If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
Beware of the *opt-out* behavior of Sun's java automatic updater. In the
US, at least, the MSN toolbar comes PREchecked [opt-out] and will install along with purported java 'security' updates. Said 'security' updates are presented as the latest version of Sun's java runtime. Including crappy toolbars with security updates as an opt-out is a REALLY dumb, shortsighted decision. Shame on MS for doing so. As to Sun's java, who needs it ? If a site requires java, then avoid it like the plague. *Especially* any site that does financial transactions. MowGreen [MVP 2003-2009] =============== *-343-* FDNY Never Forgotten =============== |
Ads |
#2
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
I don't like pre-checked opt-in boxes any more than you, but I wonder
why you happen to pick on Java, when this practice is widespread among software providers, and why particularly Java-employing websites, especially financial websites. Sounds like you have a bone to pick with an unnamed Java-employing financial website, and because of that I should avoid software that has served me well for years? --- Leonard Grey Errare humanum est MowGreen [MVP] wrote: Beware of the *opt-out* behavior of Sun's java automatic updater. In the US, at least, the MSN toolbar comes PREchecked [opt-out] and will install along with purported java 'security' updates. Said 'security' updates are presented as the latest version of Sun's java runtime. Including crappy toolbars with security updates as an opt-out is a REALLY dumb, shortsighted decision. Shame on MS for doing so. As to Sun's java, who needs it ? If a site requires java, then avoid it like the plague. *Especially* any site that does financial transactions. MowGreen [MVP 2003-2009] =============== *-343-* FDNY Never Forgotten =============== |
#3
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
The date and time was 12/9/2008 1:36 PM, and on a whim, MowGreen [MVP]
pounded out on the keyboard: Beware of the *opt-out* behavior of Sun's java automatic updater. In the US, at least, the MSN toolbar comes PREchecked [opt-out] and will install along with purported java 'security' updates. Said 'security' updates are presented as the latest version of Sun's java runtime. Including crappy toolbars with security updates as an opt-out is a REALLY dumb, shortsighted decision. Shame on MS for doing so. As to Sun's java, who needs it ? If a site requires java, then avoid it like the plague. *Especially* any site that does financial transactions. MowGreen [MVP 2003-2009] =============== *-343-* FDNY Never Forgotten =============== Hi Mow, Is that MS's fault? When I downloaded Java 6.11 the day it was released, I had the Yahoo toolbar option. When I downloaded it again the day after (on another network), the Open Office option was presented. It appears Sun is bundling these toolbars only on some install files. On both of my downloads, I downloaded the offline (full) version. -- Terry R. ***Reply Note*** Anti-spam measures are included in my email address. Delete NOSPAM from the email address after clicking Reply. |
#4
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
Ah, Steve:
Many hardware firewalls, such as Cisco, require Java to log into them. Tom : As to Sun's java, who needs it ? : If a site requires java, then avoid it like the plague. : *Especially* any site that does financial transactions. : : : MowGreen [MVP 2003-2009] : =============== : *-343-* FDNY : Never Forgotten : =============== : : : : : |
#5
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
On Tue, 09 Dec 2008 13:36:40 -0800, "MowGreen [MVP]"
wrote: If a site requires java, then avoid it like the plague. *Especially* any site that does financial transactions. That would eliminate a LOT of websites. Given that, I'd say your advice is relatively worthless here. |
#6
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
On Tue, 9 Dec 2008 16:48:48 -0600, "Tom [Pepper] Willett"
wrote: Ah, Steve: Many hardware firewalls, such as Cisco, require Java to log into them. Tom Just tell him in plain English that he's fulla crap on this. |
#7
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
From: "Terry R."
