[LINK] Security problems with Java in browsers

Fernando Cassia fcassia at gmail.com
Tue Sep 18 13:34:56 AEST 2012


First of all let me repeat that

1. Yes, Oracle was slow in patching that vulnerability.

2. My message was not about denying the existence of the bug, but rather
about decrying the media coverage it got. More below.

On Mon, Sep 17, 2012 at 11:35 PM, Robin Whittle <rw at firstpr.com.au> wrote:

>
> I don't accept what I think you are implying -


Of course, it's only a personal opinion. I have seen so many articles full
of FUD or wishful thinking over the years trumpeting the impending death
and/or irrelevance of Java that one gets overly suspicious about hidden
agendas when one sees another one...

...especially when reports about one security vulnerability in Java get
disproportionately higher exposure than Microsoft's own. (ActiveX has been
repeatedly exploited; that's why the latter gets regularly updated "ActiveX
killbits" as part of Windows Update.)

see:
http://goo.gl/3X2gd

That Microsoft and its employees have engaged in the past in disinformation
campaigns is a known fact. Starting with the "barkto incident" (Google it),
to the fake grassroots campaign where dead people wrote in support of the
firm in its legal fight with the US DOJ, and to the "fake security
consultant" who turned out to be an MS employee, writing to say AOL's AIM
had an AOL-installed security hole that put users at risk.

Barkto incident
http://www.isham-research.co.uk/barkto.html

Even dead people write in support of MS
http://community.seattletimes.nwsource.com/archive/?date=20010823&slug=microlob23

Fake security consultant turns out to be MS employee
http://www.net4tv.com/voice/Story.cfm?storyID=1335
http://www.nytimes.com/1999/08/13/business/microsoft-says-worker-wrote-smear-of-rival.html?pagewanted=all&src=pm

BM outed as Microsoft's sock puppet
http://www.catchingflack.com/2007/09/burson-marsteller-outed-as-microsofts-sock-puppet/

So, does this mean that the Java bug did not exist? No, the bug was/is
real.

What blew my mind was the tons of scaremongering articles telling everyone
to UNINSTALL JAVA completely, rather than advising them to: (1) update it to
the latest version (on my system the auto-updater kicked in all by itself
the same day 1.7_07 was released, and downloaded and installed the latest),
and (2), as a precaution, "disable the browser plug-in" to avoid further
risks until all these exploits are plugged.

A far more sensible recommendation than "you don't need it, it's awful,
time to get rid of it", without telling users that by doing so they would
also cripple popular desktop apps installed on their systems that use Java,
like OpenOffice's database module.

Give me the right to be suspicious about the motives behind such extreme
headlines and wide circulation of the news...

For instance, HowtoGeek's headline
"Java is insecure and awful, time to get rid of it"

Illustrated by this well-spirited image of the Java logo
http://www.howtogeek.com/wp-content/uploads/2012/08/image366.png

or betanews' "You don't need Java"

compare with:

Be prepared: ActiveX attacks will persist
http://www.infoworld.com/d/application-development/be-prepared-activex-attacks-will-persist-459

Call it just gut feeling. And no, I don't have any actual videotaped proof
of any MSFT employee rejoicing over the news and circulating the news
stories so that the snowball grows...

Just my $0.02
FC
