Java security is in the news!

Hello all (first time posting)
I see that Java has been in the news lately, and it's NOT exactly the kind of news that endears people to Java.
Is Oracle listening to any of this? What is Oracle's response? I would think somebody would take this seriously.
We all know not to believe everything you read, but some of this stuff sounds pretty bad.

I see some official word:
facebook
twitter
"Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices. A fix will be available shortly"
They don't sound too terribly concerned!

Similar Messages

  • HT1338 There is a lot of talk about the Java security issues and the ability to download a patch fix, do I need to do this or will software update pick this up for me?

    There is a lot of talk about the Java security issues and the ability to download an apple patch fix, do I need to do this or will software update pick this up for me?

    Thanks for that, how do I establish if I have Java installed, as in Safari preferences it indicates the following
    Web content - Enable Java
                - Enable JavaScript

  • So why did Apple decide not to put a Kensington Security Slot on the new MBP?

    So, I went to the Apple Store today to prove I wasn't crazy. There is no Kensington Security Slot on the new MacBook Pro. I work in the Production and Audio Visual Industry and there are times when we need to lock down our walkable Macs. Now at $3,700 maxed out, why in the world would Apple leave off a Kensington Security Slot?

    Rather than insult other users or the names they chose, you might want to re-read my post in which I said that this is a user to user forum. Apple does not comment here. We are not here to do business. We are here to offer technical support, and your question was not one requiring tech support. We simply are not allowed to discuss Apple decisions here.

  • What is the best security lock for the new 21 inch imac?

    I want to know what is the best security lock for the new 21 inch imac?

    Most computers refer to the locking attachment in some relationship to the name "Kensington", and that might be a useful clue.
    Following that, be sure to avoid counterfeit products. A well-known computer vendor (not Apple), was approached by a large purchaser (several tens of thousands of laptops) who insisted on using a counterfeit locking product that had a larger than normal locking tab. The vendor modified the tooling to accept the counterfeit product and, wouldn't you know it, the genuine product would no longer secure the computer properly.

  • HT201303 I reset my iTunes Security Questions and when I go into the Apple Store to buy a TV Show it is still asking me the old security questions, not the new ones... How do I make iTunes ask me the new security questions?

    I reset my iTunes Security Questions and when I go into the Apple Store to buy a TV Show it is still asking me the old security questions, not the new ones... How do I make iTunes ask me the new security questions?

    Get prepared for some bad news, then contact iTS.
    iTunes Store Support
    http://www.apple.com/emea/support/itunes/contact.html

  • Java security? shellcode, the different overflows etc...

    I am under the impression that pretty much all exploiting, shellcoding, the overflows and related terms are pretty much C, C++ and assembly. Maybe a couple other really old languages I forgot to add.
    I read that the new languages including Java have massive protection from this as it is an interpreted language, making exploitation with those languages near impossible. Am I to believe once the older languages are phased out, all the security holes will be phased out as well? I really find that hard to believe, can someone give me some insight to that theory?
    With the faster hardware speeds hitting the market every day, the best reason for keeping C I believe was speed. When will the old languages like C / C++ or assembly be completely phased out? Will that eliminate exploiting?

    You are wasting people's time here because:
    a) you're asking someone to help you achieve something unethical (gimme >teh codez so i can hack teh jav)
    b) didn't take the time necessary to research this yourself.

    a) I am not a script kiddie (anymore :P). I also never asked for something unethical like an exploit to a Java program that can be loaded into Metasploit or whatever. I simply asked the difference between Java and the older languages in regards to exploiting. Also asked where the security in that regard might go if the older languages got phased out. (did not expect a full APA style paper). Paraphrasing the l33t talk is completely false. I never asked for 'code to hack Java'. Sorry for being curious about the topic though. (sarcasm not sorry)
    b) I looked in many different places and even watched full videos on the topic but all had to do with C... Java might be a little new for that. (you guys even posted stories about it being a new thing proving that point). I've downloaded docs, books, and many other ways all mainly saying C, assembly and so on. I think the two simple questions were justified along with the duke points.
    I would like to thank DrClap for not complaining and answering perfectly. If you take a look at his answer, you'll find he gave me no info to get the garbage file. I will also look into that cached IP page that seems to have what I was looking for. Once again sorry for missing a cached Google page. (not sorry) :) I do plan on becoming a hacker (I'm aware not yet, and I mean real hacker not cracker).
    I do believe 'learn how to use Google 'java exploit'' seems like sarcasm and / or mockery. Especially when the results were simple news stories that didn't really help. Might just be me though. I have been known to be too sensitive. :P
    Thanks again DrClap

  • I can't access this secure website with the new Firefox upgrade but I could before the upgrade.

    As above. What can I say - I have tried everything listed on the support forum website. I had no problem accessing this secure website, which is my work email, before I upgraded to Firefox 4.0. I would prefer not to have to go back to the previous version if possible. I don't like IE because it is just too slow, but right now I have to use it to access this website. I have Windows Firewall and have allowed firefox.exe as an exception. Any suggestions, as this is very frustrating. Thanks

    You should be able to use the OpenVPN Connect app running on your iPad to connect your iPad to the VPN directly. It is an official OpenVPN client for iOS devices.
    In what way is it "not compatible"? Have you tried it? Tunnelblick is an OpenVPN client, so your school's VPN is using the OpenVPN protocol. That means any OpenVPN client should be able to access it. (It is possible, but unlikely, that your school uses encryption that is not available on the iPad, but that would be very unusual.)
    Otherwise, a remote control app on your iPad would let you control your Mac at home. "Back to My Mac", for example, would allow you to control your Mac remotely. The tricky part of this is that usually a VPN is set up to send all Internet traffic via the VPN server, and I'm not sure how that would work with "Back to My Mac".

  • Does the new ipad use java?

    Hi,
    About the failure in Java, would it affect the new iPad?
    Thanks

    No iPad runs Java. It is not supported.

  • Java Security Configuration Assistant fails to install

    Hello,
    I have a problem because Oracle Application Server 10g for Windows doesn't install. I have tried several times on various systems, but every time I have the same error when the installer comes to the "Java Security Configuration Assistant".
    The command being spawned is:
    C:\oracle2\product\10.1.0\Db_1/jdk/bin/javaw -Djava.net.preferIPv4Stack=true -classpath C:\oracle2\product\10.1.0\Db_1\dcm\lib\dcm.jar;C:\oracle2\product\10.1.0\Db_1\j2ee\home\jazn.jar;C:\oracle2\product\10.1.0\Db_1\j2ee\home\lib\jaas.jar;C:\oracle2\product\10.1.0\Db_1\j2ee\home\oc4j.jar;C:\oracle2\product\10.1.0\Db_1\jlib\ojmisc.jar -Doracle.security.jazn.config=C:\oracle2\product\10.1.0\Db_1\j2ee\home\jazn\install\jazn.xml oracle.security.jazn.util.JAZNInstallHelper -log C:\oracle2\product\10.1.0\Db_1\cfgtoollogs\jaznca.log -realm jazn.com -user admin -oldpwd welcome -newpwd 05f2d5c792fb24147255fbe8169f54594b -oh C:\oracle2\product\10.1.0\Db_1 -clearpwd false
    Only the first parameter is interesting :
    C:\oracle2\product\10.1.0\Db_1/jdk/bin/javaw
    It has a mixture of slashes (/) and backslashes (\), the first half C:\oracle2\product\10.1.0\ is ok but the second half Db_1/jdk/bin/javaw is not compatible with Windows (slashes are for Unix paths only), so it obviously doesn't work because this path with a mixture of / and \ is not correct. At this point, the installation of Oracle AS fails.
    Does anybody know a cause for this, or a workaround to get AS installed? Thanks

    The mixture of slashes and backslashes isn't an issue for Windows. I have examined the failure of the assistant, but with the new release of AS10g (release 2), I would like to know if you still have the problem you describe.

  • Java.security.AccessControlException when accessing user documents

    Hello there,
    I'm a student programmer. I'm trying to write a desktop application which will read all of the user's documents folder and add it to a ZIP file. I am coding on Windows Vista but my code should be platform independent.
    The problem I have is that whenever I try to access the user documents, I get a java.security.AccessControlException. The code I'm using follows:

    // Find out the user's "My Documents" folder
    javax.swing.JFileChooser fr = new javax.swing.JFileChooser();
    javax.swing.filechooser.FileSystemView fw = fr.getFileSystemView();
    String source = fw.getDefaultDirectory().toString() + "\\";
    // Zip the contents of "My Documents" to the current working directory
    zip(source, "JemsFrom.zip");
    // Checking for permissions for reading source
    FilePermission perm = new FilePermission(source, "read");
    AccessController.checkPermission(perm);

    I Googled and apparently I need to add a policy file allowing my program access to the documents folder. I created the following policy file:

    grant {
          permission java.io.FilePermission "C:\\Users\\keith\\Documents", "read";
    };

    I saved this file as 'perms' and then added the following to Netbeans' Argument list for this project:

    -Djava.security.manager -Djava.security.policy=perms

    However, I am still getting this error and am totally stumped. I've also tried running this project outside Netbeans with those arguments but I get the same result.
    Would greatly appreciate any help.

    I have changed my permissions file as david_david suggested, but I am still having the same problem... AccessControlException
    Any other helpful suggestions would be welcome.
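    An added example, not the poster's code, showing how narrowly a java.io.FilePermission grant on a bare path is interpreted: it matches that one path entry, while a trailing "*" covers the files directly inside the directory and a trailing "-" covers the whole tree beneath it. The folder is derived from user.home so the program runs on any OS; the poster's actual location was C:\Users\keith\Documents. No SecurityManager is installed, the checks are done with Permission.implies directly.

```java
import java.io.File;
import java.io.FilePermission;

// Added example (not from the thread): which requests a given
// java.io.FilePermission grant implies. DOCS is an assumed location built
// from user.home so the separator is right on every platform.
public class FilePermissionScope {
    static final String SEP = File.separator;
    static final String DOCS = System.getProperty("user.home") + SEP + "Documents";

    // Does a "read" grant on `granted` cover a "read" of `requested`?
    static boolean grantCovers(String granted, String requested) {
        return new FilePermission(granted, "read")
                .implies(new FilePermission(requested, "read"));
    }

    public static void main(String[] args) {
        String child = DOCS + SEP + "notes.txt";
        String nested = DOCS + SEP + "2012" + SEP + "report.txt";

        // Bare path, as in the policy quoted above: matches the directory entry only.
        System.out.println("exact grant covers child file:  " + grantCovers(DOCS, child));
        // Trailing "*": files directly inside the directory, but not subdirectories.
        System.out.println("'*' grant covers child file:    " + grantCovers(DOCS + SEP + "*", child));
        System.out.println("'*' grant covers nested file:   " + grantCovers(DOCS + SEP + "*", nested));
        // Trailing "-": the directory and everything beneath it.
        System.out.println("'-' grant covers nested file:   " + grantCovers(DOCS + SEP + "-", nested));
        // Actions are checked independently of the path: a read grant never implies delete.
        System.out.println("read grant covers delete:       "
                + new FilePermission(DOCS + SEP + "-", "read")
                        .implies(new FilePermission(nested, "delete")));
    }
}
```

    Run it with `java FilePermissionScope.java` (JDK 11 or later). Only the "-" form reaches files in subfolders, which is what walking a Documents tree needs. In a policy file the same grant can be written portably as `permission java.io.FilePermission "${user.home}${/}Documents${/}-", "read";`, since policy files expand `${user.home}` and `${/}` (the platform file separator); that is still much narrower than a `<<ALL FILES>>` grant, which would also make the error go away but hands the program more than the task requires.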

  • Help : java.security.UnrecoverableKeyException: excess private key

    Hi,
    I require help for the exception "java.security.UnrecoverableKeyException: excess private key"
    When i am trying to generate digital signature using PKCS7 format using bouncyCastle API, it gives the "java.security.UnrecoverableKeyException: excess private key" exception.
    The full stack trace is as follows
    ------------------------------------------------------------------------
    java.security.UnrecoverableKeyException: excess private key
         at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
         at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:120)
         at java.security.KeyStore.getKey(KeyStore.java:289)
         at com.security.Security.generatePKCS7Signature(Security.java:122)
         at com.ibm._jsp._SendSecureDetail._jspService(_SendSecureDetail.java:2282)
         at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:93)
    I had tested the program under following scenarios...
    The Java Program for generating the digital signature independently worked successfully(without any change in policy files or java.security file) I have tested this independently on Sun's JDK 1.4, 1.6
    For IBM JDK 1.4 on Windows machine for WAS (WebSphere Application Server) 6.0, The Program for generating the digital signature using PKCS7 works fine, but it required IBM Policy files (local_policy.jar, US_export_policy.jar) and updating the java.security file
    But the problem occurs in Solaris 5.10, WAS 6.0 where Sun JDK 1.4.2_6 is used.
    I copied the unlimited strength policy files for JDK 1.4.2 from Sun's site (because the WAS 6.0 is running on Sun's JDK instead of IBM JDK)...
    I changed the java.security file as follows(only changed content)
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.6=com.ibm.jsse.IBMJSSEProvider
    security.provider.7=com.ibm.security.cert.IBMCertPath
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    I have used PKCS12(PFX) file for digital signature
    which is same for all environment(i have described as above)
    I copied the PFX file from windows to solaris using WinSCP in binary format so the content of certificate won't get corrupted.
    I can not change the certificate because it's given by the company and which is working in other environments absolutely fine (just as I have described above)
    I have gone through the "http://forums.sun.com/thread.jspa?threadID=408066" and other URLs too. but none of them helped...
    So what could be the problem for such exception?
    I am on this issue since last one month...
    I know very little about security.
    Thanks in advance
    PLEASE HELP ME(URGENT)
    Edited by: user10935179 on Sep 27, 2010 2:47 AM
    Edited by: user10935179 on Sep 27, 2010 2:54 AM

    user10935179 wrote:
    The Java Program for generating the digital signature independently worked successfully(without any change in policy files or java.security file)

    If the program was working fine without changing the java.security policy file, why have you changed it to put the IBM Providers ahead of the SunRsaSign provider?
    While I cannot be sure (because I don't have an IBM provider to test this), the error is more than likely related to the fact that the IBM Provider implementations for handling RSA keys internally are different from the SunRsaSign provider. Since you've now forced the IBM provider ahead of the original Sun provider, you're probably running into interpretation issues of the encoded objects inside the keystore.
    Change your java.security policy back to the default order, and put your IBM Providers at the end of the original list and run your application to see what happens.
    Arshad Noor
    StrongAuth, Inc.
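    An added example, not Arshad's or IBM's code, that makes the provider-ordering point above visible: it lists the installed providers in the precedence java.security gives them, lists which of them can serve KeyFactory.RSA, and shows that re-adding a provider with Security.addProvider puts it at the end of the list while Security.insertProviderAt(p, 1) puts it in front. It assumes the stock SunRsaSign provider is installed, as it is in Oracle and OpenJDK builds; no IBM provider is needed.

```java
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;

// Added example (not from the thread): provider precedence and how
// runtime edits to the list change which implementation is picked.
public class ProviderOrder {

    // Installed provider names, most preferred first (the java.security order).
    static String[] installedOrder() {
        Provider[] ps = Security.getProviders();
        String[] names = new String[ps.length];
        for (int i = 0; i < ps.length; i++) names[i] = ps[i].getName();
        return names;
    }

    // Providers able to serve one service, e.g. "KeyFactory.RSA", in precedence order.
    static String[] candidates(String serviceDotAlgorithm) {
        Provider[] ps = Security.getProviders(serviceDotAlgorithm);
        if (ps == null) return new String[0];
        String[] names = new String[ps.length];
        for (int i = 0; i < ps.length; i++) names[i] = ps[i].getName();
        return names;
    }

    // Move an installed provider to the end; returns its new 1-based position or -1.
    static int demote(String name) {
        Provider p = Security.getProvider(name);
        if (p == null) return -1;
        Security.removeProvider(name);
        return Security.addProvider(p);          // addProvider always appends
    }

    // Move an installed provider to the front; returns its new 1-based position or -1.
    static int promote(String name) {
        Provider p = Security.getProvider(name);
        if (p == null) return -1;
        Security.removeProvider(name);
        return Security.insertProviderAt(p, 1);  // position 1 = highest precedence
    }

    // Naming the provider removes the dependency on list order altogether.
    static String pinnedRsaKeyFactoryProvider()
            throws NoSuchAlgorithmException, NoSuchProviderException {
        return KeyFactory.getInstance("RSA", "SunRsaSign").getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Installed order: " + String.join(", ", installedOrder()));
        System.out.println("KeyFactory.RSA candidates: " + String.join(", ", candidates("KeyFactory.RSA")));
        System.out.println("Unpinned KeyFactory.RSA uses: " + KeyFactory.getInstance("RSA").getProvider().getName());

        System.out.println("SunRsaSign demoted to position " + demote("SunRsaSign"));
        System.out.println("Installed order now: " + String.join(", ", installedOrder()));
        System.out.println("SunRsaSign promoted to position " + promote("SunRsaSign"));
        System.out.println("Installed order now: " + String.join(", ", installedOrder()));

        System.out.println("Pinned KeyFactory.RSA uses: " + pinnedRsaKeyFactoryProvider());
    }
}
```

    The unpinned KeyFactory.getInstance("RSA") call is resolved by walking the installed list, which is exactly why putting a foreign provider at position 1 in java.security changes which implementation decodes the keystore entry. Moving providers at runtime is done here only to show the effect; in a deployed application the order belongs in java.security, and code that must use a specific implementation should name the provider as in pinnedRsaKeyFactoryProvider.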

  • Java.security.ProviderException: unable to parse algorithm params.

    java.security.ProviderException: unable to parse algorithm params.
    Anyone any idea how to get around this problem? Is it something to do with the java.security file?

    I may or may not be very helpful depending on your setup.
    1. when you say "this works fine for sun plugins, but not for the MS JVM", what do you mean? where is the Sun VM used (client or server side) and where is the MS VM used (client or server side)?
    2. how are you obtaining the binary key encoding (that is then BASE64-encoded)? I assume you are calling java.security.Key.getEncoded. are you getting a standard PKCS8Encoding for a private key? you can check via Key.getFormat. make sure if you are switching between VMs, that both VMs are encoding the key in a format that you expect. in particular, if they both claim to export into PKCS8, then make sure the encoded bytes are identical.
    3. how are you re-constituting the key? are you using the java.security.spec.KeySpec APIs? I believe these were added in J2SE 1.2, which means I don't believe they are available in the MS VM (which is only 1.1.X-compliant if I recall correctly).
    based on all of the above, I don't think the java.security file is the culprit - but perhaps incompatible key encodings between different vendor VMs.
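    An added example, not part of this thread, that performs the checks from points 2 and 3 of the answer in code: generate an RSA pair, export each key with getEncoded(), confirm the format names (PKCS#8 for the private key, X.509 for the public key), carry the bytes as Base64 text, rebuild the keys through KeyFactory with PKCS8EncodedKeySpec / X509EncodedKeySpec, and compare both the key material and the re-encoded bytes. It uses only java.security and java.util.Base64, so it needs Java 8 or later.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

// Added example (not from the thread): export, transport as Base64, and
// re-import RSA keys, checking that nothing changes along the way.
public class KeyEncodingRoundTrip {

    static KeyPair generate() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Base64 is only a transport wrapper; the bytes inside must come back unchanged.
    static byte[] viaBase64(byte[] encoded) {
        return Base64.getDecoder().decode(Base64.getEncoder().encodeToString(encoded));
    }

    // True when the format is PKCS#8, the rebuilt key carries the same modulus and
    // private exponent, and re-encoding it yields byte-identical output.
    static boolean privateKeyRoundTrips(PrivateKey original) throws GeneralSecurityException {
        if (!"PKCS#8".equals(original.getFormat())) return false;
        byte[] encoded = original.getEncoded();
        PrivateKey rebuilt = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(viaBase64(encoded)));
        RSAPrivateKey a = (RSAPrivateKey) original;
        RSAPrivateKey b = (RSAPrivateKey) rebuilt;
        return a.getModulus().equals(b.getModulus())
                && a.getPrivateExponent().equals(b.getPrivateExponent())
                && Arrays.equals(encoded, rebuilt.getEncoded());
    }

    // Same check for the public key, whose getEncoded() form is X.509 SubjectPublicKeyInfo.
    static boolean publicKeyRoundTrips(PublicKey original) throws GeneralSecurityException {
        if (!"X.509".equals(original.getFormat())) return false;
        byte[] encoded = original.getEncoded();
        PublicKey rebuilt = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(viaBase64(encoded)));
        RSAPublicKey a = (RSAPublicKey) original;
        RSAPublicKey b = (RSAPublicKey) rebuilt;
        return a.getModulus().equals(b.getModulus())
                && a.getPublicExponent().equals(b.getPublicExponent())
                && Arrays.equals(encoded, rebuilt.getEncoded());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair kp = generate();
        System.out.println("private format: " + kp.getPrivate().getFormat()
                + ", public format: " + kp.getPublic().getFormat()
                + ", KeyFactory provider: " + KeyFactory.getInstance("RSA").getProvider().getName());
        System.out.println("private key round-trips: " + privateKeyRoundTrips(kp.getPrivate()));
        System.out.println("public key round-trips: " + publicKeyRoundTrips(kp.getPublic()));
    }
}
```

    When two runtimes are involved, as in the question, run the export half on one and the import half on the other and compare the printed format names and the Base64 text first; if the formats agree but the bytes differ, the two vendors are not producing the same encoding and the java.security file is not where the problem lies.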

  • Java.security file

    Is the java.security file the only file that specifies the default key store type?
    I am building a web service using NetBeans. An error came out saying "invalid keystore format". I think that is because I had changed the default key store type to "jceks" in the java.security file in the [java installation path]\jre\lib\security folder.
    I changed it back to "jks". However, the error still exists. I wonder if the java.security file is the only file that defines the default key store type?
    Thanks in adv!!!

    Hi Rohit,
    For more info on java security policy file, please refer
    http://java.sun.com/products/jdk/1.2/docs/guide/security/PolicyFiles.html
    Hope this helps!
    Senthil Babu J

  • Serialize java.security.Principal

    The problem is:
    I'm using IBM WebSphere Portal 5.1
    I can get current user
    request.getUser();

    So I get instance of such class:
    package com.ibm.wps.puma;
    public class User extends com.ibm.wps.puma.Principal
        implements Serializable, Principal, org.apache.jetspeed.portlet.User, com.ibm.portal.puma.User {
    }

    As you can see, I can access this object through interface java.security.Principal
    Also, this object can be serialized. That's great.
    I have a web-service.
    It needs java.security.Principal from User
    So I've tried to add parameter com.ibm.wps.puma.User to the method of web-service interface.
    I thought I can send class via SOAP to web-service and then access it through java.security.Principal on the server-side of web-service.
    User is stored in bean:
    public class WSPrincipalBean {
        private String userName;
        private String password;
        private User user;

        public WSPrincipalBean() {
        }

        public Principal getPrincipal() {
            return (Principal) user;
        }

        public void setUser(User user) {
            this.user = user;
        }
    }

    When I generate web-service I get several warnings: some fields of User user can't be serialized. But I don't actually need these fields.
    When I generate client based on my web-service wsdl I lose field User user.
    Web-service and web-service client use JAX-RPC 1.0 / 1.1 and WebSphere Application Server 5.1
    Please, can you suggest me any solution?
    Is there any way to make full serialization of java.security.Principal?

    Rachman wrote:
    What is serializable..?
    How to use Serializable..?
    I'm not understanding about this.. please help me...
    Thanks for all...

    See simple example:
    http://www.idevelopment.info/data/Programming/java/serialization/SimpleSerialization.java
    Read Sun FAQ
    http://java.sun.com/javase/technologies/core/basic/serializationFAQ.jsp
    In common serialization allows you to store instances of classes (I mean any objects) in files.
    Then you can restore them and use in your program.
    You can specify fields which will be stored in file (serialization) and which you don't want to store. So, after restoring (deserialization) such fields will get default values.
    You need serialization when you are developing some network application. I am developing interaction between portlet app and web-service.
    I need to serialize some objects to transfer them to web-service. I just transfer some kind of text (xml data) to web-service. Web-service accepts xml-data, reads it, deserializes it and gets objects.
    So you don't pay attention to network stuff. You have to pay attention to serialization of your objects. If object you want to send to web-service doesn't have proper serialization it can be corrupted and you can lose data.
    Of course there are plenty other situations when you need serialization.

  • Java.security.AccessControlException while trying to run the server app

    ok, pretty new with java and rmi, so I wanted to run the application from the sun rmi tutorial
    http://java.sun.com/docs/books/tutorial/rmi/TOC.html.
    It all builds ok, i run the rmiregistry ,but when i try to run the server i get :
    java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
         at java.security.AccessController.checkPermission(AccessController.java:546)
         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
         at java.lang.SecurityManager.checkConnect(SecurityManager.java:1034)
         at java.net.Socket.connect(Socket.java:513)
         at java.net.Socket.connect(Socket.java:469)
         at java.net.Socket.<init>(Socket.java:366)
         at java.net.Socket.<init>(Socket.java:180)
         at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:22)
         at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:128)
         at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:595)
         at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
         at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
         at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
         at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
         at engine.ComputeEngine.main(ComputeEngine.java:30)
    what i noticed is that this output is similar to not running rmiregistry at all, so i guess the problem is with the way i'm running rmiregistry
    thx in advance

    You're running the server with a SecurityManager. There's no need to do that at first. Get rid of it. When you have it working, write yourself a .policy file that grants that permission, and any others you discover it needs, and name that as your security policy file, e.g.
    java -Djava.security.policy=my.policy -Djava.security.manager mypackage.MyServer ...
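    An added example of the .policy file the answer suggests, not taken from the tutorial or the thread. It grants only what the stack trace above asks for (connect/resolve to the registry on 127.0.0.1:1099) plus what exporting a remote object on an anonymous port needs (listen/accept on an ephemeral local port), instead of the blanket `permission java.security.AllPermission;` that sample policies often carry. CODEBASE_DIR is a placeholder for the directory holding the compiled server classes; the registry port and loopback address are the defaults from the trace.

```text
// my.policy: least-privilege grant for the tutorial ComputeEngine server.
// Replace CODEBASE_DIR with the directory that contains the server classes;
// the trailing "-" makes the grant apply to everything under it.
grant codeBase "file:/CODEBASE_DIR/-" {
    // rebind() talks to the registry started by rmiregistry on port 1099
    permission java.net.SocketPermission "127.0.0.1:1099", "connect,resolve";
    // exporting the remote object opens a listening socket on an ephemeral port
    // and accepts client connections on it
    permission java.net.SocketPermission "localhost:1024-", "listen,accept,resolve";
};
```

    Start the server exactly as the answer shows, with -Djava.security.policy=my.policy and -Djava.security.manager; each further AccessControlException names the missing permission in its message, so the file can be grown one line at a time rather than opened up wholesale.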
