Java security problem

[kibi]

I'm surprised that no one has asked or commented about the Java security problem that people seem to be worried about. And surprised to see that traffic on Java-based servers hasn't really changed all that much. They say people should actually uninstall Java from their systems, is this another Y2K or what?

[Li Kao]

Uninstalling Java is a bit of an overreaction. Disable the Java browser plugins.

[quantumf]

Oracle have released a patch, so just make sure you install the latest version.

[SoDesuNe]

7_11 is the latest version I can get and Firefox still disables it due to security reasons.

[quantumf]

7_11 is the latest version I can get and Firefox still disables it due to security reasons.

Is this on Windows or Linux?

[SoDesuNe]

Windows.

[Li Kao]

I think there were two sandbox breaking vulnerabilities. The second one was published about a day after the first was fixed. I'm not sure if the second one is already fixed.

IMO the best solution, regardless of the patch is to deactivate java plugins(sandbox breaking is a big deal there) but to keep java installed so you can run desktop applications like KGS. Sandbox breaking doesn't matter there.

[SoDesuNe]

I only use it for goproblems.com anyway :o

[macelee]

Basically because of security concern, Mozilla Firefox by default disables the Java plugin. In most cases you can still run those Java applets by clicking on it, if you trust the website hosting the Java code. If you don't like to do this again and again, look at the address bar of your browser and you can see a small lego looking icon, click on it and select "Always activate plugins for this site" and you won't be bothered again. Hopefully another patch from Oracle will be available soon to fix this problem.

[RobertJasiek]

It would be the best if go software did not use Java Runtime Environment so that there would be simply no related security problem! I have said so many years ago and will say so many years later. Security gaps must never be allowed at all.

Disabling JRE in one's browser(s) can be insufficient WRT to the browser(s). It can be necessary to deactivate it again and again every time the browsers are updated and for every Windows user's browser instances. Check twice if you are using two JREs for 32b and 64b.

[speedchase]

I have said so many years ago and will say so many years later. Security gaps must never be allowed at all.

this is a joke. You are using the internet. There are security gaps.

I'm surprised that no one has asked or commented about the Java security problem that people seem to be worried about.

there was a thread in the kgs subfourum

[RobertJasiek]

Ok, let me state it more precisely: the big and relevant security gaps that can be closed must be closed.

[oren]

Ok, let me state it more precisely: the big and relevant security gaps that can be closed must be closed.

Because binaries on operating systems don't have security holes?

[RobertJasiek]

OS binaries' security holes can or cannot affect security of internet communication, depending on whether and how such binaries are involved. Let us concentrate on those involved. Until OS upgrades, they can provide 0-day-exploits. Such can be big and relevant security gaps. The OS meets this danger also by regular OS updates.

Now let us compare Java Runtime Environment gaps. Updated relatively infrequently, typically still leaving a few big and relevant known gaps. JRE tends to be used also by a few internet programs, so the remaining danger is real.

(Both can be restricted by various security means.)

[oren]

I'm not sure you understand security exploits as well as you think you do, Robert. The JRE has exploits that are being fixed, and you can decide which programs you wish to execute. If you think you would be safer installing binary go clients from every server, then you need to think about this a bit more.