JDK 1.7.0_07 and JDK 1.6.0_35 are out

Discussion in 'Java' started by Roedy Green, Aug 31, 2012.

  1. Roedy Green

    Roedy Green Guest

    JDK 1.7.0_07 and JDK 1.6.0_35 are out

    See http://mindprod.com/jgloss/jdk.html if you are having trouble
    installing. Page won't be updated until about 7 PM PDT.
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    A new scientific truth does not triumph by convincing its opponents and making them see the light,
    but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
    ~ Max Planck 1858-04-23 1947-10-04
     
    Roedy Green, Aug 31, 2012
    #1
    1. Advertising

  2. Roedy Green

    Arne Vajhøj Guest

    On 8/30/2012 7:44 PM, Roedy Green wrote:
    > JDK 1.7.0_07 and JDK 1.6.0_35 are out


    And people using Java in web browsers should update ASAP
    as the update contains fixes for several nasty
    security issues that are actively being exploited
    in the wild.

    Arne
     
    Arne Vajhøj, Aug 31, 2012
    #2
    1. Advertising

  3. Roedy Green

    markspace Guest

    On 8/30/2012 5:41 PM, Arne Vajhøj wrote:
    > On 8/30/2012 7:44 PM, Roedy Green wrote:
    > > JDK 1.7.0_07 and JDK 1.6.0_35 are out

    >
    > And people using Java in web browsers should update ASAP
    > as the update contains fixes for several nasty
    > security issues that are actively being exploited
    > in the wild.



    There was an article on Slate about Java recently. Does this fix
    address the issues it mentions?

    <http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html>
     
    markspace, Aug 31, 2012
    #3
  4. Roedy Green

    Arne Vajhøj Guest

    On 8/30/2012 8:45 PM, markspace wrote:> On 8/30/2012 5:41 PM, Arne
    Vajhøj wrote:
    >> On 8/30/2012 7:44 PM, Roedy Green wrote:
    >> > JDK 1.7.0_07 and JDK 1.6.0_35 are out

    >>
    >> And people using Java in web browsers should update ASAP
    >> as the update contains fixes for several nasty
    >> security issues that are actively being exploited
    >> in the wild.

    >
    > There was an article on Slate about Java recently. Does this fix
    > address the issues it mentions?
    >
    >

    <http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html>


    I think so.

    Arne
     
    Arne Vajhøj, Aug 31, 2012
    #4
  5. Roedy Green

    Roedy Green Guest

    On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
    indirectly quoted someone who said :

    >There was an article on Slate about Java recently. Does this fix
    >address the issues it mentions?
    >http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html>



    The tone of the article made me suspicious. The author seems all to
    eager to tell people to uninstall Java without explaining why. I have
    heard so much BS about the danger of Java. Crying wolf on that scale
    should be a criminal offence, or at least get you sued.

    On the other paw, this update follows fast on the heels of the
    previous one. That would only normally happen if there were a very
    important security fix.

    Oracle say that 1.7.0_07 fixes
    http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

    But they are unusually vague about what the security vulnerability is,
    ostensibly to avoid giving hints to exploiters. It sounds like it
    applies only to unsigned applets on malicious websites. It is probably
    1000 times easier for a malicious website to use JavaScript than this
    exploit.

    "zero day" does not tell us much about the vulnerability.
    A zero-day (or zero-hour or day zero) attack or threat is an attack
    that exploits a previously unknown vulnerability in a computer
    application, meaning that the attack occurs on "day zero" of awareness
    of the vulnerability.[1] This means that the developers have had zero
    days to address and patch the vulnerability. Zero-day exploits (actual
    software that uses a security hole to carry out an attack) are used or
    shared by attackers before the developer of the target software knows
    about the vulnerability.

    This article claims Oracle knew about this but sat on their thumbs. It
    also says the attack came from China and allows any code at all to be
    run.
    http://www.informationweek.com/security/attacks/java-zero-day-malware-attack-6-facts/240006535

    This article says 1.7.0_07 fixes the vulnerability.
    http://www.macobserver.com/tmo/article/oracle_patches_java_zero-day_vulnerability/
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    A new scientific truth does not triumph by convincing its opponents and making them see the light,
    but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
    ~ Max Planck 1858-04-23 1947-10-04
     
    Roedy Green, Aug 31, 2012
    #5
  6. In <> Roedy Green wrote:

    > I have heard so much BS about the danger of Java. Crying wolf on that
    > scale should be a criminal offence, or at least get you sued.


    On the other hand raising doubt about a acknowledged and severe security
    vunerability isn't very wise either.

    Without pointing you to the source code of the exploit, which is widely
    available this time, when reading the code it becomes trivially clear to
    anyone that it allows the attacker to execute _any_ code on the target
    machine. It evades the normal java sandbox completely.

    So lets not play this one down. This time it is for real.

    > On the other paw, this update follows fast on the heels of the
    > previous one. That would only normally happen if there were a very
    > important security fix.


    Indeed.

