

comp.lang.java.programmer, thread #18455 (unrolled thread view)

JDK 1.7.0_07 and JDK 1.6.0_35 are out

Started by: Roedy Green <see_website@mindprod.com.invalid>
First post: 2012-08-30 16:44 -0700
Last post: 2012-08-31 15:36 -0400
Articles 14 — 4 participants



Contents

  JDK 1.7.0_07 and JDK 1.6.0_35 are out Roedy Green <see_website@mindprod.com.invalid> - 2012-08-30 16:44 -0700
    Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-30 20:41 -0400
      Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out markspace <-@.> - 2012-08-30 17:45 -0700
        Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-30 20:52 -0400
        Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Roedy Green <see_website@mindprod.com.invalid> - 2012-08-30 19:16 -0700
          Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Fredrik Jonson <fredrik@jonson.org> - 2012-08-31 06:02 +0000
            Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out markspace <-@.> - 2012-08-30 23:29 -0700
              Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-31 15:38 -0400
              Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Fredrik Jonson <fredrik@jonson.org> - 2012-08-31 20:20 +0000
                Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Fredrik Jonson <fredrik@jonson.org> - 2012-09-01 06:38 +0000
                  Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Roedy Green <see_website@mindprod.com.invalid> - 2012-09-02 02:15 -0700
            Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Roedy Green <see_website@mindprod.com.invalid> - 2012-08-31 15:21 -0700
              Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-31 19:53 -0400
          Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-31 15:36 -0400

#18455 — JDK 1.7.0_07 and JDK 1.6.0_35 are out

From: Roedy Green <see_website@mindprod.com.invalid>
Date: 2012-08-30 16:44 -0700
Subject: JDK 1.7.0_07 and JDK 1.6.0_35 are out
Message-ID: <6luv38htl4ve3ldqv0pd1pmu876gddq2v6@4ax.com>
JDK 1.7.0_07 and JDK 1.6.0_35 are out

See http://mindprod.com/jgloss/jdk.html if you are having trouble
installing.  Page won't be updated until about 7 PM PDT.
-- 
Roedy Green Canadian Mind Products http://mindprod.com
A new scientific truth does not triumph by convincing its opponents and making them see the light,
but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
~ Max Planck 1858-04-23 1947-10-04 



#18457

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-08-30 20:41 -0400
Message-ID: <50400827$0$289$14726298@news.sunsite.dk>
In reply to: #18455
On 8/30/2012 7:44 PM, Roedy Green wrote:
 > JDK 1.7.0_07 and JDK 1.6.0_35 are out

And people using Java in web browsers should update ASAP
as the update contains fixes for several nasty
security issues that are actively being exploited
in the wild.

Arne



#18458

From: markspace <-@.>
Date: 2012-08-30 17:45 -0700
Message-ID: <k1p1fp$24v$1@dont-email.me>
In reply to: #18457
On 8/30/2012 5:41 PM, Arne Vajhøj wrote:
> On 8/30/2012 7:44 PM, Roedy Green wrote:
>  > JDK 1.7.0_07 and JDK 1.6.0_35 are out
>
> And people using Java in web browsers should update ASAP
> as the update contains fixes for several nasty
> security issues that are actively being exploited
> in the wild.


There was an article on Slate about Java recently.  Does this fix 
address the issues it mentions?

<http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html>




#18459

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-08-30 20:52 -0400
Message-ID: <50400abb$0$289$14726298@news.sunsite.dk>
In reply to: #18458
On 8/30/2012 8:45 PM, markspace wrote:
 > On 8/30/2012 5:41 PM, Arne Vajhøj wrote:
 >> On 8/30/2012 7:44 PM, Roedy Green wrote:
 >>  > JDK 1.7.0_07 and JDK 1.6.0_35 are out
 >>
 >> And people using Java in web browsers should update ASAP
 >> as the update contains fixes for several nasty
 >> security issues that are actively being exploited
 >> in the wild.
 >
 > There was an article on Slate about Java recently.  Does this fix
 > address the issues it mentions?
 >
 > 
<http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html> 


I think so.

Arne



#18462

From: Roedy Green <see_website@mindprod.com.invalid>
Date: 2012-08-30 19:16 -0700
Message-ID: <ei604819trie2avefhs4punmav31tmibuo@4ax.com>
In reply to: #18458
On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
indirectly quoted someone who said :

>There was an article on Slate about Java recently.  Does this fix 
>address the issues it mentions?
> <http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html>


The tone of the article made me suspicious. The author seems all too
eager to tell people to uninstall Java without explaining why. I have
heard so much BS about the danger of Java.  Crying wolf on that scale
should be a criminal offence, or at least get you sued.

On the other paw, this update follows fast on the heels of the
previous one.  That would only normally happen if there were a very
important security fix.  

Oracle say that 1.7.0_07 fixes
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

But they are unusually vague about what the security vulnerability is,
ostensibly to avoid giving hints to exploiters.  It sounds like it
applies only to unsigned applets on malicious websites. It is probably
1000 times easier for a malicious website to use JavaScript than this
exploit.

"zero day" does not tell us much about the vulnerability. 
A zero-day (or zero-hour or day zero) attack or threat is an attack
that exploits a previously unknown vulnerability in a computer
application, meaning that the attack occurs on "day zero" of awareness
of the vulnerability.[1] This means that the developers have had zero
days to address and patch the vulnerability. Zero-day exploits (actual
software that uses a security hole to carry out an attack) are used or
shared by attackers before the developer of the target software knows
about the vulnerability.

This article claims Oracle knew about this but sat on their thumbs. It
also says the attack came from China and allows any code at all to be
run.
http://www.informationweek.com/security/attacks/java-zero-day-malware-attack-6-facts/240006535

This article says 1.7.0_07 fixes the vulnerability.
http://www.macobserver.com/tmo/article/oracle_patches_java_zero-day_vulnerability/
-- 
Roedy Green Canadian Mind Products http://mindprod.com
A new scientific truth does not triumph by convincing its opponents and making them see the light,
but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
~ Max Planck 1858-04-23 1947-10-04 



#18465

From: Fredrik Jonson <fredrik@jonson.org>
Date: 2012-08-31 06:02 +0000
Message-ID: <slrnk40ksb.mg5.fredrik@scout.jonson.org>
In reply to: #18462
In <ei604819trie2avefhs4punmav31tmibuo@4ax.com> Roedy Green wrote:

>  I have heard so much BS about the danger of Java. Crying wolf on that
>  scale should be a criminal offence, or at least get you sued.

On the other hand raising doubt about an acknowledged and severe security
vulnerability isn't very wise either.

Without pointing you to the source code of the exploit, which is widely
available this time, when reading the code it becomes trivially clear to
anyone that it allows the attacker to execute _any_ code on the target
machine. It evades the normal java sandbox completely.

So let's not play this one down. This time it is for real.

>  On the other paw, this update follows fast on the heels of the
>  previous one. That would only normally happen if there were a very
>  important security fix.

Indeed.

>  But they are unusually vague about what the security vulnerability is,
>  ostensibly to avoid giving hints to exploiters. It sounds like it
>  applies only to unsigned applets on malicious websites. It is probably
>  1000 times easier for a malicious website to use JavaScript than this
>  exploit.

Unfortunately I think Oracle are normally vague. If anything, they are less
vague than usual in describing the severity and consequences. I quote:

  "To be successfully exploited, an unsuspecting user running an affected
   release in a browser will need to visit a malicious web page that
   leverages this vulnerability. Successful exploits can impact the
   availability, integrity, and confidentiality of the user's system."

All you have to do is load the wrong web page in your browser. That's it.

That an attacking applet has to be unsigned doesn't limit the severity of
this vulnerability. If the vulnerability was only exploitable by signed
applets, the risk would be somewhat more limited. As it stands right now,
any script kiddie can compile and publish exploiting code.

Further this Java vulnerability in itself wouldn't become any less serious
if any javascript engine would have a similar vulnerability. Two wrongs do
not make a right.

--
Fredrik Jonson



#18466

From: markspace <-@.>
Date: 2012-08-30 23:29 -0700
Message-ID: <k1plkf$r9n$1@dont-email.me>
In reply to: #18465
On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
>
> Without pointing you to the source code of the exploit, which is widely
> available this time, when reading the code it becomes trivially clear to
> anyone that it allows the attacker to execute _any_ code on the target
> machine. It evades the normal java sandbox completely.


But only for Java 7.  Java 6 is fine.

I'm really appreciating Firefox right now.  Earlier this year Firefox 
forced me to do an upgrade of itself, then it invalidated my Java 
plug-in and forced a re-installation of that as well.  Yes, OK, whatever 
Firefox;  I didn't think too much about it afterwards even though it 
annoyed me at the time.

Now I just double-checked and realized that I've had the 1.6 version of 
the plug-in this whole time, even though I know I've had Java 7 since it 
first came out.  Bravo for Firefox keeping the secure version instead of 
using the latest version.



#18484

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-08-31 15:38 -0400
Message-ID: <504112a7$0$283$14726298@news.sunsite.dk>
In reply to: #18466
On 8/31/2012 2:29 AM, markspace wrote:
 > On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
 >>
 >> Without pointing you to the source code of the exploit, which is widely
 >> available this time, when reading the code it becomes trivially clear to
 >> anyone that it allows the attacker to execute _any_ code on the target
 >> machine. It evades the normal java sandbox completely.
 >
 >
 > But only for Java 7.  Java 6 is fine.
 >
 > I'm really appreciating Firefox right now.  Earlier this year Firefox
 > forced me to do an upgrade of itself, then it invalidated my Java
 > plug-in and forced a re-installation of that as well.  Yes, OK, whatever
 > Firefox;  I didn't think too much about it afterwards even though it
 > annoyed me at the time.
 >
 > Now I just double-checked and realized that I've had the 1.6 version of
 > the plug-in this whole time, even though I know I've had Java 7 since it
 > first came out.  Bravo for Firefox keeping the secure version instead of
 > using the latest version.

Note that Oracle fixed 4 problems.

3 that affected only Java 7.

1 that affected both Java 6 and 7.

So the presumed security of using Java 6 was non-existent.

Arne



#18485

From: Fredrik Jonson <fredrik@jonson.org>
Date: 2012-08-31 20:20 +0000
Message-ID: <slrnk4275r.olb.fredrik@scout.jonson.org>
In reply to: #18466
markspace wrote:
> On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
>
> > Without pointing you to the source code of the exploit [...] it becomes
> > trivially clear to anyone that it allows the attacker to execute _any_
> > code on the target machine. It evades the normal java sandbox completely.
>
>  But only for Java 7. Java 6 is fine.

Java 6u34 and older is also partially vulnerable to "a security-in-depth
issue that is not directly exploitable but which can be used to aggravate
security vulnerabilities that can be directly exploited."

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Oracle has indeed released Java 6 update 35, which is a security update, and
it cites exactly the same alert as the Java 7 update 7 release.

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Granted the CVSS base score for CVE-2012-0547 is 0, so you probably don't
have to be too concerned if you've only deployed Java 6 in your browser.

Still, do note that both these releases, 6u35 and 7u7, divert from the
ordinary release schedule. Normally we've seen a new Java update every two
months. Both 6u35 and 7u7 land barely half a month after their previous
releases. I'm actually positively surprised that Oracle is this responsive,
especially for 6u34, which they claim isn't directly vulnerable today.

It will also be interesting to see if that means that the release numbers
just skip now, i.e. that we'll see a 7u8 in mid or end of October, where
7u7 was originally expected to be released. The alternative is that the
entire schedule is shifted, and that we won't see the next update until early
or mid November.

--
Fredrik Jonson
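To turn the version facts in this post into a check that can be run against an installed JRE or an inventory list, here is an added example; it is not code from the thread or from Oracle. It takes the fixed levels straight from the post, 7u7 (1.7.0_07) for Java 7 and 6u35 (1.6.0_35) for Java 6, accepts both the dotted form that `java -version` prints and the `7u7` shorthand used above, and treats anything below the fixed update as needing the patch (6u34 included, since the post says 6u35 cites the same alert). The `FIXED_UPDATE` mapping is an assumption derived from the thread rather than an Oracle data feed, and the hostnames, inventory and captured `java -version` output are constructed for the example.

```python
import re

# Lowest update that carries the fix, as stated in this thread: Java 7 Update 7
# (1.7.0_07) and Java 6 Update 35 (1.6.0_35). Assumption derived from the
# thread's own statements, not from an Oracle feed; extend it for later alerts.
FIXED_UPDATE = {7: 7, 6: 35}

# Two notations are in circulation: the dotted form "1.7.0_07" that
# `java -version` prints, and the "7u7" shorthand used in release notes
# and in this thread.
_DOTTED = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")
_SHORT = re.compile(r"^(\d+)u(\d+)$")
_VERSION_LINE = re.compile(r'java version "([^"]+)"')


def parse_java_version(text):
    """Return (major, update) for either notation; update is 0 when absent."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _SHORT.match(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def version_from_output(output):
    """Pull the quoted version string out of captured `java -version` output."""
    m = _VERSION_LINE.search(output)
    if not m:
        raise ValueError('no java version "..." line found in output')
    return m.group(1)


def assess(text):
    """Classify one version string against the fixed levels."""
    major, update = parse_java_version(text)
    needed = FIXED_UPDATE.get(major)
    if needed is None:
        return "unknown"  # the thread says nothing about this major line
    return "patched" if update >= needed else "update-required"


def triage(inventory):
    """Map host -> status for a {host: version_string} inventory."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample data: the hostnames, versions and the captured
# `java -version` output (including its build tag) are made up for this example.
SAMPLE_OUTPUT = (
    'java version "1.6.0_34"\n'
    "Java(TM) SE Runtime Environment (build 1.6.0_34-b00)\n"
)
SAMPLE_INVENTORY = {
    "ws-01": "1.7.0_06",                          # pre-fix Java 7
    "ws-02": "1.7.0_07",                          # fixed Java 7
    "ws-03": version_from_output(SAMPLE_OUTPUT),  # 6u34, still below 6u35
    "ws-04": "6u35",                              # fixed Java 6
    "ws-05": "1.5.0_22",                          # not covered by the thread
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {SAMPLE_INVENTORY[host]:<9} {status}")
```

When run against a real machine, capture `java -version 2>&1` (the version line goes to stderr) and pass the text to `version_from_output`; a major line absent from `FIXED_UPDATE` is reported as `unknown` rather than silently treated as safe.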



#18495

From: Fredrik Jonson <fredrik@jonson.org>
Date: 2012-09-01 06:38 +0000
Message-ID: <slrnk43bba.pfm.fredrik@scout.jonson.org>
In reply to: #18485
Hmm,

There are now reports of another sandbox-breaking exploit, that has not been
patched in the Java 7u7 release.

  "As in the case of the earlier vulnerabilities, Gowdiak says, this flaw
   allows an attacker to bypass the Java security sandbox completely [...]

   Unlike the earlier vulnerabilities, no known exploit of the new flaw has yet
   been found in the wild, but Gowdiak says he included proof-of-concept code
   with the report to demonstrate that an exploit is indeed possible.

   Oracle has not acknowledged that the new vulnerability actually exists, but
   it has confirmed that it has received Security Explorations' vulnerability
   report and is analyzing it."

http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

--
Fredrik Jonson



#18507

From: Roedy Green <see_website@mindprod.com.invalid>
Date: 2012-09-02 02:15 -0700
Message-ID: <vp86485vco0afnddv0mjvhfso2fc99v75t@4ax.com>
In reply to: #18495
On 1 Sep 2012 06:38:25 GMT, Fredrik Jonson <fredrik@jonson.org> wrote,
quoted or indirectly quoted someone who said :

>   Oracle has not acknowledged that the new vulnerability actually exists, but
>   it has confirmed that it has received Security Explorations' vulnerability
>   report and is analyzing it."

In the discussion of Stuxnet, I discovered that knowledge of an
unrevealed flaw goes for about $200K.

There have been so many flaws, I suspect people on the inside are
putting them there on purpose.
-- 
Roedy Green Canadian Mind Products http://mindprod.com
A new scientific truth does not triumph by convincing its opponents and making them see the light,
but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
~ Max Planck 1858-04-23 1947-10-04 



#18487

From: Roedy Green <see_website@mindprod.com.invalid>
Date: 2012-08-31 15:21 -0700
Message-ID: <o3e2489sn660eqtnrvsghhe4oakast6tl4@4ax.com>
In reply to: #18465
On 31 Aug 2012 06:02:43 GMT, Fredrik Jonson <fredrik@jonson.org>
wrote, quoted or indirectly quoted someone who said :

>That an attacking applet has to be unsigned doesn't limit the severity of
>this vulnerability. If the vulnerability was only exploitable by signed
>applets, the risk would be somewhat more limited. As it stands right now,
>any script kiddie can compile and publish exploiting code.

A signed applet is by definition dangerous. It is typically allowed to
read/write any files it pleases. Normally unsigned applets are the
safest things going, though I have heard so many false claims they are
not.  That is why I was initially suspicious.
-- 
Roedy Green Canadian Mind Products http://mindprod.com
A new scientific truth does not triumph by convincing its opponents and making them see the light,
but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
~ Max Planck 1858-04-23 1947-10-04 



#18492

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-08-31 19:53 -0400
Message-ID: <50414e9a$0$284$14726298@news.sunsite.dk>
In reply to: #18487
On 8/31/2012 6:21 PM, Roedy Green wrote:
 > On 31 Aug 2012 06:02:43 GMT, Fredrik Jonson <fredrik@jonson.org>
 > wrote, quoted or indirectly quoted someone who said :
 >
 >> That an attacking applet has to be unsigned doesn't limit the severity of
 >> this vulnerability. If the vulnerability was only exploitable by signed
 >> applets, the risk would be somewhat more limited. As it stands right now,
 >> any script kiddie can compile and publish exploiting code.
 >
 > A signed applet is by definition dangerous. It is typically allowed to
 > read/write any files it pleases. Normally unsigned applets are the
 > safest things going, though I have heard so many false claims they are
 > not.

They are supposed to be safe.

But the security comes from software. And sometimes
software has bugs.

There were bugs in this case.

There had been bugs before.

And I will be surprised if we do not see bugs in the
future as well.

Arne



#18483

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-08-31 15:36 -0400
Message-ID: <50411228$0$283$14726298@news.sunsite.dk>
In reply to: #18462
On 8/30/2012 10:16 PM, Roedy Green wrote:
> On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
> indirectly quoted someone who said :
>
>> There was an article on Slate about Java recently.  Does this fix
>> address the issues it mentions?
>> <http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html>
>
>
> The tone of the article made me suspicious. The author seems all to
> eager to tell people to uninstall Java without explaining why.

The technical problem is known in detail.

GIYF

And until Oracle got the fix out, not using Java was a
viable recommendation.

> Oracle say that 1.7.0_07 fixes
> http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
>
> But they are unusually vague about what the security vulnerability is,
> ostensibly to avoid giving hints to exploiters.

Apparently Google is not your friend.

>                                                      It sounds like it
> applies only to unsigned applets on malicious websites.

That is correct.

But surfing the web on not that well known web sites is done
by a billion people every day (or something in that magnitude).

>                                                        It is probably
> 1000 times easier for a malicious website to use JavaScript than this
> exploit.

Given that you have not bothered finding out what the problem is,
your wild guesses about the risk are not credible in any way.

Arne


