinated on his campfire. I told him to take a chill pill.
NoTokeRedKneck

climber
Jan 13, 2013 - 10:01pm PT
What do they do? Other than applets which can be shut off in browsers
I haven't seen yet that java controls operating systems. Fedora/Red Hat
looks to have transitioned from C at level 3 computer architecture to
Python. The last Sun system I installed almost 10 years ago I think
was still GUI controlled with C?
Malemute

Ice climber
the ghost
Jan 13, 2013 - 11:34pm PT
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 14, 2013 - 01:21am PT
The first article link seems to be committing a fallacy commonly known
as missing the point. What is the vulnerability to begin with?

This is a fallacy commonly known as being uninformed.
TrundleBum

Trad climber
Las Vegas
Jan 14, 2013 - 01:39am PT

Well you've got to be careful how you get 'tubed'

it's not true:
"only a surfer knows the feeling"

http://www.youtube.com/watch?v=f99PcP0aFNE
Shack

Big Wall climber
Reno NV
Jan 14, 2013 - 02:27am PT
The vulnerability allows serious access to your computer...
and all the experts are still scratching their heads apparently not sure what to do.

http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/?s_cid=e589
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Jan 14, 2013 - 09:41am PT
They think they do


http://www.foxnews.com/tech/2013/01/14/java-flaw-homeland-security-warning-fixed/

http://java.com/en/download/java_update.jsp

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, told Reuters that the update leaves unfixed several other, notable security issues

Reilly

Mountain climber
The Other Monrovia- CA
Jan 14, 2013 - 11:06am PT
I would like some straight up honest advice from a non-paranoid. Is there
really anything to this? I have to have Java on my machine so the wife can
access her work system from home, otherwise she never comes home. I thought
I saw on WindowsBBS that Oracle had fixed it.
Crimpergirl

Sport climber
Boulder, Colorado!
Jan 14, 2013 - 11:33am PT
Agreed Reilly. I have a homework software that comes with a stats text that my students use (I clearly have to get into it). It seems it's java based.

Thoughts for the person who doesn't speak computer language? What to do?
squishy

Mountain climber
Jan 14, 2013 - 12:23pm PT
Let's hope this sounds the death knell for Oracle.

Why would we hope for that?

Besides Oracle's business is hardly java, it's many things. We gave them 25 mil this year to upgrade all our hardware and software, it's some pretty nifty stuff..
khanom

Trad climber
Greeley Hill
Jan 14, 2013 - 12:28pm PT
Read this practical advice:

http://www.zdnet.com/zero-day-paranoia-and-the-reality-of-modern-web-browsing-7000009726/
kunlun_shan

Mountain climber
SF, CA
Jan 14, 2013 - 12:40pm PT
Interesting article, khanom. Thanks!

Reilly, I don't know how technically savvy you are, or how much trouble/work you are willing to do, but Virtualbox could be a good fix. It's free and fairly easy to implement. I've found this guide straightforward, and it walks you through enough that by the end, you'd have a good understanding of this flavor of VM: http://www.packtpub.com/virtualbox-3-1-beginners-guide/book . On the machine you use now, set up one VM with what your wife needs, and another for browsing the web.

Plus it's very cool and fun to be able to run the equivalent of multiple computers, each with whatever OS you want, at the same time on a single machine. Unless you have a very old, slow computer you might only need some extra RAM.
Shack

Big Wall climber
Reno NV
Jan 14, 2013 - 12:55pm PT
Nope. Not fixed by Oracle. They issued an emergency "patch" but it doesn't do enough.
They say it could take 2 years to fix. Ouch.

http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/?s_cid=e539
Crimpergirl

Sport climber
Boulder, Colorado!
Jan 14, 2013 - 01:45pm PT
Saw this too. Decent advice here?

http://blog.chron.com/techblog/2013/01/do-you-have-java-on-your-computer-update-it-now/

Will read link provided upthread now. Thanks for posting it!
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Jan 14, 2013 - 01:53pm PT
which could result in the installation of malware, identity theft or used to rope personal computers in to becoming unauthorized botnets -- which can then be used in denial-of-service attacks against other sites.


You would think that some (all) of the security vendors should be able to update their software to detect whether a machine has been compromised, even if they can't prevent it.


EDIT:

After doing some poking around on this, it appears that this task is more difficult than you might suspect.

Here's an interesting article on using one free tool, Sysinternals Process Explorer, to detect and clean a system.

http://www.windowsecurity.com/articles/Hunt-Down-Kill-Malware-Sysinternals-Tools-Part1.html

Quote from another article:

The problem is that if you have no idea what you are looking for, it's almost impossible to find it. Suppose a process has made itself hidden to the task manager by hooking EnumProcesses. You might think this would be an easy case to detect. However, the process could be hooking EnumProcesses through a variety of different ways. For example, an unconditional hook at the start of the function, an IAT hook, causing an access violation to occur at EnumProcesses and catching that with a VEH and modifying the EIP/RIP, etc. etc. Even in this simple case, it is not possible to guarantee detection of the hook. This is all assuming that the hook has been performed at usermode on a specific API and also that the code makes no attempt to hide itself from detection.

If you are looking for general guidelines, the best method is probably to look at common detouring techniques.
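
The simplest case in the quoted passage, an unconditional hook at the start of a function, can be checked by comparing a function's first bytes in memory against a trusted on-disk copy and naming the detour pattern. This is an added example, not part of the original post or the quoted article; the byte arrays and the address are constructed. As the quote says, an IAT or VEH-based hook leaves these bytes untouched and would not be flagged.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hook_kind { HOOK_NONE, HOOK_JMP_REL32, HOOK_JMP_INDIRECT,
                 HOOK_PUSH_RET, HOOK_MOV_JMP_RAX, HOOK_MODIFIED };

/* Compare the first n bytes of a function as loaded in memory (mem) with the
 * same bytes from a trusted on-disk copy of the module (ref), then name the
 * detour pattern if the in-memory copy was patched. */
enum hook_kind classify_prologue(const uint8_t *mem, const uint8_t *ref, size_t n)
{
    if (memcmp(mem, ref, n) == 0)
        return HOOK_NONE;                    /* bytes match: no inline patch */
    if (n >= 5 && mem[0] == 0xE9)
        return HOOK_JMP_REL32;               /* jmp rel32 */
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25)
        return HOOK_JMP_INDIRECT;            /* jmp [disp32] */
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3)
        return HOOK_PUSH_RET;                /* push imm32; ret */
    if (n >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 &&
        mem[10] == 0xFF && mem[11] == 0xE0)
        return HOOK_MOV_JMP_RAX;             /* mov rax, imm64; jmp rax */
    return HOOK_MODIFIED;                    /* changed, pattern unknown */
}

/* Destination of an E9 jump whose first byte sits at virtual address va. */
uint64_t jmp_rel32_target(uint64_t va, const uint8_t *mem)
{
    int32_t rel;
    memcpy(&rel, mem + 1, sizeof rel);       /* assumes a little-endian host */
    return va + 5 + (uint64_t)(int64_t)rel;
}

/* Constructed sample bytes, not taken from any real module. */
static const uint8_t REF[12]      = {0x48,0x89,0x5C,0x24,0x08,0x48,0x89,0x74,0x24,0x10,0x57,0x48};
static const uint8_t JMP_HOOK[12] = {0xE9,0xFB,0x0F,0x00,0x00,0x48,0x89,0x74,0x24,0x10,0x57,0x48};
static const uint8_t ABS_HOOK[12] = {0x48,0xB8,0x00,0x20,0x00,0x00,0xF8,0x7F,0x00,0x00,0xFF,0xE0};

int main(void)
{
    printf("clean: %d\n", classify_prologue(REF, REF, sizeof REF));
    printf("jmp:   %d -> 0x%llx\n", classify_prologue(JMP_HOOK, REF, sizeof REF),
           (unsigned long long)jmp_rel32_target(0x7FF800001000ULL, JMP_HOOK));
    printf("abs:   %d\n", classify_prologue(ABS_HOOK, REF, sizeof REF));
    return 0;
}
```

Comparing against the on-disk bytes, rather than only looking for a leading jump, avoids flagging functions that legitimately begin with a jump instruction.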


Reilly

Mountain climber
The Other Monrovia- CA
Jan 14, 2013 - 01:58pm PT
Khanom, good article but I still need to use Java if I ever want to see me wife.