“Sun’s JRE has a security flaw, so turn off Javascript” says the security expert

I’ve listened to “Security Now”, TWiT’s “security” oriented podcast, which is hosted by Steve Gibson who is apparently a big internet security guru – so says the website. If the title doesn’t make it very clear why I quoted “security” above, then here is the scoop from Security Now episode 222 (starting at 14:50):

The latest Java Runtime Edition, in the latest version, has multiple vulnerabilities and no updates available. It acknowledged multiple problems. There is enough disclosed for exploits to be created on the net. Unfortunately, the only workaround is the workaround we all know to well – which is to disable Javascript to prevent the Java Runtime Edition components from being exploited until Sun updates themselves.

[The emphasis is mine]1

Well, obviously the guy is a security expert and not a programming expert so its OK that he doesn’t know that Java has nothing to do with Javascript and disabling Javascript will not affect the Java plugin. No, wait, what?

I’ve heard from several others that Security Now sucks (I think also on the Linux Outlaws podcast, which is a great podcast) but I decided to give it a try anyway and it completely failed. I don’t think I’m going to ever manage to hear the rest after that announcement.

Up until that item, they just talked about some “security patches” to MS-Windows applications, which has about as much relation to internet security as telling someone that is worried that people will break into his home to plant some bushes behind his picket fence – i.e. not much except in lay-people’s minds.2.

  1. P.S. here’s another workaround – uninstall Java []
  2. P.P.S this post is categorized under “Funny”, though a more correct categorization might be “Tragic” []

3 Responses to ““Sun’s JRE has a security flaw, so turn off Javascript” says the security expert”

  1. Yaniv:

    He may still be a security expert, but not-so-expert in logic deductions. 🙂

    When evaluating the security of a system/framework, one item in the “checklist” is checking for the existence of periodical software/security updates.
    I’ve always argued against such ultimate “checklists”, or even close to them. All these attempts to associate some ISO-like security tags with a system are flawed in their basis and make me sick. It’s like summarizing the entire contents of a religion X in a few bullets and claiming that they are the entire X.
    I vaguely remember some old comparison of the security various systems, in which Microsoft Windows won one of the top places, mostly due to that weird item — they maintain periodical (weekly!) updates to their software.

  2. Oded:

    Regarding the mistake, well obviously everyone knows that Javascript and Java are the same. Hmm..

    I also saw one security comparison where MS-Windows was the only operating system complying with the requirements because only it has a login screen that is only accessible by pressing CTRL+ALT+DELETE. This is apparently a security measure.

    I believe the above mentioned security show is geared towards average people and aims to raise their awareness of security, though it may do a piss poor job of that. I’ve eventually heard it all the way to the end and they did discuss some more interesting things like the jailbroken iPhone SSH issue (default password that everyone knows), port knocking (also regarding SSH) and the reuse of key-pairs in SSL certificate requests.

    I’m not sure why they start the show by listing “security updates” and discussing them – it may be similar to the reason why Linux Outlaws start the show by listing new Linux releases of obscure distros and making fun of them: its something that you can do in the context of the show and it kills time. But at least with Linux Outlaws its often funny.

  3. Oded:

    I’ve been listening to some more Security Now lately and Gibson is good about explaining security issues for the (almost) layman, but:
    – He talks very very very very slow to the point that I would have pulled my hair out had I had hair to pull out. Explaining out a simple concept like a client connecting to a server to send HTTP requests can take about 5 minutes.
    – Even when talking about general security problems, like the recent SSL renegotiation attack, he is still very Microsoft oriented: “I’m pretty sure Microsoft will issue an update for that this month”. Its not like he isn’t acknowledging the fact that there are other systems, its just that his primary concern is always that Microsoft will issue an update and its never was my concern.

    All in all, I think I will unsubscribe.

Leave a Reply



Spam prevention powered by Akismet