«

JDK 1.7.0_07 and JDK 1.6.0_35 are out

See http://mindprod.com/jgloss/jdk.html if you are having trouble
installing. Page won't be updated until about 7 PM PDT.
--
Roedy Green Canadian Mind Products http://mindprod.com
A new scientific truth does not triumph by convincing its opponents and making them see the light,
but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
~ Max Planck 1858-04-23 1947-10-04

On 8/30/2012 7:44 PM, Roedy Green wrote:
> JDK 1.7.0_07 and JDK 1.6.0_35 are out

And people using Java in web browsers should update ASAP
as the update contains fixes for several nasty
security issues that are actively being exploited
in the wild.

Arne

On 8/30/2012 5:41 PM, Arne Vajhøj wrote:
> On 8/30/2012 7:44 PM, Roedy Green wrote:
> > JDK 1.7.0_07 and JDK 1.6.0_35 are out
>
> And people using Java in web browsers should update ASAP
> as the update contains fixes for several nasty
> security issues that are actively being exploited
> in the wild.


There was an article on Slate about Java recently. Does this fix
address the issues it mentions?

<http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable _java_on_your_browser_right_now_.html>

On 8/30/2012 8:45 PM, markspace wrote:> On 8/30/2012 5:41 PM, Arne
Vajhøj wrote:
>> On 8/30/2012 7:44 PM, Roedy Green wrote:
>> > JDK 1.7.0_07 and JDK 1.6.0_35 are out
>>
>> And people using Java in web browsers should update ASAP
>> as the update contains fixes for several nasty
>> security issues that are actively being exploited
>> in the wild.
>
> There was an article on Slate about Java recently. Does this fix
> address the issues it mentions?
>
>
<http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable _java_on_your_browser_right_now_.html>


I think so.

Arne

On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
indirectly quoted someone who said :

>There was an article on Slate about Java recently. Does this fix
>address the issues it mentions?
>http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable _java_on_your_browser_right_now_.html>


The tone of the article made me suspicious. The author seems all to
eager to tell people to uninstall Java without explaining why. I have
heard so much BS about the danger of Java. Crying wolf on that scale
should be a criminal offence, or at least get you sued.

On the other paw, this update follows fast on the heels of the
previous one. That would only normally happen if there were a very
important security fix.

Oracle say that 1.7.0_07 fixes
http://www.oracle.com/technetwork/to...1-1835715.html

But they are unusually vague about what the security vulnerability is,
ostensibly to avoid giving hints to exploiters. It sounds like it
applies only to unsigned applets on malicious websites. It is probably
1000 times easier for a malicious website to use JavaScript than this
exploit.

"zero day" does not tell us much about the vulnerability.
A zero-day (or zero-hour or day zero) attack or threat is an attack
that exploits a previously unknown vulnerability in a computer
application, meaning that the attack occurs on "day zero" of awareness
of the vulnerability.[1] This means that the developers have had zero
days to address and patch the vulnerability. Zero-day exploits (actual
software that uses a security hole to carry out an attack) are used or
shared by attackers before the developer of the target software knows
about the vulnerability.

This article claims Oracle knew about this but sat on their thumbs. It
also says the attack came from China and allows any code at all to be
run.
http://www.informationweek.com/secur...acts/240006535

This article says 1.7.0_07 fixes the vulnerability.
http://www.macobserver.com/tmo/artic...vulnerability/
--
Roedy Green Canadian Mind Products http://mindprod.com
A new scientific truth does not triumph by convincing its opponents and making them see the light,
but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
~ Max Planck 1858-04-23 1947-10-04

In <> Roedy Green wrote:

> I have heard so much BS about the danger of Java. Crying wolf on that
> scale should be a criminal offence, or at least get you sued.

On the other hand raising doubt about a acknowledged and severe security
vunerability isn't very wise either.

Without pointing you to the source code of the exploit, which is widely
available this time, when reading the code it becomes trivially clear to
anyone that it allows the attacker to execute _any_ code on the target
machine. It evades the normal java sandbox completely.

So lets not play this one down. This time it is for real.

> On the other paw, this update follows fast on the heels of the
> previous one. That would only normally happen if there were a very
> important security fix.

Indeed.

> But they are unusually vague about what the security vulnerability is,
> ostensibly to avoid giving hints to exploiters. It sounds like it
> applies only to unsigned applets on malicious websites. It is probably
> 1000 times easier for a malicious website to use JavaScript than this
> exploit.

Unfortunately I think Oracle are normally vague. If anything, they are less
vague than usual in describing the severity and consequences. I quote:

"To be successfully exploited, an unsuspecting user running an affected
release in a browser will need to visit a malicious web page that
leverages this vulnerability. Successful exploits can impact the
availability, integrity, and confidentiality of the user's system."

All you have to do is load the wrong web page in your browser. That's it.

