Monday, February 18, 2013

ForSec/Sysadmin Super Linkfest

Yes indeed. I have been super-busy at home and work of late. Though the material keeps rolling in daily, my ability to get it out has been hampered a bit with “real-life” commitments.

So I’m taking advantage of a lull in the storm to dump my link hopper for your enjoyment and my reference.

Grab some snacks, make sure your wireless mouse is fed up on batteries and cheese, and settle in for some serious linkage dumping.

The Java/Flash Patch Cycle

In a sign of just how long it has been since I posted (and the activity that has transpired since mid-January) I submit the following. Note sarcasm attached.

Java SE 6 End of Public Updates
After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download.

So where does that leave us?

Remove Java? I doubt it. - Malware Analysis Blog. I did!

I actually have decided to remove Java SE from our home systems. I do like to run some Java apps but that is pretty rare so I will install, run, de-install Java as needed. Small price for system security.

In a bit of irony, shortly before drafting this blog-post statement, Lavie brought me her iPhone and iPod and told me she sent me a link to a band she follows. As a hard-core fan, she was treated to a free download of some tracks from the artist’s portfolio. She needed these added to her devices. When I followed the link to download the tracks on our system, I was presented with a dialog box to install Java SE. Turns out their download manager app uses Java SE. Nice. Install, download files, de-install Java again. I did notice it linked to the Java 7.13 bits. That’s something.

Sadly, I can’t get away with doing the same at work. We run a non-current release version of Java 6 as the “standard” at work. If you are running Java 7, automated auditing reports tattle on you, and you either have to justify your use of Java 7 or it will be auto-uninstalled and rolled back to the standard level of Java 6.

Sweet baby Jebus.

For home users who are non-technical (or are and just don’t have the time to follow the web-browser plugin patching game) I recommend popping in once a week to the Qualys BrowserCheck on each of their installed web-browsers. Maybe that way you can catch and patch dated versions fairly easily.

Why the Patching Fuss?

Failure to patch and run current versions of Java/Flash/<insert plugin here> (not to mention your OS) could lead to the following headaches, public shame and liability.

And you thought having someone guess your Yahoo password and use it to send spam was a headache.

Not software-based, but Amazon users are exploited also…

Saw these links this past week. Fascinating.

For the ForSec Crew

OMG! What an amazing number of posts and material from our ForSec experts! Especially timely after all these latest Java patching dramas we have been enjoying lately.

We pause for a PSA…

Network News of Late

Tools, Utilities and Treats for the SysAdmins

Bits and Pieces

Enjoy.

-- Claus Valca

2 comments:

FF Extension Guru said...

I have removed Java off my main computer at home. Need to keep it on the laptop though if I want to access our virtual network lab which uses Java. Finding plugin locations used to be fairly easy in Firefox, but that is about to change. You used to be able to go into about:config and set plugin.expose_full_path to true. Then go to about:plugins and the full path would be displayed. But starting with Firefox 21 changing this preference will not display the full path; see Bug 835969 for more info.

Bozo said...

Haven't completely uninstalled Java at home (we play a lot of Minecraft), but I have completely disabled Java browser plugins in FF/IE, etc. And we're up to Java 7.15 now.

At work, we have a lot of applications that use Java, including some browser-based. But at least they don't yell at us if we apply a more-recent, non-standard version. OTOH, if we use a non-standard version and the corporate application breaks, support consists of "please downgrade to the standard version".

Have you tried using "corporate security risk of outdated Java version" as the business justification for requesting an upgrade? Even if it's rejected, it seems like that would at least get the ball rolling on a "standard" version upgrade. Especially with the examples from FB, NYT, etc.