Standard User 4M2
(fountain of knowledge) Sat 02-Feb-13 16:52:45
Re: Java 7 Update 13 now available
[re: Zadeks]

Java can be accessed again from the XP SP3 32-bit Control Panel now, after the update, which seems pretty good - it disappeared from Control Panel after the previous update, when I could only access it from C:\Program Files\Common Files.
Standard User Chrysalis
(eat-sleep-adslguide) Sat 02-Feb-13 22:04:07
Re: Java 7 Update 13 now available
[re: deleted]

It's worth noting Flash is auto-sandboxed on Chrome and IE; the sandbox feature, as far as I am aware, was made specifically for Mozilla browsers since, for whatever reason, Mozilla won't implement low integrity modes and sandboxing in their browser. When I questioned on the Mozilla forums (which devs don't respond to but some fanboys do) I was told "it's too difficult to rewrite Firefox to support separating processes and privilege levels, breaks too many plugins etc.", suggesting it's not going to happen.

It's also worth noting that Java is the fashion of the day; ultimately every software is vulnerable, but just certain software tends to get picked on from time to time depending on the ease of exploiting and the take-up of that software (how many have installed it); it seems Java is now the new bully victim.

The best protection for this sort of thing is, firstly, a default low privilege level, so e.g. ideally no one should be browsing as an admin-level user; after that, sandboxing, so the app itself is jailed in a restricted area; and after that, whitelisting/approval-only modes. These 3 combined with intelligent enough end users would stop exploits pretty much dead. If you can't be bothered setting up things in such a manner, e.g. limited user accounts combined with SRP, then just browse using a virtual machine :) and reload the snapshot on the machine every time you boot it up, so even if exploited it's reset for the new session. Perhaps Microsoft should start IE in XP Mode (since that uses Virtual PC).

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Standard User Zadeks
(experienced) Sat 02-Feb-13 22:34:01
Re: Java 7 Update 13 now available
[re: deleted]

Resetting the security level to medium is not a good idea.

"Unsigned Java apps in the browser will run without prompting only if the Java version is considered secure. (The JRE version should be at or above the latest security update release of Java from Oracle.) You will be prompted if an unsigned app requests to run on an old version of Java. To download the latest version of Java"

Nobody wants unsigned java apps to run in the browser without prompting the user, even if Java is at the latest version, because it often takes Oracle forever to fix vulnerabilities. This is why Java is the #1 target.

The high setting is a start. "You will be prompted before any unsigned Java app runs in the browser. If the JRE is below the security baseline, you will be given an option to update."


Standard User Zadeks
(experienced) Sat 02-Feb-13 22:48:41
Re: Java 7 Update 13 now available
[re: Chrysalis]

Java is picked because it has little protection in place and does not have automatic updates. As a result, a lot of the user base fail to update to the latest version when a patch is released. Other vendors have learnt from their mistakes. *cough* Adobe *cough*

Applications have been running with user privileges since Vista. This makes malware removal far easier.
Standard User deleted
(deleted) Sun 03-Feb-13 04:49:53
Re: Java 7 Update 13 now available
[re: Zadeks]

In reply to a post by Zadeks:
Resetting the security level to medium is not a good idea.
It isn't that difficult to get a code signing certificate chained to a root in the Java root bundle (many common roots are not there). In other words, code signing helps, not least because rogue signing certificates can be revoked, but there is an inevitable time lag between a rogue app being published and any signing certificate used being revoked.

A signed app can go beyond the permissions sandbox of unsigned apps.


Nevertheless, I'm in support of the default now being High - as you say, it's best for users to be aware when an unsigned Java app is going to run. Hopefully this will encourage the reputable app publishers to sign their apps.
Standard User Chrysalis
(eat-sleep-adslguide) Mon 04-Feb-13 00:50:21
Re: Java 7 Update 13 now available
[re: Zadeks]

My point being, if the setup itself is secure, updates won't even be needed because existing vulns wouldn't even be effective or work. Updates are always behind 0day.

Also the default account configuration in Vista/Win7 and Win8 is not a jailed restricted user account. IE's default configuration on those OSes is far more secure than Firefox. Firefox only becomes reasonably secure after some configuration and 3rd party help, such as with things like NoScript or sandbox software.

It's possible to put a Windows XP SP0 on the internet unpatched and it wouldn't get infected.

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Standard User Zadeks
(experienced) Mon 04-Feb-13 09:23:36
Re: Java 7 Update 13 now available
[re: Chrysalis]

Even if the setup is relatively secure, only an idiot would browse the web using an unpatched version of IE. Multiple steps are required to secure a box, and one of them is patching, which is usually at the top of the list, due to its effectiveness. This goes against the advice of the decent security vendors. http://blog.malwarebytes.org/intelligence/2013/01/we...

Bad guys do not waste precious 0day exploits on the average joe. These days, people usually get infected because they failed to patch a vulnerable piece of software. Again, this isn't helped by Java's lack of auto update.

User privileges have been restricted since Vista and this makes malware removal far easier. The Firefox browser is getting more secure, day by day, without the need to complicate the situation for the user by introducing complex add-ons and 3rd party sandbox software.

It "might" not get infected, there are no guarantees in the security world when you are dealing with a ticking time bomb.

Just because your approach works for you, this doesn't mean it'll work for everyone.
Standard User deleted
(deleted) Mon 04-Feb-13 15:24:01
Re: Java 7 Update 13 now available
[re: Apprentice]

I can hear the clock ticking.
Standard User deleted
(deleted) Mon 04-Feb-13 16:33:37
Re: Java 7 Update 13 now available
[re: deleted]

Updated today, and am now unable to run anything that uses Java - including verifying the installation on the Java website. I have uninstalled and re-installed, but it is not working.

Any suggestions?
Standard User Chrysalis
(eat-sleep-adslguide) Tue 05-Feb-13 02:59:20
Re: Java 7 Update 13 now available *DELETED*
[re: Zadeks]

Post deleted by Chrysalis