A Hardware and Software Firewall Combination (I got Hacked!)

I have Version 1.5.0 (build 1.5.0_08-b03), and when I run Update, I'm told I have the latest version. Where's 5.1.09?

Tom

Reply to
Tom Hall

as always:

But thanks for the hint. Release 09 was a bit strange, because via Google you could find a direct download, but nothing was stated on the website, nor was it visible at the Sun Download Center. Then, when a release note appeared, nothing was said about the JDK download, and one really had to wait for it. And now it seems even the update database is way behind.

Reply to
Sebastian Gottschalk

Gentlemen,

It doesn't matter whether you have the latest version of Java/JRE or not. What matters is that you have removed the previous versions known to be vulnerable. The Java installers will not do that for you. You have to do it manually.

IIUC, at some point this scenario is/was supposed to change. Whether it has or not, I do not know. I don't use Java. But this is how I understand the situation from posts by those supposedly in the know.

Ron :)

Reply to
Ron Lopshire
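The check Ron describes above (the newest release being installed does not mean the older builds are gone) as an added example that is not part of the original thread. The inventory list and the per-family baseline numbers are constructed for illustration; the 1.5.0 value follows the "Release 09" mentioned earlier in the thread, and the 1.4.2 value is a placeholder to be taken from the vendor's advisory.

```python
import re

# Minimum acceptable update level per Java family (constructed values).
BASELINE = {"1.5.0": 9, "1.4.2": 13}

# Constructed inventory, e.g. copied by hand from the installed-programs list.
INSTALLED = ["1.5.0_08-b03", "1.5.0_09", "1.4.2_06", "1.6.0-beta", "1.3.1_15"]

# family "1.5.0", optional update "_08", optional qualifier "-b03" / "-beta"
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:_(\d+))?(?:-(.+))?$")


def parse(version):
    """Split '1.5.0_08-b03' into ('1.5.0', 8, 'b03')."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    family, update, qualifier = m.groups()
    return family, int(update or 0), qualifier


def audit(installed, baseline):
    """Map each installed version to 'ok', 'outdated' or 'review'.

    Each family (1.4.2, 1.5.0, ...) has its own update train, so a build is
    compared only against the baseline of its own family. Families without
    a known baseline (betas, retired lines) are flagged for manual review.
    """
    verdicts = {}
    for version in installed:
        family, update, _ = parse(version)
        if family not in baseline:
            verdicts[version] = "review"
        elif update < baseline[family]:
            verdicts[version] = "outdated"
        else:
            verdicts[version] = "ok"
    return verdicts


if __name__ == "__main__":
    for version, verdict in audit(INSTALLED, BASELINE).items():
        print(f"{version:15} {verdict}")
```
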

Firefox uses only the most recent version of Java by default, so it doesn't care about any old versions installed.

Rather not. It's good to be able to have multiple versions of Java (f.e. 1.5, 1.4.2 and 1.6 Beta) running in parallel.

Java is a quite common runtime for many applications. Even OpenOffice uses it, and this one is rather unavoidable on a typical workstation.

Reply to
Sebastian Gottschalk

It is my understanding, Sebastian, that that is not the point. Vulnerable versions of Java/JDK/JRE _must_ be removed in order to mitigate the vulnerability, irrespective of which versions are actually used. As I said, I am relying on the advice of Java aficionados. I don't use it.

I don't understand that at all. Perhaps an official release and a Beta version for testing purposes, but other than that, why? It reminds me of Adobe Acrobat. Almost none of the documents produced with early versions (>I don't use Java.

None that I use. Nothing against Java, per se, but I currently don't need it. That is why I uninstalled it. Got tired of updating it every couple of months due to the incompetence of the Sun developers. If I had a need for Java, I would re-install it and keep it updated. I got rid of the .NET Framework for the same reasons.

I haven't tried OOo since I have Office 2003 installed. It is my understanding that the VBA and VBIDE support in OOo absolutely sucks, and VBA for Excel and Access are the only things that I need anyway.

I have spent over 10 years developing my Excel apps, and by the time I ported them into another app and/or platform, I would be dead anyway. I rue the day that I ever decided to use Excel, but that is neither here nor there. I am stuck with it.

Ron :)

Reply to
Ron Lopshire

Could it be that you're twisting the JVM being used in general and the embedding as for browsers? Of course, a single user on the machine can launch an old JVM, run an application of his choice, this one gets broken in and then the attacker can break out of the sandbox due to the vulnerabilities. That doesn't mean that any web browser will allow you to start any different JVM than the one he already selected - which is the most recent one.

There are still some software packages that have problems with Java 1.5, and this is due to some problems with backward compatibility. (F.e. semantics of the 'volatile' keyword).

After all, as long as 1.4 gets supported, it's not bad.

Ok, then we should stop talking about security. Or serious software.

Well, but that's not it. As long as the MS pseudo-Office suite doesn't support OpenDocument, you need an additional word processor that does support it. On Windows, OpenOffice is the only usable free alternative (not gonna talk about AbiWord, it sucks).

Reply to
Sebastian Gottschalk

As I said, I don't know. I would be interested in whether this is a POC, or someone has actually been exploited by keeping an older, vulnerable version around.

I see. Once Sun stops supporting 1.4, it's out of here. [g]

I told you that I rue the day. ;)

Excel 5-7 were great apps. And then the idiots added ActiveX, HTML help, VBIDE and a whole bunch of other crap that I haven't even found yet. Why I need access to my internet connection from a spreadsheet only the marketing clowns in Redmond know. I try to keep it (the Office Suite) locked down, but you never know. BTW, I wouldn't even consider using Outlook. And IE only to update the OS and Office Suite.

IMNSHO, Notepad Editor is a better word processing app than any version of MS Word that has ever been or ever will be released. I use MS Word only when absolutely necessary, and that usually involves kicking and screaming.

BTW, I never understood what all of the MS-bashing was about until I bought a WinXP box and installed Office 2003 Professional. Now I know.

Ron :)

Reply to
Ron Lopshire

Just curious: which Notepad Editor are you talking about? TIA.

Reply to
Tore Lund

I assume the one which ships with Windows. The single-threaded one, that can't receive a drag-and-drop while outputting to the printer queue. The one, that stores "this app can break", but when loaded again, just outputs either Chinese chars or garbage (if no matching font is installed).

But at least it doesn't forget the text's formatting at runtime, doesn't need hours to search some few 10000 lines (still takes pretty long), and offers a non-volatile storage format by default (.doc is merely a serialized memory dump - no joke!). So it's really less broken than MS Office.

Reply to
Sebastian Gottschalk

Maybe, but Ron said it was better than MS Word, so I supposed he meant some other editor.

Reply to
Tore Lund

Other than those people pointing out what software you shouldn't be using (and they're making good suggestions, most of them), I think there are some simple ideas to take away from this:

1) Most of the devices sold to home users as "firewalls" actually do very little. They may block ports, but don't have the packet inspection functionality better firewalls do. That may not mean much to you - but it does make a difference.

2) You can buy a Cisco PIX 506 or 501 for a bit more than $200 on eBay, but unless someone who knows what they're doing configures it, it's about as useful as a brick. Granted, there are some "wizards" that help you configure a 506e, but you still need an understanding of your needs, network protocols, and possible attacks. Buying a fast car doesn't make you a NASCAR champ.

3) You might want to check a number of magazines/web sites for their recommendations and reviews. Their reviews might give you a better grasp of the issues in choosing a firewall, and point you to some of the manufacturers' web sites. Individuals who are security professionals tend to have strong opinions about various devices, and may not give you the full picture. Magazines play favorites, too, but sampling a number of them can even out the bias a bit.

You know, much of this is the same as buying a new car or washing machine. The problem is that firewalls don't advertise on TV, so you don't know where to start.

snipped-for-privacy@mxao.com wrote:

Reply to
borroff

Any of them. [g] I absolutely hate using MS Word, but obviously, I was being somewhat facetious. I do, however, quite often compose documents in the Windows Notepad Editor, and then C&P the document into MS Word for printing purposes only when formatting is required.

On the other hand, this _is_ the best ASCII/HTML editor.

formatting link
And I am _not_ being, in any way whatsoever, facetious about that.

Ron :)

Reply to
Ron Lopshire
