Open Source Adapted Bicycle Pedal Comes to the Rescue
Accessibility has always been important to designers of open source software. Now that open source has come to design, that's more true than ever, as demonstrated with this open source bicycle
Linux Action Show to End Eleven-Year Run at LFNW
Six more episodes before the popular Linux podcast, Linux Action Show, ends its nearly 11-year run in a live broadcast from LinuxFest Northwest.

Media



Jupiter Broadcasting's long-running
Dealing With Real-Life, Everyday Security Threats
No one has ever been shot by a hacker who was breaking into their computer through the Internet. Not so for thieves coming in through the back door.

Roblimo's Hideaway



I wrote a piece
Four Things a New Linux User Should Know
When you move from "that other operating system" to Linux, you're going to find that in most ways you'll be in familiar territory. However, that's not always the case. We sometimes do things a little differently
The Future of Desktop Ubuntu
With all the changes happening at Canonical, you might wonder what this means for the future of desktop Ubuntu, besides the return to the GNOME desktop.



There hasn't been this much news about a single Linux distro
Libreboot Reorganizes: Seeks to Make Amends
It appears the people developing Libreboot have done some of the hard work necessary to fix potentially toxic personal dynamics after last year's controversy, when the project removed itself from the
It's Windows Time in Linux Land Again
Using Windows. What a horrible thing to ask a Linux user to do.
March 5th, 2013

Five, Count ‘Em, Five New Security Holes In Java

Those who thought it was safe to re-up Java on their browsers will need to go back and turn it off again.

If you listen to us, after you do you’ll never turn it back on. Browser side Java has been made pretty much obsolete by newer technologies, which means you don’t need it, especially since it’s proving to be about as easy to keep secure as ActiveX, sandbox or no. Here at FOSS Force, we haven’t had it enabled on our browsers for years, with no noticeable problems when we surf the web.

You may remember that back on January 10th it was announced that Java had a security vulnerability that was already being exploited in the wild. This security hole was serious enough to prompt the U.S. Department of Homeland Security to suggest that browser side Java be turned-off on all computers.


Since then, Oracle’s been busily trying to get it right, but having little luck. On January 13th, the company pushed an unscheduled patch to fix the most pressing security hole, but the effort failed to satisfy security experts. To make matters worse, about that time, new security problems started to be found in Java.

On February 1st, Oracle released patches addressing a total of 50 security problems, which were then bundled into Java SE 7 Update 15, released on February 19th. That was supposed to be the end of it. Guess what? It wasn’t.

Yesterday CSO Online reported that Security Explorations, the Polish security firm that discovered most of the other Java security holes, has found five new vulnerabilities in Java. This report comes only a week after the same company reported two other security flaws in the Java browser plugin.

According to CSO Online:

“The latest discovery came after Oracle rejected one of the bugs Security Explorations reported Feb. 25. ‘It made us look into Java SE 7 code and its docs once again, gathering counterargument material,’ Adam Gowdiak, chief executive of the company, said in a post on SecLists.org.”

The good news is none of these vulnerabilities can be used to cause much harm by themselves. The bad news–string them together using all five and it’s a black hat payday:

“Separately, the flaws do not pose a security problem, the company said. However, when linked together, they can enable someone to bypass the Java’s anti-exploit sandbox technology. Security Explorations said it had not seen the vulnerabilities exploited in the wild.”

Because of the Java security issues discovered earlier in the year, Oracle has vowed to release Java updates every two months instead of on a four month schedule as had been the case. The next scheduled update is on April 16. Until then, you’re free to play Java roulette, if you wish.

The following two tabs change content below.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Latest posts by Christine Hall (see all)

Comments are closed.