Re: A Hardware and Software Firewall Combination (I got Hacked!)
Sebastian Gottschalk wrote:

Ron Lopshire wrote:

Sebastian Gottschalk wrote:

Ron Lopshire wrote:

It doesn't matter whether you have the latest version of Java/JRE or not. What matters is that you have removed the previous versions known to be vulnerable. The Java installers will not do that for you. You have to do it manually.

Firefox uses only the most recent version of Java by default, so it doesn't
care about any old versions installed.

It is my understanding, Sebastian, that that is not the point. Vulnerable versions of Java/JDK/JRE _must_ be removed in order to mitigate the vulnerability, irrespective of which versions are actually used. As I said, I am relying on the advice of Java aficionados. I don't use it.

Could it be that you're twisting the JVM being used in general and the
embedding as for browsers? Of course, a single user on the machine can
launch an old JVM, run an application of his choice, this one gets broken
in and then the attacker can break out of the sandbox due to the
vulnerabilities. That doesn't mean that any web browser will allow you to
start any different JVM than the one it has already selected - which is the
most recent one.

As I said, I don't know. I would be interested in whether this is a POC, or someone has actually been exploited by keeping an older, vulnerable version around.

IIUC, at some point this scenario is/was supposed to change. Whether it has or not, I do not know.

Rather not. It's good to be able to have multiple versions of Java (f.e.
1.5, 1.4.2 and 1.6 Beta) running in parallel.

I don't understand that at all. Perhaps an official release and a Beta version for testing purposes, but other than that, why?

There are still some software packages that have problems with Java 1.5,
and this is due to some problems with backward compatibility. (F.e.
semantics of the 'volatile' keyword).

After all, as long as 1.4 gets supported, it's not bad.

I see. Once Sun stops supporting 1.4, it's out of here. [g]

I haven't tried OOo since I have Office 2003 installed.

Ok, then we should stop talking about security. Or serious software.

I told you that I rue the day. ;)

Excel 5-7 were great apps. And then the idiots added ActiveX, HTML help, VBIDE and a whole bunch of other crap that I haven't even found yet. Why I need access to my internet connection from a spreadsheet only the marketing clowns in Redmond know. I try to keep it (the Office Suite) locked down, but you never know. BTW, I wouldn't even consider using Outlook. And IE only to update the OS and Office Suite.

I have spent over 10 years developing my Excel apps, and by the time I ported them into another app and/or platform, I would be dead anyway. I rue the day that I ever decided to use Excel, but that is neither here nor there. I am stuck with it.

Well, but that's not it. As long as the MS pseudo-Office suite doesn't
support OpenDocument, you need an additional word processor that does
support it. On Windows, OpenOffice is the only usable free alternative
(not gonna talk about AbiWord, it sucks).

IMNSHO, Notepad Editor is a better word processing app than any version of MS Word that has ever been or ever will be released. I use MS Word only when absolutely necessary, and that usually involves kicking and screaming.

BTW, I never understood what all of the MS-bashing was about until I bought a WinXP box and installed Office 2003 Professional. Now I know.

Ron :)