March 5th, 2013

Five, Count ‘Em, Five New Security Holes In Java

Those who thought it was safe to re-up Java on their browsers will need to go back and turn it off again.

If you listen to us, after you do you’ll never turn it back on. Browser-side Java has been made pretty much obsolete by newer technologies, which means you don’t need it, especially since it’s proving to be about as easy to keep secure as ActiveX, sandbox or no. Here at FOSS Force, we haven’t had it enabled on our browsers for years, with no noticeable problems when we surf the web.

You may remember that back on January 10th it was announced that Java had a security vulnerability that was already being exploited in the wild. This security hole was serious enough to prompt the U.S. Department of Homeland Security to suggest that browser-side Java be turned off on all computers.


Since then, Oracle’s been busily trying to get it right, but having little luck. On January 13th, the company pushed an unscheduled patch to fix the most pressing security hole, but the effort failed to satisfy security experts. To make matters worse, about that time, new security problems started to be found in Java.

On February 1st, Oracle released patches addressing a total of 50 security problems, which were then bundled into Java SE 7 Update 15, released on February 19th. That was supposed to be the end of it. Guess what? It wasn’t.

Yesterday CSO Online reported that Security Explorations, the Polish security firm that discovered most of the other Java security holes, has found five new vulnerabilities in Java. This report comes only a week after the same company reported two other security flaws in the Java browser plugin.

According to CSO Online:

“The latest discovery came after Oracle rejected one of the bugs Security Explorations reported Feb. 25. ‘It made us look into Java SE 7 code and its docs once again, gathering counterargument material,’ Adam Gowdiak, chief executive of the company, said in a post on SecLists.org.”

The good news is none of these vulnerabilities can be used to cause much harm by themselves. The bad news is that stringing all five together makes for a black hat payday:

“Separately, the flaws do not pose a security problem, the company said. However, when linked together, they can enable someone to bypass the Java’s anti-exploit sandbox technology. Security Explorations said it had not seen the vulnerabilities exploited in the wild.”

Because of the Java security issues discovered earlier in the year, Oracle has vowed to release Java updates every two months instead of on a four-month schedule as had been the case. The next scheduled update is on April 16. Until then, you’re free to play Java roulette, if you wish.

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
