Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Java > JDK 1.7.0_07 and JDK 1.6.0_35 are out

Reply
Thread Tools

JDK 1.7.0_07 and JDK 1.6.0_35 are out

 
 
Roedy Green
Guest
Posts: n/a
 
      08-30-2012
JDK 1.7.0_07 and JDK 1.6.0_35 are out

See http://mindprod.com/jgloss/jdk.html if you are having trouble
installing. Page won't be updated until about 7 PM PDT.
--
Roedy Green Canadian Mind Products http://mindprod.com
A new scientific truth does not triumph by convincing its opponents and making them see the light,
but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
~ Max Planck 1858-04-23 1947-10-04


 
Reply With Quote
 
 
 
 
Arne Vajh°j
Guest
Posts: n/a
 
      08-31-2012
On 8/30/2012 7:44 PM, Roedy Green wrote:
> JDK 1.7.0_07 and JDK 1.6.0_35 are out


And people using Java in web browsers should update ASAP
as the update contains fixes for several nasty
security issues that are actively being exploited
in the wild.

Arne


 
Reply With Quote
 
 
 
 
markspace
Guest
Posts: n/a
 
      08-31-2012
On 8/30/2012 5:41 PM, Arne Vajh°j wrote:
> On 8/30/2012 7:44 PM, Roedy Green wrote:
> > JDK 1.7.0_07 and JDK 1.6.0_35 are out

>
> And people using Java in web browsers should update ASAP
> as the update contains fixes for several nasty
> security issues that are actively being exploited
> in the wild.



There was an article on Slate about Java recently. Does this fix
address the issues it mentions?

<http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable _java_on_your_browser_right_now_.html>



 
Reply With Quote
 
Arne Vajh°j
Guest
Posts: n/a
 
      08-31-2012
On 8/30/2012 8:45 PM, markspace wrote:> On 8/30/2012 5:41 PM, Arne
Vajh°j wrote:
>> On 8/30/2012 7:44 PM, Roedy Green wrote:
>> > JDK 1.7.0_07 and JDK 1.6.0_35 are out

>>
>> And people using Java in web browsers should update ASAP
>> as the update contains fixes for several nasty
>> security issues that are actively being exploited
>> in the wild.

>
> There was an article on Slate about Java recently. Does this fix
> address the issues it mentions?
>
>

<http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable _java_on_your_browser_right_now_.html>


I think so.

Arne


 
Reply With Quote
 
Roedy Green
Guest
Posts: n/a
 
      08-31-2012
On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
indirectly quoted someone who said :

>There was an article on Slate about Java recently. Does this fix
>address the issues it mentions?
>http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable _java_on_your_browser_right_now_.html>



The tone of the article made me suspicious. The author seems all to
eager to tell people to uninstall Java without explaining why. I have
heard so much BS about the danger of Java. Crying wolf on that scale
should be a criminal offence, or at least get you sued.

On the other paw, this update follows fast on the heels of the
previous one. That would only normally happen if there were a very
important security fix.

Oracle say that 1.7.0_07 fixes
http://www.oracle.com/technetwork/to...1-1835715.html

But they are unusually vague about what the security vulnerability is,
ostensibly to avoid giving hints to exploiters. It sounds like it
applies only to unsigned applets on malicious websites. It is probably
1000 times easier for a malicious website to use JavaScript than this
exploit.

"zero day" does not tell us much about the vulnerability.
A zero-day (or zero-hour or day zero) attack or threat is an attack
that exploits a previously unknown vulnerability in a computer
application, meaning that the attack occurs on "day zero" of awareness
of the vulnerability.[1] This means that the developers have had zero
days to address and patch the vulnerability. Zero-day exploits (actual
software that uses a security hole to carry out an attack) are used or
shared by attackers before the developer of the target software knows
about the vulnerability.

