Oracle Java 7 Security Manager Bypass Vulnerability
US-CERT Alert TA13-010A (10 Jan 2013, 18:07) (http://www.kb.cert.org/vuls/id/625617):
Quote:
Hope this helps some. |
u10 is vulnerable too; there are no official safe releases from Oracle ATM.
The only solution for now is to disable it in the browser/uninstall it. |
Quote:
I'm just glad I have no need of it. |
Quote:
On the other hand, Oracle seems to be rather slow in addressing these issues. Their obtuseness doesn't give me much comfort either. |
FYI.
I observe that there are no vulnerability statements from the OpenJDK developers. The reason is that OpenJDK does not inherit the browser plugin from Oracle's JDK... it was Oracle's decision not to open-source that plugin. Therefore OpenJDK can use a separate browser plugin (if you compile it using the icedtea framework) called icedtea-web, which has been developed independently from the JDK, and apparently there is no vulnerability in there. Slackware packages for OpenJDK: http://slackware.com/~alien/slackbuilds/openjdk/ Eric |
Fix is out:
u11 |
Java SE 7u11 JDK and JRE are available at http://www.oracle.com/technetwork/ja...ads/index.html. I've upgraded using jdk-7u11-linux-x64.tar.gz with no discernible problems with Java applications or with the browser plug-in but, for now, I'm keeping the plug-in disabled in Firefox and Seamonkey (although the problem seems to have been fixed, I'll give it a week or two and see what might turn up -- YMMV).
Hope this helps some. |
Also, CERT is suggesting to keep the browser plugin disabled, even after updating to u11:
http://www.kb.cert.org/vuls/id/625617 In that advisory it says that OpenJDK is also affected. |
Another exploit is being sold for $5000 (considering what you can do with it, it's pretty cheap!).
That put me in discomfort also because it makes me recall that Limahl guy ( http://www.youtube.com/watch?v=3khTntOxX-k ). |