Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
Likes: 1
Moderator
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
Today, unexpectedly close on the heels of Oracle's recent (and already compromised) Java 7 updater, follow two Java 6 updaters from Apple for Snow Leopard as well as for Lion and Mountain Lion. We'll see how long these last.
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
The Java 1.6 updaters Apple issued earlier this week are subject to similar caveats as affected the preceding Java 1.7 updater provided by Oracle. The Oracle patch proved to be buggy and still vulnerable to certain exploits, while Apple's 1.6 updaters apparently do not patch the 1.7 vulnerability that the Oracle updater addressed. To be sure, this vulnerability has to date only been exploited in Java 1.7, and NOT yet in Java 1.6, but it could be. Hence, all suggestions to secure your Java configuration to your needs are still valid and recommended.
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
And now, a new wrinkle in the cat-and-mouse game: For PC Virus Victims, Pay or Else
Jon
macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: THE CYBER-SECURITY THREAD
Earlier today MacInTouch noted a report from Sophos dealing with current and expected computer security threats. It may be of interest to regular readers of this thread: Security Threat Report 2013
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
ya we've seen a recent upsurge in "ransomware" and the "fbi warning" trojans on the pc side as of lately. funny stuff. makes for entertaining phone calls from customers.
I work for the Department of Redundancy Department
Re: THE CYBER-SECURITY THREAD
For those who like this time of the year to review past issues, here's Rich Mogull's view on Apple’s Security Efforts in 2012.
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
If it's entertainment that you seek, watch this video to the end.
Jon
Re: THE CYBER-SECURITY THREAD
While the iOS world has been relatively clean of malware, it has (had) its share of privacy issues, and so it appears again today. AppleInsider reports that an iOS 6 bug reenables JavaScript in Safari without user consent. Even though this privacy and security vulnerability doesn't appear to be actively exploited at the moment, it could allow browser fingerprinting of those users who thought they'd stopped that by disabling JavaScript. Not!
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
Here is some background information about the latest Java 7 exploit* of vulnerability CVE-2013-0422, and the Java 7 Update 11 that patches it. The article also addresses potential issues with the (unrelated) JavaScript and suggests a 'best practice' approach.
*) mentioned elsewhere in this forum.
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
The "Best Practices" I keep seeing by the experts on this topic are "java will always have security problems"
I dunno. I generally put Java and Flash in pretty much the same boat that way.
I work for the Department of Redundancy Department
Re: THE CYBER-SECURITY THREAD
> The "Best Practices" I keep seeing by the experts on this topic are "java will always have security problems"
I behave as if that were true, by keeping Java turned off and Flash blocked until I choose to allow it for specific tasks or web sites. But that 'best practice' comment really was about how to deal with JavaScript and its vulnerabilities. I suppose I could have been more clear about that.
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
Jon
Re: THE CYBER-SECURITY THREAD
Either Apple's Anti-malware system does not work or the article is inaccurate and misleading. I suspect the latter to be the case. There are three major Java implementation categories, each with its own characteristics and limitations…
- applications — stand-alone programs that run on the computer such as NeoOffice
- applets — that run only within a browser and are not at all the same thing as JavaScript
- servlets — that run on a server to provide various functionalities
I have several Java applications on my Macs including OpenOffice, NeoOffice, MoneyDance, and others used to access specific devices. All of them are working perfectly and I am scrupulous about installing every update that comes along. Therefore, it would appear that although the referenced article is easily interpreted as applying to all three Java implementations, the only ones affected by the OS X anti-malware system are applets. (Thank goodness, because it would take me literally hundreds of hours of work to reconstruct all my financial records to pay last year's taxes if Java were unilaterally cut off, not to mention all my documents that are in ODF format.)
As far as alternaut's concern about JavaScript insecurity goes, that becomes an even more difficult problem to solve as each browser has its own unique implementation of ECMAScript. (Although Mozilla's JavaScript was the original, both it and Microsoft's JScript are officially two of the many dialects encompassed by the ECMAScript standard.) So a vulnerability may exist in the dialect, the standard or, perhaps even more likely, in the particular browser's implementation of the standard. I still run across the occasional web site that only works if you are using a specific version of Internet Explorer or maybe a Mozilla browser.
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein
Re: THE CYBER-SECURITY THREAD
Oracle patches security issues with Java 7 Update 13, and I believe whatever the groundhog says tomorrow.
Jon
Re: THE CYBER-SECURITY THREAD
Much to my surprise I was installing Adobe Creative Suite CS 6 on my son's computer today and when I launched the first application, Dreamweaver, the first thing it did was install Java. So here is another case where at least Java applications are unaffected by Apple's anti-malware. Whether there are Java applications embedded in DW or the JVM is there for site development, I have no idea.
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein
Re: THE CYBER-SECURITY THREAD
Here's a real-world exploit of Java vulnerabilities: Twitter Hacked: Data for 250,000 Users May Be Stolen.
Jon
Re: THE CYBER-SECURITY THREAD
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
It looks like "damage control" and attempted cover-ups are not restricted to governments. Google asks journalists to tone down story of "massive" Google Play security flaw. Fortunately for me, I don't have a cell phone of any description, but now I know that I will never trust Google. I ditched Chrome a while back because of my doubts about privacy.
Jon
Re: THE CYBER-SECURITY THREAD
Take your pick from Chrome's lack of privacy to Safari's sellout to the "trackers"...
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
Adobe has issued critical updates for both Reader and Acrobat versions 9, 10 and 11. Until the updates are installed, it is advisable to disable JavaScript in Reader and (when optional) enable protected view before accessing PDFs on the internet.
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
seeing as there'll just be another critical security hole next month/week/tomorrow, it's probably smarter to just leave java off.
I work for the Department of Redundancy Department
Re: THE CYBER-SECURITY THREAD
Absolutely, but note that in my previous post I was referring specifically to JavaScript in Reader. For many users, that may not be too onerous, but we'd be really hurting if that should ever extend to browsers.
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
I work for the Department of Redundancy Department
Re: THE CYBER-SECURITY THREAD
well THAT didn't take long... http://thenextweb.com/insider/2013/03/01...urity-settings/
You'd think the hackers would have the common courtesy to wait until the most recent 0-day is patched before announcing another one. ya... I think I'll just leave that OFF.
I work for the Department of Redundancy Department