| The date and time was 12/9/2008 1:36 PM, and on a whim, MowGreen [MVP] | pounded out on the keyboard: Beware of the *opt-out* behavior of Sun's java automatic updater. In the US, at least, the MSN toolbar comes PREchecked [opt-out] and will install along with purported java 'security' updates. Said 'security' updates are presented as the latest version of Sun's java runtime. Including crappy toolbars with security updates as an opt-out is a REALLY dumb, shortsighted decision. Shame on MS for doing so. As to Sun's java, who needs it ? If a site requires java, then avoid it like the plague. *Especially* any site that does financial transactions. MowGreen [MVP 2003-2009] =============== *-343-* FDNY Never Forgotten =============== | Hi Mow, | Is that MS's fault? When I downloaded Java 6.11 the day it was | released, I had the Yahoo toolbar option. When I downloaded it again | the day after (on another network), the Open Office option was | presented. It appears Sun is bundling these toolbars only on some | install files. On both of my downloads, I downloaded the offline (full) | version. A better place to download is... http://java.sun.com/javase/downloads/index.jsp Then you won't download the version with the Yahoo Toolbar. jre-6u11-windows-i586-p-s.exe -- contains the toolbar jre-6u11-windows-i586-p.exe -- does not contain the toolbar -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
#8
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
From: "MowGreen [MVP]"
| Beware of the *opt-out* behavior of Sun's java automatic updater. In the | US, at least, the MSN toolbar comes PREchecked [opt-out] and will | install along with purported java 'security' updates. Said 'security' | updates are presented as the latest version of Sun's java runtime. | Including crappy toolbars with security updates as an opt-out is a | REALLY dumb, shortsighted decision. | Shame on MS for doing so. | As to Sun's java, who needs it ? | If a site requires java, then avoid it like the plague. | *Especially* any site that does financial transactions. | MowGreen [MVP 2003-2009] | =============== | *-343-* FDNY | Never Forgotten | =============== There are some organizations, like ours, that REQUIRE Sun Java ! Who needs it -- We do. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
#9
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
The date and time was 12/9/2008 5:13 PM, and on a whim, David H. Lipman
pounded out on the keyboard: From: "Terry R." | The date and time was 12/9/2008 1:36 PM, and on a whim, MowGreen [MVP] | pounded out on the keyboard: Beware of the *opt-out* behavior of Sun's java automatic updater. In the US, at least, the MSN toolbar comes PREchecked [opt-out] and will install along with purported java 'security' updates. Said 'security' updates are presented as the latest version of Sun's java runtime. Including crappy toolbars with security updates as an opt-out is a REALLY dumb, shortsighted decision. Shame on MS for doing so. As to Sun's java, who needs it ? If a site requires java, then avoid it like the plague. *Especially* any site that does financial transactions. MowGreen [MVP 2003-2009] =============== *-343-* FDNY Never Forgotten =============== | Hi Mow, | Is that MS's fault? When I downloaded Java 6.11 the day it was | released, I had the Yahoo toolbar option. When I downloaded it again | the day after (on another network), the Open Office option was | presented. It appears Sun is bundling these toolbars only on some | install files. On both of my downloads, I downloaded the offline (full) | version. A better place to download is... http://java.sun.com/javase/downloads/index.jsp Then you won't download the version with the Yahoo Toolbar. jre-6u11-windows-i586-p-s.exe -- contains the toolbar jre-6u11-windows-i586-p.exe -- does not contain the toolbar I only download from the Java site, and the Yahoo toolbar was included the first day it was released. -- Terry R. ***Reply Note*** Anti-spam measures are included in my email address. Delete NOSPAM from the email address after clicking Reply. |
#10
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
From: "Terry R."
