Re: [libreoffice-users] Embedded Java

On 14/01/13 6:59 AM, Jay Lozier wrote:
> On 01/13/2013 08:57 AM, Tom Davies wrote:
> > Hi :)
> > I think it's less of a problem on any unix-based platform even using 
> > Oracle's main versions.  Mac had a problem with 2 old versions but 
> > generally the main problems are on Windows because it's much easier 
> > for a remote attacker to escalate their privileges.  In Mac but even 
> > more so in Gnu&Linux it's quite normal to run things as a normal user 
> > without Superuser privileges.  The whole Windows culture is for users 
> > to set their normal/only user as SuperUser otherwise stuff just 
> > doesn't work.
> >
> > Notice that Oracle's main version of java keeps getting upgraded.  
> > Typically at least 1/month.  It's always about security and they 
> > always advise people to upgrade to their newest version because of 
> > security problems with their older one (last month's).  Then the 
> > month later they say there was a problem with the one they said was 
> > safe last month.  The 1st 4 or 5 versions in their newer branch 
> > weren't even released apparently because they got compromised even 
> > before they got released.
> >
> > OpenJdk doesn't seem to be so perpetually troubled.  Personally i 
> > think that's due to the community taking notice of their bug-reports 
> > and being more careful about their coding.  "More eyes on the code" 
> > surely helps 'obvious' troublesome areas.
> >
> > Regards from
> > Tom :)
> I do not know if any other implementations are vulnerable. The reports 
> have been silent on that point so I would assume they are to be safe.
>
> This appears to be OS independent and requires the Java applet plugin 
> to be enabled to work. I understand the exploits are written in Java 
> so they should run on any OS .
> > > ________________________________
> > > From: James Knott <james.knott@rogers.com>
> > > To: LibreOffice <users@global.libreoffice.org>
> > > Sent: Sunday, 13 January 2013, 13:35
> > > Subject: Re: [libreoffice-users] Embedded Java
> > >
> > > Jay Lozier wrote:
> > > > Yes, all OS's are affected because Java is cross platform. I am not 
> > > > sure if any of the previous version are affected or if only the 
> > > > current release is affected.
> > > >
> > > > The primary concern is Java applets run by your browser. The 
> > > > vulnerability allows a zero-day browser exploit that as yet is not 
> > > > patched by Oracle. The primary concerns I have heard of are 
> > > > installation of keyloggers and installation of ransomware. I would 
> > > > assume the malware will use the JVM to run and would be cross 
> > > > platform. AFAIK, Oracle has not yet announced when a patch will be 
> > > > available.
> > > As I mentioned in another note, I'm running OpenJDK, not Oracle 
> > > Java.  So the question becomes is it a problem in general with Java 
> > > or just Oracle's.
> > >
> > >
> > > -- For unsubscribe instructions e-mail to: 
> > > users+help@global.libreoffice.org
> > > Problems? 
> > > http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
> > > Posting guidelines + more: 
> > > http://wiki.documentfoundation.org/Netiquette
> > > List archive: http://listarchives.libreoffice.org/global/users/
> > > All messages sent to this list will be publicly archived and cannot 
> > > be deleted
I see statements in reports that this only affects Java 7. So hopefully 
other variants are ok.
Steve


--
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted