Am I going blind? I see no mention of .NET in the Forbes article, let alone any claims that it has worse security flaws than Java.
According to Secunia, .NET 4.0 has 14 patched vulnerabilities[^], and none unpatched. I have yet to see Microsoft take four months to patch a .NET vulnerability, or wait until it's being actively exploited before treating it seriously.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Maybe not; this is what happens when you read far too many of these last week. The better story[^] details the real issue behind the partial story in Forbes. So no, it's actually not a Java exploit, but a browser exploit.
With all that said, if I'm running as a non-privileged user and this exploit gives the attacker full control of my machine (Windows most likely), then there are bigger issues afoot than a mere exploit in the JRE. This would imply an OS problem. Add to this that he references the Flashback exploit of several months ago as being a similar hole; note that for Macs, at least, this "exploit" merely offered the user a request to install a trojan, nothing more, nothing less, and it required user intervention. From what I can tell, the Windows version gives direct access to the machine, bypassing the user and security entirely.
So perhaps if people ditched windows, they'd be safer? After all, that's no more sensationalist a line than "time to ditch Java".
If you're referring to the vulnerability patched by last week's IE security update[^], it didn't give the attacker full control of your machine; it gave them the same user rights as the current user. If you're surfing the net as a local administrator with UAC turned off, then the problem isn't the OS!
And you've now digressed from your original claim that ".NET (has) got the same or worse flaws (as Java)".
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
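A quick way to check the two conditions this reply calls out, whether the browsing account is a local administrator and whether UAC is enabled, as an added PowerShell example that is not part of the thread:

```powershell
# Added example, not from the thread: report whether this session carries local
# administrator rights and whether UAC (EnableLUA) is enabled on the machine.
function Get-BrowsingRiskReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Membership in BUILTIN\Administrators (S-1-5-32-544) is still listed in the
    # token even when UAC has filtered it down to standard-user rights.
    $inAdmins = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    # IsInRole(Administrator) is true only when the token is actually elevated;
    # with UAC off an admin account is always elevated.
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # EnableLUA = 1 means UAC is on; 0 means it has been disabled system-wide.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    $uacOn = ($enableLua -eq 1)

    # A same-user RCE in a browser or plugin runs with this token's rights, so the
    # worst case is an elevated admin token (or any admin token with UAC off).
    $verdict = if ($inAdmins -and ($isElevated -or -not $uacOn)) {
        'HIGH: browsing with full administrator rights; a same-user RCE owns the machine'
    } elseif ($inAdmins) {
        'MEDIUM: admin account, but UAC is filtering the token to standard-user rights'
    } else {
        'LOW: standard user; a same-user RCE is limited to this account'
    }

    [pscustomobject]@{
        User       = $identity.Name
        InAdmins   = $inAdmins
        Elevated   = $isElevated
        UacEnabled = $uacOn
        Verdict    = $verdict
    }
}

Get-BrowsingRiskReport
```

Run it from the same (non-elevated) session you browse from; an elevated PowerShell window will always report the elevated case.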
No, I'm actually talking about the hole in .NET, which really is a hole. But apparently it was far enough back that it fell off my 3-week history. Shows you how time flies. The difference between .NET and JRE flaws is that under .NET on Windows it can take over your machine, not just run with the current user privs. Despite removing the ability to manipulate tokens, or in spite of, it's still quite possible to dynamically inject code into DLLs and have them run as SYSTEM. That's also true of the JRE browser plugin flaws I suppose, although I haven't looked into it any deeper.
Which hole in .NET? I have yet to see a report of a .NET vulnerability which bypasses UAC.
For example: the most recent patch, MS12-038[^], states: "an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user."
Can you post a link to a single .NET vulnerability, patched or otherwise, which allows remote code execution under the system account?
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
How about this one? http://www.osvdb.org/71013 (although I'll note that my system does not appear to be affected, so perhaps it's a local problem?)
OSVDB: Location: Local Access Required
...could allow a local attacker to execute arbitrary code... ...the attacker would need to be a part of the Power or Domain user group...
So not exactly a remote-code execution vulnerability.
I suppose there's a possibility that an unpatched RCE could be used to get code onto the computer which could then take advantage of a local escalation of privilege vulnerability to execute further code as the system user, but that's not specific to .NET, and I'd be surprised if you couldn't do the same thing on a Mac.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Hi. It's a shame that this is passing with the "vendor standard" implementation of Java (or, to be more correct, the JVM), but uninstalling it is not necessary; what should be done is to disable it by default in web browsers (as it isn't as needed as it used to be) and enable it only on demand and only on some user-approved web sites. Another "fix" is to take a look at the open source implementations of Java and use those instead.
REMOVE IT ALTOGETHER!!!
It gives me allergies!
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
----
Our heads are round so our thoughts can change direction - Francis Picabia
I think you need less coffee - I mean Java.
/ravi
Now that you mention it, I really hate the taste of coffee (for real) and rely on energy drinks to get my caffeine dosage. Funny coincidence.
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
----
Our heads are round so our thoughts can change direction - Francis Picabia
Mobile devices are shipping with higher and higher PPI, and desktops and laptops are following the trend as well. There’s no avoiding it: High-pixel-density, or “Retina,” displays are now becoming mainstream—and, as you’d expect, our websites are beginning to look a little fuzzy in their backlit glory. But before we go off in the knee-jerk direction of supersizing all our sites, we must first identify the problems ahead and figure out the most responsible way forward—keeping our users in mind first and foremost. Progress toward enhancement: progressive enhancement.
I just came back from the Dreamforce conference with an epiphany – Force.com is the next Visual Basic. Some less experienced software developers might think that’s an insult, but those of us who have been around know that it’s not merely a compliment – it’s an observation that, if true, represents a potential tectonic shift to our industry. To understand why, I need to take you back over 20 years...
VB.Fred?????
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
Bill has a wicked sense of humour (and now that he's got a Kindle, he's finding time to catch up on modern day "classics" such as 50 Shades of Grey).
Was this intended to be a non-sequester?
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
No, it's more to give a subtle nudge to go read his blog. He's an interesting guy, and he has a very strange way of looking at the world.
Don Stookey knew he had botched the experiment. One day in 1952, the Corning Glass Works chemist placed a sample of photosensitive glass inside a furnace and set the temperature to 600 degrees Celsius. At some point during the run, a faulty controller let the temperature climb to 900 degrees C. Expecting a melted blob of glass and a ruined furnace, Stookey opened the door to discover that, weirdly, his lithium silicate had transformed into a milky white plate. When he tried to remove it, the sample slipped from the tongs and crashed to the floor. Instead of shattering, it bounced. Gorilla Glass: not (quite) your mother's old Pyrex.
One thing I wanted to write about for some time is how different the views on C++ are within the C++ community. That even as we have a single standard, there are still parallel worlds using the language very differently. But instead of worlds, I'd like to refer to the term Islands, as we all live in the same ocean of C++. There's so much that we share, that it's time we're aware...
Interesting. Even with a standard, it turns out there's still nothing standardized.
In the last few years mobile has exploded, but knowing what to do and where to start can be tricky. Mobile website design is not just a question of a mobile site or an app - there are a range of options in between and aspects to take into account. To help you out, we have gathered together 20 top tips on what to consider when defining your mobile strategy and designing for mobile. Pro code for the road.
As a font developer, I spend a good chunk of each day coding in a text editor and reading output messages from a terminal window, so I can appreciate the importance of a good monospaced font. Of course there is no technical limitation to using monospaced fonts when coding, but it is a very useful convention. When the Brackets team reached out to us on the Adobe type team, asking if we could develop a coding font for their open source application, we thought it made sense to adapt Source Sans, which I was working on at the time. Personally, I felt that I could use this opportunity to create a coding font that I would want to use myself. What's your favorite code editor font?
Basically I have not been happy with most monospaced fonts. This one looks like it might be better than the ones I have used.
OK, I downloaded and installed the SourceSansPro font and tried it out.
It sucks at size 10! So I went through all the various monospaced fonts I currently had and finally found my favourite was... Consolas! The only problem with Consolas is that the l and the 1 are very similar, but I can forgive that one fault.
I use a size 10 font, so your results may vary. SourceSansPro appeared quite good at larger sizes, where it didn't seem so cramped. As a programmer, my indents need to be clear, and with Consolas I only need 3-character tab sizes; with SourceSansPro it would need 4, 5 or even 6.
I actually designed my own fixed font for editors (from scratch) about 18 years ago and it was only a couple of years back that I finally switched to Consolas.
- Life in the fast lane is only fun if you live in a country with no speed limits.
- Of all the things I have lost, it is my mind that I miss the most.
- I vaguely remember having a good memory...
I definitely like it. Will need to use it for a week or so to truly get used to it.
I'm in my late 40s and need to use larger fonts. With semi-bold I can use 1 font size smaller than in Courier New.
Thx!