This article claims Oracle knew about this but sat on their thumbs. It
also says the attack came from China and allows any code at all to be
run.
http://www.informationweek.com/secur...acts/240006535

This article says 1.7.0_07 fixes the vulnerability.
http://www.macobserver.com/tmo/artic...vulnerability/
--
Roedy Green Canadian Mind Products http://mindprod.com
A new scientific truth does not triumph by convincing its opponents and making them see the light,
but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
~ Max Planck 1858-04-23 1947-10-04


 
Reply With Quote
 
Fredrik Jonson
Guest
Posts: n/a
 
      08-31-2012
In <(E-Mail Removed)> Roedy Green wrote:

> I have heard so much BS about the danger of Java. Crying wolf on that
> scale should be a criminal offence, or at least get you sued.


On the other hand raising doubt about a acknowledged and severe security
vunerability isn't very wise either.

Without pointing you to the source code of the exploit, which is widely
available this time, when reading the code it becomes trivially clear to
anyone that it allows the attacker to execute _any_ code on the target
machine. It evades the normal java sandbox completely.

So lets not play this one down. This time it is for real.

> On the other paw, this update follows fast on the heels of the
> previous one. That would only normally happen if there were a very
> important security fix.


Indeed.

> But they are unusually vague about what the security vulnerability is,
> ostensibly to avoid giving hints to exploiters. It sounds like it
> applies only to unsigned applets on malicious websites. It is probably
> 1000 times easier for a malicious website to use JavaScript than this
> exploit.


Unfortunately I think Oracle are normally vague. If anything, they are less
vague than usual in describing the severity and consequences. I quote:

"To be successfully exploited, an unsuspecting user running an affected
release in a browser will need to visit a malicious web page that
leverages this vulnerability. Successful exploits can impact the
availability, integrity, and confidentiality of the user's system."

All you have to do is load the wrong web page in your browser. That's it.

That an attacking applet has to be unsigned doesn't limit the severety of
this vunerability. If the vunerability was only exploitable by signed
applets, the risk would be somewhat more limited. As it stands right now,
any script kiddie can compile and publish exploiting code.

Further this Java vunerability in it self wouldn't become any less serious
if any javascript engine would have a similar vunerability. Two wrongs does
not make a right.

--
Fredrik Jonson
 
Reply With Quote
 
markspace
Guest
Posts: n/a
 
      08-31-2012
On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
>
> Without pointing you to the source code of the exploit, which is widely
> available this time, when reading the code it becomes trivially clear to
> anyone that it allows the attacker to execute _any_ code on the target
> machine. It evades the normal java sandbox completely.



But only for Java 7. Java 6 is fine.

I'm really appreciating Firefox right now. Earlier this year Firefox
forced me to do an upgrade of itself, then it invalidated my Java
plug-in and forced a re-installation of that as well. Yes, OK, whatever
Firefox; I didn't think too much about it afterwards even though it
annoyed me at the time.

Now I just double-checked and realized that I've had the 1.6 version of
the plug-in this whole time, even though I know I've had Java 7 since it
first came out. Bravo for Firefox keeping the secure version instead of
using the latest version.


 
Reply With Quote
 
Arne Vajh°j
Guest
Posts: n/a
 
      08-31-2012
On 8/30/2012 10:16 PM, Roedy Green wrote:
> On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
> indirectly quoted someone who said :
>
>> There was an article on Slate about Java recently. Does this fix
>> address the issues it mentions?
>> http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable _java_on_your_browser_right_now_.html>

>
>
> The tone of the article made me suspicious. The author seems all to
> eager to tell people to uninstall Java without explaining why.


The technical problem is known in details.

GIYF

And until Oracle got the fix out then not using Java was a
viable recommendation.

> Oracle say that 1.7.0_07 fixes
> http://www.oracle.com/technetwork/to...1-1835715.html
>
> But they are unusually vague about what the security vulnerability is,
> ostensibly to avoid giving hints to exploiters.


Apparently Google is not your friend.

