Java exploit, the inevitable question
Gene Heskett
gheskett at wdtv.com
Wed Jan 16 02:32:06 UTC 2013
On Tuesday 15 January 2013 21:23:19 Steve Riley did opine:
Message additions Copyright Tuesday 15 January 2013 by Gene Heskett
> On 2013-01-15 20:03:12 Myriam Schweingruber <myriam at kde.org> wrote:
> > Not at all, the exploit is only in the Oracle Java, and only applies
> > on Windows systems. And even then, Oracle has already fixed it AFAIK.
>
> This note from US CIRT would indicate that the vulnerability is not
> restricted to Oracle Java and that it affects multiple platforms, not
> just Windows:
>
> http://www.kb.cert.org/vuls/id/625617
>
> "The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java
> applications in a browser or as standalone programs. Oracle has made the
> JRE available for multiple operating systems. OpenJDK is an open-source
> implementation of the Java platform, and the IcedTea project aims to
> make it easier to deploy OpenJDK, including a web browser plugin."
>
> "Oracle Java 7 update 10 and earlier Java 7 versions are affected.
> OpenJDK 7, and subsequently IcedTea, are also affected. The
> invokeWithArguments method was introduced with Java 7, so therefore
> Java 6 is not affected."
>
> "This vulnerability is being attacked in the wild, and is reported to be
> incorporated into exploit kits. Exploit code for this vulnerability is
> also publicly available. We have confirmed that Windows, OS X, and
> Linux platforms are affected. Other platforms that use Oracle Java 7
> may also be affected."
>
>
> And this article suggests the "fix" really doesn't do anything:
>
> http://betanews.com/2013/01/14/java-7-update-11-security-patch-fixes-nothing
>
>
> ...Steve
All in all, I failed to see anything in the above links that would indicate
this version:

gene at coyote:/etc/alternatives$ java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~10.04.2)
OpenJDK Server VM (build 20.0-b12, mixed mode)

is affected. But I expect we should be suitably cautious regardless. I'll
start by making all varieties of java, including beans, "always ask" so I
can at least get an idea of what web sites are trying to use java.
Cheers, Gene
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
My web page: <http://coyoteden.dyndns-free.com:85/gene> is up!
My views
<http://www.armchairpatriot.com/What%20Has%20America%20Become.shtml>
But what can you do with it? -- ubiquitous cry from Linux-user partner.
(Submitted by Andy Pearce, ajp at hpopd.pwd.hp.com)
I was taught to respect my elders, but it's getting
harder and harder to find any...
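
Added example, not part of the original message: a shell function that classifies `java -version` output against the affected range quoted from the CERT note in this thread (Oracle Java 7 update 10 and earlier, OpenJDK 7; Java 6 not affected). The function name, the result labels, and treating any non-OpenJDK output as Oracle are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from CERT).
# Handles the 1.<major>.0_<update> version scheme in use at the time;
# anything else is reported as "unknown".

classify_java() {
    # $1 = full text printed by `java -version`
    out=$1

    # First line looks like: java version "1.6.0_24"
    ver=$(printf '%s\n' "$out" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "unknown"; return 0; }

    major=$(printf '%s' "$ver" | sed -n 's/^1\.\([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] || { echo "unknown"; return 0; }

    # Update number after the underscore, leading zeros stripped; none means 0.
    update=$(printf '%s' "$ver" | sed -n 's/.*_0*\([0-9][0-9]*\).*/\1/p')
    [ -n "$update" ] || update=0

    # Assumption: output that does not mention OpenJDK is an Oracle build.
    case $out in
        *OpenJDK*) vendor=openjdk ;;
        *)         vendor=oracle ;;
    esac

    if [ "$major" -lt 7 ]; then
        echo "not-affected"   # invokeWithArguments was introduced with Java 7
    elif [ "$major" -eq 7 ] && [ "$vendor" = openjdk ]; then
        echo "affected"       # the note names OpenJDK 7 with no update bound
    elif [ "$major" -eq 7 ] && [ "$update" -le 10 ]; then
        echo "affected"       # Oracle Java 7 update 10 and earlier
    else
        echo "not-listed"     # outside the range the quoted note states
    fi
}

# Live use (java -version writes to stderr):
#   classify_java "$(java -version 2>&1)"
```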