
Thread: Java Security Flaw

  1. #51
    Join Date
    Aug 2009
    Beans
    3,199
    Distro
    Ubuntu Development Release

    Re: Java Security Flaw

    Quote Originally Posted by QIII View Post
    Java 7u12 will likely be breached within 48 hours.

    The US Department of Homeland Security still recommends disabling the browser plugin. Some reports I have read indicate this will take two years of concerted effort to rectify, during which time the bad guys will get ready to pounce again.
    Cheese Whiz! I like the popup though, and if we are going to leave it enabled, which I plan to do, I guess we should pay close attention to what that popup is asking before allowing it to run.

  2. #52
    Join Date
    Mar 2011
    Beans
    668

    Re: Java Security Flaw

    @QIII,

    Yes, it is estimated two years. We'll see how they react when it starts getting widely distributed, which will happen in the next day or so.

    @Ms. Daisy,

    What I'm saying is the only way to fully protect from Java exploits is to configure AppArmor so that Java cannot behave like Java. The malicious code runs basically like native Java. Hence AppArmor would have to disable Java completely. I'd love to hear that I'm wrong...
    Not really. Java applications need access to the home directory. They need very little access otherwise, only to Java programs.

    The way most exploits work is to drop a second payload and execute it. AppArmor kills that immediately.

    Obviously that's a pseudomitigation and trivial to bypass. So what else does AppArmor provide?

    As an attacker who exploits a typical Java JRE we have access to the full user directory - home, interacting with other processes, reading the filesystem for sensitive info (for monetization or local exploitation), writing new executable files, persistence, etc.

    As an attacker who exploits a JRE running with a strict AppArmor profile we can read/write to some Java files, read a few more files, and interact with no other processes. Significantly more secure, not easy to monetize at all.

    So while the Java code runs perfectly fine (of course, you need Java to run for Java to run, as you say) it's not able to do anything malicious.

    Java code running isn't scary - or not super scary - it's what it does after it runs we worry about.
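
The "drop a second payload and execute it" point in the post above can be checked mechanically against a profile. The following is an added example, not code from the thread or from any Ubuntu package: a simplified Python model of AppArmor file rules (it ignores the `owner` qualifier, includes and profile headers) that reports whether a confined process could both write and execute a given path. The two profiles, the `/home/alice` home directory and all paths are constructed assumptions.

```python
import re

# Constructed rule fragments (assumptions, not a shipped Java or Firefox profile).
LOOSE = """
/usr/lib/jvm/** mrix,
owner @{HOME}/** rwix,
/tmp/** rwix,
"""
STRICT = """
/usr/lib/jvm/** mrix,
owner @{HOME}/.java/** rw,
owner @{HOME}/Downloads/** r,
deny @{HOME}/** x,
deny /tmp/** x,
/tmp/hsperfdata_*/** rw,
"""

# [deny] [owner] <path glob> <permission letters>,
RULE = re.compile(r"^(deny\s+)?(?:owner\s+)?(\S+)\s+([a-zA-Z]+),$")

def glob_to_regex(glob, home):
    """Translate the AppArmor globs used here: ** crosses '/', * does not."""
    out = ""
    for part in re.split(r"(\*\*|\*)", glob.replace("@{HOME}", home)):
        out += ".*" if part == "**" else "[^/]*" if part == "*" else re.escape(part)
    return re.compile(out + r"\Z")

def granted(profile, path, home="/home/alice"):
    """Return the subset of {'r','w','x'} granted on path; deny rules win."""
    allow, deny = set(), set()
    for line in profile.splitlines():
        m = RULE.match(line.strip())
        if not m or not glob_to_regex(m.group(2), home).match(path):
            continue
        perms = m.group(3).lower()
        modes = {p for p in "rw" if p in perms}
        if "a" in perms:
            modes.add("w")  # append is a form of write
        if "x" in perms:
            modes.add("x")  # ix, px, cx and ux are all exec modes
        (deny if m.group(1) else allow).update(modes)
    return allow - deny

def can_drop_and_run(profile, path):
    """True if the profile lets the confined process write AND execute path."""
    return {"w", "x"} <= granted(profile, path)
```

Any path for which `can_drop_and_run` returns true is a place where a dropped second stage would still run under that profile.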

  3. #53
    Join Date
    Jul 2012
    Beans
    Hidden!

    Re: Java Security Flaw

    This link deals with the Java security flaw and Windows.

    http://ask-leo.com/should_i_disable_...K429IRa4eZdfbL

  4. #54
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Java Security Flaw

    Hi all,

    After hours of testing with the limited available Java plugins and reading the following information, I am sure that Firefox 18 with Java 6 Update 38 and Java 7 Update 10 are not affected by the vulnerability even if you have not implemented AppArmor for Firefox. It is because Firefox 17 or above disables the vulnerable Java plugins.

    However, I have no available exploit to test Firefox 18 with Java 7 Update 11. Therefore, I strongly recommend that anyone who has updated to Java 7 Update 11 be wary of executing any Java Applet on his/her Firefox 18.

    Or you can simply uninstall/disable Java 7 Update 11, or disable it after use. Meanwhile, I strongly believe that AppArmor for Firefox can protect your box from being compromised by this vulnerability; however, I have no evidence at the moment.

    The following information is quoted from the Add-ons Blocklist of Firefox:

    Code:
    Why was it blocked?
        The Java plugin is causing significant security problems. All users are 
        strongly recommended to keep the plugin disabled unless necessary.
    
    Who is affected?
        All users who have these versions of the plugin installed in Firefox 17 
        and above.
    
    What does this mean?
        The problematic add-on or plugin will be automatically disabled and no 
        longer usable.
    The reference links:

    All users who have the Java Plugin 6 Update 31 through 38 installed in Firefox 17 and above.

    Java Plugin 6 updates 31 through 38 (click-to-play), Linux

    Java Plugin 6 updates 38 and lower (click-to-play), Mac OS X

    Java Plugin 6 updates 31 through 38 (click-to-play), Windows


    All users who have the Java Plugin 7 Update 10 and lower installed in Firefox 17 and above.

    Java Plugin 7 update 10 and lower (click-to-play), Linux

    Java Plugin 7 update 10 and lower (click-to-play), Windows

    Java Plugin 7 update 10 and lower (click-to-play), Mac OS X

    Samiux
    Last edited by samiux; January 17th, 2013 at 04:07 AM. Reason: fix format

  5. #55
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Java Security Flaw

    Please read this link if you are concerned about Java's latest update.

    Samiux

  6. #56
    Join Date
    Jun 2008
    Location
    Byron, CA, USA
    Beans
    363
    Distro
    Ubuntu 12.04 Precise Pangolin

    Question Re: Java Security Flaw

    I found this Thread after reading of a potential design flaw in the Java® Runtime Environment from as far back as Release 1.4; it was apparently uncorrected by both Sun Microsystems® and Oracle® in all of Java® SE 5 (all known Updates), 6 (through Update 39), and 7 (through Update 11) and may affect their OpenJDK and IcedTea counterparts as well. I removed Java® SE 6 Update 38 from my Asus® CM1630-06 (which runs Microsoft® Windows® 7.0.8001) and am awaiting information on a fix for the in-development (as of January 2013) Java® SE 8. (An attempt to uninstall OpenJDK 6 would break the Metapackage ubuntu-desktop in 12.04.1-LTS.)

    What source procedure in OpenJDK holds this design flaw and therefore must be fixed to resolve this issue?
    Gigabyte MA78GM-S2HP / AMD Athlon X2 5600+
    Audio: Creative Laboratories SB0350 (PCI)
    Video: ATI Radeon HD 3200 (planar)

  7. #57
    Join Date
    Mar 2005
    Location
    Mazatlan-MX
    Beans
    126
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Java Security Flaw

    Looks like ORACLE has just released another "PATCH"
    Here: go, but it will not likely show up in "Synaptic" for some time.

    Use Synaptic to check your package list, and you will see "Iced Tea" often referred to.

    Note what happens when you use Synaptic to uninstall parts of OpenJDK: it appears to install other packages, strange.

    Did you check your virus problems with Clamscan ?
    Pay now, or pay later, there's no free lunch.
