LISTSERV - BLIND-HAMS Archives - LISTSERV.ICORS.ORG

BLIND-HAMS Archives

For blind ham radio operators

BLIND-HAMS@LISTSERV.ICORS.ORG

	LISTSERV Archives
	BLIND-HAMS Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives
Options:	Use Forum View Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]
Subject:	Re: more info on Java
From:	Steve <[log in to unmask]>
Reply To:	For blind ham radio operators <[log in to unmask]>
Date:	Tue, 15 Jan 2013 12:49:42 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (183 lines)
I don't think that is correct.  The sites that discussed the Java flaws 
state it affects Java Version 7 update 10 and below.  These articles were 
written prior to the latest update, which the Reuters article claims hasn't 
really addressed the security flaws.  But, if it says these flaws are 
present in Java 7 version 10 and below, then one would have to think that 
version 6, 5, etc. are also just as vulnerable.  In this article on the 
recent 0-day vulnerability
http://krebsonsecurity.com/tag/java/
Brian Krebs says that one security firm claims that the vulnerability 
extends to previous versions like Java 6, while another firm claims it only 
affects version 7.  However, Oracle is slated to stop supporting version 6 
in another month, and will migrate users to version 7.  Due to the constant 
and growing vulnerabilities in Java releases, the fact that Oracle has 
pretty much ignored these security holes until they were pretty much 
threatened by Apple and Mozilla to address it, and the fact that their 
software has a wide appeal for hackers because it is multi-platform, 
personally, I am not ready to put Java back on my system, or to use any 
software that relies on that software.

Steve, K8SP
Lansing, MI
Steve, K8SP

----- Original Message ----- 
From: "John J. Boyer" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, January 14, 2013 9:23 AM
Subject: Re: more info on Java


> Very good article. Note that only browsers are involved and only if they
> use Java 7. Other programs, especially those using Java 6 are not
> affected. That is the case with BrailleBlaster
> http://www.brailleblaster.org .
> John
>
> On Mon, Jan 14, 2013 at 08:48:30AM -0500, Bob, K8LR wrote:
>> Hi,
>>
>> Here is more info on the Java security problems.  This just appeared on 
>> the
>> Chicago Tribune web site.  I don't think that the government is trying to
>> scare us on this one.  I've known two people whose idenity was stolen and
>> its not fun at all!
>>
>> Bob, K8LR, [log in to unmask]
>> Reuters
>> 6:48 a.m. CST, January 14, 2013
>> Oracle Corp. released an emergency update to its Java software for 
>> surfing
>> the Web
>> on Sunday, but security experts said the update fails to protect PCs from
>> attack
>> by hackers intent on committing cyber crimes.
>> The software maker released the update just days after the U.S. 
>> Department
>> of Homeland
>> Security urged PC users to disable the program because of bugs in the
>> software that
>> were being exploited to commit identity theft and other crimes.
>> Oracle's failure to quickly secure the software means that PCs running 
>> Java
>> in their
>> browsers remain vulnerable to attack by criminals seeking to steal
>> credit-card numbers,
>> banking credentials, passwords and commit other types of computer crimes.
>> Adam Gowdiak, a researcher with Poland's Security Explorations who has
>> discovered
>> several bugs in the software over the past year, said that the update 
>> from
>> Oracle
>> leaves unfixed several critical security flaws.
>> "We don't dare to tell users that it's safe to enable Java again," said
>> Gowdiak.
>> Some security consultants are advising businesses to remove Java from the
>> browsers
>> of all employees except for those who absolutely need to use the 
>> technology
>> for critical
>> business purposes.
>> HD Moore, chief security officer with Rapid7, a company that helps
>> businesses identify
>> critical security vulnerabilities in their networks, said it could take 
>> two
>> years
>> for Oracle to fix all the security bugs that have currently been 
>> identified
>> in the
>> version of Java that is used for surfing the Web.
>> "The safest thing to do at this point is just assume that Java is always
>> going to
>> be vulnerable. Folks don't really need Java on their desktop," Moore 
>> said.
>> An Oracle spokeswoman declined to comment.
>> ORACLE'S UPDATE
>> Oracle said on its security blog on Sunday that its update fixed two
>> vulnerabilities
>> in the version of Java 7 for Web browsers.
>> It said that it also switched Java's security settings to "high" by 
>> default,
>> making
>> it more difficult for suspicious programs to run on a personal computer
>> without the
>> knowledge of the user.
>> Java is a computer language that enables programmers to write software
>> utilizing
>> just one set of code that will run on virtually any type of computer,
>> including ones
>> that use Microsoft Corp's Windows, Apple Inc's OS X and Linux, an 
>> operating
>> system
>> widely employed by corporations.
>> One version is installed in Internet browsers to access web content.
>> Separate versions
>> are installed directly on PCs, server computers and other devices 
>> including
>> phones,
>> webcams, and Blu-ray players.
>> The Department of Homeland Security and computer security experts said on
>> Thursday
>> that hackers figured out how to exploit the bug in a version of Java used
>> with Internet
>> browsers to install malicious software on PCs. That has enabled them to
>> commit crimes
>> from identity theft to making infected computers part of an ad-hoc 
>> networks
>> that
>> used to attack websites.
>> Oracle said that the flaws only affect Java 7, the program's most-recent
>> version,
>> and versions of Java software designed to run on browsers.
>> Java is so widely used that the software has become a prime target for
>> hackers. Last
>> year, Java surpassed Adobe Systems Inc's Reader software as the most
>> frequently attacked
>> piece of software, according to security software maker Kaspersky Lab.
>> Java was responsible for 50 percent of all cyberattacks last year in 
>> which
>> hackers
>> broke into computers by exploiting software bugs, according to Kaspersky.
>> That was
>> followed by Adobe Reader, which was involved in 28 percent of all 
>> incidents.
>> Microsoft
>> Windows and Internet Explorer were involved in about 3 percent of 
>> incidents,
>> according
>> to the survey.
>> The Department of Homeland Security said attackers could trick targets 
>> into
>> visiting
>> malicious websites that would infect their PCs with software capable of
>> exploiting
>> the bug in Java.
>> It said an attacker could also infect a legitimate website by uploading
>> malicious
>> software that would infect machines of computer users who trust that site
>> because
>> they have previously visited it without experiencing any problems.
>> Security experts have been scrutinizing the safety of Java since a 
>> similar
>> security
>> scare in August, which prompted some of them to advise using the software
>> only on
>> an as-needed basis.
>> Meanwhile, Microsoft said on Sunday that would it release an update on
>> Monday to
>> fix a previously disclosed flaw in Internet Explorer versions 6, 7 and 8
>> that made
>> PCs vulnerable to attacks in which hackers can gain remote control of the
>> machines.
>> Microsoft previously released a temporary fix to prevent such attacks.
>> Copyright � 2013, Reuters
>>
>> Bob, K8LR, [log in to unmask]
>
> -- 
> John J. Boyer; President, Chief Software Developer
> Abilitiessoft, Inc.
> http://www.abilitiessoft.com
> Madison, Wisconsin USA
> Developing software for people with disabilities
ATOM RSS1 RSS2
LISTSERV.ICORS.ORG