It's definitely the latter. It's pretty easy to find bugs in Gnash. However due to the obscurity of Gnash itself combined with the diversity of the platforms that Gnash runs on, Flash is a much more interesting target for attackers.
1) I don't know why people keep perpetuating this silly made-up quote. 2) I don't know why Slashdot mods don't understand the difference between "funny" and "joke." Or perhaps they just have bad senses of humor.
Set up the smartd.conf file to do the example short-test daily and long-test weekly, and email you when something is fishy. It's a trivial amount of effort, resulting in a significant amount of peace of mind. (In many cases, you'll have some amount of warning before your drive kicks the bucket and it's too late)
I don't think the quote is right. The technique used to gain access is not to guess the password, but to guess the answers to the password recovery questions. The password itself can be strong, but when you've got a site that provides recovery questions like "Where were you born?", what are we to do? The clever approach would be to have an answer scheme that isn't guessable via public knowledge, but also something you can remember if you need to use it. There's a difference between "fucking dumb" and not being aware of weaknesses in web service authentication schemes.
It works quite well in 512MB in a VM. Try it on a hypervisor that can do dynamic memory some time (Hyper-V and ESX can). Set it to 512MB minimum and a plenty high max.
So what you're saying is that it does not work with 512MB?
As soon as Oracle stops enabling a web browser plug-in with the Java installer, then your point may be valid. But as things currently are, they better damn care about vulnerabilities that affect applets! (which is the whole point of the OP)
CVE-2012-4681 is a vulnerability that affects Java 7. Apple has only ever provided Java 6 with OS X, and with recent OS X versions, it's not even included by default. So it's pretty silly to make a sensational story that calls out Apple for not addressing CVE-2012-4681 in their update to Java, since they're not even affected by it.
Apparently Qubes can't be installed in VMware Fusion. This occurs with both the default boot mode and the "failsafe" VESA mode. I supposed that does indeed make it the most secure operating system possible.
Ear buds never stay in my ears. These are hooks, so they stay put. They stay comfortable in my ears even after extended listening. They isolate noise well, and they have a great sound. For the price, they can't be beat!
One could argue that Java had a place in the horrible 1997 web, with its ridiculous fphover.class FrontPage sites. Everything was awful there, and it fit in nicely. However, it's only a liability these days with respect to browsing.
Java can be quite useful in other forms, like stand-alone applications, but stay the F away from my web browser!
What qualifies that statement? Any FileVault user that upgraded to Lion would be affected, which I would think would be more than a few. FileVault is not upgraded to FileVault 2 automatically. The user would need to manually disable FileVault and then re-enable it to get the whole disk encryption feature.
As for your "ASLR and DEP bypass", it's not bypassing ASLR. It's taking advantage of a vendor's product (Java) that doesn't opt in to ASLR. But you don't need to be at the mercy of your vendors. You can force DEP and ASLR to be on with EMET: http://www.microsoft.com/download/en/details.aspx?id=1677
If you're still on XP, then you get none of that protection.
Tell me what Win7 does for me* that XP can't, and we can have a more meaningful discussion
Windows XP does not support ASLR, which is a powerful exploit mitigation feature. That is, given a vulnerability (which are pretty abundant in the software that we use), ASLR does a good job of preventing a large class of them from being able to be leveraged to run code (like install malware, keylogger, etc.).
Windows 7 does ASLR, which makes you less likely to get exploited by vulnerabilities.
Slashdot Mirror
It's definitely the latter. It's pretty easy to find bugs in Gnash. However due to the obscurity of Gnash itself combined with the diversity of the platforms that Gnash runs on, Flash is a much more interesting target for attackers.
1) I don't know why people keep perpetuating this silly made-up quote.
2) I don't know why Slashdot mods don't understand the difference between "funny" and "joke." Or perhaps they just have bad senses of humor.
Apples and oranges. That's an internal, full-size, SATA drive. This is talking about a USB stick.
