On Sat, 12 Jan 2013, Paul Gilmartin wrote:

> There's considerable chatter on the Net about recent Java security
> exploits:
>
> http://www.kb.cert.org/vuls/id/625617
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html
>
> I note that the CERT page thwarts IBM's policy of security-by-obscurity
> by publishing considerable detail. But is z/OS vulnerable? I suppose
> IBM won't say. We must just wait until and if IBM issues an APAR with
> conspicuously insufficient information. What is the provenance of z/OS
> Java? Is it maintained by Oracle (I suspect not), or by IBM from source
> code obtained from Oracle (on what terms?)
My very wild guess is, only if you run Java in a browser should you turn it off. In the case of apps written in Java, I don't see a problem as long as they don't make contact with problematic places on the net, and even then exploiting such an app is something very different from exploiting a browser. Well, um, yes and no, depending on how we look at it - the principles stay unchanged, but the exploit code would rather have to be different. So it would have required another CERT message, or I would expect them to say explicitly that both applets and apps are vulnerable. Just MHO.

> I wonder what happens if a JavaScript exposure requires browser
> suppliers to disable all JavaScript, and users are unable to get to
> PayPal?

No. I run with JavaScript turned off all the time. I only turn it on when I suppose it is ok (like, I don't think PayPal is very likely to hack on me) and the page would not work otherwise. There are browser add-ons that allow me to manage JS permissions per website - like NotScripts for Opera.

I like Opera, because I can easily turn various extra functions on and off by quick menu. So, when I want to watch video on y-tube, I turn plugins on; when I stop watching I turn them off and browse somewhere else. When I am very suspicious I check selected pages with text browsers, like lynx and w3m and elinks (usually only one of them).

Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:[email protected]                    **
