FYI: JAVA on OS X: Safari's blocked it; FireFox to block all plugins

"No amount of talking or smoothing over [Java's security problems] is going to make anybody happy or do anything for us. We have to fix Java." - Milton Smith, Sr. Principal Product Security Manager - Java at Oracle (conference call with worldwide Java User Group, January 25th, 2013)
....from: https://blogs.oracle.com/theaquarium/entry/oracle_speaks_up_on_java
Oracle Speaks up on Java Security
By reza_rahman on Jan 25, 2013
As many of you are keenly aware, there has been a veritable media firestorm around the recent Java vulnerability. As you know, the vulnerability pertains to Java on the browser, not server-side Java, desktop Java or embedded Java. You may also have been frustrated with Oracle's relative silence on the issue.
Hopefully it comes as some relief that Oracle is now starting to openly speak up on the issue. The lead for Oracle Security Martin Smith and Donald Smith from the OpenJDK team very recently had a conference call with worldwide JUG leaders. The recording of the meeting is available [at http://java.net/downloads/jugs/Jan24_JUGLeaderCall.mp3]. This was a frank two-way discussion with Java community leaders about Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage in some venues. As Donald and Martin indicate on the call, we can expect this to be the tip of the iceberg of what will be done on the Java Security and communication fronts.
We encourage you to participate in this crucial dialog and provide your feedback.
John Spragge offers his opinions on these very issues in his intelligent, insightful blog post: A passionate defence of Java's virtues. We think it is well worth a read if you are a fan of GlassFish, Java EE or Java.
= - = - = - =
How to disable the Java web plug-in in Safari: https://support.apple.com/kb/HT5241
= - = - = - =
...from: https://blog.mozilla.org/security/2013/01/29/putting-users-in-control-of-plu...
Mozilla Security Blog
Putting Users in Control of Plugins
JAN 29 2013
Mozilla is changing the way Firefox loads third party plugins such as Flash, Java and Silverlight. This change will help increase Firefox performance and stability, and provide significant security benefits, while at the same time providing more control over plugins to our users.
Previously Firefox would automatically load any plugin requested by a website. Leveraging Click to Play, Firefox will only load plugins when a user takes the action of clicking to make a particular plugin play or the user has previously configured Click To Play to always run plugins on the particular website.
More User Control
Users should have the choice of what software and plugins run on their machine. Click to Play allows users to easily choose if they wish to run a plugin on a particular site. Users can also configure sites to never run plugins or conversely always run plugins. This change puts the user in control.
Increased Performance & Stability
Poorly designed third party plugins are the number one cause of crashes in Firefox and can severely degrade a user’s experience on the Web. This is often seen in pauses while plugins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox. By only activating plugins that the user desires to load, we’re helping eliminate pauses, crashes and other consequences of unwanted plugins.
Significant Security Benefits
One of the most common exploitation vectors against users is drive by exploitation of vulnerable plugins. In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plugin exploit kit. We’ve observed plugin exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware. In these situations the website doesn’t have any legitimate use of the plugin other than exploiting the user’s vulnerable plugin to install malware on their machine. The Click to Play feature protects users in these scenarios since plugins are not automatically loaded simply by visiting a website.
In addition to the security benefits provided by Click to Play, Mozilla also strongly recommends that users keep their plugins up to date. The following website can be used to determine if plugins are current: https://www.mozilla.org/plugincheck/
Implementing this change
Our plan is to enable Click to Play for all versions of all plugins except the current version of Flash. Click to Play has already been enabled for many plugins that pose significant security or stability risks to our users. This includes vulnerable and outdated versions of Silverlight, Adobe Reader, and Java.
More specifically, our next steps are the following:
1. Click to Play old versions of Flash (versions <=10.2.*) and slowly add more recent insecure Flash versions to the Click to Play list. Note: The most current version of Flash will NOT have Click To Play.
After we complete final UI work:
2. Click to Play current versions of Silverlight, Java, and Acrobat Reader and all versions of all other Plugins.
During this change we will monitor the results and feedback of the new settings and UI to ensure we’re providing a quality experience and delivering the many benefits of Click to Play to Firefox users.
Michael Coates
Director of Security Assurance
Wayne Billing Classroom Technology Support Audio Visual and Classroom Technology Support 130 Machray Hall Building 204-474-6649 204-807-3153 (cell) 204-474-7625 (fax) Wayne_Billing@umanitoba.ca