    > But they are unusually vague about what the security vulnerability is,
    > ostensibly to avoid giving hints to exploiters. It sounds like it
    > applies only to unsigned applets on malicious websites. It is probably
    > 1000 times easier for a malicious website to use JavaScript than this
    > exploit.


    Unfortunately I think Oracle are normally vague. If anything, they are less
    vague than usual in describing the severity and consequences. I quote:

    "To be successfully exploited, an unsuspecting user running an affected
    release in a browser will need to visit a malicious web page that
    leverages this vulnerability. Successful exploits can impact the
    availability, integrity, and confidentiality of the user's system."

    All you have to do is load the wrong web page in your browser. That's it.

    That an attacking applet has to be unsigned doesn't limit the severety of
    this vunerability. If the vunerability was only exploitable by signed
    applets, the risk would be somewhat more limited. As it stands right now,
    any script kiddie can compile and publish exploiting code.

    Further this Java vunerability in it self wouldn't become any less serious
    if any javascript engine would have a similar vunerability. Two wrongs does
    not make a right.

    --
    Fredrik Jonson
     
    Fredrik Jonson, Aug 31, 2012
    #6
  7. Roedy Green

    markspace Guest

    On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
    >
    > Without pointing you to the source code of the exploit, which is widely
    > available this time, when reading the code it becomes trivially clear to
    > anyone that it allows the attacker to execute _any_ code on the target
    > machine. It evades the normal java sandbox completely.



    But only for Java 7. Java 6 is fine.

    I'm really appreciating Firefox right now. Earlier this year Firefox
    forced me to do an upgrade of itself, then it invalidated my Java
    plug-in and forced a re-installation of that as well. Yes, OK, whatever
    Firefox; I didn't think too much about it afterwards even though it
    annoyed me at the time.

    Now I just double-checked and realized that I've had the 1.6 version of
    the plug-in this whole time, even though I know I've had Java 7 since it
    first came out. Bravo for Firefox keeping the secure version instead of
    using the latest version.
     
    markspace, Aug 31, 2012
    #7
  8. Roedy Green

    Arne Vajhøj Guest

    On 8/30/2012 10:16 PM, Roedy Green wrote:
    > On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
    > indirectly quoted someone who said :
    >
    >> There was an article on Slate about Java recently. Does this fix
    >> address the issues it mentions?
    >> http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html>

    >
    >
    > The tone of the article made me suspicious. The author seems all to
    > eager to tell people to uninstall Java without explaining why.


    The technical problem is known in details.

    GIYF

    And until Oracle got the fix out then not using Java was a
    viable recommendation.

    > Oracle say that 1.7.0_07 fixes
    > http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
    >
    > But they are unusually vague about what the security vulnerability is,
    > ostensibly to avoid giving hints to exploiters.


    Apparently Google is not your friend.

    > It sounds like it
    > applies only to unsigned applets on malicious websites.


    That is correct.

    But surfing the web on not that well known web sites is done
    by a billion people every day (or something in that magnitude).

    > It is probably
    > 1000 times easier for a malicious website to use JavaScript than this
    > exploit.


    Given that you have not bothered finding out what the problem is
    then you wild guesses about the risk are not credible in any way.

    Arne
     
    Arne Vajhøj, Aug 31, 2012
    #8
  9. Roedy Green

    Arne Vajhøj Guest

    On 8/31/2012 2:29 AM, markspace wrote:> On 8/30/2012 11:02 PM, Fredrik
    Jonson wrote:
    >>
    >> Without pointing you to the source code of the exploit, which is widely
    >> available this time, when reading the code it becomes trivially clear to
    >> anyone that it allows the attacker to execute _any_ code on the target
    >> machine. It evades the normal java sandbox completely.

    >
    >
    > But only for Java 7. Java 6 is fine.
    >
    > I'm really appreciating Firefox right now. Earlier this year Firefox
    > forced me to do an upgrade of itself, then it invalidated my Java
    > plug-in and forced a re-installation of that as well. Yes, OK, whatever
    > Firefox; I didn't think too much about it afterwards even though it
    > annoyed me at the time.
    >
    > Now I just double-checked and realized that I've had the 1.6 version of
    > the plug-in this whole time, even though I know I've had Java 7 since it
    > first came out. Bravo for Firefox keeping the secure version instead of
    > using the latest version.


    Note that Oracle fixed 4 problems.

    3 that affected only Java 7.

    1 that affected both Java 6 and 7.

    So the presumed security of using Java 6 was non existing.

    Arne
     
    Arne Vajhøj, Aug 31, 2012
    #9
  10. markspace wrote:
    > On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
    >
    > > Without pointing you to the source code of the exploit [...] it becomes
    > > trivially clear to anyone that it allows the attacker to execute _any_
    > > code on the target machine. It evades the normal java sandbox completely.

    >
    > But only for Java 7. Java 6 is fine.


