Windows OneCare Firewall Hole

February 1, 2006

reports that the firewall in the Windows OneCare beta comes with blanket default rules for the Java Virtual Machine, creating a security hole that would be a major exploit point if OneCare were in wide use.

As it is, it's something that needs to be changed by the time the product goes gold.

Like any blanket security-bypass rule, these default settings are a bad idea, said Mark Curphey, vice president at vulnerability management specialist Foundstone, a part of McAfee.

“Any firewall, any security device should have a default deny,” Curphey said in an interview Tuesday. “Any door should always be closed.”

Note the company the “source” works for. Not to say he isn’t right, although my install of OneCare has no rules for the VM, as I don’t have one installed. Just that a reporter can find a better primary source than a VP at a competitor.
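The OneCare beta is long gone, but the class of problem is easy to check for on any current Windows box with the built-in Windows Firewall. The script below is an added example for this post, not code from the original article, from Microsoft or from OneCare. It assumes the NetSecurity module (Windows 8 / Server 2012 and later), an elevated prompt, and that the JVM binaries of interest are java.exe and javaw.exe wherever they are installed; the path, port and address in the tightened rule at the end are placeholders.

```powershell
# Audit Windows Firewall for the OneCare-style mistake: an enabled Allow rule
# scoped only to a Java runtime by program path, with no port or remote-address
# restriction. Also report each profile's default action, which is the
# "default deny" Curphey is talking about.
#
# Assumption: JVM executables are java.exe / javaw.exe in any directory.
$JvmPattern = '\\javaw?\.exe$'

function Get-FirewallDefaults {
    # DefaultInboundAction / DefaultOutboundAction per profile (Domain, Private, Public).
    # Anything other than Block means unlisted traffic in that direction is allowed.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Get-JvmFirewallRules {
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        # Program is 'Any' when the rule is not bound to an executable.
        if ($app.Program -notmatch $JvmPattern) { return }

        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter

        # The filters report the literal string 'Any' when no restriction is set,
        # so a rule is "blanket" when program path is the only thing it matches on.
        $blanket = ($port.LocalPort -eq 'Any') -and
                   ($port.RemotePort -eq 'Any') -and
                   ($addr.RemoteAddress -eq 'Any')

        [pscustomobject]@{
            Name          = $rule.DisplayName
            Direction     = $rule.Direction
            Profile       = $rule.Profile
            Program       = $app.Program
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemotePort    = ($port.RemotePort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Blanket       = $blanket
        }
    }
}

Write-Host '== Profile defaults =='
Get-FirewallDefaults | Format-Table -AutoSize

Write-Host '== Allow rules bound to a JVM (Blanket = no port/address scoping) =='
Get-JvmFirewallRules | Sort-Object Blanket -Descending | Format-Table -AutoSize

# What a tightened replacement looks like: one executable, one protocol, one
# remote port, one remote host. Placeholder values; -WhatIf only previews the change.
New-NetFirewallRule -DisplayName 'Java - app server only (example)' `
    -Direction Outbound -Action Allow `
    -Program 'C:\Program Files\Java\jre\bin\javaw.exe' `
    -Protocol TCP -RemotePort 8443 -RemoteAddress 203.0.113.10 -WhatIf
```

Two things to read off the output. First, a blanket rule only matters in a direction whose profile default is Block; Windows Firewall allows outbound by default, so a wide-open outbound rule for javaw.exe changes nothing until the outbound default is tightened, while the same rule inbound is exactly the hole the article describes. Second, the audit keys on the program path, so a JVM installed under a different executable name will not be flagged; widen `$JvmPattern` for your own estate.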

