[LINK] Time to disable Java again? "Fixing zero-day exploit could take 'two years'"
Fernando Cassia
fcassia at gmail.com
Tue Jan 15 06:59:43 AEDT 2013
On Mon, Jan 14, 2013 at 12:51 PM, Robin Whittle <rw at firstpr.com.au> wrote:
> I ruffled some Link feathers on 2012-09-18 by reporting that maybe Java
> should be disabled on PCs in general, at least in terms of it being able
> to run in web browsers.
Dear Robin,
Did you miss the message I sent earlier to the list? Java 7 update 11
fixes the alluded flaws, PLUS it includes a new security mechanism
that DOES NOT run unsigned or self-signed applets, unless the user
explicitly clicks. This makes "zero click" attacks impossible, even
if new vulnerabilities are discovered.
Plus, Firefox 18 includes a new security mechanism that DENIES running
any plug-in content (not only Java plug-in but also the PDF plug-in
etc) on a per-site basis until you authorize it (just like what
happens with Active-X, you get a dialog asking for permission to run
Plug-in content).
So, in effect this gives you TWO user permission requests before
running untrusted, unsigned or self-signed applets. Now tell me how
any untrusted code is going to run now? Hackers will have to crack
the web browser... and if they crack the browser, you have bigger
issues to worry about.
Some of the "security experts" have their own agendas...
I have run Java since 1999 on all my browsers and have never been hacked,
just by keeping the JRE up to date and disabling the browser plug-in
with a single click when visiting unknown sites.
Or, you can disable the browser plug-in altogether if you don't use
applets. That is a whole different story from disabling the Java
runtime, which is used to run Java apps, system-wide, and not related
at all to web browsing...
Just my $0.02
FC
--
During times of Universal Deceit, telling the truth becomes a revolutionary act
- George Orwell