
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out

From Roedy Green <see_website@mindprod.com.invalid>
Newsgroups comp.lang.java.programmer
Subject Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out
Date Thu, 30 Aug 2012 19:16:28 -0700
Organization Canadian Mind Products
Lines 50
Message-ID <ei604819trie2avefhs4punmav31tmibuo@4ax.com> (permalink)
References <6luv38htl4ve3ldqv0pd1pmu876gddq2v6@4ax.com> <50400827$0$289$14726298@news.sunsite.dk> <k1p1fp$24v$1@dont-email.me>
Reply-To Roedy Green <see_website@mindprod.com.invalid>



On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
indirectly quoted someone who said :

>There was an article on Slate about Java recently.  Does this fix
>address the issues it mentions?
>http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html


The tone of the article made me suspicious. The author seems all too
eager to tell people to uninstall Java without explaining why. I have
heard so much BS about the danger of Java.  Crying wolf on that scale
should be a criminal offence, or at least get you sued.

On the other paw, this update follows fast on the heels of the
previous one.  That would only normally happen if there were a very
important security fix.  

Oracle say that 1.7.0_07 fixes
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

But they are unusually vague about what the security vulnerability is,
ostensibly to avoid giving hints to exploiters.  It sounds like it
applies only to unsigned applets on malicious websites. It is probably
1000 times easier for a malicious website to use JavaScript than this
exploit.

"zero day" does not tell us much about the vulnerability. 
A zero-day (or zero-hour or day zero) attack or threat is an attack
that exploits a previously unknown vulnerability in a computer
application, meaning that the attack occurs on "day zero" of awareness
of the vulnerability.[1] This means that the developers have had zero
days to address and patch the vulnerability. Zero-day exploits (actual
software that uses a security hole to carry out an attack) are used or
shared by attackers before the developer of the target software knows
about the vulnerability.

This article claims Oracle knew about this but sat on their thumbs. It
also says the attack came from China and allows any code at all to be
run.
http://www.informationweek.com/security/attacks/java-zero-day-malware-attack-6-facts/240006535

This article says 1.7.0_07 fixes the vulnerability.
http://www.macobserver.com/tmo/article/oracle_patches_java_zero-day_vulnerability/
-- 
Roedy Green Canadian Mind Products http://mindprod.com
A new scientific truth does not triumph by convincing its opponents and making them see the light,
but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
~ Max Planck 1858-04-23 1947-10-04 
