Bitcoin Forum
Pages: « 1 [2]  All
Author Topic: Very Important Security Update for Java  (Read 4034 times)
tvbcof (Legendary; Activity: 4760; Merit: 1282)
February 03, 2013, 04:01:17 AM  #21

Quote
...
Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk).
...

"0% risk".  Hmmmm.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
CIYAM (Legendary; Activity: 1890; Merit: 1086) - Ian Knowles - CIYAM Lead Developer
February 03, 2013, 04:10:38 AM  #22

Quote from: tvbcof
"0% risk".  Hmmmm.

You see a risk with using QR codes for comms?
(I see risk when you use USB like Armory does)

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
justusranvier (Legendary; Activity: 1400; Merit: 1013)
February 03, 2013, 04:18:36 AM  #23

Unless the programs that read the QR codes are provably free from any flaws that could allow a specially-crafted image to trigger an exploit, you can't call the risk 0%.
CIYAM (Legendary; Activity: 1890; Merit: 1086)
February 03, 2013, 04:21:27 AM  #24

This is getting rather OT, but what kind of exploit can you possibly have when we are talking about signing a tx offline (either it is going to be signed or it isn't)?

justusranvier (Legendary; Activity: 1400; Merit: 1013)
February 03, 2013, 04:34:02 AM  #25

Quote from: CIYAM
This is getting rather OT, but what kind of exploit can you possibly have when we are talking about signing a tx offline (either it is going to be signed or it isn't)?
The reason you're signing a transaction offline is because you assume it's possible for an attacker to compromise your online computer. In that case you have to assume the attacker can alter the QR code that's being delivered to the offline computer, which means there's a non-zero possibility the attacker can compromise your offline computer as well.

Image processing libraries, like any other kind of software that processes arbitrary input, can fail in ways that allow arbitrary code execution. A few years ago it was possible to take over Windows computers if you could convince the user to load a web site containing a malicious JPEG image.

There are ways to reduce this risk, such as code audits, fuzz testing, and other techniques, but those don't completely eliminate the risk.
Driice (Full Member; Activity: 122; Merit: 100)
February 03, 2013, 04:43:46 AM  #26

Just uninstalled Java. Thanks for the heads-up.
CIYAM (Legendary; Activity: 1890; Merit: 1086)
February 03, 2013, 04:49:50 AM  #27

Quote from: justusranvier
The reason you're signing a transaction offline is because you assume it's possible for an attacker to compromise your online computer. In that case you have to assume the attacker can alter the QR code that's being delivered to the offline computer, which means there's a non-zero possibility the attacker can compromise your offline computer as well.

Understand that you can do a "decoderawtransaction" on the "offline computer" before you bother to sign it and create the final QR code (and understand that the particular QR code being used is only big enough to hold a couple of hundred bytes).

So unless we are talking about your *offline* computer being compromised then we are not seriously talking about a possible "attack vector" are we (and okay I am happy to change 0% to let's say 0.00001%)?

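Two points in the exchange above lend themselves to a worked example: justusranvier's warning that whatever parses the data arriving on the offline machine is attack surface, and CIYAM's answer that you decode the raw transaction on the offline computer and look at it before signing. The Python below is an added example, not code from this thread, from Bitcoin Core or from any wallet project. It parses a legacy-format (pre-segwit) raw transaction with explicit bounds checks, refusing non-hex, oversize, truncated or over-long payloads instead of guessing, renders P2PKH outputs as addresses, and declines to sign unless every output is either a payment the user asked for or their own change. The 300-byte QR budget, the hash160 values, the spent txid and both sample transactions are constructed for the example.

```python
# Added example: decode a raw, unsigned, legacy-format Bitcoin transaction on the
# offline machine and compare its outputs with what the user meant to send before
# signing.  Not code from the thread or any wallet; the sample data is constructed.
import hashlib

MAX_PAYLOAD_BYTES = 300   # assumption: a QR transfer carries a few hundred bytes
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def take(buf, pos, n):
    """Bounds-checked slice: a truncated payload or a lying length field raises."""
    if pos + n > len(buf):
        raise ValueError("truncated transaction")
    return buf[pos:pos + n], pos + n

def read_varint(buf, pos):
    """Bitcoin CompactSize integer -> (value, new_pos)."""
    first, pos = take(buf, pos, 1)
    if first[0] < 0xfd:
        return first[0], pos
    raw, pos = take(buf, pos, {0xfd: 2, 0xfe: 4, 0xff: 8}[first[0]])
    return int.from_bytes(raw, "little"), pos

def base58check(payload):
    """Base58Check encoding (version byte + hash160 -> P2PKH address)."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def script_to_address(spk):
    """Only P2PKH (OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG) is recognised."""
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return base58check(b"\x00" + spk[3:23])
    return None          # anything else is reported as unknown, never accepted

def decode_raw_transaction(raw_hex):
    """Parse a legacy serialisation; refuse oversize, non-hex or malformed payloads."""
    if len(raw_hex) > 2 * MAX_PAYLOAD_BYTES:
        raise ValueError("payload larger than a QR transfer should carry")
    try:
        buf = bytes.fromhex(raw_hex)
    except ValueError:
        raise ValueError("payload is not hex") from None
    ver, pos = take(buf, 0, 4)
    tx = {"version": int.from_bytes(ver, "little", signed=True), "vin": [], "vout": []}
    n_in, pos = read_varint(buf, pos)
    for _ in range(n_in):
        txid, pos = take(buf, pos, 32)        # stored reversed relative to display order
        vout, pos = take(buf, pos, 4)
        slen, pos = read_varint(buf, pos)
        _sig, pos = take(buf, pos, slen)      # empty on an unsigned tx, but parsed anyway
        _seq, pos = take(buf, pos, 4)
        tx["vin"].append({"txid": txid[::-1].hex(), "vout": int.from_bytes(vout, "little")})
    n_out, pos = read_varint(buf, pos)
    for i in range(n_out):
        val, pos = take(buf, pos, 8)
        slen, pos = read_varint(buf, pos)
        spk, pos = take(buf, pos, slen)
        tx["vout"].append({"n": i, "value_sat": int.from_bytes(val, "little"),
                           "address": script_to_address(spk), "scriptPubKey": spk.hex()})
    lock, pos = take(buf, pos, 4)
    tx["locktime"] = int.from_bytes(lock, "little")
    if pos != len(buf):
        raise ValueError("trailing bytes after transaction")
    return tx

def safe_to_sign(raw_hex, intended, change_address):
    """(ok, problems): each output must be an intended payment (exact amount, once)
    or go to our own change address; unrecognised scripts are refused."""
    problems, seen = [], set()
    for out in decode_raw_transaction(raw_hex)["vout"]:
        addr, sat = out["address"], out["value_sat"]
        if addr is None:
            problems.append(f"output {out['n']}: unrecognised script {out['scriptPubKey']}")
        elif addr == change_address:
            continue
        elif intended.get(addr) == sat and addr not in seen:
            seen.add(addr)
        else:
            problems.append(f"output {out['n']}: {sat} sat to {addr} was not requested")
    problems += [f"missing payment of {intended[a]} sat to {a}" for a in set(intended) - seen]
    return not problems, problems

def build_unsigned_tx(inputs, outputs):
    """Constructed-sample builder (not a real tx): inputs [(txid_hex, vout)], outputs
    [(hash160, sat)], empty scriptSigs, counts kept below 0xfd."""
    raw = (1).to_bytes(4, "little") + bytes([len(inputs)])
    for txid, vout in inputs:
        raw += bytes.fromhex(txid)[::-1] + vout.to_bytes(4, "little") + b"\x00\xff\xff\xff\xff"
    raw += bytes([len(outputs)])
    for h160, sat in outputs:
        spk = b"\x76\xa9\x14" + h160 + b"\x88\xac"
        raw += sat.to_bytes(8, "little") + bytes([len(spk)]) + spk
    return (raw + bytes(4)).hex()

SPENT = bytes(range(32)).hex()                       # made-up previous txid
PAYEE_H160, CHANGE_H160, ATTACKER_H160 = bytes(range(20)), bytes(20), b"\xee" * 20
PAYEE, CHANGE = base58check(b"\x00" + PAYEE_H160), base58check(b"\x00" + CHANGE_H160)
GOOD_TX = build_unsigned_tx([(SPENT, 0)], [(PAYEE_H160, 50_000), (CHANGE_H160, 9_000)])
TAMPERED_TX = build_unsigned_tx([(SPENT, 0)], [(ATTACKER_H160, 50_000), (CHANGE_H160, 9_000)])
```

`safe_to_sign(GOOD_TX, {PAYEE: 50_000}, CHANGE)` returns `(True, [])`; the tampered transaction, where the online side redirected the payee output, comes back with two findings (an unrequested payment and a missing one). The point of `take` and the trailing-bytes check is the one justusranvier makes: the offline parser is the last thing standing between attacker-controlled input and the signing key, so it should fail closed on anything it does not fully understand rather than decode as much as it can.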
tvbcof (Legendary; Activity: 4760; Merit: 1282)
February 03, 2013, 09:13:20 AM  #28

Quote from: CIYAM
Quote from: tvbcof
"0% risk".  Hmmmm.
You see a risk with using QR codes for comms?
(I see risk when you use USB like Armory does)


Mostly it's just that the term 'zero risk' tends to set off alarm bells in my mind.  Generally speaking, TEMPEST and Cold Disk are two risks that I see as non-zero.  Particularly if someone knows you have potentially hundreds of thousands of USD worth of BTC (or anything else) kicking around.  I'd be inclined to at least encrypt the HDD by way of making security suggestions.


phelix (Legendary; Activity: 1708; Merit: 1020)
February 03, 2013, 09:52:58 AM  #29

Quote
http://www.esecurityplanet.com/patches/oracle-responds-to-java-security-flaws-with-50-fixes.html

If you are on windows, go to Programs and Features, uninstall all "Java".

If you still need java you can get the latest version from here:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

What about deactivating java in the browser? Should that not be enough?

I highly recommend noscript.

grantbdev (Sr. Member; Activity: 292; Merit: 250)
February 03, 2013, 05:36:07 PM  #30

How at risk am I with OpenJDKs installed for development (no web plug-in) on GNU/Linux?

Don't use BIPS!