* Posts by Ejnar

4 publicly visible posts • joined 26 Mar 2011

Latest Java patch is not enough, warns US gov: Axe plugins NOW

Ejnar
Facepalm

Why turn off?

The only solution the 'security experts' seem to be able to come up with is: "turn it off".

Of course that is a valid solution if you know you will never need Java in the browser.

However, Java is still widely used in the browser, perhaps not so much on the public internet (except perhaps netbanks), but it is - in my experience - pretty much omnipresent on corporate intranets.

Any plugin (be it Java, Flash, .NET) that allows you to download code on-the-fly and then execute it is vulnerable, sandbox or not. Bugs will always exist. The only way forward is to educate users not to say 'yes' to executing something when they don't know what it is. The real problem is that too many users have had their browsers configured in such a way that code would be executed without any prompt or active accept from the user.

There are multiple ways to force your browser (or the plugin) to give you that prompt. The new increased default security level in Java 7 Update 11 does just that. Chrome has always had this functionality. Firefox users can use the NoScript extension, etc.

Personally I'm perfectly happy with the solution resulting from the new default security level in Java 7 Update 11. I believe that will provide me all the protection I need ... also against vulnerabilities that have not yet been discovered. But as far as I understand this solution has indeed always been available to me: I could have increased the default security level myself. I could have done that last week when the reports about the vulnerability first came out. But all the 'security experts' could muster was the recommendation to 'turn it all off'.

Kill that Java plugin now! New 0-day exploit running wild online

Ejnar

Use NoScript extension for Firefox

As a follow-up to my post above "What is the problem?" I've tested out the NoScript extension for Firefox. It does the job for me so I do not have to disable Java in the browser.

Strange that these IT security organizations are unaware of such solutions?

... and even stranger that such solutions are not part of the browser by default.

Ejnar

What is the problem?

Guys, just about all software contains security issues / bugs. This being said the error in question sounds serious.

As many have pointed out Java (as in applets) is still widely used by many websites.

What I cannot understand is why it needs to be a completely binary question whether I want to use it from within the browser or not. Why can't I have a solution where the browser would prompt me before executing any applet (the prompt would need to come regardless of whether the applet is trusted/signed or not)? This way I could answer 'yes' for the sites I trust (e.g. my netbank) and 'no' for the ones I do not trust. Is this really not possible? Why would I have to completely disable the plug-in?

Adding to this functionality, the browser could be configured so it would answer 'yes' by default for sites on the local intranet? That is what corporate organizations would be looking for.

Perhaps this is already possible in some browsers?

If not, then why doesn't such a feature exist? What am I missing?

To me, all kinds of code that does more than just HTML is potentially a security risk. This includes Java, JavaScript, .NET, and what have you. I would like to be prompted every time a site tries to execute code that does more than HTML.

Oracle puts out Solaris 11 compatibility tester

Ejnar

What is a 'Solaris box'?

Not sure I'm familiar with the term.

At our site we run Solaris on IBM servers, HP servers and Sun servers (x86 and SPARC). Why people insist on using the word 'Solaris' as a synonym for SPARC I do not know. If you are unhappy with a SPARC box, what has that to do with a yes/no choice on Solaris as an OS? You do realize that Solaris gives you the choice, right?

Solaris is no better, no worse than say RHEL or AIX, but one very big advantage is that it allows us to pick the right CPU arch for the job without introducing another OS. As a telco we have to span multiple use cases like very I/O-intensive jobs, HPC jobs, etc.