Standard User XRaySpeX
(eat-sleep-adslguide) Tue 29-Jan-13 13:11:06
Re: Java 7u11 now available for download
[re: NICK_ADSL_UK]
 
Since installing this, for IE8, I've noticed numerous locked files of the form REGxx.TMP, mostly of zero length, in the Win TEMP folder, that were never there before. Upon investigation they are being locked by IE8 and, after unlocking, the latest one contains:
Latest JRE version: 1.7.0_11
Is Java forming them & why?

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Standard User bobble_bob
(experienced) Tue 29-Jan-13 18:34:12
Re: Java 7u11 now available for download
[re: Zadeks]
 
I think if a user was clueless then they probably wouldn't be using Firefox in the first place and just stick to the default of IE.
Standard User Chrysalis
(eat-sleep-adslguide) Tue 29-Jan-13 18:59:40
Re: Java 7u11 now available for download
[re: Zadeks]
 
and banger is also I assume.

Are you really condoning silently blocking the app? The same sort of behaviour as what the IWF do.

If someone has java installed, then it's probably for a reason. Most people won't even have java installed, but obviously if someone has it installed then they probably have an app that needs it.

I am not an exception, corporate remote management of servers 90% of the software is web java based. But then again I guess this is why firefox isn't used too much in corp environments as it's developed for the residential desktop user in mind and now copying the chrome mindset of dumbing down the app.

eg. would you like it if windows blocked firefox and chrome silently every time they had an open vuln? microsoft would get sued for anti competitive behaviour laugh

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20

Standard User Chrysalis
(eat-sleep-adslguide) Tue 29-Jan-13 19:02:43
Re: Java 7u11 now available for download
[re: bobble_bob]
 
yep.

The really dumbed down users will be on IE (maybe another browser if supplied with OEM setup).
Next slightly dumb user probably be using chrome, as chrome is bundled with tons of apps and has download links splattered in various places including the google home page. chrome was designed dumbed down from the start.
Firefox traditionally has been used by power users, is highly tweakable as a result but lately the devs have gone into a panic and started blindly copying chrome policies such as the rapid updates, silent upgrades, silent blocking and also they have started to remove tunables under the pretence the dev knows better.

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Standard User Zadeks
(experienced) Tue 29-Jan-13 19:22:31
Re: Java 7u11 now available for download
[re: Chrysalis]
 
Blocking a vulnerable plug-in to protect users is a little different to blocking an entire IP address (maybe even more than just a single address).

Like I said earlier, Java is often bundled with other applications, even if the application doesn't require it. Oracle receive money from the Ask Toolbar that is bundled with Java (opt-in by default). When people install Java because they want to play Minecraft & use OpenOffice, they do not need the web plug-in.

We manage a few hundred servers, none of the remote access solutions require Java. Alternatives do exist, no need to use nasty Java dependent solutions such as GotoAssist.

Not sure why you're picking on Chrome. It's a flexible browser and added advanced features such as click-to-play plug-in mode, automatic background updates and auto-block of out-of-date way before Firefox.

Microsoft would probably block their own browser before Chrome & FF, since IE has had the most active zero-days, with FF in second. http://krebsonsecurity.com/2012/10/in-a-zero-day-wor...
Standard User Chrysalis
(eat-sleep-adslguide) Wed 30-Jan-13 18:19:49
Re: Java 7u11 now available for download
[re: Zadeks]
 
I manage over 400 servers, all of these have built-in remote kvm functions, 70-80% of these servers require java to use and they are not all the same vendor either, some are HP, some are different and some also use a 3rd party kvm device.

I picked on chrome as I see rapid updates, automatic background updating and auto silently block out of date plugins as bad features, chrome also isn't very tunable (unless I am missing something) eg. can't tune the connection limits, timeouts, keepalive etc. It's hard to even install it to a non standard location, use a ramdisk for temp files and so on. In that respect it's a very dumbed down app compared to firefox, after chrome started getting a good userbase firefox devs have very clearly been copying it on policies, and I consider firefox to have gone downhill since then.

The latest java even on IE now needs click approval, IE supports click to play by itself as well (just not enabled by default) by removing the * from approved sites, then that will generate a prompt for every site not yet approved, as well as IE10 on windows 8 supporting a higher security mode.

There is security and then there is going too far silently blocking apps that can be crucial without warning and then with no working upgrade/workaround path in place is just silly and it shows that firefox devs have lost touch with their userbase. If you googled the issue you will find dozens and dozens of hits of people making posts on various sites complaining of the same issue, it's one of those things where they were scared of some bad PR so took draconian measures.

You of all people should know security is a layered approach, just because someone might have a slightly vulnerable piece in place it doesn't mean they are then suddenly likely to get compromised.

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20

Edited by Chrysalis (Wed 30-Jan-13 18:21:39)

Standard User Zadeks
(experienced) Wed 30-Jan-13 18:59:26
Re: Java 7u11 now available for download
[re: Chrysalis]
 
KVM management is an incredibly small percentage of the Java market. As web technologies progress, the industry will move away from Java. Here is a good example, http://yle.fi/uutiset/danske_bank_plans_new_java-fre...

If the industry were to follow your line of thinking regarding browser security, we would be in a very bad place. Microsoft, Google & Mozilla all have a similar vision and are implementing worthwhile security features. Chrome has been a market leader in terms of security for some time, which is why Mozilla is playing catchup. You should probably use an old version of Linux & Firefox, if you want an insecure environment.

The Chrome UI is kept simple to make it user-friendly, but it is still considerably tweakable under the hood. As always, Google is your friend.

The recent security changes to Java are a step in the right direction, but it desperately lacks automatic background update. Users are click happy and will always click OK, Accept, Run, etc.

It is better to inconvenience an incredibly small amount of the userbase, while protecting the majority at the same time.

Java has always been massively vulnerable because there are so many out-of-date installations of it in the wild that do not have the latest security features introduced by Oracle. This is why it is targeted by the bad guys. Java accounted for 50 percent of all cyberattacks last year, according to Kaspersky. This is not a slightly vulnerable piece of software. http://www.kaspersky.com/about/news/virus/2012/Oracl...

Edited by Zadeks (Wed 30-Jan-13 19:05:39)

Standard User flippery
(member) Thu 31-Jan-13 20:27:48
Re: Java 7u11 now available for download
[re: Zadeks]
 
Well got caught by Exploit:JS/Blacole.kh today. Even though picked up by Antivirus and cleaned. Restart brought up new Rundll.exe on restart
Not worth risk, reinstalled from backup.
Funny but Adaware showing site as safe.
Standard User Zadeks
(experienced) Thu 31-Jan-13 20:32:16
Re: Java 7u11 now available for download
[re: flippery]
 
Keep your system patched. AV is useless. Secunia PSI is your friend.
Standard User bobble_bob
(experienced) Fri 01-Feb-13 17:42:50
Re: Java 7u11 now available for download
[re: flippery]
 
http://www.microsoft.com/security/portal/threat/ency...

Typically, the Blackhole exploit kit attempts to exploit vulnerabilities in applications such as Oracle Java, Sun Java, Adobe Acrobat and Adobe Reader


may have got it from other places than Java exploit