
(Ars Technica)   Great news everyone: there's ANOTHER zero-day exploit for Java that wasn't patched in their latestest fix, and it's being sold online to hackers for a mere $5k   (arstechnica.com)

3107 clicks; posted to Geek » on 16 Jan 2013 at 2:53 PM (1 year ago)



70 Comments

Archived thread
 
2013-01-16 08:32:35 PM
StopLurkListen: The problem is, and I'm totally willing to admit it, that I have no idea what's a risk. Don't click on suspicious links in emails, even if I don't know the sender? Got it. Hey, why is my email app blocking *images* in emails, too? Don't tell me -- just displaying a picture in an email can do something malicious?

There was a bug in the JPEG libraries, so that reading a specially formed image would cause a buffer overrun and let an attacker run arbitrary code. But bugs like this are rare in the wild because of the technical difficulty involved.

The two real reasons (OTTOMH) for hiding images in your e-mail are that someone could be sending you a penis in e-mail, OR, the embedded image might refer to a web site (so that when your e-mail client loads the image from the HTTP server, the server can log that the image was read by a particular mail address).
 
2013-01-16 08:47:03 PM

lordargent: the embedded image might refer to a web site (so that when your e-mail client loads the image from the HTTP server, the server can log that the image was read by a particular mail address)


And since most email clients actually use an embedded web browser to display HTML, it can also set and retrieve tracking cookies.
 
2013-01-16 09:00:31 PM

lordargent: StopLurkListen: The problem is, and I'm totally willing to admit it, that I have no idea what's a risk. Don't click on suspicious links in emails, even if I don't know the sender? Got it. Hey, why is my email app blocking *images* in emails, too? Don't tell me -- just displaying a picture in an email can do something malicious?

There was a bug in the JPEG libraries, so that reading a specially formed image would cause a buffer overrun and let an attacker run arbitrary code. But bugs like this are rare in the wild because of the technical difficulty involved.

The two real reasons (OTTOMH) for hiding images in your e-mail are that someone could be sending you a penis in e-mail, OR, the embedded image might refer to a web site (so that when your e-mail client loads the image from the HTTP server, the server can log that the image was read by a particular mail address).


Well, there's also the fact that for HTML email, many images have names something like http://server.whatever/SOMETHING_uniquecharacterstringcreatedjustforhisrecipient.jpg, so when the server sees that URL come in, it knows that recipient got the email. Some people don't like being tracked. I'm a bit miffed that while gmail generally allows you to block that shait, they've apparently sold a bypass for that opt out for places like Sam's Club. I get their images whether I have images off or not.

Using SMTP and POP3 to do my gmail stuff is starting to look better and better.
 
2013-01-16 09:28:04 PM
I'm keeping Java installed; I'm just disabling the web plugin for it. I need to run Java standalone applications, but I have no need for Java web applications. And that's the security concern.
 
2013-01-16 10:03:06 PM
Vlad_the_Inaner: Well, there's also the fact that for HTML email, many images have names something like http://server.whatever/SOMETHING_uniquecharacterstringcreatedjustforhisrecipient.jpg, so when the server sees that URL come in, it knows that recipient got the email. Some people don't like being tracked. I'm a bit miffed that while gmail generally allows you to block that shait, they've apparently sold a bypass for that opt out for places like Sam's Club. I get their images whether I have images off or not.

Bingo,

// Then they can tie that ID into an IP address. Sure the IP address might eventually change, so ... they would have to send you another e-mail with image (using the same ID in the SRC as before).
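The tracking-image mechanism the last few comments describe (a per-recipient token baked into an image URL, fetched when the message renders, then tied to an address and an IP) is exactly what a mail client's "block remote images" setting defends against. The following is an added example, not code from the thread or from any mail client it mentions: it scans a constructed HTML message for remote `<img>` sources, flags the ones that look like per-recipient beacons (a long high-entropy path or query token, or a 1x1 / hidden image), and shows the defensive rewrite that neutralises them. The hostnames, token and the `data-blocked-src` attribute name are all assumptions made up for the demo.

```python
"""
Added example (not from the Fark thread): offline scanner for remote-image
tracking beacons in an HTML email body, plus the "block remote images" rewrite.
"""
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; hostnames and the hex token are invented.
SAMPLE_EMAIL = """
<html><body>
<p>Your weekly offers</p>
<img src="https://mail.example-shop.test/o/9f2c7e1a4b8d3c5e6f7a8b9c0d1e2f3a.jpg" width="1" height="1" alt="">
<img src="https://cdn.example-shop.test/img/banner.png" width="600" height="200" alt="Banner">
<img src="cid:logo@example-shop.test" alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<img src="http://example-shop.test/u/unsubscribe?id=abc123" alt="">
</body></html>
"""


def _entropy_bits_per_char(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_unique_token(url: str) -> bool:
    """Heuristic: any path segment or query value that is long and random-looking
    (>= 16 chars, >= 3 bits/char) is treated as a per-recipient identifier."""
    parsed = urlparse(url)
    candidates = [seg for seg in parsed.path.split("/") if seg]
    candidates += [part for part in re.split(r"[&;]", parsed.query) if part]
    for cand in candidates:
        cand = cand.split("=", 1)[-1]                     # keep the query value
        cand = re.sub(r"\.[A-Za-z0-9]{2,4}$", "", cand)   # drop .jpg / .gif
        if len(cand) >= 16 and _entropy_bits_per_char(cand) >= 3.0:
            return True
    return False


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag (self-closing or not)."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_remote_images(html: str) -> list:
    """Return one record per <img> whose src is fetched over http(s).
    cid: and data: sources are local to the message and are ignored."""
    parser = _ImgCollector()
    parser.feed(html)
    records = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = (attrs.get("width") == "1" and attrs.get("height") == "1") \
            or "display:none" in style or "visibility:hidden" in style
        unique = looks_like_unique_token(src)
        records.append({
            "src": src,
            "host": parsed.hostname,
            "unique_token": unique,
            "tiny": tiny,
            "tracker": unique or tiny,   # either signal is enough to flag it
        })
    return records


def strip_remote_images(html: str) -> str:
    """The defensive rewrite a client applies when remote images are blocked:
    rename remote src attributes so nothing is fetched until the user opts in."""
    def _rewrite_tag(match):
        tag = match.group(0)
        return re.sub(r'(?<![-\w])src\s*=\s*(["\'])(https?://[^"\']*)\1',
                      r'data-blocked-src=\1\2\1', tag, flags=re.I)
    return re.sub(r"<img\b[^>]*>", _rewrite_tag, html, flags=re.I)


if __name__ == "__main__":
    for rec in find_remote_images(SAMPLE_EMAIL):
        flag = "TRACKER" if rec["tracker"] else "remote "
        print(f"{flag}  {rec['host']:<28} {rec['src']}")
```

Run as a script it lists the three remote images and flags only the 1x1 hex-token beacon; the CDN banner and the unsubscribe link are remote but carry no per-recipient signal under these heuristics. The rewrite leaves message-internal `cid:` and `data:` images untouched, which is why image blocking does not break an embedded logo.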
 
2013-01-16 10:28:13 PM
The next 'Religious War' will be over which programming language is superior.

Many a geek will die to improvised broomstick lightsabers painted dayglow red.
 
2013-01-16 10:36:59 PM
I disabled Java in Google Chrome (my primary browser), but kept it in IE, which I only open to play games in Pogo. I'm giving EA a month to come up with a solution before canceling my subscription.
 
2013-01-16 10:56:01 PM

nmemkha: The next 'Religious War' will be over which programming language is superior.


That war will have an obvious conclusion: (= (> LISP (all-other-languages)) true).
 
2013-01-16 11:14:28 PM

t3knomanser: nmemkha: The next 'Religious War' will be over which programming language is superior.

That war will have an obvious conclusion: (= (> LISP (all-other-languages)) true).


I see your nefarious scheme there
 
2013-01-17 12:15:53 AM
JAVA - Just Another Vulnerability Announced.
 
2013-01-17 12:29:46 AM
I have to use Java at work for our soft-proofing and PDF upload system. Not too thrilled about that.
 
2013-01-17 12:55:52 AM

Vlad_the_Inaner: lordargent: StopLurkListen: The problem is, and I'm totally willing to admit it, that I have no idea what's a risk. Don't click on suspicious links in emails, even if I don't know the sender? Got it. Hey, why is my email app blocking *images* in emails, too? Don't tell me -- just displaying a picture in an email can do something malicious?

There was a bug in the JPEG libraries, so that reading a specially formed image would cause a buffer overrun and let an attacker run arbitrary code. But bugs like this are rare in the wild because of the technical difficulty involved.

The two real reasons (OTTOMH) for hiding images in your e-mail are that someone could be sending you a penis in e-mail, OR, the embedded image might refer to a web site (so that when your e-mail client loads the image from the HTTP server, the server can log that the image was read by a particular mail address).

Well, there's also the fact that for HTML email, many images have names something like http://server.whatever/SOMETHING_uniquecharacterstringcreatedjustforhisrecipient.jpg, so when the server sees that URL come in, it knows that recipient got the email. Some people don't like being tracked. I'm a bit miffed that while gmail generally allows you to block that shait, they've apparently sold a bypass for that opt out for places like Sam's Club. I get their images whether I have images off or not.

Using SMTP and POP3 to do my gmail stuff is starting to look better and better.


thanks, guys, I learned something new today.
 
2013-01-17 02:17:42 AM

Generation_D: Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.

I was told repeatedly by Java developers that the sandbox is secure.


And I was told there'd be no math. Lying bastards
 
2013-01-17 08:39:44 AM
i.qkme.me
 
2013-01-17 10:08:50 AM

StopLurkListen: Vlad_the_Inaner: lordargent: StopLurkListen: The problem is, and I'm totally willing to admit it, that I have no idea what's a risk. Don't click on suspicious links in emails, even if I don't know the sender? Got it. Hey, why is my email app blocking *images* in emails, too? Don't tell me -- just displaying a picture in an email can do something malicious?

There was a bug in the JPEG libraries, so that reading a specially formed image would cause a buffer overrun and let an attacker run arbitrary code. But bugs like this are rare in the wild because of the technical difficulty involved.

The two real reasons (OTTOMH) for hiding images in your e-mail are that someone could be sending you a penis in e-mail, OR, the embedded image might refer to a web site (so that when your e-mail client loads the image from the HTTP server, the server can log that the image was read by a particular mail address).

Well, there's also the fact that for HTML email, many images have names something like http://server.whatever/SOMETHING_uniquecharacterstringcreatedjustforhisrecipient.jpg, so when the server sees that URL come in, it knows that recipient got the email. Some people don't like being tracked. I'm a bit miffed that while gmail generally allows you to block that shait, they've apparently sold a bypass for that opt out for places like Sam's Club. I get their images whether I have images off or not.

Using SMTP and POP3 to do my gmail stuff is starting to look better and better.

thanks, guys, I learned something new today.


I wouldn't go running SMTP myself anymore.
 
2013-01-17 10:10:34 AM

gingerjet: Because there are no security issues with .NET. Absolutely none whatsoever.


But at least your framework will have been designed with large data sets in mind and not natively leak memory like sperm from a $5 hooker.
 
2013-01-17 10:46:50 AM

StoPPeRmobile: Using SMTP and POP3 to do my gmail stuff is starting to look better and better.

thanks, guys, I learned something new today.

I wouldn't go running SMTP myself anymore


It's not that bad, I use an SMTP server to forward my linux email to an ISP server via a smarthost route.

Your big problem would be that most blacklists list the subnets that most ISPs allocate dynamic IP addresses out of. So many mail receivers would reject you as a probable spammer.

In any case, I was referring to accessing Gmail via means other than its web interface. It supports that at the moment. ( I suppose google could wreck that too)

Enabling POP in Gmail

/hmm, Gmail's help system seems to be pushing IMAP more than SMTP. I hope that's not a bad omen
 
2013-01-17 12:59:50 PM

lordargent: Shazam999: Java is so much more than a "programming language", it is an actual platform where you can do all sorts of things.

Ahh "What is Java" That's an age old question.

Well, you've got your JDK, your JRE, your JVM and your JIT compiler. Throw in some Java cards, some Java Beans, some Java applets and things get a little ME,SE,EE.


It's nice you have your own reply method, but that means that when you reply to us, we don't get the handy notification email.
 
2013-01-17 02:21:31 PM

uncoveror: Are there any websites or programs that still need Java? Uninstall it already.


My gf is in grad school and one of her courses is an online night course - a lot of the students were grousing because the blackboard system requires Java. She just enables it for 2 hours once a week and disables the rest of the time, but I wish they had an alternative.

Stories like this make me more worried for my tech-illiterate family members who click stupid shiat in emails.
 
2013-01-17 06:06:03 PM

lordargent: Supes : If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.

I would like to see some modern language that supersedes it.

As a developer, Java was great in concept. But in implementation, it seemed like a giant PITA to me (coming from a perl/C background).

We need a modern language and tools that make it much easier for the programmer to develop code.

Anyone that's dealt with maven when it shiats itself on your project for no particular reason can attest to this.

// If I never see another java stack trace or have to edit a POM file by hand again, it will still be too soon.


C# on top of ASP.NET 4.0, with client side JavaScript here and there, is my code nirvana... after 20 solid years in C, C++, and the STL.

There's no going back, it's like buying a microwave oven for the first time.
 
Displayed 20 of 70 comments

This thread is archived, and closed to new comments.