Security

Mac OS X Users Vulnerable To Major Java Flaw 306

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
GNU is Not Unix

Why Linux Is Not Yet Ready For the Desktop 1365

An anonymous reader writes "Every now and then a new- or old-media journalist tries to explain to everyone why Linux is not yet ready for the desktop. However all those men who graduated from their engineering universities years ago have only superficial knowledge about operating systems and their inner works. An unknown author from Russia has decided to draw up a list of technical reasons and limitations hampering Linux domination on the desktop." Some of the gripes listed here really resonate with me, having just moved to an early version of Ubuntu 9.10 on my main testing-stuff laptop; it's frustrating especially that while many seemingly more esoteric things work perfectly, sound now works only in part, and even that partial success took some fiddling.

Comment Re:Bull (Score 0) 830

You should go read the bug again. If applications keep on re-writing the same file again and again, they will lose data. Here it is for your benefit...

"So the difference between 5 seconds and 60 seconds (the normal time if you're writing huge data sets) isn't *that* big, but for certain crappy applications that apparently write huge numbers of small files in users' home directories. This appears to be the case for both GNOME and KDE. Since these applications are rewriting existing files, and are apparently doing so *frequently*, the chances that files will be lost is high."

https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/317781/comments/45

And calm down!!
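An added example, not from the bug thread or from the commenter above, showing in C the two rewrite patterns the quoted bug comment is contrasting. rewrite_in_place() is the pattern the bug is about: open with O_TRUNC, write, close, no fsync, so a crash during the delayed-allocation window leaves an empty file. atomic_replace() is the standard safe alternative: write to a temp file in the same directory, fsync it, rename it over the target, then fsync the directory. Function names, the PATH_MAX buffers and the /tmp path in main are my choices and assume a Linux/POSIX system.

```c
#define _GNU_SOURCE          /* O_DIRECTORY, mkstemp on older glibc (assumption: Linux/POSIX) */
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the whole buffer, retrying on short writes. Returns 0 on success, -1 on error. */
static int write_all(int fd, const char *data, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0) return -1;
        data += n;
        len -= (size_t)n;
    }
    return 0;
}

/* The pattern that loses data: truncate the existing file, write the new contents,
 * close. The truncate reaches the journal quickly; the new data sits in the page
 * cache until delayed allocation flushes it (tens of seconds). Crash in between
 * and the file is zero-length. Returns 0 on success, -1 on error. */
int rewrite_in_place(const char *path, const char *data, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = write_all(fd, data, len);
    close(fd);                          /* no fsync: contents exist only in memory */
    return rc;
}

/* Safe replacement: temp file next to the target, fsync so the bytes are on disk
 * before the rename, rename over the target (atomic on POSIX), fsync the directory
 * so the rename itself is durable. A reader after a crash sees either the complete
 * old file or the complete new one, never an empty one. Returns 0 or -1. */
int atomic_replace(const char *path, const char *data, size_t len) {
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);              /* created mode 0600 in the same directory */
    if (fd < 0) return -1;

    int ok = (write_all(fd, data, len) == 0) && (fsync(fd) == 0);
    if (close(fd) != 0) ok = 0;
    if (ok && rename(tmp, path) != 0) ok = 0;
    if (!ok) {
        unlink(tmp);                    /* leave no stray temp file behind */
        return -1;
    }

    /* Make the directory entry change durable as well. */
    char dirbuf[PATH_MAX];
    strncpy(dirbuf, path, sizeof dirbuf - 1);
    dirbuf[sizeof dirbuf - 1] = '\0';
    int dfd = open(dirname(dirbuf), O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    int rc = fsync(dfd);
    close(dfd);
    return rc;
}

/* Read up to cap bytes of a small file. Returns the byte count or -1. */
long read_file(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return (long)n;
}

int main(void) {
    const char *p = "/tmp/atomic_replace_demo.txt";   /* demo path, my choice */
    char buf[64];
    if (atomic_replace(p, "version-1", 9) == 0 && read_file(p, buf, sizeof buf) == 9)
        printf("atomic_replace wrote: %.9s\n", buf);
    if (rewrite_in_place(p, "v2", 2) == 0 && read_file(p, buf, sizeof buf) == 2)
        printf("rewrite_in_place wrote: %.2s (unsafe across a crash)\n", buf);
    unlink(p);
    return 0;
}
```

mkstemp() creates the temp file with mode 0600 and the caller's ownership; if the target's mode or owner matters, fstat() the old file and fchmod()/fchown() the temp before the rename. The fsync() before rename() is the part that matters for the bug being discussed: rename alone only reorders the metadata, it does not force the data out.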

Comment Re:Hey, why not just steal GPL code? (Score 1) 273

There was a certain pride associated with being an intellectual/creative/professorial person 300 years ago. Now, people are just out to screw each other. Blame overpopulation, blame materialism. Whatever.

Those that are not interested in money are ALREADY creating stuff and giving it away for free. A lot of times, this is like a hobby or something they do in their spare time. The number of people who are in it for the money hugely outweighs the others. It's just a fact of life.

Comment Re:UAC, what's the fuss. (Score 1) 496

Window messaging doesn't care what session a Window is in. How do I know? I've written software to do it

You cannot pass messages between sessions, otherwise you could mess with another user who was logged into ... y'know, his own session. This is such a basic fact that you probably should reevaluate how you learned Windows programming.

It's a GUID for hell sakes. They could have even made UAC look up the GUID action, but no, they just give you a GUID for details. Sorry, it's not a different philosophy, it's stupidity.

Huh? GUID action? There is no such thing. A GUID is simply a unique ID. It doesn't mean anything till someone gives it meaning. It has been used to identify COM objects, but that has nothing to do with specific actions.

Application developers can request elevation any time and Windows can't know what they are going to do with that elevation. Only the user can know that, because they chose to do a particular operation which led to the popup.

Obviously any program can mislead the user. The point is UAC is different from sudo. You can still get sudo-like functionality on Vista, it's just that it's of no use because, like I mentioned, it elevates the entire process. So you end up running all the current programs as admin anyway. With the UAC annoyance, MS took a huge PR hit so that app devs could fix the apps.

They added API calls that will request UAC elevation through dialogs - I am doubtful of such claims.

It's not even a claim. It's what they hope will happen. They don't know or claim to know how it's going to end up.

Comment Re:UAC, what's the fuss. (Score 1) 496

UAC is exploitable via the window messaging API, making it possible for malicious software to automatically accept UAC dialogs.

This is patently false. UAC dialogs are in their own session so you can't "OK" them programmatically.

UAC adds annoying dialogs for things like copy operations, one after another "You will need admini.." "needs to have admnistr.." "are you sure you want to copy to this protected syst..".

Ya, you forgot to say it's only for certain folders which contain program files. Do users on Linux typically copy to ~/bin or ~/sbin every day?

When kdesudo or gksudo pops up, it tells me the command it's executing, when UAC pops up... For example, when adjusting windows update settings:

There is a difference in philosophy here. UAC doesn't define a security boundary. Even if you OK ONE admin operation you might not want to OK another operation from the same program.

sudo basically gives the entire process admin rights and you're screwed if it does anything malicious.

Ya, UAC doesn't help if you just keep on clicking yes, so it's two different philosophies. It seems to me that MS took a gamble on some middle ground. They hope that application devs would fix apps so they wouldn't need the UAC popups, and then in the next Windows release they would make everyone by default a limited user and use something like sudo.

Comment Re:Why all the paranoia about executable code (Score 1) 206

One thing I've been curious about - on x86, is it possible to use the NX flag for things like embedded code?

Huh? The NX flag is already used by all the modern operating systems. If you enable Data Execution Prevention on XP SP2+, the OS will crash any app that tries to execute "data". (A simple instruction-pointer-on-heap check.)
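An added example, not from the commenter or from any OS vendor, showing what NX/DEP enforcement looks like from user space on Linux (or another POSIX system on x86-64 or AArch64). The bytes for a "return 42" function are constructed for the demo. Copied into a page mapped read-write, they cannot be executed: the MMU's execute permission on that page is what the CPU checks, so the process gets SIGSEGV (SIGBUS on some systems), which the demo catches. After mprotect() to read-execute, the identical bytes run and return 42. Function names and the sigsetjmp-based fault catching are my choices.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for a function that just returns 42 (constructed for this demo). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char RET42[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "this demo carries machine code only for x86 and AArch64"
#endif

typedef int (*fn_t)(void);
static sigjmp_buf fault_env;

/* On an NX fault the kernel delivers SIGSEGV (SIGBUS on some BSD/macOS); unwind back. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Call the code at p. Returns what it returns, or -1 if the CPU refused to execute it. */
static int try_call(void *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result = -1;
    if (sigsetjmp(fault_env, 1) == 0) {
        fn_t f;
        memcpy(&f, &p, sizeof f);   /* object pointer -> function pointer without a UB cast */
        result = f();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Copy RET42 into a fresh anonymous page and execute it.
 *   make_exec == 0: page stays PROT_READ|PROT_WRITE; with NX enforced returns -1.
 *   make_exec == 1: page is mprotect'ed to PROT_READ|PROT_EXEC first; returns 42.
 * Returns -2 if mmap/mprotect itself failed (e.g. a policy that forbids execmem). */
int exec_from_page(int make_exec) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, RET42, sizeof RET42);
    /* Keep the instruction cache coherent with the bytes just written (needed on AArch64). */
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET42);
    if (make_exec && mprotect(page, pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pg);
        return -2;
    }
    int r = try_call(page);
    munmap(page, pg);
    return r;
}

int main(void) {
    printf("call into RW page: %d (-1 means the NX fault was caught)\n", exec_from_page(0));
    printf("call into RX page: %d\n", exec_from_page(1));
    return 0;
}
```

The same mechanism is why a JIT or an "embedded code" loader has to either mprotect() its buffer to executable or mmap() it with PROT_EXEC in the first place: without that step the bytes are data to the MMU, whatever they contain. Hardened kernels or SELinux execmem policies may refuse the RW-to-RX transition, which the -2 return surfaces.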

Comment Re:A DRM ban clause should be added as a constitut (Score 0, Troll) 1127

This is what the OP defined it as

To control your entire machine, you do not have to write a single line of code. You just have to be able to choose which code gets executed on it.

This is such a loose definition that it would seem each and every operating system that supports kernel mode programming would fall under this category. You have 100% raw control on any OS in kernel mode. You can do anything you want if you understand the h/w specs and how to communicate with the h/w. There is nothing that can stop you. If you encounter DRM in the display driver, it's pretty simple - write your own kernel mode driver. (We already established the pre-req that you know how to speak to the h/w.)

I can choose to do whatever the hell I like with a linux system.

You can only do so _BECAUSE_ someone has already written the code (aka tools) necessary for you to execute certain modules/programs/patches/drivers whatever. You are still not in control. You're merely the Gate Keeper of what you let execute. This definition is very ambiguous. Unless you are in charge of the actual kernel mode process that interacts with the hardware all you're doing is handing over control to helper functions.

I have more trust in it because the code can be (and has been) seen by multiple people, I can inspect it and change it to do what I like.

Why are we heading towards a closed-open source argument? This is offtopic.

but by the sounds of it nobody is ever in control of a car (unless they built the engine, starting by smelting the iron ore)

Jeez. The engine/other car components are _NOT_ modifiable while the car is running. (Unless you chip your car or do something out of the ordinary, i.e. not what average consumers buy.)

OTOH, With computers you can decide anything from which pointers go into which register or which stack variable gets loaded when and where or how much memory a particular program should be able to access, each of these decisions is possible on the fly. You can unload a shared library if you don't like its location and rebase it in memory, etc. You get the picture.

Comment Re:A DRM ban clause should be added as a constitut (Score -1, Troll) 1127

Hmm.. then you're using an awfully funny definition of control.

Under your definition of control, you just choose what executes, but you have no control over what the piece of code actually does (since you didn't write it, how are you sure it does what it says it does?). If it does what it says it does, then all is good; if not, you just offloaded the trust onto a piece of code you didn't write and expect it to do the task X.
