Spacenexus
Reading articles around the Java Zero Day Flaw (http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/), it would be useful to hear from The Brain team what their recommendations are.

There are recommendations to disable Java until this is fixed, but that would clearly put a hold on Brain usage.

Any thoughts?

Jim

@200229:
TB8022 32bit
Java 32bit Version 8 Update 141

Testing 11.0.60.0

Firefox, Office 2013 Pro Plus 32bit
64bit Win10Pro
64bit Primary Laptop, 8GB RAM, Intel Core i7
64bit Secondary Laptop, 64GB RAM, Intel Xeon E3
Brain user since 1997
zenrain
The solution is to disable Java plug-ins in our web browsers: http://www.kb.cert.org/vuls/id/625617
Not Java running on the computer. Unfortunately most media outlets don't seem to know there's a difference so I had to go to the source to figure that out. /sigh

Also, for those of us running OS X, you may have seen this and worried that it affects using TheBrain. It doesn't; Apple has just disabled the plugins.
It would have affected WebBrains, had they not made the change to HTML 5. As it is, WebBrains work just fine also.
macOS 10.14.6
TheBrain 11.0.119
Visnet
Zenrain,

I trust your answer is the right answer.

What worries me is that there is no statement or answer in this thread from TheBrain personnel to clarify their point of view here.

As if they do not really care about this security issue.

Regards,

Wim
Pinky
Visnet wrote:
Zenrain,

I trust your answer is the right answer.

What worries me is that there is no statement or answer in this thread from TheBrain personnel to clarify their point of view here.

As if they do not really care about this security issue.

Regards,

Wim

----------------
=> Harlan <=

Harlan, are you out there???

Can you address this important issue for your users?

------
Pinky
pthompson
Hello All,

I have checked with our engineers and developers (including Harlan) and, just as the article zenrain linked to explains (http://www.kb.cert.org/vuls/id/625617), this "issue" does not affect standalone Java applications.

From the article: 

Quote:

Description

The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin.

Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.

Solution

Apply an update

Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.

This issue has also been addressed in IcedTea versions 2.1.4, 2.2.4, and 2.3.4.

Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.
Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation.
System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.

Restrict access to Java applets

Network administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to .jar and .class files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet.
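The proxy-rule mitigation the CERT note describes (allow Java requests to the local intranet, block them to internet destinations) can be expressed as a small policy check. The script below is an added example and is not code from CERT, TheBrain or the original post; the intranet ranges, the corporate domain suffix, the one-line proxy log format and the sample log lines are all constructed assumptions, and the only page-derived facts are the .jar/.class extensions and the JRE's "Java/<version>" User-Agent.

```python
"""Policy check for the CERT note's proxy rule: Java requests (.jar/.class URLs
or a Java User-Agent) are allowed to intranet hosts and blocked elsewhere."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed intranet definition (assumption, not from the page):
# RFC 1918 ranges plus a corporate DNS suffix.
INTRANET_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTRANET_SUFFIX = ".corp.example"

JAVA_UA = re.compile(r"^Java/\d")   # the JRE's default User-Agent starts with "Java/<version>"
JAVA_EXT = (".jar", ".class")       # applet code the note suggests filtering on


def is_intranet(host: str) -> bool:
    """True for a private IP or a host under the corporate suffix."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTRANET_NETS)
    except ValueError:  # not an IP literal, so treat it as a DNS name
        return host.lower().endswith(INTRANET_SUFFIX)


def is_java_request(url: str, user_agent: str) -> bool:
    """A request is 'Java' if it fetches applet code or comes from the JRE."""
    path = urlsplit(url).path.lower()
    return path.endswith(JAVA_EXT) or bool(JAVA_UA.match(user_agent))


def decide(url: str, user_agent: str) -> str:
    """Return 'allow' or 'block' for one proxied request."""
    if not is_java_request(url, user_agent):
        return "allow"
    host = urlsplit(url).hostname or ""
    return "allow" if is_intranet(host) else "block"


# Constructed sample proxy log, one request per line: "<client> <method> <url> <user-agent>".
SAMPLE_LOG = """\
192.168.1.20 GET http://intranet.corp.example/apps/ledger.jar Java/1.7.0_11
192.168.1.20 GET http://10.0.5.3/lib/Main.class Mozilla/5.0
192.168.1.21 GET http://evil-ads.example.net/x/applet.jar Java/1.7.0_10
192.168.1.22 GET http://cdn.example.com/update.json Java/1.7.0_11
192.168.1.23 GET http://www.example.com/index.html Mozilla/5.0
"""


def evaluate_log(text: str) -> list:
    """Apply the policy to every log line; returns (url, decision) pairs."""
    results = []
    for line in text.splitlines():
        _client, _method, url, ua = line.split(" ", 3)
        results.append((url, decide(url, ua)))
    return results


if __name__ == "__main__":
    for url, verdict in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:5} {url}")
```

Note that the fourth sample line is blocked purely on its User-Agent even though it fetches a .json file, which is the behaviour the note's "Java User-Agent" filter implies; adjust the rule if legitimate JRE-based update clients need internet access.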

 