"Java exploit: security experts warn of malware flaw"



t0p
August 29th, 2012, 03:12 PM
Is this (http://www.guardian.co.uk/technology/2012/aug/29/java-exploit-security-malware-flaw?CMP=twt_fd) something users of Open JDK Java 7 need to beware of?

Gremlinzzz
August 29th, 2012, 06:40 PM
Thanks for the heads-up. Just checked Firefox plugins, says to disable Java plugins, vulnerable no fix!
something users of Open JDK Java 7 need to beware of? I don't know.

CharlesA
August 29th, 2012, 06:47 PM
Hurray for Java.

jockyburns
August 29th, 2012, 07:12 PM
Could this malware possibly affect a Linux OS ?

a number of hacked websites were using the exploit to install malware on Windows users' machines – although Apple Mac machines could also be targeted.

QIII
August 29th, 2012, 07:31 PM
Since OpenJDK is the open source reference implementation of Oracle Java 7 and usually lags behind Oracle Java, we might as well assume that it is vulnerable not only to this exploit, but also to the previous "escape" exploit that caused Oracle to put out Oracle Java 7 Update 6.

So, yes. OpenJDK is suspect as well.

Could it affect Linux? Modified, yes. The last exploit was cross-platform.

Edit: After some perusal of the security community scuttlebutt, it turns out that within the last few hours it has been determined that the vulnerability takes advantage of a two-pronged method, is 100% effective and does endanger Linux systems although it is currently targeted at Windows.

Edit 2. Red Hat testing confirms the vulnerability exists in OpenJDK 7, Oracle Java 7 and IBM Java 7.

Jakin
August 29th, 2012, 10:21 PM
I don't allow OpenJava 6 to store any cache on my system, since I heard of this, that's probably not enough, is it? I turned off the extension in Aurora for now though.
Thanks for heads up!

SuperFreak
August 30th, 2012, 12:12 AM
Here's another concern

http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

alphacrucis2
August 30th, 2012, 12:12 AM
I notice on windows that firefox had disabled the Java plugin with a link to this:

https://addons.mozilla.org/en-US/firefox/blocked/p125

Good work by Mozilla.

vexorian
August 30th, 2012, 12:55 AM
Could this malware possibly affect a Linux OS ?
It can affect any OS that runs a tainted Java version. But needs the attacker to specifically target Linux. (You know the code that they inject into your java needs to do something before it is called an exploit. If the black hat trying to use the exploit codes it to find c:\windows and alter explorer.exe, it will not hurt Linux. Now if the black hat makes the code do something with windows and exploit a certain nvidia-current exploit that gives root to code running under Linux systems that have that driver, then he can destroy your Linux system.)

I would disable the java plugin just in case. (Are there any sites that still need that? I mean, really?)

In my case, I didn't even notice I don't have the plugin installed. (I did install openjdk and jre, I just never installed the plugin and didn't notice).

sandyd
August 30th, 2012, 02:21 AM
I notice on windows that firefox had disabled the Java plugin with a link to this:

https://addons.mozilla.org/en-US/firefox/blocked/p125

Good work by Mozilla.

It has on my Mac/Book Pro as well.

madmax75
August 30th, 2012, 10:19 AM
Please forgive me in advance for a (probably) dumb question... ;)

So, is it enough if you disable the IcedTea plugin in Firefox and in Chrome/Chromium, or should you uninstall OpenJDK and IcedTea altogether for the time being?

Jakin
August 30th, 2012, 10:32 AM
In Firefox you simply go into extensions, and click on disable.

In Chrome I assume would be the same..?

madmax75
August 30th, 2012, 10:41 AM
In Firefox you simply go into extensions, and click on disable.

In Chrome I assume would be the same..?

I assume that you were answering me - I edited my post at the same time as I was perusing around in the Firefox and Chrome settings, and found the appropriate options myself... Sorry about that :)

In Firefox it is in Add-ons -> Extensions -> IcedTea-Web Plugin (enable/disable).

In Chrome/Chromium the option is hidden much better :)

It is in the Settings -> Show Advanced Settings -> Privacy Section -> Content Settings -> Plugins -> Disable plugins individually... -> IcedTea.

I assume this is all you have to do for now. Am I right? Or should the OpenJDK/IcedTea be uninstalled entirely for now?

jfmd
August 30th, 2012, 10:50 AM
Looks like this exploit will only work with the oracle version of Java.

http://erratasec.blogspot.kr/2012/08/new-java-0day.html

madmax75
August 30th, 2012, 10:57 AM
Looks like this exploit will only work with the oracle version of Java.

http://erratasec.blogspot.kr/2012/08/new-java-0day.html

See post #5 by QIII... It appears that the OpenJDK/IcedTea could be in the danger zone as well.

Jakin
August 30th, 2012, 11:11 AM
I would think just disabling the plugin would keep us safe (don't quote me), unless this bit of malicious code somehow found its way into a Java-based app you are using.

vexorian
August 30th, 2012, 02:13 PM
It seems only java 7 is vulnerable, so if you need Java apps and they don't need java 7, you have the option to install the 1.6 packages.

QIII
August 30th, 2012, 04:38 PM
Red Hat's testing shows that the vulnerability exists in Oracle Java 7, OpenJDK 7 and IBM Java 7 for all distributions of Linux. They are recommending that their enterprise customers not use a plugin for the time being.

They do not recommend the use of Java 6 because it is vulnerable to other known attacks. This vulnerability does not affect Java 6 but others do, so downgrading only changes to other threats.

If I have a chance today, I'll find the URL again indicating the results of the Red Hat tests.


Edit: Here are the URLs regarding test results:

https://access.redhat.com/knowledge/articles/197363

https://access.redhat.com/security/cve/CVE-2012-4681

All information on the web indicates that 1.7.0 - 1.7.6 are affected, thus it must be assumed that all three Javas through update 6 are affected.

Gremlinzzz
August 30th, 2012, 06:36 PM
Oracle reportedly knew of critical Java bugs under attack for 4 months.
After reading this I can assume that we will be waiting a while for the fix.
http://arstechnica.com/security/2012/08/critical-java-bugs-reported-4-months-ago/

sammiev
August 30th, 2012, 06:44 PM
Oracle reportedly knew of critical Java bugs under attack for 4 months.
After reading this I can assume that we will be waiting a while for the fix.
http://arstechnica.com/security/2012/08/critical-java-bugs-reported-4-months-ago/

The fix has been released and I'm running since earlier today. 7u7 is out and working good.

QIII
August 30th, 2012, 06:49 PM
Nothing like an internationally embarrassing ****-whoopin' to motivate.

vexorian
August 30th, 2012, 06:56 PM
Hence why I believe full disclosure is always the better answer.

Gremlinzzz
August 31st, 2012, 12:35 AM
The fix has been released and I'm running since earlier today. 7u7 is out and working good.

:popcorn: Thanks, problem solved.

lisati
August 31st, 2012, 12:44 AM
The fix has been released and I'm running since earlier today. 7u7 is out and working good.

I noticed what appeared to be a java-related update come through earlier today. Having said that, it's not an excuse to dumb down the care you'd normally take while surfing.

3rdalbum
August 31st, 2012, 01:36 PM
Java needs to be binned, desperately. IIRC, early versions of Java had a documented feature where you could modify the contents of RAM - anywhere in the system - from within a Java application or applet. How dumb is that?

There have been countless Java vulnerabilities discovered on every platform that Java runs on; it's like Internet Explorer 6, except non-Windows users are also at risk.

Get rid of Java permanently.

QIII
August 31st, 2012, 03:29 PM
Unfortunately, Java is ubiquitous.

fleamour
August 31st, 2012, 08:28 PM
Am I safe?

I disabled Iced Tea but nearly every site I visit requires some form of Java, so keep adding exceptions.

BigCityCat
August 31st, 2012, 08:44 PM
I don't have Java installed and I do not notice it at all. I also have noscript installed. Apparmor firefox profile enabled and outbound firewall rules established. Why not right?

fleamour
August 31st, 2012, 09:25 PM
I uninstalled Iced Tea completely under synaptic. No longer shows in chrome://plugins/ but under chrome://chrome/settings/content#java
unless Allow all sites to run JavaScript (recommended) is ticked, nearly every site complains.

I am confused.

1clue
August 31st, 2012, 09:46 PM
Java needs to be binned, desperately. IIRC, early versions of Java had a documented feature where you could modify the contents of RAM - anywhere in the system - from within a Java application or applet. How dumb is that?

There have been countless Java vulnerabilities discovered on every platform that Java runs on; it's like Internet Explorer 6, except non-Windows users are also at risk.

Get rid of Java permanently.


I can see where you're coming from from the client side, but a whole lot of enterprise server-side software uses Java or some language that runs on the JVM. Really tough to eradicate that.

1clue
August 31st, 2012, 10:14 PM
Another response to the same post.

The early versions of Java were for embedded applications, not anything to do with the Internet or for that matter even a normal desktop or laptop. Subsequent ones had some of the features designed around that concept for longer than they should.

In that light, having a feature to set memory anywhere in the machine would be really handy, especially if you're trying to build a driver or do something on custom hardware which has no driver support.

rattskjelke
August 31st, 2012, 10:51 PM
What should you do if you have applications like LibreOffice that require Java?

1clue
August 31st, 2012, 11:36 PM
Relax and be careful.

Lots of products in the past have had serious security flaws, many of which are considered top quality products now. They'll get it straightened out. The best thing you can do as a user is to read the warnings and take recommended precautions, and use your head.

Also, just about every software product has somebody who REALLY_DOESN'T_LIKE_IT and wants to have it removed entirely. I'm one of those, but for me it's Adobe Flash, the entire streaming protocol and all software that reads or writes it.

Oracle is not ignoring this, no matter what it might look like from the outside. Oracle Financials and the database as well make heavy use of Java. A large number of Fortune 500 companies use this software to manage their money. So do banks. They'll fix it.

If you're crazy about getting rid of Java, then go install Gentoo and put -java in your USE and remove all support for it from all your software when you compile.

QIII
September 1st, 2012, 01:19 AM
Oracle ignored it for 4 months.

Welly Wu
September 1st, 2012, 02:07 AM
Oracle pushed out Java 7 JDK and JRE 7 Update 7 and I already downloaded and installed it on my System76 Lemur Ultra Thin (lemu4) and Ubuntu 12.04.1 64 bit Long Term Service. I am going to check if the Open JDK and JRE 7 have patched this security vulnerability by now. The best practice is to check your system and download and install the latest version of Oracle Java 7 JDK and JRE Update 7 as soon as possible. You will need to check all of your web browsers to make sure that you have either disabled Oracle Java (TM) JRE and JDK 7 Update 6. You can do this by launching your web browser and typing in either about:plugins or chrome://plugins. Make sure that you have Java (TM) JRE or JDK 7 Update 7 installed. Restart your web browsers to make the changes take effect.

You can mitigate this security vulnerability by installing NoScripts or NotScripts and QuickJava version 1.8.0 to disable Java entirely or at least the affected Oracle Java (TM) 7 Update 6 when visiting unknown web sites.

Make sure that you download and install the latest version of Oracle Java (TM) JDK and JRE 7 Update 7 as soon as possible.

Make sure that you select Oracle Java (TM) JDK and JRE 7 Update 7 as your default Java:

sudo update-alternatives --config java

Furthermore, you should also download and install a reputable anti-virus scanner and make sure that you download and install the latest anti-virus definitions. As of August 30th, 2012 at 1:00 PM EST, 9 out of 22 anti-virus scanners protected their users from this specific security vulnerability. I know for certain that BitDefender for Unices Free already updated their anti-virus definitions to detect this Oracle Java (TM) JRE and JDK 7 Update 6 security vulnerability by now.
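
Added example, not part of the original posts: a shell sketch of the version check discussed in this thread, applying the range the posters give for CVE-2012-4681 (Java 7 through update 6 affected, 7u7 fixed, Java 6 outside this CVE). The function names and sample version lines are constructed for illustration; distribution OpenJDK packages may carry the fix under a different update number, so the package changelog is the authority there.

```shell
#!/bin/sh
# Added example: classify a Java version string against the range stated in
# this thread for CVE-2012-4681 (Java 7 through update 6 affected, 7u7 fixed).

# Pull the quoted version out of the first line of `java -version` output,
# e.g.  java version "1.7.0_06"  ->  1.7.0_06
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print one of: affected | patched | java6 | unknown
classify_java() {
    ver=$1
    case "$ver" in
        1.6.*)  echo "java6"; return 0 ;;   # outside this CVE per the thread
        1.7.0*) ;;                          # Java 7: inspect the update number
        *)      echo "unknown"; return 0 ;;
    esac
    case "$ver" in
        *_*) upd=${ver#*_} ;;               # text after the underscore
        *)   upd=0 ;;                       # plain 1.7.0 is the initial release
    esac
    upd=${upd%%[!0-9]*}                     # drop suffixes such as -b24
    while [ "${upd#0}" != "$upd" ]; do upd=${upd#0}; done   # 06 -> 6
    [ -n "$upd" ] || upd=0
    if [ "$upd" -le 6 ]; then echo "affected"; else echo "patched"; fi
}

# Constructed sample lines in the format printed by `java -version`.
for line in 'java version "1.7.0_06"' 'java version "1.7.0_07"' \
            'java version "1.6.0_24"'; do
    v=$(extract_version "$line")
    printf '%-12s %s\n' "$v" "$(classify_java "$v")"
done

# Check the default java on this machine, if one is on PATH.
# `java -version` writes to stderr, hence the redirect.
if command -v java >/dev/null 2>&1; then
    v=$(extract_version "$(java -version 2>&1 | head -n 1)")
    printf 'installed: %s %s\n' "${v:-?}" "$(classify_java "$v")"
fi
```

The check covers only the `java` that is first on PATH; the browser plugin may be bound to a different installed runtime, which `about:plugins` or `chrome://plugins` will show.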

vexorian
September 1st, 2012, 02:14 AM
The best practice is not to have the java web plugin unless you actually need it for some web site.

I cannot find any that does. :/

Welly Wu
September 1st, 2012, 02:27 AM
Everybody has different needs. Some of the online IT certification preparation and study modules do require that I have the latest version of Oracle Java (TM) installed in order for me to access the course materials. This is why I can not completely disable Oracle Java (TM).

You have to consider the wide range of users and their unique needs before telling people to disable Oracle Java (TM) completely on a public discussion forum. In my opinion, your advice is not taking this important consideration into mind and it may cause certain users to break compatibility with certain web sites and software applications that require Java. For example, I use CrashPlan+ data backup software application and it requires Java.