Another Critical Security Flaw In Java Appears Before Oracle Has Even Resolved The Last One
-
Clickety[^] [Forbes] If you temporarily disabled Java during the last round of attacks on Oracle’s ubiquitous, buggy program, here’s more evidence that the time has come to remove it altogether. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
Hi. It's a shame that this is passing with the "vendor standard" implementation of Java (or being more correct the JVM), but uninstall it is not necessary, what should be done is disable it by default in the web browsers (as it isn't as needed as it used to be), and enable it only on demand and only in some user approved web sites, another "fix" is to take a look at the Open Source implementations of Java and use those instead.
CEO at: - Rafaga Systems - Para Facturas - Modern Components for the moment...
-
And replace it with....? .NET? Oops, it's got the same or worse flaws, even referenced in the same article.
Am I going blind? I see no mention of .NET in the Forbes article, let alone any claims that it has worse security flaws than Java. According to Secunia, .NET 4.0 has 14 patched vulnerabilities[^], and none unpatched. I have yet to see Microsoft take four months to patch a .NET vulnerability, or wait until it's being actively exploited before treating it seriously.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Am I going blind? I see no mention of .NET in the Forbes article, let alone any claims that it has worse security flaws than Java. According to Secunia, .NET 4.0 has 14 patched vulnerabilities[^], and none unpatched. I have yet to see Microsoft take four months to patch a .NET vulnerability, or wait until it's being actively exploited before treating it seriously.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Maybe not, this is what happens when you read far too many of these last week. :) The better story[^] detailing the real issue behind the partial story in Forbes. So no, it's actually not a Java Exploit, but a browser exploit. With all that said, if I'm running as a non-privileged user and this exploit gives the attacker full control of my machine (windows most likely) then there's bigger issues afoot than a mere exploit in the JRE. This would imply an OS problem. Add to this that he references the Flashback exploit of several months ago as being a similar hole, note that for macs, at least, this "exploit" merely offered up to the user a request to install a trojan, nothing more, nothing less, and it required user intervention. From what I can tell, the windows version gives direct access to the machine, bypassing the user and security entirely. So perhaps if people ditched windows, they'd be safer? After all, that's no more sensationalist a line than "time to ditch Java".
-
Maybe not, this is what happens when you read far too many of these last week. :) The better story[^] detailing the real issue behind the partial story in Forbes. So no, it's actually not a Java Exploit, but a browser exploit. With all that said, if I'm running as a non-privileged user and this exploit gives the attacker full control of my machine (windows most likely) then there's bigger issues afoot than a mere exploit in the JRE. This would imply an OS problem. Add to this that he references the Flashback exploit of several months ago as being a similar hole, note that for macs, at least, this "exploit" merely offered up to the user a request to install a trojan, nothing more, nothing less, and it required user intervention. From what I can tell, the windows version gives direct access to the machine, bypassing the user and security entirely. So perhaps if people ditched windows, they'd be safer? After all, that's no more sensationalist a line than "time to ditch Java".
If you're referring to the vulnerability patched by last week's IE security update[^], it didn't give the attacker full control of your machine; it gave then the same user rights as the current user. If you're surfing the net as a local administrator with UAC turned off, then the problem isn't the OS! And you've now digressed from your original claim that ".NET (has) got the same or worse flaws (as Java)".
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Clickety[^] [Forbes] If you temporarily disabled Java during the last round of attacks on Oracle’s ubiquitous, buggy program, here’s more evidence that the time has come to remove it altogether. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
REMOVE IT ALTOGETHER!!! It gives me allergies!
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson ---- Our heads are round so our thoughts can change direction - Francis Picabia
-
REMOVE IT ALTOGETHER!!! It gives me allergies!
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson ---- Our heads are round so our thoughts can change direction - Francis Picabia
I think you need less coffee - I mean Java. :-D /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
I think you need less coffee - I mean Java. :-D /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
:laugh: Now that you mention it, I really hate the taste of coffee (for real) and rely on energy drinks to get my caffeine dosage. Funny coincidence :)
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson ---- Our heads are round so our thoughts can change direction - Francis Picabia
-
If you're referring to the vulnerability patched by last week's IE security update[^], it didn't give the attacker full control of your machine; it gave then the same user rights as the current user. If you're surfing the net as a local administrator with UAC turned off, then the problem isn't the OS! And you've now digressed from your original claim that ".NET (has) got the same or worse flaws (as Java)".
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
No, I'm actually talking about the hole in .NET, which really is a hole. But apparently it was far enough back that it fell off my 3 week history. Shows you how time flies. The difference between .NET and JRE flaws is that under .NET under windows it can take over your machine, not just run with the current user privs. Despite removing the ability to manipulate tokens, or in spite of, it's still quite possible to dynamically inject code into DLLs and have them run as SYSTEM. That's also true of the JRE browser plugin flaws I suppose, although I haven't looked into it any deeper.
-
No, I'm actually talking about the hole in .NET, which really is a hole. But apparently it was far enough back that it fell off my 3 week history. Shows you how time flies. The difference between .NET and JRE flaws is that under .NET under windows it can take over your machine, not just run with the current user privs. Despite removing the ability to manipulate tokens, or in spite of, it's still quite possible to dynamically inject code into DLLs and have them run as SYSTEM. That's also true of the JRE browser plugin flaws I suppose, although I haven't looked into it any deeper.
Which hole in .NET? I have yet to see a report of a .NET vulnerability which bypasses UAC. For example: the most recent patch, MS12-038[^], states: "an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user." Can you post a link to a single .NET vulnerability, patched or otherwise, which allows remote code execution under the system account?
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Which hole in .NET? I have yet to see a report of a .NET vulnerability which bypasses UAC. For example: the most recent patch, MS12-038[^], states: "an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user." Can you post a link to a single .NET vulnerability, patched or otherwise, which allows remote code execution under the system account?
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
How about this one? http://www.osvdb.org/71013 (although I'll note that my system does not appear to be affected, so perhaps it's a local problem?)
OSVDB:
Location: Local Access Required
...could allow a local attacker to execute arbitrary code...
...the attacker would need to be a part of the Power or Domain user group...
So not exactly a remote-code execution vulnerability. ;P I suppose there's a possibility that an unpatched RCE could be used to get code onto the computer which could then take advantage of a local escalation of privilege vulnerability to execute further code as the system user, but that's not specific to .NET, and I'd be surprised if you couldn't do the same thing on a Mac.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
It's not news when it's a Windows box. You'd have no time to report anything else if you treated Windows vulnerabilities as news.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
