
All times are UTC - 8 hours [ DST ]




 Post subject: kgs and java security hole
Post #1 Posted: Fri Jan 11, 2013 6:35 am 
Lives in sente

Posts: 801
Location: Amsterdam (NL)
Liked others: 353
Was liked: 107
Rank: KGS 7 kyu forever
GD Posts: 460
From Bonobo's site I got this link describing a security hole in Java's browser plugin that the Java Client of KGS uses to let you play online. It seems quite risky but I cannot decide whether KGS players are affected as well.


This post by cyclops was liked by: Bonobo
 Post subject: Re: kgs and java security hole
Post #2 Posted: Fri Jan 11, 2013 7:15 am 
Lives in sente

Posts: 852
Location: Central Coast
Liked others: 201
Was liked: 333
Rank: KGS [-]
GD Posts: 428
Java 7 just can't catch a break. This is the...third time(?) this has happened...

 Post subject: Re: kgs and java security hole
Post #3 Posted: Fri Jan 11, 2013 7:17 am 
Gosei

Posts: 1348
Location: Finland
Liked others: 49
Was liked: 129
Rank: FGA 7k GoR 1297
Mef wrote:
Java 7 just can't catch a break. This is the...third time(?) this has happened...

Does anyone see any correlation with the recent problems and Oracle acquiring Sun?

_________________
Offending ad removed


This post by tj86430 was liked by 2 people: wms, xed_over
 Post subject: Re: kgs and java security hole
Post #4 Posted: Fri Jan 11, 2013 8:23 am 
Oza

Posts: 2221
Location: Germany
Liked others: 8268
Was liked: 924
Rank: OGS 9k
OGS: trohde
Universal go server handle: trohde
cyclops wrote:
From Bonobo's site I got this link describing a security hole in Java's browser plugin that the Java Client of KGS uses to let you play online [..]
Uhm, forgive the vanity, but are you referring to me? Did you read me on FB or G+? Mind to identify yourself to me there? ;-)

Groeten van Tom in Duitsland

_________________
“The only difference between me and a madman is that I’m not mad.” — Salvador Dali ★ Play a slooooow correspondence game with me on OGS? :)

 Post subject: Re: kgs and java security hole
Post #5 Posted: Fri Jan 11, 2013 8:54 am 
Gosei

Posts: 1387
Liked others: 139
Was liked: 111
GD Posts: 209
KGS: Marcus316
Bonobo wrote:
cyclops wrote:
From Bonobo's site I got this link describing a security hole in Java's browser plugin that the Java Client of KGS uses to let you play online [..]
Uhm, forgive the vanity, but are you referring to me? Did you read me on FB or G+? Mind to identify yourself to me there? ;-)

Groeten van Tom in Duitsland


I just realized you had those links in your sig ... I just added you to my Go circle on G+. :)

Reading the security link now ...


This post by Marcus was liked by: Bonobo
 Post subject: Re: kgs and java security hole
Post #6 Posted: Fri Jan 11, 2013 9:56 am 
Oza

Posts: 2264
Liked others: 1180
Was liked: 553
cyclops wrote:
From Bonobo's site I got this link describing a security hole in Java's browser plugin that the Java Client of KGS uses to let you play online. It seems quite risky but I cannot decide whether KGS players are affected as well.

In my opinion, this is mostly just fear, uncertainty and doubt.

Sure, if you go around visiting every random website then you might find some that have either written their java app to exploit this security hole and take advantage of you, or maybe their site was hacked and their otherwise safe java app replaced with a hacked version.

KGS has been around for a long time and is actively used and maintained. I trust that site and their app.

 Post subject: Re: kgs and java security hole
Post #7 Posted: Fri Jan 11, 2013 10:55 am 
Tengen

Posts: 4382
Location: Caldas da Rainha, Portugal
Liked others: 499
Was liked: 733
Rank: AGA 3k
GD Posts: 65
OGS: Hyperpape 4k
The real issue is that browsers need better tools for managing plugins. I use java for KGS, and a handful of older go sites that have applets. If any other site I used had a java applet, I would be very suspicious (because modern web design and development is so strongly against it). I would love built in click to activate and/or whitelisting of plugins.

_________________
Occupy Babel!


This post by hyperpape was liked by: speedchase
 Post subject: Re: kgs and java security hole
Post #8 Posted: Fri Jan 11, 2013 12:38 pm 
Lives in sente

Posts: 801
Location: Amsterdam (NL)
Liked others: 353
Was liked: 107
Rank: KGS 7 kyu forever
GD Posts: 460
@bonobo:
Because you have an even higher ratio of "likes" to "be liked" than me, I checked your profile. I guess I had nothing better to do that time. There I found a link to your website and there was the link I copied in my opening post.
I have no idea how to identify myself on your site without joining google. Otherwise I would happily comply to your request without seeing the use.

schüss


Last edited by cyclops on Fri Jan 11, 2013 12:46 pm, edited 2 times in total.

