Java exploit, the inevitable question
Steve Riley
steve at rileyz.net
Tue Jan 15 23:25:12 UTC 2013
On 2013-01-15 20:03:12 Myriam Schweingruber <myriam at kde.org> wrote:
>
> Not at all, the exploit is only in the Oracle Java, and only applies
> on Windows systems. And even then, Oracle has already fixed it AFAIK.

This note from US CIRT would indicate that the vulnerability is not
restricted to Oracle Java and that it affects multiple platforms, not just
Windows:

http://www.kb.cert.org/vuls/id/625617

"The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java
applications in a browser or as standalone programs. Oracle has made the
JRE available for multiple operating systems. OpenJDK is an open-source
implementation of the Java platform, and the IcedTea project aims to make
it easier to deploy OpenJDK, including a web browser plugin."

"Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK
7, and subsequently IcedTea, are also affected. The invokeWithArguments
method was introduced with Java 7, so therefore Java 6 is not affected."

"This vulnerability is being attacked in the wild, and is reported to be
incorporated into exploit kits. Exploit code for this vulnerability is also
publicly available. We have confirmed that Windows, OS X, and Linux
platforms are affected. Other platforms that use Oracle Java 7 may also be
affected."

And this article suggests the "fix" really doesn't do anything:

http://betanews.com/2013/01/14/java-7-update-11-security-patch-fixes-nothing

...Steve