Velocity Reviews - Computer Hardware Reviews

JDK 1.7.0_11 is out.

 
 
Roedy Green
 
      01-14-2013
Presumably will fix the 0-day exploit.
I will find out after I get it myself.
--
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish
as couch potatoes who hire others to go to the gym for them.
 
 
 
 
 
Arne Vajhøj
 
      01-14-2013
On 1/13/2013 9:24 PM, Roedy Green wrote:
> Presumably will fix the 0-day exploit.


It does.

Arne


 
 
 
 
 
Roedy Green
 
      01-15-2013
On Sun, 13 Jan 2013 18:24:23 -0800, Roedy Green
<> wrote, quoted or indirectly quoted
someone who said :

>Presumably will fix the 0-day exploit.
>I will find out after I get it myself.


The release notes are at
http://www.oracle.com/technetwork/ja...s-1896856.html

As I read them the "fix" is just to turn off Applets entirely, by
default -- hardly a fix. Perhaps one of the group's language lawyers
could see if I interpreted that correctly.
--
Roedy Green Canadian Mind Products http://mindprod.com
The first 90% of the code accounts for the first 90% of the development time.
The remaining 10% of the code accounts for the other 90% of the development
time.
~ Tom Cargill Ninety-ninety Law
 
 
Arne Vajhøj
 
      01-16-2013
On 1/14/2013 11:01 PM, Roedy Green wrote:
> On Sun, 13 Jan 2013 18:24:23 -0800, Roedy Green
> <> wrote, quoted or indirectly quoted
> someone who said :
>
>> Presumably will fix the 0-day exploit.
>> I will find out after I get it myself.

>
> the release notes are at
> http://www.oracle.com/technetwork/ja...s-1896856.html
>
> As I read them the "fix" is just to turn off Applets entirely, by
> default -- hardly a fix. Perhaps one of the group's language lawyers
> could see if I interpreted that correctly.


I don't read it that way.

<quote>
This release contains fixes for security vulnerabilities. For more
information, see Oracle Security Alert for CVE-2013-0422.

In addition, the following change has been made:

Area: deploy
Synopsis: Default Security Level Setting Changed to High
The default security level for Java applets and web start applications
has been increased from "Medium" to "High".
</quote>

.... contains fixes ... in addition ... security level
setting changed ...

I can not interpret that other than there are both a fix
and a change in default security level.

Arne


 
 
Eric Sosman
 
      01-16-2013
On 1/15/2013 9:03 PM, Arne Vajhøj wrote:
>[...]
> <quote>
> This release contains fixes for security vulnerabilities. For more
> information, see Oracle Security Alert for CVE-2013-0422.


CERT's advice is

"Immunity has indicated that only the reflection
vulnerability has been fixed and that the JMX MBean
vulnerability remains. [...] Unless it is absolutely
necessary to run Java in web browsers, disable it as
described below, even after updating to 7u11. [...]"
--from <http://www.kb.cert.org/vuls/id/625617>

Write once, pwn anywhere ...

--
Eric Sosman
 
Arne Vajhøj
 
      01-17-2013
On 1/15/2013 10:03 PM, Eric Sosman wrote:
> On 1/15/2013 9:03 PM, Arne Vajhøj wrote:
>> [...]
>> <quote>
>> This release contains fixes for security vulnerabilities. For more
>> information, see Oracle Security Alert for CVE-2013-0422.

>
> CERT's advice is
>
> "Immunity has indicated that only the reflection
> vulnerability has been fixed and that the JMX MBean
> vulnerability remains. [...] Unless it is absolutely
> necessary to run Java in web browsers, disable it as
> described below, even after updating to 7u11. [...]"
> --from <http://www.kb.cert.org/vuls/id/625617>
>
> Write once, pwn anywhere ...


According to the link, the exploits require both
vulnerabilities.

But obviously the unfixed problem could be part of new
exploits as well.

So it definitely should be fixed. And hopefully it
will be.

Arne


 