This post by cyclops was liked by: Bonobo
 Post subject: Re: kgs and java security hole
Post #9 Posted: Fri Jan 11, 2013 12:52 pm 
Lives in sente

Posts: 801
Location: Amsterdam (NL)
Liked others: 353
Was liked: 107
Rank: KGS 7 kyu forever
GD Posts: 460
So if you trust wms you can safely play on kgs without fearing the java hole. Nothing else but kgs creeps through the hole while playing your daily game.


This post by cyclops was liked by: Bonobo
 Post subject: Re: kgs and java security hole
Post #10 Posted: Fri Jan 11, 2013 2:32 pm 
Oza

Posts: 2221
Location: Germany
Liked others: 8268
Was liked: 924
Rank: OGS 9k
OGS: trohde
Universal go server handle: trohde
cyclops wrote:
@bonobo:
Because you have an even higher ratio of "likes" to "be liked" than me, I checked your profile.
Haha, OK, I like to be quite generous with my likes. OTOH sometimes it’s not so easy, e.g. when people write stuff I agree with together with stuff I don’t. Then I’d love to have some more fine-tuning for liking, like “I especially like your last sentence” :-D

Quote:
I guess I had nothing better to do that time. There I found a link to your website
Ah, I understand. That’s not my “site” but just a shortcut to my Google+ profile.

Quote:
and there was the link I copied in my opening post.
I have no idea how to identify myself on your site without joining google. Otherwise I would happily comply to your request without seeing the use.
Yeah, that would only make sense if you were on Google+, too.

Quote:
schüss
:-)

Greetz, Tom

_________________
“The only difference between me and a madman is that I’m not mad.” — Salvador Dali ★ Play a slooooow correspondence game with me on OGS? :)


This post by Bonobo was liked by: cyclops
 Post subject: Re: kgs and java security hole
Post #11 Posted: Fri Jan 11, 2013 4:44 pm 
Lives in sente

Posts: 801
Location: Amsterdam (NL)
Liked others: 353
Was liked: 107
Rank: KGS 7 kyu forever
GD Posts: 460
Bonobo wrote:
cyclops wrote:
@bonobo:
Because you have an even higher ratio of "likes" to "be liked" than me, I checked your profile.
Haha, OK, I like to be quite generous with my likes.

That is why you are a Bonobo! ;)


This post by cyclops was liked by: Bonobo
 Post subject: [OT] Re: kgs and java security hole
Post #12 Posted: Fri Jan 11, 2013 5:13 pm 
Oza

Posts: 2221
Location: Germany
Liked others: 8268
Was liked: 924
Rank: OGS 9k
OGS: trohde
Universal go server handle: trohde
cyclops wrote:
Bonobo wrote:
cyclops wrote:
@bonobo:
Because you have an even higher ratio of "likes" to "be liked" than me, I checked your profile.
Haha, OK, I like to be quite generous with my likes.

That is why you are a Bonobo! ;)
:-D thx

Actually I chose the Bonobo as my Avatar/domain/etc. exactly because I believe it’s better actively to spread the love than to wait that it rains down on one :-)

_________________
“The only difference between me and a madman is that I’m not mad.” — Salvador Dali ★ Play a slooooow correspondence game with me on OGS? :)


This post by Bonobo was liked by: topazg
 Post subject: Re: kgs and java security hole
Post #13 Posted: Fri Jan 11, 2013 9:16 pm 
Lives in sente

Posts: 800
Liked others: 141
Was liked: 123
Rank: AGA 2kyu
Universal go server handle: speedchase
People shouldn't hate on Java so much. C, C++ and C# are all much worse when it comes to security, there are literally millions of virus attacks in Windows executable files, and Microsoft's ActiveX framework is a joke. The only reason people publish articles like this is because they see it as a challenge to try to crack Java's security mechanisms, there is no interest in other frameworks because it is so easy. All security issues in Java are fixed quickly.

 Post subject: Re: kgs and java security hole
Post #14 Posted: Fri Jan 11, 2013 10:03 pm 
Dies in gote

Posts: 62
Location: Granada, Spain | Osaka, Japan | Turku, Finland | Tokyo, Japan
Liked others: 50
Was liked: 22
Rank: KGS 3 kyu
KGS: Ellyster
speedchase wrote:
People shouldn't hate on Java so much. C, C++ and C# are all much worse when it comes to security, there are literally millions of virus attacks in Windows executable files, and Microsoft's ActiveX framework is a joke. The only reason people publish articles like this is because they see it as a challenge to try to crack Java's security mechanisms, there is no interest in other frameworks because it is so easy. All security issues in Java are fixed quickly.


It's not about the quantity of bugs in C, C++, C# vs. the quantity of bugs in Java, or even the severity of the bug itself... it's about the potential attackability.