A better place to download is... http://java.sun.com/javase/downloads/index.jsp Then you won't download the version with the Yahoo Toolbar. jre-6u11-windows-i586-p-s.exe -- contains the toolbar jre-6u11-windows-i586-p.exe -- does not contain the toolbar | I only download from the Java site, and the Yahoo toolbar was included | the first day it was released. I noted at least two download sites. The URL cited will provide the offline installation file "jre-6u11-windows-i586-p.exe" which doesn't bundle the toolbar(s) while the other site offers "jre-6u11-windows-i586-p-s.exe" which does bundle the toolbar. This isn't new and I have seen that for many versons. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
#11
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
The date and time was 12/10/2008 3:33 AM, and on a whim, David H. Lipman
pounded out on the keyboard: From: "Terry R." A better place to download is... http://java.sun.com/javase/downloads/index.jsp Then you won't download the version with the Yahoo Toolbar. jre-6u11-windows-i586-p-s.exe -- contains the toolbar jre-6u11-windows-i586-p.exe -- does not contain the toolbar | I only download from the Java site, and the Yahoo toolbar was included | the first day it was released. I noted at least two download sites. The URL cited will provide the offline installation file "jre-6u11-windows-i586-p.exe" which doesn't bundle the toolbar(s) while the other site offers "jre-6u11-windows-i586-p-s.exe" which does bundle the toolbar. This isn't new and I have seen that for many versons. As I said, I also downloaded the offline install, both days, both from the Java site. They were different. Just the messenger. -- Terry R. ***Reply Note*** Anti-spam measures are included in my email address. Delete NOSPAM from the email address after clicking Reply. |
#12
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
Including crappy toolbars with security updates as an opt-out is a REALLY
dumb, shortsighted decision. Shame on MS for doing so. It's amazing though how many people apparently don't see any problem with this. In the "service" economy increasingly based on brainwashing and deception rather than competence and functionality, advertising is sacred cow and is welcome in any clothes, isn't it. |
#13
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
Is that MS's fault?
yes, it is - second after Sun. Any advertiser does have control on the places where their ads appear. If Microsoft ads suddenly showed up on low-quality sites, Microsoft most likely would take steps to protect their image. Though, if those were MSN ads, maybe they would not. |
#14
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
A lot of people confuse Sun Java and Javascript.
The two are unrelated, other than in their sharing a C-like syntax. They are sufficiently different that Javascript code will generally not run in Java, or vice versa. Having cleared that one up... Javascript is generally a function of the browser itself. It requires no plugin. It is not accessible outside of the webpage environment. Java is a 'runtime environment' which becomes part of the operating system, not unlike the .NET environment. Hence it is not strictly speaking a browser plugin, but an OS extension. A browser-plugin DLL allows this OS extension to be accessed from within webpages. Hopefully, with 'sandboxing' to prevent other off-limits parts of the computer being accessed by the webpage code. Most websites don't actually require either. Some site that use dynamic menus (mine included) require Javascript. BUT, many websites use CSS to control layout, and on these the layout will go to pieces if Javascript is turned off. They still don't need Sun Java, though. ;-) The proportion of websites which use Sun Java is miniscule. At a very rough guess, one in ten thousand. I don't as a rule install Sun Java - it isn't on this machine- and I cannot even recall when I last encountered a site which complained about its absence. Yet, Java represents a considerable security risk for two reasons: Until recently, Sun Java updates failed to remove old, vulnerable versions. Since a Java program can specify which version to use, this meant that even fully-patched computers were STILL VULNERABLE to Java-coded malware. Several exploits using buffer-overflows in other software, e.g. Flash, Quicktime, rely on Java to actually execute the malware. Thus even if Java isn't at fault per se, its presence still reduces your computer's security. As for Cisco routers, yes, they use a Java-based GUI known as IOS. Only thing is, this GUI interface is so unbelievably slow and unstable that no-one worthy of the title of Cisco engineer uses it, preferring to write a text config-file and upload it to the router manually. I reckon that Cisco would drastically expand their userbase if they got rid of this hopeless software and used a conventional HTTP config-page, as does almost every other router manufacturer on the planet. The other time you need Java, of coure, is for scripting in Open Office. "Eddie Hyde" wrote: If a site requires java, then avoid it like the plague. That would eliminate a LOT of websites. |
