firefox blocks java

Tommy Trussell tommy.trussell at gmail.com
Sat Dec 21 16:42:23 UTC 2013


On Sat, Dec 21, 2013 at 10:38 AM, Tommy Trussell
<tommy.trussell at gmail.com> wrote:

> On Sat, Dec 21, 2013 at 2:34 AM, thufir <hawat.thufir at gmail.com> wrote:
>
>> On Fri, 20 Dec 2013 12:55:45 -0600, Tommy Trussell wrote:
>>
>> >> http://www.securelist.com/en/analysis/204792310/Kaspersky_Lab_Report_Java_under_attack_the_evolution_of_exploits_in_2012_2013
>> >>
>> > On closer inspection that article is somewhat of an advertisement.
>> > However I think you can glean from it that the major threat is not Java
>> > alone, but Java embedded in web sites that exploit vulnerabilities --
>> > the places you can jump OUT of the sandbox, essentially.
>>
>>
>> It's not just an advertisement, it's misinformed:
>>
>> "...and the software was not built with security in mind."  This is just
>> flat-out wrong. Java, from the get-go, has been a sandbox.  That was one
>> of its selling points.
>>
>> In all honesty, I haven't looked into it.  However, Kaspersky is selling
>> software for a different OS, an OS known to have security problems.
>> They're not likely to say that the problem is inherent to the OS.
>>
>> I have no idea how it really works, but I'm wondering if it's not that the
>> sandbox per se is compromised, but perhaps it's just not really possible
>> to sandbox a VM on Windows?
>>
>> I've never seen, to my knowledge, and I haven't looked into it, a known
>> case of the JVM sandbox, not sure of the technical term, not working on
>> Linux.
>>
>> That is, is there an actual case of a program which can break out of the
>> sandbox on Linux JVM?  I've never heard of one, and on a cursory glance at
>> the security mailing list, nothing popped out.
>>
>
> I will be the first to admit I don't know. All I know is what I have read,
> and some of the articles specifically mention Linux. For example:
>
> http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/
>
>
> http://www.oit.umass.edu/news/2013-01-14/serious-java-vulnerability-targets-windows-macintosh-linux-computers-0
>
> I don't understand what exact proof you are looking for. Could it be that
> these security breaches are ALL essentially violations of the "sandbox"
> concept? Since the fundamental idea is that Java should run the same way on
> all platforms, if it's a security problem on one, I might assume it could
> be on another platform, too.
>
> My impression is that the general attitude in recent years has been to
> mistrust Java security because there have been so many alarms. You may very
> well be OK for your application.
>
>
I found those articles -- and there are some that might more directly
answer your question -- with a Google search "do java exploits affect linux"