Java is everywhere, and especially used on websites a lot... so a Java application (applet, servlet, ...) has the "special privilege" of being executed instantaneously when the website is visited (meanwhile an .exe needs to be manually executed), so any significant bug sees its severity powered to infinity.

It's the same with diseases... you don't mind a mortal disease if it's very unlikely to spread (agrirism) or a common disease that is not severe (flu)... but if you create the new Spanish flu... man, that's major words.


This post by Ellyster was liked by: topazg
 Post subject: Re: kgs and java security hole
Post #15 Posted: Fri Jan 11, 2013 10:22 pm 
Gosei

Posts: 1758
Liked others: 378
Was liked: 375
Rank: 4d
ActiveX being indescribably terrible does not excuse vulnerabilities in Java. Most people know that you shouldn't use ActiveX (and most browsers, and all Operating Systems other than Windows, don't have support for it). If zero-day Java vulnerabilities keep being found, then people are going to stop trusting Java applications on the web.

C and C++ aren't really relevant, as no browser grants a website the ability to run C or C++ code on the user's end. Since Java code can be run from a website on a user's machine (as long as they have the plugin installed), security is crucial.

My browser prompts me before running any Java code, so I should be safe (unless I allow it for a site I shouldn't). If your browser doesn't, then just visiting a malicious site could get you infected.

_________________
We don't know who we are; we don't know where we are.
Each of us woke up one moment and here we were in the darkness.
We're nameless things with no memory; no knowledge of what went before,
No understanding of what is now, no knowledge of what will be.

 Post subject: Re: kgs and java security hole
Post #16 Posted: Sat Jan 12, 2013 5:54 am 
Tengen

Posts: 4382
Location: Caldas da Rainha, Portugal
Liked others: 499
Was liked: 733
Rank: AGA 3k
GD Posts: 65
OGS: Hyperpape 4k
Macs seem to be covered right now: http://www.macrumors.com/2013/01/11/app ... ty-threat/ (I won't comment about whether this is a good idea or not).

_________________
Occupy Babel!

 Post subject: Re: kgs and java security hole
Post #17 Posted: Sat Jan 12, 2013 9:31 am 
Lives in sente

Posts: 800
Liked others: 141
Was liked: 123
Rank: AGA 2kyu
Universal go server handle: speedchase
You guys seem to have misunderstood my point. It wasn't that this isn't a problem; it is. It wasn't that they shouldn't fix it; they should and they will. My point was that people blow problems with Java out of proportion because they are much harder to find than problems with other platforms, or because they just don't like Java. Most browsers as well as anything running on Mac OS X blocked Java, so the average user shouldn't worry too much about this.

Edit: I think it is also worth noting that in order for you to be affected by this, you have to go to a website that is malicious, or has been compromised. This Java issue is just another easier way to do something that anyone can already do.

 Post subject: Re: kgs and java security hole
Post #18 Posted: Sat Jan 12, 2013 6:51 pm 
Oza

Posts: 2264
Liked others: 1180
Was liked: 553
speedchase wrote:
Edit: I think it is also worth noting that in order for you to be affected by this, you have to go to a website that is malicious, or has been compromised.

this is true of almost all security vulnerabilities regardless of core technology used.

just don't go to those bad sites, and you won't have to worry.

 Post subject: Re: kgs and java security hole
Post #19 Posted: Sat Jan 12, 2013 9:35 pm 
Dies in gote

Posts: 62
Location: Granada, Spain | Osaka, Japan | Turku, Finland | Tokyo, Japan
Liked others: 50
Was liked: 22
Rank: KGS 3 kyu
KGS: Ellyster
xed_over wrote:
speedchase wrote:
Edit: I think it is also worth noting that in order for you to be affected by this, you have to go to a website that is malicious, or has been compromised.

this is true of almost all security vulnerabilities regardless of core technology used.

just don't go to those bad sites, and you won't have to worry.


It's not that easy... good sites are constantly being hacked, so the people who want to attack the vulnerability can upload their code to a popular website and get as many infected visitors as possible.

Feeling safe because you don't go to "bad sites" is extremely naive. If that were the case, 0-day vulnerabilities would not be a big deal, to start with.

 Post subject: Re: kgs and java security hole
Post #20 Posted: Sat Jan 12, 2013 9:42 pm 
Honinbo

Posts: 9552
Liked others: 1602
Was liked: 1712
KGS: Kirby
Tygem: 커비라고해
speedchase wrote:
People shouldn't hate on Java so much. C, C++ and C# are all much worse when it comes to security, there are literally millions of virus attacks in Windows executable files, and Microsoft's ActiveX framework is a joke. The only reason people publish articles like this is because they see it as a challenge to try to crack Java's security mechanisms, there is no interest in other frameworks because it is so easy. All security issues in Java are fixed quickly.


Is C#'s security that bad (with the latest .net framework)? Can you elaborate?

Fwiw, I'm a java fan, too, but I also like C#. (Well, on that note, I like C++, too... I don't really dislike many languages...)

_________________
be immersed