#15
|
|||
|
|||
MSN Toolbar included with Sun Java Security 'updates'
No bone to pick with any financial site that is intelligent enough to
understand the risk involved when using java. My financial sites do NOT use java. None of my systems have any java runtimes installed. For some history on why I refuse to allow java on my systems ... in February 05 I contacted Sun and inquired as to the security risk of leaving older, vulnerable versions on a system when a 'new' runtime was pushed out. They admitted that it was a security risk and did NOTHING about it until just recently. Do the math. How many systems were exposed to a vulnerability that Sun KNEW existed for over 3 years ? Every one of their Security bulletins has this at the end of them, neatly hidden from Users who visit java.com that were totally unaware of WHY the older, vulnerable versions should be uninstalled: http://sunsolve.sun.com/search/docum...=1-26-244987-1 Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see: http://java.com/en/download/help/uninstall_java.xml I've seen 6 or more JSE's installed on clients' systems. Heck, on one client's system there were 10 RUNTIMES installed. At 115 MB each, that's a HUGE amount of disk space being wasted, isn't it ? I'm not the only one that has been ranting about Sun and their updating mechanism: Ghosts of Java Haunt Users http://blog.washingtonpost.com/secur..._again_po.html Check out that article, please. Brian Krebs has been on this for as long as I have. If another vendor ignored their own SECURITY suggestions, refused to fix their auto updating mechanism, then I'd be flaming them, too ... trust me. Now, as to Microsoft's decision to include the MSN toolbar with newer versions of Sun's java runtime ... MS has made a tremendous improvement as to security in their software and OS'. It appears that they are willing to go backwards in regards to security when they include the MSN toolbar as an OPT-OUT when a newer JRE is pushed out that, in reality, is a SECURITY update that addresses known vulnerabilities in the previous runtimes. I'd venture an educated guess that 99% of newer runtimes came out to address Critical vulns. This will affect Users who are under the impression that anything MS offers 'should be installed'. I've seen this first hand on clients' systems when they installed what was purported to be a security update from a 3rd party vendor that included unnecessary crap ... like Adobe trying to sneak the Google toolbar along with Shockwave security updates. The clients' were more then annoyed and became reticent to install subsquent updates for Flash and Shockwave. Guess what happened to them eventually ? All it will take is for Users to get peeved about the installation of an unnecessary toolbar, or, for something to go wrong during installation of a JSE that causes serious issues. Then Users will become reticent when their systems are offered Security updates from Automatic or Windows Update. There's enough FUD concerning updating already; does MS really need to stoke the 'tin foil' crowd ? So, in effect, MS is stating that ad revenue trumps security. Sorry, that irks me to no end. I've made my feelings known to them but .... I have a strong suspicion that Marketing trumps Security these days. So, I'm not keeping my thoughts to myself any longer and want others to know WHY including toolbars and other crap along with SECURITY updates is a shortsighted and counterproductive practice. Cabiche, Leonard ? MowGreen [MVP 2003-2009] =============== *343-* FDNY Never Forgotten ================ Leonard Grey wrote: I don't like pre-checked opt-in boxes any more than you, but I wonder why you happen to pick on Java, when this practice is widespread among software providers, and why particularly Java-employing websites, especially financial websites. Sounds like you have a bone to pick with an unnamed Java-employing financial website, and because of that I should avoid software that has served me well for years? --- Leonard Grey Errare humanum est MowGreen [MVP] wrote: Beware of the *opt-out* behavior of Sun's java automatic updater. In the US, at least, the MSN toolbar comes PREchecked [opt-out] and will install along with purported java 'security' updates. Said 'security' updates are presented as the latest version of Sun's java runtime. Including crappy toolbars with security updates as an opt-out is a REALLY dumb, shortsighted decision. Shame on MS for doing so. As to Sun's java, who needs it ? If a site requires java, then avoid it like the plague. *Especially* any site that does financial transactions. MowGreen [MVP 2003-2009] =============== *-343-* FDNY Never Forgotten =============== |
Thread Tools | |
Display Modes | |
|
|