    Java 6u34 and older is also partially vulnerable of "a security-in-depth
    issue that is not directly exploitable but which can be used to aggravate
    security vulnerabilities that can be directly exploited."

    http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

    Oracle has indeed release Java 6 update 35, which is a security update, and
    it cites exactly the same alert as the Java 7 update 7 release.

    http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

    Granted the CVSS base score for CVE-2012-0547 is 0, so you probably don't
    have to bee too concerned if you've only deployed Java 6 in your browser.

    Still, do note that both these releases, 6u35 and 7u7, divert from the
    ordinary release schedule. Normally we've seen a new Java update every two
    months. Both 6u35 and 7u7 lands barely half a month after their previous
    releases. I'm actually positively surprised that Oracle is this responsive,
    especially for 6u34, which they claim isn't directly vulnerable today.

    It will also be interesting to see if that means that the release numbers
    just skips now, i.e. that we'll see a 7u8 in mid or end of October, where
    7u7 was originally expected to be released. The alternative is that the
    entire schedule is shifted, and that we wont see the next update until early
    or mid November.

    --
    Fredrik Jonson
     
    Fredrik Jonson, Aug 31, 2012
    #10
  11. Roedy Green

    Roedy Green Guest

    On 31 Aug 2012 06:02:43 GMT, Fredrik Jonson <>
    wrote, quoted or indirectly quoted someone who said :

    >That an attacking applet has to be unsigned doesn't limit the severety of
    >this vunerability. If the vunerability was only exploitable by signed
    >applets, the risk would be somewhat more limited. As it stands right now,
    >any script kiddie can compile and publish exploiting code.


    A signed applet is by definition dangerous. It is typically allowed to
    read/write any files it pleases. Normally unsigned applets are the
    safest things going, though I have heard so many false claims they are
    not. That is why I was initially suspicious.
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    A new scientific truth does not triumph by convincing its opponents and making them see the light,
    but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
    ~ Max Planck 1858-04-23 1947-10-04
     
    Roedy Green, Aug 31, 2012
    #11
  12. Roedy Green

    Arne Vajhøj Guest

    On 8/31/2012 6:21 PM, Roedy Green wrote:
    > On 31 Aug 2012 06:02:43 GMT, Fredrik Jonson <>
    > wrote, quoted or indirectly quoted someone who said :
    >
    >> That an attacking applet has to be unsigned doesn't limit the

    severety of
    >> this vunerability. If the vunerability was only exploitable by signed
    >> applets, the risk would be somewhat more limited. As it stands right

    now,
    >> any script kiddie can compile and publish exploiting code.

    >
    > A signed applet is by definition dangerous. It is typically allowed to
    > read/write any files it pleases. Normally unsigned applets are the
    > safest things going, though I have heard so many false claims they are
    > not.


    They are supposed to be safe.

    But the security comes from software. And sometimes
    software has bugs.

    There were bugs in this case.

    There had been bugs before.

    And I will be surprised if we do not see bugs in the
    future as well.

    Arne
     
    Arne Vajhøj, Sep 1, 2012
    #12
  13. Hmm,

    There are now reports of another sandbox-breaking exploit, that has not been
    patched in the Java 7u7 release.

    "As in the case of the earlier vulnerabilities, Gowdiak says, this flaw
    allows an attacker to bypass the Java security sandbox completely [...]

    Unlike the earlier vulnerabilities, no known exploit of the new flaw has yet
    been found in the wild, but Gowdiak says he included proof-of-concept code
    with the report to demonstrate that an exploit is indeed possible.

    Oracle has not acknowledged that the new vulnerability actually exists, but
    it has confirmed that it has received Security Explorations' vulnerability
    report and is analyzing it."

    http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

    --
    Fredrik Jonson
     
    Fredrik Jonson, Sep 1, 2012
    #13
  14. Roedy Green

    Roedy Green Guest

    On 1 Sep 2012 06:38:25 GMT, Fredrik Jonson <> wrote,
    quoted or indirectly quoted someone who said :

    > Oracle has not acknowledged that the new vulnerability actually exists, but
    > it has confirmed that it has received Security Explorations' vulnerability
    > report and is analyzing it."


    In the discussion of Stuxnet, I discovered that knowledge of an
    unrevelealed flaw goes for about $200K.

    There have been so many flaws, I suspect people on the inside are
    putting them there on purpose.
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    A new scientific truth does not triumph by convincing its opponents and making them see the light,
    but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
    ~ Max Planck 1858-04-23 1947-10-04
     
    Roedy Green, Sep 2, 2012
    #14
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Ulf Meinhardt
    Replies:
    0
    Views:
    6,438
    Ulf Meinhardt
    Aug 10, 2006
  2. js
    Replies:
    2
    Views:
    1,482
  3. Jaggu
    Replies:
    3
    Views:
    998
    Nigel Wade
    Jan 8, 2007
  4. Replies:
    5
    Views:
    1,686
    =?ISO-8859-1?Q?Arne_Vajh=F8j?=
    Feb 14, 2007
  5. TsanChung
    Replies:
    0
    Views:
    600
    TsanChung
    Sep 3, 2008
Loading...

Share This Page