kgs and java security hole
- cyclops
- Lives in sente
- Posts: 801
- Joined: Mon May 10, 2010 3:38 pm
- Rank: KGS 7 kyu forever
- GD Posts: 460
- Location: Amsterdam (NL)
- Has thanked: 353 times
- Been thanked: 107 times
kgs and java security hole
From Bonobo's site I got this link describing a security hole in Java's browser plugin that the Java Client of KGS uses to let you play online. It seems quite risky but I cannot decide whether KGS players are affected as well.
- tj86430
- Gosei
- Posts: 1348
- Joined: Wed Apr 28, 2010 12:42 am
- Rank: FGA 7k GoR 1297
- GD Posts: 0
- Location: Finland
- Has thanked: 49 times
- Been thanked: 129 times
Re: kgs and java security hole
Mef wrote: Java 7 just can't catch a break. This is the... third time(?) this has happened...
Does anyone see any correlation with the recent problems and Oracle acquiring Sun?
Offending ad removed
- Bonobo
- Oza
- Posts: 2224
- Joined: Fri Dec 23, 2011 6:39 pm
- Rank: OGS 13k
- GD Posts: 0
- OGS: trohde
- Universal go server handle: trohde
- Location: Lüneburg Heath, North Germany
- Has thanked: 8262 times
- Been thanked: 924 times
Re: kgs and java security hole
cyclops wrote: From Bonobo's site I got this link describing a security hole in Java's browser plugin that the Java Client of KGS uses to let you play online [..]
Uhm, forgive the vanity, but are you referring to me? Did you read me on FB or G+? Mind to identify yourself to me there?
Greetings from Tom in Germany
“The only difference between me and a madman is that I’m not mad.” — Salvador Dali
- Marcus
- Gosei
- Posts: 1387
- Joined: Tue Apr 20, 2010 8:51 am
- GD Posts: 209
- KGS: Marcus316
- Has thanked: 139 times
- Been thanked: 111 times
Re: kgs and java security hole
Bonobo wrote:
cyclops wrote: From Bonobo's site I got this link describing a security hole in Java's browser plugin that the Java Client of KGS uses to let you play online [..]
Uhm, forgive the vanity, but are you referring to me? Did you read me on FB or G+? Mind to identify yourself to me there?
Greetings from Tom in Germany
I just realized you had those links in your sig ... I just added you to my Go circle on G+.
Reading the security link now ...
- xed_over
- Oza
- Posts: 2264
- Joined: Mon Apr 19, 2010 11:51 am
- Has thanked: 1179 times
- Been thanked: 553 times
Re: kgs and java security hole
cyclops wrote: From Bonobo's site I got this link describing a security hole in Java's browser plugin that the Java Client of KGS uses to let you play online. It seems quite risky but I cannot decide whether KGS players are affected as well.
In my opinion, this is mostly just fear, uncertainty and doubt.
Sure, if you go around visiting every random website then you might find some that have either written their Java app to exploit this security hole and take advantage of you, or maybe their site was hacked and their otherwise safe Java app replaced with a hacked version.
KGS has been around for a long time and is actively used and maintained. I trust that site and their app.
- hyperpape
- Tengen
- Posts: 4382
- Joined: Thu May 06, 2010 3:24 pm
- Rank: AGA 3k
- GD Posts: 65
- OGS: Hyperpape 4k
- Location: Caldas da Rainha, Portugal
- Has thanked: 499 times
- Been thanked: 727 times
Re: kgs and java security hole
The real issue is that browsers need better tools for managing plugins. I use Java for KGS, and a handful of older go sites that have applets. If any other site I used had a Java applet, I would be very suspicious (because modern web design and development is so strongly against it). I would love built-in click-to-activate and/or whitelisting of plugins.
- cyclops
Re: kgs and java security hole
@bonobo:
Because you have an even higher ratio of "likes" to "be liked" than me, I checked your profile. I guess I had nothing better to do that time. There I found a link to your website and there was the link I copied in my opening post.
I have no idea how to identify myself on your site without joining Google. Otherwise I would happily comply with your request without seeing the use.
Bye
Last edited by cyclops on Fri Jan 11, 2013 12:46 pm, edited 2 times in total.
- cyclops
Re: kgs and java security hole
So if you trust wms you can safely play on kgs without fearing the java hole. Nothing else but kgs creeps through the hole while playing your daily game.
- Bonobo
Re: kgs and java security hole
cyclops wrote: @bonobo:
Because you have an even higher ratio of "likes" to "be liked" than me, I checked your profile.
