Update on the Java update


Update on the Java update

Tom Johnson
Update on the update:

U.S. says Java still risky, even after security update
http://www.reuters.com/article/2013/01/14/us-java-oracle-security-idUSBRE90D10P20130114

-tj


On Mon, Jan 14, 2013 at 4:57 PM, Marcus G. Daniels <[hidden email]> wrote:

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com



--
==========================================
J. T. Johnson
Institute for Analytic Journalism   --   Santa Fe, NM USA
505.577.6482(c)                                    505.473.9646(h)
Twitter: jtjohnson
http://www.jtjohnson.com                  [hidden email]
==========================================


Re: Update on the Java update

Carl Tollander
My understanding is, the problem is with the 1.7 version plugin for the browsers.   Standalone JRE is ok.  OTOH, many folks have trouble with the disable java buttons or aren't clear on the distinction between the plugin and the runtime, so they're getting advice to uninstall it completely.   Which they may be unsuccessful at if they don't understand why they are getting the advice in the first place. 

I suspect there's a whole lot of background procurement politics and marketing FUD going on here as well.   Once you've raised an alert to orange, nobody wants to take responsibility for going back to yellow.

Carl

On 1/14/13 5:33 PM, Tom Johnson wrote:
Update on the update:

U.S. says Java still risky, even after security update
http://www.reuters.com/article/2013/01/14/us-java-oracle-security-idUSBRE90D10P20130114

Re: Update on the Java update

Marcus G. Daniels
In reply to this post by Tom Johnson
On 1/14/13 5:33 PM, Tom Johnson wrote:
Update on the update:

U.S. says Java still risky, even after security update
http://www.reuters.com/article/2013/01/14/us-java-oracle-security-idUSBRE90D10P20130114


Microsoft CLR has had similar problems..

http://technet.microsoft.com/en-us/security/bulletin/MS10-060
http://www.dhses.ny.gov/ocs/advisories/2011/2011-040.cfm

In practice Microsoft and Apple have a streamlined and automated update system. Other than that (that JVMs and Java libraries are comparatively stale), I don't see any reason to think that the JVM ought to be more or less porous than the .NET CLR.

For example, I take scheduled operating system updates (whether it is Linux or Mac or Windows) right away, as well as browser updates (Firefox is pretty fast and basically automatic), but I am annoyed when Java wants to update, esp. on Windows where it is decoupled from O.S. updates, and sits in the notification area generally nagging me to take 10 minutes to do a heavy upgrade that I mostly don't need. 

So I claim that Sun/Oracle/Java is mostly guilty of failing to tightly integrate with desktop operating systems.  (Android not being desktop and it was not done directly by Oracle.)

Also Oracle is a victim of Java's success.  It's a successful platform for portable code deployment.  It's great that DHS and security companies just define that away as insignificant and gratuitous.

And this in contrast to C++ and C native code ABIs that can suffer buffer overrun exploits all over the place..?

Marcus



Re: Update on the Java update

Douglas Roberts-2

Yes, of course. But what do you really think, Marcus?

On Jan 14, 2013 9:47 PM, "Marcus G. Daniels" <[hidden email]> wrote:

Re: Update on the Java update

Owen Densmore
Administrator
Shouldn't Javascript be the most insecure language .. simply due to its ubiquity and different implementations in the various browsers and their versions?

Of course, from a complex systems standpoint, that could actually contribute to a kind of robustness!?  I suppose Java is a bit of a monoculture.

   -- Owen


Re: Update on the Java update

Marcus G. Daniels
In reply to this post by Douglas Roberts-2
On 1/14/13 9:51 PM, Douglas Roberts wrote:
>
> Yes, of course. But what do you really think, Marcus?
>
The only thing that makes software safe in practice is a relentless effort to fix bugs. If bugs fail to come to light, software just won't become secure. If important packages aren't being talked about, they are surely just waiting to be exploited once that package gains the fancy of security researchers (white or black hat). Be glad that something is good enough to be criticized. If we did things right, we'd prove aspects of important software to be correct in the first place. But that's believed to be too expensive and hard, so we get the Tom Ridge thing instead. Fun in its own way, I suppose.

Remember, the only `important thing' is that people perceive they are or can be made safe. Put some sirens on some cars and arrest a few people and call it good.

Marcus
