Re: [FD] Java 8u40 released: why?
Nick,

Nowhere in the quoted text or my comments did it say it was a forced option, only that it "appeared" in the update; this thread started with questions as to whether there were any actual changes with the version bump, and I was offering a possibility.

James

On 8 March 2015 at 9:07:41 am, Nick FitzGerald (n...@virus-l.demon.co.uk) wrote:

> James Hodgkinson wrote:
>
> > Maybe the major change is that they're including the Ask toolbar in all releases now, not just the windows one? :)
>
> Indeed!
>
> > The unwelcome Ask extension shows up as part of the installer if a Mac user downloads Java 8 Update 40 for the Mac. In my tests on a Mac running that latest release of OS X, the installer added an app to the current browser, Chrome version 41...
>
> So you did not notice the explanation that this would happen, right there on the continue the install permission dialog? The one we can see a screenshot of at, say:
>
> https://grahamcluley.com/2015/03/oracle-java-mac/
>
> Your description rather strongly implies that you have no choice in getting the Ask toolbar, which is untrue. I understand that Mac users will likely not be _accustomed_ to such permissions for _additional_ software, over and above the actual software that they thought they were installing, being requested, BUT unlike your description above and Ed Bott's at ZDNet (referenced in another post in this thread), the user is actually given the choice to not install the extra offer.
>
> Of course, questions as to the desirability of the option being pre-selected, and the possibly less than fully transparent directions about the necessity of the offer are much the same with the Mac version and the Windows version, whose permission dialog you can see here:
>
> http://i.imgur.com/82Tp2pp.png?1
>
> Regards,
>
> Nick FitzGerald

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Re: [FD] Java 8u40 released: why?
On 2015-03-07 15:00, Nick FitzGerald wrote:

> So you did not notice the explanation that this would happen, right there on the continue the install permission dialog? The one we can see a screenshot of at, say:
>
> https://grahamcluley.com/2015/03/oracle-java-mac/
>
> Your description rather strongly implies that you have no choice in getting the Ask toolbar, which is untrue. I understand that Mac users will likely not be _accustomed_ to such permissions for _additional_ software, over and above the actual software that they thought they were installing, being requested, BUT unlike your description above and Ed Bott's at ZDNet (referenced in another post in this thread), the user is actually given the choice to not install the extra offer.
>
> Of course, questions as to the desirability of the option being pre-selected, and the possibly less than fully transparent directions about the necessity of the offer are much the same with the Mac version and the Windows version, whose permission dialog you can see here:

Unfortunately for Apple and for Mac users in general, Mac users are going to have to learn that the main security issue on Windows exists in OSX too: the user.

The only real thing that has kept OSX safe from user-installed malware until now is the relative obscurity of OSX; as OSX gains enough market share to be worth malware authors' time, we'll see more and more malware, ranging from bundleware that replaces user preference with a particular corporate interest, right up to full-on trojans.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [FD] Java 8u40 released: why?
Java 8u40 includes adware on OS X for the first time ever:

http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/

Sorry for the poor quality of the link; I don't have time to find a better one.

— Alex

On 06/03/2015, at 21:02, paul.sz...@sydney.edu.au wrote:

> > I notice that Java (JDK, JRE) update 8u40 has been released. Though
> > http://www.oracle.com/technetwork/java/javase/downloads/index.html
> > says this release includes important security fixes ...
>
> > My reading of the first WWW page is that only Java SE 7 u75/76 contains security fixes and that there are no security fixes in Java SE 8 u40.
>
> Yes, they changed the wording since I wrote that! Noting that 7u75/76 are not new now, but were released in January.
>
> Seems that 8u40 is simply a usability release; previous must have been very bad, unusual that Oracle would release out-of-band.
>
> Thanks, Paul
>
> Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
Re: [FD] Java 8u40 released: why?
On 03/ 6/15 12:02 PM, paul.sz...@sydney.edu.au wrote:

> > I notice that Java (JDK, JRE) update 8u40 has been released. Though
> > http://www.oracle.com/technetwork/java/javase/downloads/index.html
> > says this release includes important security fixes ...
>
> > My reading of the first WWW page is that only Java SE 7 u75/76 contains security fixes and that there are no security fixes in Java SE 8 u40.
>
> Yes, they changed the wording since I wrote that! Noting that 7u75/76 are not new now, but were released in January.
>
> Seems that 8u40 is simply a usability release; previous must have been very bad, unusual that Oracle would release out-of-band.

Java 8u40 is a feature release that's been planned for almost a year, not a special out of band bug fix release.

http://openjdk.java.net/projects/jdk8u/releases/8u40.html
https://blogs.oracle.com/thejavatutorials/entry/jdk_8u40_released

--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
Re: [FD] Java 8u40 released: why?
Maybe the major change is that they're including the Ask toolbar in all releases now, not just the windows one? :)

The unwelcome Ask extension shows up as part of the installer if a Mac user downloads Java 8 Update 40 for the Mac. In my tests on a Mac running that latest release of OS X, the installer added an app to the current browser, Chrome version 41 …

James

On 7 March 2015 at 7:39:32 am, Guy Dawson (g.daw...@crossflight.com) wrote:

> My reading of the first WWW page is that only Java SE 7 u75/76 contains security fixes and that there are no security fixes in Java SE 8 u40.
>
> On 4 March 2015 at 01:23, paul.sz...@sydney.edu.au wrote:
>
> > I notice that Java (JDK, JRE) update 8u40 has been released. Though
> > http://www.oracle.com/technetwork/java/javase/downloads/index.html
> > says this release includes important security fixes, the release notes
> > http://www.oracle.com/technetwork/java/javase/8u40-relnotes-2389089.html
> > says the security baseline is 1.8.0_31 (unchanged). I do not notice any major usability issues fixed.
> >
> > So: why this out-of-band release?
> >
> > Thanks, Paul
> >
> > Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> > School of Mathematics and Statistics University of Sydney Australia
>
> --
> *Guy Dawson*
> IT Operations Manager
> Crossflight Limited, Calder Way, Colnbrook, SL3 0BQ
> *T* +44 (0) 1753 776104 | *W* crossflight.com
Re: [FD] Java 8u40 released: why?
James Hodgkinson wrote:

> Maybe the major change is that they're including the Ask toolbar in all releases now, not just the windows one? :)

Indeed!

> The unwelcome Ask extension shows up as part of the installer if a Mac user downloads Java 8 Update 40 for the Mac. In my tests on a Mac running that latest release of OS X, the installer added an app to the current browser, Chrome version 41...

So you did not notice the explanation that this would happen, right there on the continue the install permission dialog? The one we can see a screenshot of at, say:

https://grahamcluley.com/2015/03/oracle-java-mac/

Your description rather strongly implies that you have no choice in getting the Ask toolbar, which is untrue. I understand that Mac users will likely not be _accustomed_ to such permissions for _additional_ software, over and above the actual software that they thought they were installing, being requested, BUT unlike your description above and Ed Bott's at ZDNet (referenced in another post in this thread), the user is actually given the choice to not install the extra offer.

Of course, questions as to the desirability of the option being pre-selected, and the possibly less than fully transparent directions about the necessity of the offer are much the same with the Mac version and the Windows version, whose permission dialog you can see here:

http://i.imgur.com/82Tp2pp.png?1

Regards,

Nick FitzGerald
Re: [FD] Java 8u40 released: why?
Alan Coopersmith alan.coopersm...@oracle.com wrote (and he should know!):

> Java 8u40 is a feature release that's been planned for almost a year, not a special out of band bug fix release.
>
> http://openjdk.java.net/projects/jdk8u/releases/8u40.html
> https://blogs.oracle.com/thejavatutorials/entry/jdk_8u40_released

My observation in the past was that Java updates came with the rest of the quarterly CPU cycle. Was that wrong, has something changed?

Thanks, Paul

Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Re: [FD] Java 8u40 released: why?
> > I notice that Java (JDK, JRE) update 8u40 has been released. Though
> > http://www.oracle.com/technetwork/java/javase/downloads/index.html
> > says this release includes important security fixes ...
>
> My reading of the first WWW page is that only Java SE 7 u75/76 contains security fixes and that there are no security fixes in Java SE 8 u40.

Yes, they changed the wording since I wrote that! Noting that 7u75/76 are not new now, but were released in January.

Seems that 8u40 is simply a usability release; previous must have been very bad, unusual that Oracle would release out-of-band.

Thanks, Paul

Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Re: [FD] Java 8u40 released: why?
I'd be interested in that, too.

In case this out-of-band release is about an important security fix, then either this is something new (details still to be disclosed), or it is associated with CVE-2014-6593 (e.g. incomplete or buggy fix in the January release)? The details (named as SKIP-TLS) had been disclosed just this week along with the FREAK attack (see https://www.smacktls.com/#skip). Former descriptions of CVE-2014-6593 only indicated a failure to properly check the ChangeCipherSpec in the TLS connection handshake; but apparently - esp. on client side - much more could go wrong in former JSSE implementations.

Maybe someone involved in openJDK could tell more...

Gsunde

On 04.03.2015, 02:23 paul.sz...@sydney.edu.au wrote:

> I notice that Java (JDK, JRE) update 8u40 has been released. Though
> http://www.oracle.com/technetwork/java/javase/downloads/index.html
> says this release includes important security fixes, the release notes
> http://www.oracle.com/technetwork/java/javase/8u40-relnotes-2389089.html
> says the security baseline is 1.8.0_31 (unchanged). I do not notice any major usability issues fixed.
>
> So: why this out-of-band release?
>
> Thanks, Paul
>
> Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
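The "failure to properly check the ChangeCipherSpec" mentioned above is a handshake state-machine problem: a client that accepts handshake messages in any order can be walked to Finished without the key change ever happening. The toy model below is an added example, not code from the thread or from JSSE; it assumes a simplified TLS 1.2 RSA handshake (server-to-client messages only, constructed transcripts) and contrasts a client that enforces the message order with one that accepts any known message type.

```python
from dataclasses import dataclass

# Server-to-client messages of a TLS 1.2 RSA handshake without client
# authentication, in the order the client must receive them (simplified model;
# the client's own ClientKeyExchange/CCS/Finished flight is left out).
SERVER_FLOW = ("ServerHello", "Certificate", "ServerHelloDone",
               "ChangeCipherSpec", "Finished")

class HandshakeError(Exception):
    pass

@dataclass
class ClientHandshake:
    strict: bool = True        # True: enforce order; False: accept any known type
    position: int = 0          # index into SERVER_FLOW of the next expected message
    keys_active: bool = False  # set only once ChangeCipherSpec has been processed
    complete: bool = False

    def receive(self, msg: str) -> None:
        if msg not in SERVER_FLOW:
            raise HandshakeError(f"unknown handshake message {msg!r}")
        if self.strict:
            if self.position >= len(SERVER_FLOW):
                raise HandshakeError("handshake already complete")
            expected = SERVER_FLOW[self.position]
            if msg != expected:
                raise HandshakeError(f"expected {expected}, got {msg}")
            self.position += 1
        if msg == "ChangeCipherSpec":
            self.keys_active = True
        if msg == "Finished":
            # Finished should be the first record under the new keys; a permissive
            # state machine marks the handshake done whether or not keys changed.
            self.complete = True

def run(messages, strict=True):
    """Feed a server transcript to a client; return (accepted, keys_active, reason)."""
    hs = ClientHandshake(strict=strict)
    try:
        for m in messages:
            hs.receive(m)
    except HandshakeError as err:
        return False, hs.keys_active, str(err)
    return hs.complete, hs.keys_active, "ok" if hs.complete else "incomplete"

# Constructed transcripts: a normal flow, and one where the server jumps from
# ServerHello straight to Finished, skipping Certificate, ServerHelloDone and CCS.
NORMAL = list(SERVER_FLOW)
SKIPPED = ["ServerHello", "Finished"]
```

With `strict=False` the skipped transcript is reported as accepted while `keys_active` stays False, which is the condition a strict state machine must refuse.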