A Windows XP help forum. PCbanter

MSN Toolbar included with Sun Java Security 'updates'



 
 
  #16  
Old December 10th 08, 11:31 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
MowGreen [MVP]



There are some organizations, like ours, that REQUIRE Sun Java !

Who needs it -- We do.


Et tu, David w

ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,
workstations, and servers.
Does the Average User know that, too ? Hardly.
Sorry, Sun is NOT needed by *most* Average Users.


BTW, now that Sun's auto updating mechanism now removes older,
vulnerable versions, are you using the Static configuration method to
retain them ?
http://java.sun.com/javase/6/docs/te...e_install.html


MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============
  #17  
Old December 10th 08, 11:35 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
MowGreen [MVP]

Perhaps MS will allow Sun to use their updating pipeline to push out
JSEs issued to address vulns in the previous JSE. Then they'll be
offering purported security updates via AU|MU|WU that include the MSN
toolbar and the blame can be laid on Sun.
Think of the revenue from that ... and then think about how the Justice
Dept. would react. eg

MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============


Vadim Rapp wrote:

Is that MS's fault?



yes, it is - second after Sun. Any advertiser does have control on the
places where their ads appear. If Microsoft ads suddenly showed up on
low-quality sites, Microsoft most likely would take steps to protect their
image.

Though, if those were MSN ads, maybe they would not.


  #18  
Old December 11th 08, 12:10 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
David H. Lipman

From: "MowGreen [MVP]"



There are some organizations, like ours, that REQUIRE Sun Java !


Who needs it -- We do.



| Et tu, David w

| ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,
| workstations, and servers.
| Does the Average User know that, too ? Hardly.
| Sorry, Sun is NOT needed by *most* Average Users.


| BTW, now that Sun's auto updating mechanism now removes older,
| vulnerable versions, are you using the Static configuration method to
| retain them ?
| http://java.sun.com/javase/6/docs/te...e_install.html


| MowGreen [MVP 2003-2009]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============

Our situation is complex and we are not using any static configuration method. From
periodic and required training to web systems to JInitiator, Sun Java is required. I too
have seen as many as eight versions of Sun Java on our platforms. I manually remove them
all and install the latest version. I limit the cache to 50MB (1GB is the default, are
they joking ?) and I will disable the Quick Start service. We can't have additional open
ports lowering the IA level of our systems.

All toolbars are forbidden. Yahoo, Google, MSN, etc. If the JavaUpdateScheduler is now
downloading bundled toolbars that is a *big* problem!

On another note...
Did you know that Adobe Acrobat Pro v9 bundles JRE v5 update 11 ?
"C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe"

Why can't they just rely on SUN JRE installed on the OS ?
Why do they bundle a KNOWN vulnerable version ?

I have opened a case number with Adobe on this issue. They NEVER responded.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
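
An added example, not written by any poster in this thread: Python that inventories every `java` binary under chosen directories, parses the `java -version` banner, and flags copies older than a baseline, including copies bundled inside other applications' folders such as the Acrobat path quoted above. The baseline (6 update 11, the version Terry R. mentions later in the thread), the `system_dir` default and the sample inventory are assumptions made for the example.

```python
import os
import re
import subprocess

# `java -version` prints a banner such as:  java version "1.5.0_11"
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def find_java_binaries(roots):
    """Yield the path of every java / java.exe file found under the roots."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in ("java.exe", "java"):
                    yield os.path.join(dirpath, name)

def probe(path, timeout=10):
    """Run `<path> -version` and return the banner text ('' on failure)."""
    try:
        done = subprocess.run([path, "-version"], capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return done.stderr + done.stdout  # the banner is written to stderr

def audit(inventory, baseline, system_dir=r"C:\Program Files\Java"):
    """Classify (path, banner) pairs against a (major, update) baseline.

    'bundled' marks copies outside the system-wide Java directory (an
    assumed default), i.e. copies shipped inside another product's folder.
    'stale' is True below the baseline or when the banner cannot be parsed,
    so unknown copies are flagged for manual review.
    """
    findings = []
    for path, banner in inventory:
        version = parse_java_version(banner)
        findings.append({
            "path": path,
            "version": version,
            "bundled": not path.lower().startswith(system_dir.lower()),
            "stale": version is None or version < baseline,
        })
    return findings

# Constructed sample inventory. The Acrobat path and "v5 update 11" are the
# ones quoted in the post above; the other two entries are made up.
SAMPLE = [
    (r"C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe",
     'java version "1.5.0_11"'),
    (r"C:\Program Files\Java\jre1.6.0_07\bin\java.exe",
     'java version "1.6.0_07"'),
    (r"C:\Program Files\Java\jre6\bin\java.exe",
     'java version "1.6.0_11"'),
]

if __name__ == "__main__":
    # For a live scan, build the inventory with:
    #   [(p, probe(p)) for p in find_java_binaries([r"C:\Program Files"])]
    for finding in audit(SAMPLE, baseline=(6, 11)):
        print(finding)
```
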


  #19  
Old December 11th 08, 12:12 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
David H. Lipman

From: "MowGreen [MVP]"

| Perhaps MS will allow Sun to use their updating pipeline to push out
| JSEs issued to address vulns in the previous JSE. Then they'll be
| offering purported security updates via AU|MU|WU that include the MSN
| toolbar and the blame can be laid on Sun.
| Think of the revenue from that ... and then think about how the Justice
| Dept. would react. eg

| MowGreen [MVP 2003-2009]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============


Think about how SUN had an agreement with Microsoft for SUN Java to be provided to
Microsoft and Microsoft violated the terms of the agreement and SUN sued Microsoft and MS
lost !


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #20  
Old December 11th 08, 12:25 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
FromTheRafters[_2_]


"David H. Lipman" wrote in message
...
From: "MowGreen [MVP]"



There are some organizations, like ours, that REQUIRE Sun Java !


Who needs it -- We do.



| Et tu, David w

| ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,
| workstations, and servers.
| Does the Average User know that, too ? Hardly.
| Sorry, Sun is NOT needed by *most* Average Users.


| BTW, now that Sun's auto updating mechanism now removes older,
| vulnerable versions, are you using the Static configuration method to
| retain them ?
| http://java.sun.com/javase/6/docs/te...e_install.html


| MowGreen [MVP 2003-2009]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============

Our situation is complex and we are not using any static configuration method. From
periodic and required training to web systems to JInitiator, Sun Java is required. I too
have seen as many as eight versions of Sun Java on our platforms. I manually remove them
all and install the latest version. I limit the cache to 50MB (1GB is the default, are
they joking ?) and I will disable the Quick Start service. We can't have additional open
ports lowering the IA level of our systems.

All toolbars are forbidden. Yahoo, Google, MSN, etc. If the JavaUpdateScheduler is now
downloading bundled toolbars that is a *big* problem!

On another note...
Did you know that Adobe Acrobat Pro v9 bundles JRE v5 update 11 ?
"C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe"

Why can't they just rely on SUN JRE installed on the OS ?
Why do they bundle a KNOWN vulnerable version ?

I have opened a case number with Adobe on this issue. They NEVER responded.


Thanks for mentioning this again, I was wondering if there was any
response. A vulnerable program in a known location is a very bad
thing securitywise.


  #21  
Old December 11th 08, 12:59 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
Terry R.[_2_]

The date and time was 12/10/2008 4:10 PM, and on a whim, David H. Lipman
pounded out on the keyboard:

From: "MowGreen [MVP]"



There are some organizations, like ours, that REQUIRE Sun Java !


Who needs it -- We do.



| Et tu, David w

| ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,
| workstations, and servers.
| Does the Average User know that, too ? Hardly.
| Sorry, Sun is NOT needed by *most* Average Users.


| BTW, now that Sun's auto updating mechanism now removes older,
| vulnerable versions, are you using the Static configuration method to
| retain them ?
| http://java.sun.com/javase/6/docs/te...e_install.html


| MowGreen [MVP 2003-2009]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============

Our situation is complex and we are not using any static configuration method. From
periodic and required training to web systems to JInitiator, Sun Java is required. I too
have seen as many as eight versions of Sun Java on our platforms. I manually remove them
all and install the latest version. I limit the cache to 50MB (1GB is the default, are
they joking ?) and I will disable the Quick Start service. We can't have additional open
ports lowering the IA level of our systems.

All toolbars are forbidden. Yahoo, Google, MSN, etc. If the JavaUpdateScheduler is now
downloading bundled toolbars that is a *big* problem!

On another note...
Did you know that Adobe Acrobat Pro v9 bundles JRE v5 update 11 ?
"C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe"

Why can't they just rely on SUN JRE installed on the OS ?
Why do they bundle a KNOWN vulnerable version ?

I have opened a case number with Adobe on this issue. They NEVER responded.


Blackberry Professional for Exchange was installed on a server at a
network I admin. Java 5.11 was also installed. I updated to 6.11 and
the software wouldn't work! Why are they using versions so old?

--
Terry R.

***Reply Note***
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.
  #22  
Old December 11th 08, 01:09 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
David H. Lipman

From: "FromTheRafters"


| Thanks for mentioning this again, I was wondering if there was any
| response. A vulnerable program in a known location is a very bad
| thing securitywise.

I brought it up on the semi-private Adobeforums and they were more interested in the URLs
in my signature calling them spam and my quoting those I responded to.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #23  
Old December 11th 08, 01:11 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
David H. Lipman

From: "Terry R."


| Blackberry Professional for Exchange was installed on a server at a
| network I admin. Java 5.11 was also installed. I updated to 6.11 and
| the software wouldn't work! Why are they using versions so old?

| --
| Terry R.

The idiots of these companies need to work off a centralized version of SUN Java and NOT
the concept of installing old versions modified to their needs.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #24  
Old December 11th 08, 07:41 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
Leonard Grey[_3_]

In the first place, I believe the word is /capisce/ but I'll defer to
the Italians in the group.

However you describe it, you have a bone to pick. No big deal...everyone
has a bone to pick. But I don't post (or cross-post) to a public
newsgroup to tell people to stop using any and all Zone Alarm products
just because I disagree with the way Zone Alarm conducts its business.

And even if I were so inclined, I would do it in a newsgroup for Zone Alarm.
---
Leonard Grey
Errare humanum est

MowGreen [MVP] wrote:
No bone to pick with any financial site that is intelligent enough to
understand the risk involved when using java. My financial sites do NOT
use java. None of my systems have any java runtimes installed.

For some history on why I refuse to allow java on my systems ...
in February 05 I contacted Sun and inquired as to the security risk of
leaving older, vulnerable versions on a system when a 'new' runtime was
pushed out. They admitted that it was a security risk and did NOTHING
about it until just recently. Do the math. How many systems were exposed
to a vulnerability that Sun KNEW existed for over 3 years ?

Every one of their Security bulletins has this at the end of them,
neatly hidden from Users who visit java.com that were totally unaware of
WHY the older, vulnerable versions should be uninstalled:

http://sunsolve.sun.com/search/docum...=1-26-244987-1

Note: When installing a new version of the product from a source other
than a Solaris patch, it is recommended that the old affected versions
be removed from your system. To remove old affected versions on the
Windows platform, please see:

http://java.com/en/download/help/uninstall_java.xml


I've seen 6 or more JSE's installed on clients' systems. Heck, on one
client's system there were 10 RUNTIMES installed. At 115 MB each, that's
a HUGE amount of disk space being wasted, isn't it ?

I'm not the only one that has been ranting about Sun and their updating
mechanism:

Ghosts of Java Haunt Users
http://blog.washingtonpost.com/secur..._again_po.html


Check out that article, please. Brian Krebs has been on this for as long
as I have.

If another vendor ignored their own SECURITY suggestions, refused to fix
their auto updating mechanism, then I'd be flaming them, too ... trust me.

Now, as to Microsoft's decision to include the MSN toolbar with newer
versions of Sun's java runtime ... MS has made a tremendous improvement
as to security in their software and OS'. It appears that they are
willing to go backwards in regards to security when they include the MSN
toolbar as an OPT-OUT when a newer JRE is pushed out that, in reality,
is a SECURITY update that addresses known vulnerabilities in the
previous runtimes. I'd venture an educated guess that 99% of newer
runtimes came out to address Critical vulns.

This will affect Users who are under the impression that anything MS
offers 'should be installed'. I've seen this first hand on clients'
systems when they installed what was purported to be a security update
from a 3rd party vendor that included unnecessary crap ... like Adobe
trying to sneak the Google toolbar along with Shockwave security
updates. The clients were more than annoyed and became reticent to
install subsequent updates for Flash and Shockwave. Guess what happened
to them eventually ?

All it will take is for Users to get peeved about the installation of an
unnecessary toolbar, or, for something to go wrong during installation
of a JSE that causes serious issues.
Then Users will become reticent when their systems are offered Security
updates from Automatic or Windows Update.
There's enough FUD concerning updating already; does MS really need to
stoke the 'tin foil' crowd ?

So, in effect, MS is stating that ad revenue trumps security.
Sorry, that irks me to no end. I've made my feelings known to them but
... I have a strong suspicion that Marketing trumps Security these days.
So, I'm not keeping my thoughts to myself any longer and want others to
know WHY including toolbars and other crap along with SECURITY updates
is a shortsighted and counterproductive practice.

Cabiche, Leonard ?


MowGreen [MVP 2003-2009]
===============
*343-* FDNY
Never Forgotten
================


Leonard Grey wrote:

I don't like pre-checked opt-in boxes any more than you, but I wonder
why you happen to pick on Java, when this practice is widespread among
software providers, and why particularly Java-employing websites,
especially financial websites.

Sounds like you have a bone to pick with an unnamed Java-employing
financial website, and because of that I should avoid software that
has served me well for years?
---
Leonard Grey
Errare humanum est

MowGreen [MVP] wrote:

Beware of the *opt-out* behavior of Sun's java automatic updater. In
the US, at least, the MSN toolbar comes PREchecked [opt-out] and will
install along with purported java 'security' updates. Said 'security'
updates are presented as the latest version of Sun's java runtime.

Including crappy toolbars with security updates as an opt-out is a
REALLY dumb, shortsighted decision.
Shame on MS for doing so.

As to Sun's java, who needs it ?
If a site requires java, then avoid it like the plague.
*Especially* any site that does financial transactions.


MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============





  #25  
Old December 11th 08, 11:40 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
David H. Lipman

From: "Leonard Grey"

| In the first place, I believe the word is /capisce/ but I'll defer to
| the Italians in the group.

| However you describe it, you have a bone to pick. No big deal...everyone
| has a bone to pick. But I don't post (or cross-post) to a public
| newsgroup to tell people to stop using any and all Zone Alarm products
| just because I disagree with the way Zone Alarm conducts its business.

| And even if I were so inclined, I would do it in a newsgroup for Zone Alarm.
| ---
| Leonard Grey
| Errare humanum est

Except for the suspicions of a backdoor in ZoneAlarm inserted by (censored), it is
intended to protect a PC.

On the other hand, SUN Java is responsible for *MANY* people being infected with malware
due to their overwhelming number and consistency of vulnerabilities.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #26  
Old December 11th 08, 03:13 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
Leonard Grey[_3_]

So what? You could say the same thing about Microsoft software
("responsible for *MANY* people being infected with malware
due to [their] overwhelming number and consistency of vulnerabilities.")

On the other hand, I've been using and updating Java (and Microsoft
software) forever and yet none of my computers have ever been infected
by any type of malware.

All software is riddled with vulnerabilities waiting to be exploited, so
let's not focus on the villain-of-the-month. Or maybe I'll get out my
soapbox for Comcast. Urrr...don't get me started.
---
Leonard Grey
Errare humanum est

David H. Lipman wrote:
From: "Leonard Grey"

| In the first place, I believe the word is /capisce/ but I'll defer to
| the Italians in the group.

| However you describe it, you have a bone to pick. No big deal...everyone
| has a bone to pick. But I don't post (or cross-post) to a public
| newsgroup to tell people to stop using any and all Zone Alarm products
| just because I disagree with the way Zone Alarm conducts its business.

| And even if I were so inclined, I would do it in a newsgroup for Zone Alarm.
| ---
| Leonard Grey
| Errare humanum est

Except for the suspicions of a backdoor in ZoneAlarm inserted by (censored), it is
intended to protect a PC.

On the other hand, SUN Java is responsible for *MANY* people being infected with malware
due to their overwhelming number and consistency of vulnerabilities.


  #27  
Old December 11th 08, 06:26 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
Ken Blake, MVP

On Thu, 11 Dec 2008 02:41:55 -0500, Leonard Grey
wrote:

In the first place, I believe the word is /capisce/ but I'll defer to
the Italians in the group.



I'm not Italian, but I speak some Italian. Yes, your spelling is
correct. It's the second person singular of the verb "capire." And, by
the way, it's pronounced ka-PEE-shay.

--
Ken Blake, Microsoft MVP - Windows Desktop Experience
Please Reply to the Newsgroup
  #28  
Old December 12th 08, 03:39 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
FromTheRafters[_2_]

"David H. Lipman" wrote in message
...
From: "FromTheRafters"


| Thanks for mentioning this again, I was wondering if there was any
| response. A vulnerable program in a known location is a very bad
| thing securitywise.

I brought it up on the semi-private Adobeforums and they were more interested in the URLs
in my signature calling them spam and my quoting those I responded to.


I suppose that is a typical response in that forum. Too bad. Good thing
that sort of thing never happens here (pick one).

[snipped the SPAM]

D


  #29  
Old December 12th 08, 04:18 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
~BD~[_3_]


"David H. Lipman" wrote in message
...

There are some organizations, like ours, that REQUIRE Sun Java !

Who needs it -- We do.

--
Dave


--

I've snipped the SPAM too!

If you were to tell us the name of the organization for which you work I
might better understand your general attitude, Mr Lipman.

Does it have a web site to which I, and other readers, may refer? If so,
maybe you should use it as a replacement signature. What do *you* think?

BDave

--


  #30  
Old December 12th 08, 08:55 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.windows.vista.security
David H. Lipman

A conformative reply in the Adobeforums would be like this one.

No quoting (or very little).

--
Dave


 




All times are GMT +1.