> It sounds like it
> applies only to unsigned applets on malicious websites.


That is correct.

But surfing the web on not that well known web sites is done
by a billion people every day (or something in that magnitude).

> It is probably
> 1000 times easier for a malicious website to use JavaScript than this
> exploit.


Given that you have not bothered finding out what the problem is
then you wild guesses about the risk are not credible in any way.

Arne

 
Reply With Quote
 
Arne Vajh°j
Guest
Posts: n/a
 
      08-31-2012
On 8/31/2012 2:29 AM, markspace wrote:> On 8/30/2012 11:02 PM, Fredrik
Jonson wrote:
>>
>> Without pointing you to the source code of the exploit, which is widely
>> available this time, when reading the code it becomes trivially clear to
>> anyone that it allows the attacker to execute _any_ code on the target
>> machine. It evades the normal java sandbox completely.

>
>
> But only for Java 7. Java 6 is fine.
>
> I'm really appreciating Firefox right now. Earlier this year Firefox
> forced me to do an upgrade of itself, then it invalidated my Java
> plug-in and forced a re-installation of that as well. Yes, OK, whatever
> Firefox; I didn't think too much about it afterwards even though it
> annoyed me at the time.
>
> Now I just double-checked and realized that I've had the 1.6 version of
> the plug-in this whole time, even though I know I've had Java 7 since it
> first came out. Bravo for Firefox keeping the secure version instead of
> using the latest version.


Note that Oracle fixed 4 problems.

3 that affected only Java 7.

1 that affected both Java 6 and 7.

So the presumed security of using Java 6 was non existing.

Arne


 
Reply With Quote
 
Fredrik Jonson
Guest
Posts: n/a
 
      08-31-2012
markspace wrote:
> On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
>
> > Without pointing you to the source code of the exploit [...] it becomes
> > trivially clear to anyone that it allows the attacker to execute _any_
> > code on the target machine. It evades the normal java sandbox completely.

>
> But only for Java 7. Java 6 is fine.


Java 6u34 and older is also partially vulnerable of "a security-in-depth
issue that is not directly exploitable but which can be used to aggravate
security vulnerabilities that can be directly exploited."

http://www.oracle.com/technetwork/ja...s-1835788.html

Oracle has indeed release Java 6 update 35, which is a security update, and
it cites exactly the same alert as the Java 7 update 7 release.

http://www.oracle.com/technetwork/ja...s-1835788.html

Granted the CVSS base score for CVE-2012-0547 is 0, so you probably don't
have to bee too concerned if you've only deployed Java 6 in your browser.

Still, do note that both these releases, 6u35 and 7u7, divert from the
ordinary release schedule. Normally we've seen a new Java update every two
months. Both 6u35 and 7u7 lands barely half a month after their previous
releases. I'm actually positively surprised that Oracle is this responsive,
especially for 6u34, which they claim isn't directly vulnerable today.

It will also be interesting to see if that means that the release numbers
just skips now, i.e. that we'll see a 7u8 in mid or end of October, where
7u7 was originally expected to be released. The alternative is that the
entire schedule is shifted, and that we wont see the next update until early
or mid November.

--
Fredrik Jonson
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Diff. the JRE INSIDE the jdk folder and JRE OUTSIDE the JDK folder? Jochen Brenzlinger Java 5 09-02-2011 08:48 PM
Incompatibility between JDK 1.4 and JDK 1.6 Mike Schilling Java 2 09-27-2009 10:59 PM
JDK 1.6.0_15 and JDK 1.5.0_20 released Roedy Green Java 3 08-06-2009 02:20 AM
regarding JDk 141 and JDK 122 for linux 64 bit Platform Jaggu Java 3 01-08-2007 10:47 AM
What is the difference between J2EE, JDK, JDK-SDK, JRE and J2SE packages ? Ulf Meinhardt Java 0 08-10-2006 07:12 PM



Advertisments