Oracle releases updates for 270 vulnerabilities, including Java and Virtualbox


#1

We’ve just posted the following news: Oracle releases updates for 270 vulnerabilities, including Java and Virtualbox
Read the full article here: http://www.myce.com/news/oracle-releases-updates-270-vulnerabilities-including-java-virtualbox-81262/


#2

That’s the nature of the beast: you will always update if you want to stay in the game and keep the bots out.


#3

[QUOTE=coolcolors;2787184]That’s the nature of the Beast you will always update if you want to stay in the game and keep the bots out.[/QUOTE]

Flawed concept. Updating software only keeps some specific malware out but won’t help you against all other types which are the ones actively being developed and used today. The only way to protect your computer and network is to research and establish alternative methods of protection, in the case of an individual home user that would be blocking and using good judgement and in the case of a large corporate network blocking more and hiring real security specialists to maintain and monitor your network professionally. Too many companies these days rely on their main IT admin guy, who finished school a year ago and has no cybersec credentials whatsoever and who believes the adequate way of protecting the network is installing the latest security updates… it’s very sad but true. What’s even worse is this mentality has now trickled down to the average consumer. I mean it’s great that consumers are more concerned with their security these days than in the past (when they didn’t give it any thought at all) but I am upset that they think the answer is to install updates.

Security updates are primarily a marketing gimmick these days, serving to bring the software companies profit without actually having to add new features to their programs or, in the case of freeware, to add various spyware of their own, essentially making your data the product. The fact is that software companies are not required to patch any vulnerabilities in their software unless they specifically advertised lifetime security updates (in which case not doing so would be false advertising). Yet people expect them to do that anyway without a profit motive? That’s not how the world works - companies are not interested in throwing money at it unless it is going to generate profit directly or indirectly (as is the case with Oracle, where extremely bad press for years started decreasing revenue). In other words security updates are never intended for your safety, but rather to protect their own bottom line. And there is absolutely nothing wrong with that, it is how it should be - security should be [B]your[/B] responsibility as an end user and not theirs at all unless otherwise stated. That is not only logical but also much more effective, in that this way malware protection becomes more personalized to your unique situation and therefore effectiveness increases. There is no one single fix for security, every single situation is different and should be tackled as such.

Now I am not necessarily saying that you should never update your software, that’s not my point. What I am trying to get across is that it is not an adequate security measure at all. By itself, it is meaningless and hardly adds protection against malware. Blocking, monitoring and changes to user behavior should be your primary protection whether you are one person, a corporation or a governmental organization. Even antivirus companies fully admit that signature based (i.e. focused on malware with certain characteristics) antivirus solutions are dead. Security updates fall in the exact same category, they are engineered to prevent malicious code with a certain pre-programmed signature from running. This may have been fine 15 years ago when the majority of malware was based on rBot/rXBot clones but today the malware landscape has evolved so much that this type of protection is essentially useless.

I have personally witnessed the security measures taken in different types of organizations and I believe there is a disconnect between how the private sector and governmental agencies handle their networks’ security. The difference is that private companies have a vested financial interest in their security whereas the public sector does not. And I think this is the reason that private companies keep up with the times, and have given up on signature-based antivirus strategies (including security updates to OS and software) and instead focus their efforts on doing what I discussed (blocking, monitoring and employing cybersec professionals to manage the network). The governmental agencies, and I especially have experience in public education facilities, have not done so and continue to rely on the old ways of antivirus+software updates. Guess which one generates more calls to investigate hacking attempts (and has a higher amount of successful ones)? Then you wonder why our government constantly gets hacked by various third world countries who themselves do not seem to have such problems (Russia, China etc). You see they are employing their own version of the functional security measures I talked about. For example, the Russian government uses typewriters in governmental organizations handling sensitive data. This is the ultimate way of blocking: the typewriters cannot physically connect to any network or even have any USB ports so they can’t be penetrated physically. Of course this is not a suitable measure for a developed nation like the United States, as our society is much more complex and handling everything in paper form would pretty much cause chaos. However we can and should take less drastic and reasonable measures in making sure that even if there is a software exploit, it cannot be taken advantage of by malicious entities. Some ways to do this are even free or require very low cost, such as to stop connecting governmental computers to the internet. 
Also this may include software updates but in a slightly different sense, for example I remember when public schools in the US were using Windows 98 until the very last day of “support”/security updates from Microsoft. By that time even with the security updates that system was so old that it simply lacked the available TCP/IP functionality found in Windows 2000 and XP which meant that you had less control over blocking outside machines from connecting to your network which made that system substantially less safe even with the latest security updates than something like XP RTM would have been without any updates installed. There have been no significant changes to the network stack since Windows 2000 however so nowadays the situation is very different, it’s just one example I thought to share.

I just realized I’ve been rambling on again… Anyway let me conclude by making an analogy. You can think of security updates a bit like dietary supplements: if you’ve ever taken vitamins for example then you know the small print on the bottle says something like “not to be used as a substitute for a healthy diet”, or in other words taking them by themselves does not make you any healthier, and many studies have proven that a natural diet full of fruits and vegetables is the only way to go (i.e. having a bad diet + taking vitamins has no positive effect). Not only that but a recent study by the University of Colorado has found a link between dietary supplements and cancer so if anything, you’d be worse off… Now the same goes for security updates, which by themselves do not protect you from malware except specific versions which are by now too old and of which there are updated and unmitigated versions available, so you’re basically no less at risk than before. Not only that but a lot of security updates come with their own “cancer risk”, referring to either the cost of buying them or having to give up your own privacy to advertisers’ spyware. The only effective method is to make the smarter choice, the “healthy diet”, which in this case refers to the ways I described you can be responsible for your own security, and you can include software updates [B]on top[/B] of that if you want but you cannot have them act as a [B]substitute[/B] for being cautious yourself.


#4

[QUOTE=aztekk;2787189]Flawed concept. Updating software only keeps some specific malware out but won’t help you against all other types which are the ones actively being developed and used today.[/QUOTE]This is exactly the kind of thinking that hackers want: those like you who think hackers are going to say, “Oh, I am going to use this one; here is my source code, please block me.” This mindset is the reason malware can spread.

[QUOTE=aztekk;2787189]The only way to protect your computer and network is to research and establish alternative methods of protection, in the case of an individual home user that would be blocking and using good judgement and in the case of a large corporate network blocking more and hiring real security specialists to maintain and monitor your network professionally. Too many companies these days rely on their main IT admin guy, who finished school a year ago and has no cybersec credentials whatsoever and who believes the adequate way of protecting the network is installing the latest security updates… it’s very sad but true. What’s even worse is this mentality has now trickled down to the average consumer.[/QUOTE]No, the really good protection is to not visit porn sites or black sites or open unknown email attachments or Nigerian money emails. Also, unless you are in IT, putting down those people does no service to their efforts. One should refrain from making disparaging remarks unless they can prove otherwise.

[QUOTE=aztekk;2787189]I mean it’s great that consumers are more concerned with their security these days than in the past (when they didn’t give it any thought at all) but I am upset that they think the answer is to install updates.[/QUOTE]You’re the mindset of the hackers and how they think.

[QUOTE=aztekk;2787189]Security updates are primarily a marketing gimmick these days, serving to bring the software companies profit without actually having to add new features to their programs or in the case of freeware to add various spyware of their own, essentially making your data the product.[/QUOTE]This is laughable since you don’t see what security updates are really meant for.

[QUOTE=aztekk;2787189]The fact is that software companies are not required to patch any vulnerabilities in their software unless they specifically advertised lifetime security updates (in which case not doing so would be false advertising). But yet people expect them to do that anyway without a profit motive? That’s not how the world works - companies are not interested in throwing money at it unless it is going to generate profit directly or indirectly (as is the case with Oracle, extremely bad press for years started decreasing revenue).[/QUOTE]Really, not required? Well, you want to go ask their shareholders and investment banks whether they would like their personal info put out for all to see.

[QUOTE=aztekk;2787189]In other words security updates are never intended for your safety, but rather to protect their own bottom line.[/QUOTE]Couldn’t be more misleading than fake news.

[QUOTE=aztekk;2787189]And there is absolutely nothing wrong with that, it is how it should be - security should be [B]your[/B] responsibility as an end user and not theirs at all unless otherwise stated, that is not only logical but also much more effective in that in this way malware protection becomes more personalized to your unique situation and therefore effectiveness increases.[/QUOTE]Responsibility is everyone’s problem, not just the users’. Not everyone is up to your snuff, so stop being high-handed about those who are less inclined.

[QUOTE=aztekk;2787189]There is no one single fix for security, every single situation is different and should be tackled as such.[/QUOTE]No, they are the same and come from the same problem.

[QUOTE=aztekk;2787189]Now I am not necessarily saying that you should never update your software, that’s not my point. What I am trying to get across is that it is not an adequate security measure at all.[/QUOTE]Actually the reasoning you used would seem to indicate otherwise.

[QUOTE=aztekk;2787189]By itself, it is meaningless and hardly adds protection against malware. Blocking, monitoring and changes to user behavior should be your primary protection whether you are one person, a corporation or a governmental organization. Even antivirus companies fully admit that signature based (ie. focused on malware with certain characteristics) antivirus solutions are dead. Security updates fall in the exact same category, they are engineered to prevent malicious code with a certain pre-programmed signature from running. This may have been fine 15 years ago when the majority of malware was based on rBot/rXBot clones but today the malware landscape has evolved so much that this type of protection is essentially useless.[/QUOTE]And you expect the malware makers to give out their code/source so they can stop or block it? Let’s be realistic here.

[QUOTE=aztekk;2787189]I have personally witnessed the security measures taken in different types of organizations and I believe there is a disconnect between how the private sector and governmental agencies handle their networks’ security.[/QUOTE]My witness for security is far different from yours.

[QUOTE=aztekk;2787189]The difference is that private companies have a vested financial interest in their security whereas the public sector does not. [/QUOTE]More misleading storylines that fit right in with hackers and malware makers.

[QUOTE=aztekk;2787189]And I think this is the reason that private companies keep up with time, and have given up on signature-based antivirus strategies (including security updates to OS and software) and instead focus their efforts to doing what I discussed about (blocking, monitoring and employing cybersec professionals to manage the network). [/QUOTE]That’s what IT departments are there for, and yet you still disparage them. Maybe take a look at Snowden: he was a cybersec professional, and look what happened.

[QUOTE=aztekk;2787189]The governmental agencies, I especially have experience in public education facilities, have not done so and continue to rely on the old ways of antivirus+software updates. [/QUOTE]If you don’t like the internet, then go offline and never connect; that way you will never get DoS or malware. I think this would fit your mindset just fine; you will have no more worries.

[QUOTE=aztekk;2787189]Guess which one generates more calls to investigate hacking attempts (and has a higher amount of successful ones)? Then you wonder why our government constantly gets hacked by various third world countries who themselves do not seem to have such problems (Russia, China etc). [/QUOTE]And you think China or Russia is going to advertise, “Oh, we got hacked, oops, my bad”… NOT.

[QUOTE=aztekk;2787189]You see they are employing their own version of the functional security measures I talked about. For example, the Russian government uses typewriters in governmental organizations handling sensitive data. This is the ultimate way of blocking, the typewriters cannot physically connect to any network or even have any USB ports so they can’t be penetrated physically. Of course this is not a suitable measure for a developed nation like the United States, as our society is much more complex and handling everything in paper form would pretty much cause chaos. [/QUOTE]You see nothing and know nothing here to make such claims about those other entities and what they do. They give you the storylines they want you to hear, and you took the bait.

[QUOTE=aztekk;2787189]However we can and should take less drastic and reasonable measures in making sure that even if there is a software exploit, it cannot be taken advantage of by malicious entities. [/QUOTE]You really think malware is going to wait? Not going to happen. Either you install your security updates and OS updates or become a botnet. You don’t get to pick and choose anymore.

[QUOTE=aztekk;2787189]Some ways to do this are even free or require very low cost, such as we stop connecting governmental computers on to the internet. [/QUOTE]This is laughable. Here’s something: stop using your smartphone, because they know where you’re at and what you’re doing. I doubt you will do that.

[QUOTE=aztekk;2787189]I just realized I’ve been rambling on again… Anyway let me conclude by making an analogy. You can think of security updates a bit like dietary supplements.[/QUOTE]Couldn’t disagree more with this; the analogy is wrong in too many ways to go into depth.

[QUOTE=aztekk;2787189]Not only that but a recent study by the University of Colorado has found a link between dietary supplements and cancer so if anything, you’d be worse off… Now same goes for security updates, which by themselves do not protect you from malware except specific versions which are by now too old and of which there are updated and unmitigated versions available, so you’re basically no less at risk than before. Not only that but a lot of security updates come with their own “cancer risk” referring to either the cost of buying them or having to give up your own privacy to advertisers spyware. [/QUOTE]This is the mindset that malware makers/hackers want users to have.

[QUOTE=aztekk;2787189]The only effective method is to do the smarter choice, the “healthy diet” which in this case refers to the ways I described you can be responsible for your own security, and you can include software updates [B]on top[/B] of that if you want but you cannot have them act as [B]substitute[/B] for being cautious yourself.[/QUOTE]The only thing I actually agree with here. Users need to know their habits and where not to go, but this only works if the site doesn’t force you to another location.


#5

If your imaginary hacker wants people to be cautious on the internet and to give thought to the websites they visit (i.e. no random porn sites or other malware hubs) and, instead of relying on AV solutions and security updates that can be bypassed easily, to block internet address ranges and entire active content plugins/scripting languages (Flash, Java, JavaScript etc.), then I would have the mindset of such a “hacker”. However I have a feeling your hacker wouldn’t be a very successful one.

I wonder what makes you think you know what goes on in a hacker’s mind anyway? Well if you’re calling me one, you’d be right. I am a white hat hacker. In my work I also have directly communicated with blackhat hackers, I have seen their source code (and have reversed binaries of the ones we couldn’t get in contact with) and I can tell you what they would like the average Joe to do. They would very much appreciate it if you continued to rely on these signature-based antivirus solutions such as specific vulnerability patches as distributed in software updates because they are so easy to bypass.

In the old days it used to be a cat-and-mouse game where the moment that an AV or security update patched some exploit they simply created a new crypter with a new updated [B]runtime PE[/B] (look it up) and a new encoding scheme for scantime detections and that would allow the exact same code to run even with the new signature-based detection/patch. If I had written my previous post in those days I would have called such detection schemes “largely ineffective”. But today I described them as “essentially useless”. Why is that? Because malware has evolved. Specifically what has become the norm in the last decade or so is [B]polymorphism[/B] (another word for you to google) in either the malware code directly or the “crypter stub” that hides the original executable. Polymorphism has one goal: to eradicate all signature-based detection of malware. The easiest way to explain it to a non-programmer is that it generates machine code on the fly and at every instance of execution the code will look different but achieves the same effect as the original assembly. This has been effective, and this is the reason behind the article I linked and you did not read, which was that AV companies as large as Symantec (creator of Norton Antivirus, among others) have entirely given up on signature-based detection schemes. So the consensus in the industry is that it is an old and now ineffective way of preventing malicious code from running; however this knowledge has not trickled down to the general public yet, which is what I am trying to get across and you are up in arms trying to defend. In a simple sense, your knowledge is plain outdated.

I am amazed that you did not understand that I was speaking from a legal point of view, especially since I mentioned the false advertising charge, that should have been an easy deduction… As I stated companies will do what it takes to keep their bottom line intact, and if that demands pushing out security updates they will do so. They won’t do it to please the end users unless it actually affects them monetarily though. And they do not have such an obligation.

And what exactly did you think I was speaking about when I talked of “changes to user behavior” having to be the primary focus of security protection? You really ought to read more carefully before repeating my own ideas in a supposed rebuttal… So I agree with this statement.

The issue of responsibility… Much of this is a political issue, depending on which side of that aisle you are on. As a citizen of a free country I believe you ought to get what you ask for. Therefore if you browse porno sites and click on those “You won 1 million $$” ads then you were asking for trouble as you did not use your own common sense to determine what you click on. In those cases the blame lies solely on you and not Oracle for not providing a fix to a vulnerability. Your second example implies the user is visiting a trusted site (USAtoday, NYtimes, Google.com etc.) where it’s [I]reasonable [/I] to assume lack of malware and gets hacked because the trusted site is taken over by hackers. In this case the moral responsibility lies on that trusted site to not get infected by malware, that’s how I see that situation. Legally they probably won’t be held liable, it could be considered an “act of God”. But in most cases users who do limit themselves to web addresses they trust have a very low likelihood of getting hacked in general, so it’s a valid recommendation especially combined with the other two I promoted (blocking and professional monitoring).

Now I’ll get to the offtopic things:

Best you got? Well I explained a better solution to the problem of government organizations’ security, that would be doing the same that the private sector has done which is filtering malicious places on the internet, and yes, taking certain sensitive computers offline. This is already what is done by the NSA (that’s why it took Snowden, an inside man, to produce a leak) and it is a genuine solution in some situations. I can’t think why you would think otherwise, but I’m glad the CIA, NSA and FBI agree…

And as for Snowden, well that’s beyond the topic of cyber security. If you have a rat inside your organization it doesn’t really matter what security measures you take against malware. You have a much bigger problem.

Lately I haven’t used my smartphone at all. In fact I’ve been considering just selling the thing, I thought it could be useful for work but I guess I’m a PC or nothing kind of guy… anyway smartphone security and use by consumers has nothing to do with the security of governmental computers and has no relevance to that debate. Totally separate issue.

No one advertises such things… and if you were to go down that argument then if anything, I’d say our US government should be much better equipped to keep such issues out of the public eye than those countries? In any case it’s kind of difficult to do that when WikiLeaks releases hacked (by their own admission) documents for the public to see. I think you and I would agree that it’s a shame WikiLeaks and other organizations focus on the US but largely ignore the stuff Russia, China, Iran etc. do. Those countries are the ones doing the worst human rights violations in the world and yet we hear more about Hillary’s emails than we do about Chinese prison camps… but that’s a topic for another day too.

So you decided to just disagree for the sake of disagreeing? :rolleyes:

This is the most childish thing I’ve read today. You are seriously telling me you have an all-in-one fix, a magic pill that works for all security situations across the spectrum? I can’t help you with that…

So I am going to conclude now. I think the following quote explains where our main disagreement lies in.

I do agree you don’t get to pick and choose anymore. You don’t get to choose to be irresponsible on the internet and rely on antivirus and software updates to save your computer from being infected with malware. Thanks to the death of signature based antivirus methods that is no longer an option and until we find a better solution to tackle malware the best guidance that can be given is that you eliminate running exploit code to begin with, by using the 3 tools I keep referring to, that is smart user behavior, network and software/plugin level blocking and professional monitoring of the network. If you disagree and have ideas of your own then you are free to suggest those, but AVs and software updates are no longer an appropriate fix, don’t take my word for it, just ask any major antivirus company.

And the purpose of my posts is not to convince Mr. Coolcolors the software updates evangelist about switching his habits. You clearly are not interested in hearing me or Symantec or Avira or anyone who is in the cybersec profession tell you about the reality so you don’t have to change your habits. I understand it is psychologically difficult to accept change, but the fact is what I am saying is echoed by my colleagues and it will eventually trickle down to general public knowledge as well. Give it 5-10 years and I bet your opinion will be very different.

But until then, I ask you, if you still have the need to differ with me, to actually provide some proof and facts to back up your statements, as I did in my original post and here. I came up with explanations and links to articles. You came up with a post mainly comprised of offtopic hostility towards me and no real new information; if it were a debate over what color the sky is and you were saying it’s green and I came up with a color palette card showing you green and blue to prove it’s in fact blue, you’d just be saying “it’s green anyway”. That’s really not a valid argument. And I have no hostility toward you either but I’m not going to waste more of my time if it’s just a pissing contest for you. So I expect you to come up with verifiable proof and links to show how exactly you counter the fact that signature-based solutions to malware are in fact still adequate despite large cybersec industry figures stating the exact opposite.

Otherwise I wish you a nice weekend and rest of the year.
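The “crypter stub” mechanism post #5 describes, where the same body is re-encoded at every build so that a scan-time byte signature no longer matches the file on disk, as an added example that is not code from any poster. The payload, the signature and the stub layout are all constructed here for illustration; the payload is a harmless marker string, not malware. The example shows both halves of the argument: the static signature fails on the encoded stub (and every build is byte-for-byte different when the key is random), while a check on what the stub decodes to at runtime still recognizes the body, which is why detection moved toward runtime and behaviour. One caveat in the thread’s own terms: this is a property of scan-time signatures; a vendor patch removes the flaw an exploit needs rather than matching bytes, so re-encoding a payload does not get it past a patched program.

```python
"""Toy crypter stub vs. a fixed byte signature (constructed example).

Nothing here is real malware: PAYLOAD is a harmless marker string that
stands in for a body a scanner would want to recognize.
"""
import os
from typing import Optional

# Constructed stand-in for a malicious body.
PAYLOAD = b"MARKER:drop_file;connect_c2;persist"
# Constructed scan-time signature: a fixed substring of that body.
SIGNATURE = b"connect_c2"


def signature_match(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Static scan-time check: does the blob on disk contain the signature bytes?"""
    return sig in blob


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_stub(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Produce one 'build' of the stub: [key length][key][XOR-encoded body].

    With no key given, a fresh random key is drawn, so two builds of the
    same payload differ byte for byte while decoding to the same body.
    """
    key = key if key is not None else os.urandom(8)
    if not 1 <= len(key) < 256:
        raise ValueError("key must be 1..255 bytes")
    return bytes([len(key)]) + key + xor_encode(payload, key)


def run_stub(stub: bytes) -> bytes:
    """What executes at runtime: read the key back out and decode the body."""
    klen = stub[0]
    key = stub[1:1 + klen]
    return xor_encode(stub[1 + klen:], key)


def runtime_match(stub: bytes, sig: bytes = SIGNATURE) -> bool:
    """Runtime-side check: inspect the decoded body, not the bytes on disk."""
    return sig in run_stub(stub)


if __name__ == "__main__":
    a = build_stub(PAYLOAD)
    b = build_stub(PAYLOAD)
    print("plain payload matches signature :", signature_match(PAYLOAD))
    print("stub A matches signature on disk:", signature_match(a))
    print("stub B matches signature on disk:", signature_match(b))
    print("two builds differ byte for byte :", a != b)
    print("decoded bodies still match      :", runtime_match(a) and runtime_match(b))
```

With a random key the on-disk signature check fails on every build while the decoded body is unchanged; the fixed-key calls in the test below make the result deterministic.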