Any system using Oracle Java 7 (1.7, 1.7.0) including
* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)
All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk.

A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a

A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a "drive-by download" attack).

Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as

Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.

Further technical details are available in Vulnerability Note

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Disable Java in web browsers

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, disable Java in web browsers.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security

If you are unable to update to Java 7 Update 10 please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per browser basis.
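An added exposure check, not part of the advisory or of any post in this thread: a POSIX shell script that classifies a `java -version` string against the affected range quoted above (Java 7 through update 10) and looks for the Oracle browser plug-in library in the usual Mozilla plug-in directories. The plug-in filename `libnpjp2.so` and the directory list are assumptions about a typical Linux install.

```bash
#!/bin/sh
# Added example (not from the thread): decide whether an installed Oracle Java
# falls in the advisory's affected range and whether the browser plug-in that
# exposes it is present.

# java_affected VERSION -> exit 0 if VERSION is Java 7 update 0..10, else 1.
# VERSION is the string printed by `java -version`, e.g. "1.7.0_10".
java_affected() {
    ver="$1"
    case "$ver" in
        1.7.0_*)   upd="${ver#1.7.0_}" ;;
        1.7.0|1.7) upd=0 ;;            # plain 1.7 / 1.7.0 is the initial release
        *)         return 1 ;;         # Java 6, Java 8, or unparseable: outside the range
    esac
    upd="${upd%%-*}"                   # drop a build suffix such as "-b18" (constructed format)
    case "$upd" in
        ''|*[!0-9]*) return 1 ;;       # not a number: treat as unknown, report not affected
    esac
    [ "$upd" -le 10 ]                  # updates 0..10 are affected, 7u11 is the fix
}

# installed_java_version: first version string reported by the java on PATH.
# `java -version` writes to stderr, hence the 2>&1.
installed_java_version() {
    java -version 2>&1 | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# find_java_plugins: list Oracle Java browser plug-in libraries (libnpjp2.so,
# assumed name) found in common Mozilla plug-in directories (assumed paths).
find_java_plugins() {
    for d in /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins "$HOME/.mozilla/plugins"; do
        [ -d "$d" ] || continue
        find "$d" -name 'libnpjp2.so' 2>/dev/null
    done
}

# report: one-line summary for this host, exit 0 either way.
report() {
    v="$(installed_java_version)"
    if [ -z "$v" ]; then
        echo "no java on PATH"
    elif java_affected "$v"; then
        echo "java $v is in the affected range (7u0-7u10); plug-ins:"; find_java_plugins
    else
        echo "java $v is outside the affected range; plug-ins:"; find_java_plugins
    fi
}
```

Run `report` on a host to see which case applies; an empty plug-in list with an affected version still warrants updating, since Java Web Start and JNLP files are also listed above as vectors.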
"ATM"? Judging by its history I don't think it would be unreasonable to say that java lives in a perpetual state of vulnerability.
I'm just glad I have no need of it.
On one hand, I don't think it's fair to single out Java for every vulnerability since pretty much every piece of software suffers from 0-day exploits. The Ruby on Rails vulnerability that happened last week is a good example. Whereas with Java, the vulnerability is on the applet, not the application part of Java (server-side development).
On the other hand, Oracle seems to be rather slow in addressing these issues. Their obtuseness doesn't give me much comfort either.
I observe that there are no vulnerability statements from the OpenJDK developers. The reason being that OpenJDK does not inherit the browser plugin from Oracle's JDK... it was Oracle's decision not to open-source that plugin.
Therefore OpenJDK can use a separate browser plugin (if you compile it using the icedtea framework) called icedtea-web which has been developed independently from JDK and apparently there is no vulnerability in there.
Java SE 7u11 JDK and JRE are available at http://www.oracle.com/technetwork/ja...ads/index.html. I've upgraded using jdk-7u11-linux-x64.tar.gz with no discernible problems with Java applications or with the browser plug-in but, for now, I'm keeping the plug-in disabled in Firefox and Seamonkey (although the problem seems to have been fixed, I'll give it a week or two and see what might turn up -- YMMV).
Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.