Haha, OK, I like to be quite generous with my likes. OTOH sometimes it’s not so easy, e.g. when people write stuff I agree with together with stuff I don’t. Then I’d love to have some more fine-tuning for liking, like “I especially like your last sentence”
cyclops wrote: I guess I had nothing better to do that time. There I found a link to your website
Ah, I understand. That’s not my “site” but just a shortcut to my Google+ profile.
cyclops wrote: and there was the link I copied in my opening post.
I have no idea how to identify myself on your site without joining Google. Otherwise I would happily comply with your request without seeing the use.
Yeah, that would only make sense if you were on Google+, too.
cyclops wrote: Bye
:-)
Greetz, Tom
- cyclops
Re: kgs and java security hole
Bonobo wrote:
cyclops wrote: @bonobo:
Because you have an even higher ratio of "likes" to "be liked" than me, I checked your profile.
Haha, OK, I like to be quite generous with my likes.
That is why you are a Bonobo!
- Bonobo
[OT] Re: kgs and java security hole
cyclops wrote:
Bonobo wrote:
cyclops wrote: @bonobo:
Because you have an even higher ratio of "likes" to "be liked" than me, I checked your profile.
Haha, OK, I like to be quite generous with my likes.
That is why you are a Bonobo!
:-D thx
Actually I chose the Bonobo as my Avatar/domain/etc. exactly because I believe it’s better actively to spread the love than to wait for it to rain down on one
- speedchase
- Lives in sente
- Posts: 800
- Joined: Sun Dec 04, 2011 4:36 pm
- Rank: AGA 2kyu
- GD Posts: 0
- Universal go server handle: speedchase
- Has thanked: 139 times
- Been thanked: 122 times
Re: kgs and java security hole
People shouldn't hate on Java so much. C, C++ and C# are all much worse when it comes to security, there are literally millions of virus attacks in Windows executable files, and Microsoft's ActiveX framework is a joke. The only reason people publish articles like this is because they see it as a challenge to try to crack Java's security mechanisms, there is no interest in other frameworks because it is so easy. All security issues in Java are fixed quickly.
- Ellyster
- Dies in gote
- Posts: 62
- Joined: Thu Jun 21, 2012 12:32 pm
- Rank: KGS 3 kyu
- GD Posts: 0
- KGS: Ellyster
- Location: Granada, Spain | Osaka, Japan | Turku, Finland | Tokyo, Japan
- Has thanked: 50 times
- Been thanked: 22 times
Re: kgs and java security hole
speedchase wrote: People shouldn't hate on Java so much. C, C++ and C# are all much worse when it comes to security, there are literally millions of virus attacks in Windows executable files, and Microsoft's ActiveX framework is a joke. The only reason people publish articles like this is because they see it as a challenge to try to crack Java's security mechanisms, there is no interest in other frameworks because it is so easy. All security issues in Java are fixed quickly.
It's not about the quantity of bugs in C, C++, C# vs the quantity of bugs in Java, or even the severity of the bug itself... it's about the potential attackability.
Java is everywhere, and especially used on the web a lot... so a Java application (applet, servlet,...) has the "special privilege" of being executed instantaneously when the website is visited (meanwhile an .exe needs to be manually executed), so any significant bug sees its severity powered to the infinity.
It's the same with diseases... you don't mind a mortal disease if it's very unlikely to get spread (agrirism) or a common disease that is not severe (flu)... but if you create the new Spanish flu... man, that's major words.
- Dusk Eagle
- Gosei
- Posts: 1758
- Joined: Tue Apr 20, 2010 4:02 pm
- Rank: 4d
- GD Posts: 0
- Has thanked: 378 times
- Been thanked: 375 times
Re: kgs and java security hole
ActiveX being indescribably terrible does not excuse vulnerabilities in Java. Most people know that you shouldn't use ActiveX (and most browsers, and all Operating Systems other than Windows, don't have support for it). If zero-day Java vulnerabilities keep being found, then people are going to stop trusting Java applications on the web.
C and C++ aren't really relevant, as no browser grants a website the ability to run C or C++ code on the user's end. Since Java code can be run from a website on a user's machine (as long as they have the plugin installed), security is crucial.
My browser prompts me before running any Java code, so I should be safe (unless I allow it for a site I shouldn't). If your browser doesn't, then just visiting a malicious site could get you infected.
We don't know who we are; we don't know where we are.
Each of us woke up one moment and here we were in the darkness.
We're nameless things with no memory; no knowledge of what went before,
No understanding of what is now, no knowledge of what will be.