my point was more that if people can run programs on your computer, your screwed regardless of what the programming language tries to do to protect you. The only thing this vulnerability allows, if for java programmers to break out of the Java Virtual Machine, and run code directly on your computer. For other languages, there isn't a virtual machine in the first place, so there is no protection to break out from. This issue only stands to make Java more like other programming languages in terms of what a programmer can do to your computer. This is only a big deal because many browsers let Java programs run without asking the user, which is a bad idea in the first place.

Simply put, don't run programs on your computer that you don't know where they came from. The problem is that Java programs can be set up to run automatically. Shame on the browsers for that.

It doesn't matter if the site is trusted. The exploit is being deployed through ad networks. If the trusted site uses an ad network that has been compromised with the exploit, and you view that site, and you have a vulnerable version of Java, arbitrary code can be executed on your processor. This doesn't affect the downloaded KGS client, nor does it affect the applet version of KGS, since KGS does not use an ad network.

It's a good idea to disable Java in your browser until you're on a site on which you actually need it (like playing a game).

I think i agree with the principles from which you speak, but perhaps analogous to the jvm, the clr utilized by .net provides security, and c# code isnt run directly, but is constructed into il. So i personally agree that java is not the root problem at times, but it may be a generalization to say its security is superior to. Net's.

I personally find java's power in its portability. Security isnt obviously superior to. Net's imho.

_________________
be immersed

To put this another way -- It's not that Java has bigger security problems than other languages, it's that security problems are a bigger issue when you operate under the trust model that Java does. If the model intends for you to have untrusted sources running code, then a security issue is a larger potential vulnerability than if you expect all code to be trusted prior to execution.

I thought that C# worked more similar to C or C++ than java. please forgive my confusion, you are correct.


yeah basically.



The solution is to treat Java applets like downloading an executable file. That's basically what it is. Have browsers trust different applets separately based on what the user tells it to do. Don't remember trust

Maybe another stupid question. Does my antivirus protection ( f-secure, up to date ) offers any protection against the java vulnerabilities? And how to detect whether you are hacked already? No, I am not paranoia, but I don't want to compromise my wife's laptop. She needs it for her work.

@cyclops:

The general answer is NO, but it really depends on what the bug is and what the attackers wants to do with it.



Generally speaking, the most serious bugs are the ones that "allow root access" or "allow remote arbitrary code execution".

So to speak, they can do anything you can do, if the attacker wants to execute a virus... well the antivirus can detect it... but if the attacker wants to switch off the antivirus, he can (or even be more sutile and add and exeption just to the virus that he want to use).

Usually this kind of bugs are used to install "root kits" to become your pc part of a zombie network or to install "keyloggers" to get passwords, creditcars, etc...

Thanks for your information. Quite alarming though.

So if wms gets rootkitted all kgs players must pray.
How does KGS work at the server side? Is it a servlet? Is it run on a computer which is controlled by WMS? How does wms protect it?
But wait, probably it is not the server that we need to fear but the applet cq client we are downloading everytime we connect to kgs.
I instructed my browser to trust anything that comes from kgs so I forgot how the authentication and verification is done. Is there a certificate? Well, I am not an expert so some questions may not be to the point.
Has wms a document around about how he provides safety to us?
Well, next thing now for me is to login to KGS to play a game

unless you are worried about wms hacking your computer, you should be fine. Just use the desktop client.

This vulnerability was patched yesterday by Oracle (update 11).