That an attacking applet has to be unsigned doesn't limit the severety of
this vunerability. If the vunerability was only exploitable by signed
applets, the risk would be somewhat more limited. As it stands right now,
any script kiddie can compile and publish exploiting code.

Further this Java vunerability in it self wouldn't become any less serious
if any javascript engine would have a similar vunerability. Two wrongs does
not make a right.

--
Fredrik Jonson

On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
>
> Without pointing you to the source code of the exploit, which is widely
> available this time, when reading the code it becomes trivially clear to
> anyone that it allows the attacker to execute _any_ code on the target
> machine. It evades the normal java sandbox completely.


But only for Java 7. Java 6 is fine.

I'm really appreciating Firefox right now. Earlier this year Firefox
forced me to do an upgrade of itself, then it invalidated my Java
plug-in and forced a re-installation of that as well. Yes, OK, whatever
Firefox; I didn't think too much about it afterwards even though it
annoyed me at the time.

Now I just double-checked and realized that I've had the 1.6 version of
the plug-in this whole time, even though I know I've had Java 7 since it
first came out. Bravo for Firefox keeping the secure version instead of
using the latest version.

On 8/30/2012 10:16 PM, Roedy Green wrote:
> On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
> indirectly quoted someone who said :
>
>> There was an article on Slate about Java recently. Does this fix
>> address the issues it mentions?
>> http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable _java_on_your_browser_right_now_.html>
>
>
> The tone of the article made me suspicious. The author seems all to
> eager to tell people to uninstall Java without explaining why.

The technical problem is known in details.

GIYF

And until Oracle got the fix out then not using Java was a
viable recommendation.

> Oracle say that 1.7.0_07 fixes
> http://www.oracle.com/technetwork/to...1-1835715.html
>
> But they are unusually vague about what the security vulnerability is,
> ostensibly to avoid giving hints to exploiters.

Apparently Google is not your friend.

> It sounds like it
> applies only to unsigned applets on malicious websites.

That is correct.

But surfing the web on not that well known web sites is done
by a billion people every day (or something in that magnitude).

> It is probably
> 1000 times easier for a malicious website to use JavaScript than this
> exploit.

Given that you have not bothered finding out what the problem is
then you wild guesses about the risk are not credible in any way.

Arne

On 8/31/2012 2:29 AM, markspace wrote:> On 8/30/2012 11:02 PM, Fredrik
Jonson wrote:
>>
>> Without pointing you to the source code of the exploit, which is widely
>> available this time, when reading the code it becomes trivially clear to
>> anyone that it allows the attacker to execute _any_ code on the target
>> machine. It evades the normal java sandbox completely.
>
>
> But only for Java 7. Java 6 is fine.
>
> I'm really appreciating Firefox right now. Earlier this year Firefox
> forced me to do an upgrade of itself, then it invalidated my Java
> plug-in and forced a re-installation of that as well. Yes, OK, whatever
> Firefox; I didn't think too much about it afterwards even though it
> annoyed me at the time.
>
> Now I just double-checked and realized that I've had the 1.6 version of
> the plug-in this whole time, even though I know I've had Java 7 since it
> first came out. Bravo for Firefox keeping the secure version instead of
> using the latest version.

Note that Oracle fixed 4 problems.

3 that affected only Java 7.

1 that affected both Java 6 and 7.

So the presumed security of using Java 6 was non existing.

Arne

markspace wrote:
> On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
>
> > Without pointing you to the source code of the exploit [...] it becomes
> > trivially clear to anyone that it allows the attacker to execute _any_
> > code on the target machine. It evades the normal java sandbox completely.
>
> But only for Java 7. Java 6 is fine.

Java 6u34 and older is also partially vulnerable of "a security-in-depth
issue that is not directly exploitable but which can be used to aggravate
security vulnerabilities that can be directly exploited."

http://www.oracle.com/technetwork/ja...s-1835788.html

Oracle has indeed release Java 6 update 35, which is a security update, and
it cites exactly the same alert as the Java 7 update 7 release.

http://www.oracle.com/technetwork/ja...s-1835788.html

Granted the CVSS base score for CVE-2012-0547 is 0, so you probably don't
have to bee too concerned if you've only deployed Java 6 in your browser.

Still, do note that both these releases, 6u35 and 7u7, divert from the
ordinary release schedule. Normally we've seen a new Java update every two
months. Both 6u35 and 7u7 lands barely half a month after their previous
releases. I'm actually positively surprised that Oracle is this responsive,
especially for 6u34, which they claim isn't directly vulnerable today.

It will also be interesting to see if that means that the release numbers
just skips now, i.e. that we'll see a 7u8 in mid or end of October, where
7u7 was originally expected to be released. The alternative is that the
entire schedule is shifted, and that we wont see the next update until early
or mid November.

--
Fredrik Jonson