<div dir="ltr">Hi Bill & everyone,<div><div><br></div><div><div>> what is the likelihood that oracle does something drastic with Java as</div><div>> a result of the scare?</div></div><div><br></div><div style>I am confident that Oracle will do their best to patch such vulnerabilities, and take steps to mitigate future ones. Two days ago Oracle released a patch for the current issue [1]. Unfortunately, security experts say the fix does not fully address the bug [2].</div>
<div style><br></div><div style>Still, of particular note is the fact that the default behavior now always prompts users to confirm execution of the applet:</div><div style><br></div><div style><div>"The fixes in this Alert include a change to the default Java Security Level setting from 'Medium' to 'High'. With the 'High' setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run."</div>
<div><br></div><div style>This means that while there may be more zero-day exploits discovered in Java in the future, they will have much less impact than before because attackers can no longer exploit them to silently install malware. It may still be possible to trick users into clicking OK to a malicious applet. But if you can trick a user into clicking OK to such a dialog box, you may as well sign your malicious applet (which presents a similar dialog box) to grant it full user privileges straight away, rather than relying on a Java bug.</div>
<div style><br></div><div style>In other words, I expect zero-day Java exploits to be largely impotent from now on.</div><div><br></div></div><div>> Maybe this situation is more run-of-the-mill than my gut is feeling</div>
<div>> right now.</div></div><div><br></div><div style>Actually, I agree it is quite unusual for the local news to be widely reporting such things, and also rare for the U.S. government to recommend actually uninstalling the affected software. Adobe Flash (which I think has a larger install base than Java does) has chronically suffered from similar issues (e.g., [3]), but to my knowledge, it was not as widely covered nor recommended to uninstall it. Similarly, Internet Explorer itself has had similar remote code execution exploits, one of which was fixed just yesterday [4].</div>
<div style><br></div><div style>The point is that software is buggy, browsing the net is inherently insecure, and people should make a strong effort to avoid malicious web sites. (In particular, don't click links in spam emails!) It is best to assume your system *always* has at least one remote code execution exploit which could be used against you if you browse the wrong web page.</div>
<div style><br></div><div style>Regards,</div><div style>Curtis</div><div><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">[1] <a href="http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html">http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html</a></div>
<div class="gmail_extra">[2] <a href="http://www.independent.ie/business/technology/emergency-patch-for-java-fails-to-fix-cybercrime-holes-warn-experts-3351321.html">http://www.independent.ie/business/technology/emergency-patch-for-java-fails-to-fix-cybercrime-holes-warn-experts-3351321.html</a></div>
<div class="gmail_extra">[3] <a href="http://msisac.cisecurity.org/advisories/2012/2012-077.cfm">http://msisac.cisecurity.org/advisories/2012/2012-077.cfm</a></div><div class="gmail_extra">[4] <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-008">http://technet.microsoft.com/en-us/security/bulletin/ms13-008</a></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Jan 12, 2013 at 7:35 AM, Mohler,William <span dir="ltr"><<a href="mailto:WMohler@neuron.uchc.edu" target="_blank">WMohler@neuron.uchc.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Yes, thanks. What I'm worried about is society's tendencies to be blind to sensible approaches. E.g., what is the likelihood that Oracle does something drastic with Java as a result of the scare? Maybe this situation is more run-of-the-mill than my gut is feeling right now.<br>
<br>
Bill<br>
<div class="im"><br>
Jason Swedlow <<a href="mailto:j.r.swedlow@dundee.ac.uk">j.r.swedlow@dundee.ac.uk</a>> wrote:<br>
<br>
Hi Bill-<br>
<br>
Curtis and Johannes suggested very sensible approaches.<br>
<br>
I believe this is what you are referring to, and this clearly says to disable Java in your web browser:<br>
<br>
<a href="http://www.kb.cert.org/vuls/id/625617" target="_blank">http://www.kb.cert.org/vuls/id/625617</a><br>
<br>
</div><div class="im">Cheers,<br>
<br>
Jason<br>
<br>
--------------------<br>
Centre for Gene Regulation & Expression | Open Microscopy Environment | University of Dundee<br>
<br>
Phone: <a href="tel:%2B44%20%280%29%201382%20385819" value="+441382385819">+44 (0) 1382 385819</a><br>
email: <a href="mailto:j.swedlow@dundee.ac.uk">j.swedlow@dundee.ac.uk</a><br>
<br>
Web: <a href="http://www.lifesci.dundee.ac.uk/gre/staff/jason-swedlow" target="_blank">http://www.lifesci.dundee.ac.uk/gre/staff/jason-swedlow</a><br>
Open Microscopy Environment: <a href="http://openmicroscopy.org" target="_blank">http://openmicroscopy.org</a><br>
<br>
<br>
From: Mohler, William <<a href="mailto:WMohler@NEURON.UCHC.EDU">WMohler@NEURON.UCHC.EDU</a>><br>
</div><div class="im">Date: Friday, 11 January 2013 20:41<br>
</div>To: Jason Swedlow <<a href="mailto:j.r.swedlow@dundee.ac.uk">j.r.swedlow@dundee.ac.uk</a>>, "<a href="mailto:imagej-devel@imagej.net">imagej-devel@imagej.net</a>" <<a href="mailto:imagej-devel@imagej.net">imagej-devel@imagej.net</a>><br>
Subject: Re: [ImageJ-devel] What about this huge Java security issue?? How do we keep ImageJ users both safe and satisfied with a Java platform?<br>
<div class="im"><br>
I'm hoping just what you're thinking. But the press here is telling people to "uninstall java" as the only certain way to avoid having their systems hacked. This is now backed by an announcement by US Dept of Homeland Security that there is no other recourse... Not easy stuff to deal with, right or wrong.<br>
<br>
<br>
<br>
</div><div class="im">Jason Swedlow <<a href="mailto:j.r.swedlow@dundee.ac.uk">j.r.swedlow@dundee.ac.uk</a>> wrote:<br>
<br>
Bill-<br>
<br>
Still trying to verify this, but this is about browser plug-ins, which you can turn off.<br>
<br>
<a href="http://developers.slashdot.org/story/13/01/10/1540202/java-zero-day-vulnerability-rolled-into-exploit-packs" target="_blank">http://developers.slashdot.org/story/13/01/10/1540202/java-zero-day-vulnerability-rolled-into-exploit-packs</a><br>
<br>
Cheers,<br>
<br>
Jason<br>
<br>
--------------------<br>
Centre for Gene Regulation & Expression | Open Microscopy Environment | University of Dundee<br>
<br>
Phone: <a href="tel:%2B44%20%280%29%201382%20385819" value="+441382385819">+44 (0) 1382 385819</a><br>
</div>email: <a href="mailto:j.swedlow@dundee.ac.uk">j.swedlow@dundee.ac.uk</a><br>
<div class="im"><br>
Web: <a href="http://www.lifesci.dundee.ac.uk/gre/staff/jason-swedlow" target="_blank">http://www.lifesci.dundee.ac.uk/gre/staff/jason-swedlow</a><br>
Open Microscopy Environment: <a href="http://openmicroscopy.org" target="_blank">http://openmicroscopy.org</a><br>
<br>
<br>
</div>From: Mohler, William <<a href="mailto:WMohler@NEURON.UCHC.EDU">WMohler@NEURON.UCHC.EDU</a>><br>
<div class="im">Date: Friday, 11 January 2013 20:15<br>
</div>To: "<a href="mailto:imagej-devel@imagej.net">imagej-devel@imagej.net</a><mailto:<a href="mailto:imagej-devel@imagej.net">imagej-devel@imagej.net</a>><mailto:<a href="mailto:imagej-devel@imagej.net">imagej-devel@imagej.net</a>>" <<a href="mailto:imagej-devel@imagej.net">imagej-devel@imagej.net</a><mailto:<a href="mailto:imagej-devel@imagej.net">imagej-devel@imagej.net</a>><mailto:<a href="mailto:imagej-devel@imagej.net">imagej-devel@imagej.net</a>>><br>
<div class="im">Subject: [ImageJ-devel] What about this huge Java security issue?? How do we keep ImageJ users both safe and satisfied with a Java platform?<br>
<br>
<br>
</div>_______________________________________________<br>
ImageJ-devel mailing list<br>
<a href="mailto:ImageJ-devel@imagej.net">ImageJ-devel@imagej.net</a><br>
<div class="im"><a href="http://imagej.net/mailman/listinfo/imagej-devel" target="_blank">http://imagej.net/mailman/listinfo/imagej-devel</a><br>
<br>
<br>
<br>
The University of Dundee is a registered Scottish Charity, No: SC015096<br>
<br>
</div><div class=""><div class="h5">
</div></div></blockquote></div><br></div></div>
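<div>An added configuration example, not part of the thread above: the two Java deployment settings the discussion turns on, written as a <code>deployment.properties</code> fragment. The key names are Oracle's Java deployment configuration properties as shipped with Java 7 update 10 and 11, and the <code>.locked</code> suffix is the documented way to stop the Java Control Panel from overriding a value. The file location is an assumption for a Linux user (<code>~/.java/deployment/deployment.properties</code>); Windows and Mac use their own per-user paths, and an administrator can point all users at one system-wide file through <code>deployment.config</code>. Setting <code>deployment.webjava.enabled=false</code> follows the CERT advice to disable Java in the browser while leaving the standalone JRE, and therefore ImageJ, untouched; if the plugin has to stay on, <code>deployment.security.level=HIGH</code> is the setting the Oracle alert quoted above made the default.</div>

```properties
# Added example (not from the mailing-list thread): deployment.properties fragment.
# Keys are Oracle Java deployment configuration properties (Java 7u10/7u11).
# Assumed location: ~/.java/deployment/deployment.properties (per-user, Linux).

# Turn off Java content in every browser, as the CERT advisory recommends.
# Standalone Java applications such as ImageJ still run normally.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# If the browser plugin must remain available, enforce the 7u11 default level:
# the user is prompted before any unsigned applet or Web Start application runs.
deployment.security.level=HIGH
deployment.security.level.locked
```

<div>After saving the file, open the Java Control Panel: the "Enable Java content in the browser" box and the security slider should show the values above and be greyed out, which confirms the locks took effect. Any applet test page (for example a Java version checker) should then either refuse to load the plugin or show the confirmation prompt rather than running silently.</div>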