jpeps wrote: The present security threat is related to enabled browser plugins, mostly with Internet Explorer. Regarding downloading malicious viruses that affect anything else, just how serious do you think that really is on your puppy linux computer?
There will never be a completely secure programming language that can't be exploited, so don't surf the web. Also, avoid beautiful women.
jpeps wrote: Semme wrote: As I doubt many even run a Java plugin (visit JS enabled), this is merely info. No need to panic..
In fact it's not even available for a linux Firefox browser.
Where are you getting your 'facts'? Are you just taking your opinions and calling them 'facts'? Because everything I've read online so far says nothing about it being for 'Internet Explorer' only. If you have access to information that the rest of the security community does not, PLEASE pass it along. I'd love to read it, as I'm sure, would many others.
This issue isn't just IE based, it can affect Mozilla browsers as well. If you bothered to even read the page Semme listed, you'd see that the release that Red Hat put out is vulnerable.
[sarcasm] And we all know that Red Hat builds Internet Explorer releases. [/sarcasm]
The first example I saw was explained using sun.org.mozilla.javascript.internal.DefiningClassLoader
It still exists even after Oracle patched for CVE-2013-0422. I'm not going to waste time explaining an implementation of how this would work, because A) I don't think anyone cares, and B) if someone does care they can find examples online.
So since this can work in mozilla based browsers... isn't it relevant to us? After all, most of the browsers that puppy linux users use are mozilla based. (Firefox, Opera, SeaMonkey, etc) Some of those people might want to know.
But even if they didn't... I still don't see how your argument against this thread is valid. Just because the 'latest' threat may be browser based does not invalidate having a single source for Java issues. You have stated that there are browser threads out there. Well why have browser threads? Because when people are wondering about their browser they go there. If your logic were applied to that thread, issues with browsers shouldn't have their own thread and only be in the separate threads for each puppy version. This is obviously nonsense, as having a single browser thread makes information easier to find.
The same goes for Java... just because this most recent exploit is browser based does not mean that Java shouldn't have its own thread. As I mentioned before, previous Java exploits were not browser based. So they can't be discussed in the 'browser thread' because they have nothing to do with the browser. So should we have a separate thread for Java threats that are not browser based? One thread for Java is simple and consolidated. It'll have Java related information about all the exploits. People in the browser thread can link to this if they want, when something gets posted here. Or not, what people do in that thread is up to them.
jpeps wrote: gcmartin wrote:
The Homeland Security Announcement is an interesting one to say the least. It does NOT say where the exploits have occurred or from whence it comes, just that it has been found. I don't remember a government anti-terrorist organization taking a public stance before now. So, this raises some personal questions on what the exploit most affects.
Rather, it raises questions regarding the purpose. In the past, exploiting public fear served the purpose of more big government restrictions and access... i.e., loss of personal freedom. Big government is very interested in controlling the internet.
Well if we are going to put on our tinfoil hats... shouldn't you also consider the possibility of governments using existing known flaws to infiltrate computers and networks? Stuxnet and Flame are examples of State Sponsored exploitation. (doesn't matter what country you think is responsible) With the speed of the takedown of the 'Red October' network that's made news recently... some think it too was state sponsored.
I don't know if it was or wasn't, and I don't know enough to make a comment on that. But cyber criminals are not the only ones who are utilizing exploits for gain. Google got nailed when they were accessing wifi networks. Do you think Google wasn't putting all that data into their database? And since Google has no problem supplying the gov with information, if you are anti-gov, you wouldn't want anyone to have your data.
To re-iterate. This thread (or at least the first post) was intended to be a single spot where people can quickly check the most recent java release which they may have running on their system. It was not intended to be a thread about the evils of Java or how Java will kill your first born (obvious sarcasm), or how Java is the greatest thing since sliced bread. Although people can use this thread to discuss any aspect of Java Security... the intention of this thread is not to be a Java-fan thread nor a Java-bashing thread. This thread (or at least the first post) was intended to be a Java-security-information thread.