Set up the smartd.conf file to do the example short-test daily and long-test weekly, and email you when something is fishy. It's a trivial amount of effort, resulting in a significant amount of peace of mind. (In many cases, you'll have some amount of warning before your drive kicks the bucket and it's too late)
I don't think the quote is right. The technique used to gain access is not to guess the password, but to guess the answers to the password recovery questions. The password itself can be strong, but when you've got a site that provides recovery questions like "Where were you born?", what are we to do? The clever approach would be to have an answer scheme that isn't guessable via public knowledge, but also something you can remember if you need to use it. There's a difference between "fucking dumb" and not being aware of weaknesses in web service authentication schemes.
It works quite well in 512MB in a VM. Try it on a hypervisor that can do dynamic memory some time (Hyper-V and ESX can). Set it to 512MB minimum and a plenty high max.
So what you're saying is that it does not work with 512MB?
One has to wonder if the Sophos targeting was spite-driven in any way. Back in 2010, Sophos kind of trashed Tavis for disclosing a vul in Windows: http://nakedsecurity.sophos.com/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/
As soon as Oracle stops enabling a web browser plug-in with the Java installer, then your point may be valid. But as things currently are, they better damn care about vulnerabilities that affect applets! (which is the whole point of the OP)
1) Why are you using the Adobe Reader web browser plug-in? Downloading and opening PDFs is much safer.
2) Why are you using a version of Adobe Reader that has known security vulnerabilities? If Reader doesn't do what you want, there are alternatives.
Keeping software up to date is important for staying safe. But perhaps this is not a concern for you.
Yes, IE9-64 is affected by the vulnerability. Whether exploits in the wild will succeed against it is another question...
Maybe my eyes need to be checked, but it looks brown to me.
CVE-2012-4681 is a vulnerability that affects Java 7. Apple has only ever provided Java 6 with OS X, and with recent OS X versions, it's not even included by default. So it's pretty silly to make a sensational story that calls out Apple for not addressing CVE-2012-4681 in their update to Java, since they're not even affected by it.
For more details, see: http://www.kb.cert.org/vuls/id/636312
Possibly. In this case, however, it failed due to not having video drivers. It appears to require an Intel GPU. (or nVidia with some trickery)
Thanks. That's good to know. But it surely eliminates the majority of people who may wish to try it out.
Apparently Qubes can't be installed in VMware Fusion. This occurs with both the default boot mode and the "failsafe" VESA mode. I supposed that does indeed make it the most secure operating system possible.
Ear buds never stay in my ears. These are hooks, so they stay put. They stay comfortable in my ears even after extended listening. They isolate noise well, and they have a great sound. For the price, they can't be beat!
http://www.usa.philips.com/c/headphones/shs8100_28/prd/
"One of the richest people in the world gets married."
FTFY
Am I the only one who thought of Windows RG upon seeing the headline?
http://www.deanliou.com/WinRG/WinRG2.htm
One could argue that Java had a place in the horrible 1997 web, with its ridiculous fphover.class FrontPage sites. Everything was awful there, and it fit in nicely. However, it's only a liability these days with respect to browsing.
Java can be quite useful in other forms, like stand-alone applications, but stay the F away from my web browser!
What qualifies that statement? Any FileVault user that upgraded to Lion would be affected, which I would think would be more than a few. FileVault is not upgraded to FileVault 2 automatically. The user would need to manually disable FileVault and then re-enable it to get the whole disk encryption feature.
I can't decide which is slower: The website or the software itself?
The question is whether you're from western Pennsylvania.
DEP is nearly worthless without ASLR. (and vice-versa) See:
http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx
As for your "ASLR and DEP bypass", it's not bypassing ASLR. It's taking advantage of a vendor's product (Java) that doesn't opt in to ASLR. But you don't need to be at the mercy of your vendors. You can force DEP and ASLR to be on with EMET:
http://www.microsoft.com/download/en/details.aspx?id=1677
If you're still on XP, then you get none of that protection.
Tell me what Win7 does for me* that XP can't, and we can have a more meaningful discussion
Windows XP does not support ASLR, which is a powerful exploit mitigation feature. That is, given a vulnerability (which are pretty abundant in the software that we use), ASLR does a good job of preventing a large class of them from being able to be leveraged to run code (like install malware, keylogger, etc.).
Windows 7 does ASLR, which makes you less likely to get exploited by vulnerabilities.
Interesting. I wonder what percentage of the Adobe Reader install base uses the 3D capabilities?