JDK 1.7.0_11 is out.

Discussion in 'Java' started by Roedy Green, Jan 14, 2013.

  1. Roedy Green

    Roedy Green Guest

    Presumably will fix the 0-day exploit.
    I will find out after I get it myself.
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    Students who hire or con others to do their homework are as foolish
    as couch potatoes who hire others to go to the gym for them.
    Roedy Green, Jan 14, 2013
    #1

  2. Roedy Green

    Arne Vajhøj Guest

    On 1/13/2013 9:24 PM, Roedy Green wrote:
    > Presumably will fix the 0-day exploit.


    It does.

    Arne
    Arne Vajhøj, Jan 14, 2013
    #2

  3. Roedy Green

    Roedy Green Guest

    On Sun, 13 Jan 2013 18:24:23 -0800, Roedy Green
    <> wrote, quoted or indirectly quoted
    someone who said :

    >Presumably will fix the 0-day exploit.
    >I will find out after I get it myself.


    The release notes are at
    http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

    As I read them the "fix" is just to turn off Applets entirely, by
    default -- hardly a fix. Perhaps one of the group's language lawyers
    could see if I interpreted that correctly.
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    The first 90% of the code accounts for the first 90% of the development time.
    The remaining 10% of the code accounts for the other 90% of the development
    time.
    ~ Tom Cargill Ninety-ninety Law
    Roedy Green, Jan 15, 2013
    #3
  4. Roedy Green

    Arne Vajhøj Guest

    On 1/14/2013 11:01 PM, Roedy Green wrote:
    > On Sun, 13 Jan 2013 18:24:23 -0800, Roedy Green
    > <> wrote, quoted or indirectly quoted
    > someone who said :
    >
    >> Presumably will fix the 0-day exploit.
    >> I will find out after I get it myself.

    >
    > The release notes are at
    > http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
    >
    > As I read them the "fix" is just to turn off Applets entirely, by
    > default -- hardly a fix. Perhaps one of the group's language lawyers
    > could see if I interpreted that correctly.


    I don't read it that way.

    <quote>
    This release contains fixes for security vulnerabilities. For more
    information, see Oracle Security Alert for CVE-2013-0422.

    In addition, the following change has been made:

    Area: deploy
    Synopsis: Default Security Level Setting Changed to High
    The default security level for Java applets and web start applications
    has been increased from "Medium" to "High".
    </quote>

    .... contains fixes ... in addition ... security level
    setting changed ...

    I can not interpret that other than there are both a fix
    and a change in default security level.

    Arne
    Arne Vajhøj, Jan 16, 2013
    #4
  5. Roedy Green

    Eric Sosman Guest

    On 1/15/2013 9:03 PM, Arne Vajhøj wrote:
    >[...]
    > <quote>
    > This release contains fixes for security vulnerabilities. For more
    > information, see Oracle Security Alert for CVE-2013-0422.


    CERT's advice is

    "Immunity has indicated that only the reflection
    vulnerability has been fixed and that the JMX MBean
    vulnerability remains. [...] Unless it is absolutely
    necessary to run Java in web browsers, disable it as
    described below, even after updating to 7u11. [...]"
    --from <http://www.kb.cert.org/vuls/id/625617>

    Write once, pwn anywhere ...

    --
    Eric Sosman
    Eric Sosman, Jan 16, 2013
    #5
  6. Roedy Green

    Arne Vajhøj Guest

    On 1/15/2013 10:03 PM, Eric Sosman wrote:
    > On 1/15/2013 9:03 PM, Arne Vajhøj wrote:
    >> [...]
    >> <quote>
    >> This release contains fixes for security vulnerabilities. For more
    >> information, see Oracle Security Alert for CVE-2013-0422.

    >
    > CERT's advice is
    >
    > "Immunity has indicated that only the reflection
    > vulnerability has been fixed and that the JMX MBean
    > vulnerability remains. [...] Unless it is absolutely
    > necessary to run Java in web browsers, disable it as
    > described below, even after updating to 7u11. [...]"
    > --from <http://www.kb.cert.org/vuls/id/625617>
    >
    > Write once, pwn anywhere ...


    According to the link, the exploits require both
    vulnerabilities.

    But obviously the unfixed problem could be part of new
    exploits as well.

    So it definitely should be fixed. And hopefully it
    will be.

    Arne
    Arne Vajhøj, Jan 17, 2013
    #6
