On 14/01/13 6:59 AM, Jay Lozier wrote:
On 01/13/2013 08:57 AM, Tom Davies wrote:
Hi :)
I think it's less of a problem on any unix-based platform even using
Oracle's main versions. Mac had a problem with 2 old versions but
generally the main problems are on Windows because it's much easier
for a remote attacker to escalate their privileges. In Mac but even
more so in Gnu&Linux it's quite normal to run things as a normal user
without Superuser privileges. The whole Windows culture is for users
to set their normal/only user as SuperUser otherwise stuff just
doesn't work.
Notice that Oracle's main version of java keeps getting upgraded.
Typically at least 1/month. It's always about security and they
always advise people to upgrade to their newest version because of
security problems with their older one (last month's). Then the
month later they say there was a problem with the one they said was
safe last month. The 1st 4 or 5 versions in their newer branch
weren't even released apparently because they got compromised even
before they got released.
OpenJdk doesn't seem to be so perpetually troubled. Personally i
think that's due to the community taking notice of their bug-reports
and being more careful about their coding. "More eyes on the code"
surely helps 'obvious' troublesome areas.
Regards from
Tom :)
I do not know if any other implementations are vulnerable. The reports
have been silent on that point so I would assume they are to be safe.
This appears to be OS independent and requires the Java applet plugin
to be enabled to work. I understand the exploits are written in Java
so they should run on any OS .
________________________________
From: James Knott <james.knott@rogers.com>
To: LibreOffice <users@global.libreoffice.org>
Sent: Sunday, 13 January 2013, 13:35
Subject: Re: [libreoffice-users] Embedded Java
Jay Lozier wrote:
Yes, all OS's are affected because Java is cross platform. I am not
sure if any of the previous version are affected or if only the
current release is affected.
The primary concern is Java applets run by your browser. The
vulnerability allows a zero-day browser exploit that as yet is not
patched by Oracle. The primary concerns I have heard of are
installation of keyloggers and installation of ransomware. I would
assume the malware will use the JVM to run and would be cross
platform. AFAIK, Oracle has not yet announced when a patch will be
available.
As I mentioned in another note, I'm running OpenJDK, not Oracle
Java. So the question becomes is it a problem in general with Java
or just Oracle's.
-- For unsubscribe instructions e-mail to:
users+help@global.libreoffice.org
Problems?
http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more:
http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot
be deleted
But now I just see warnings about any version from 1.4??
But the temporary solution seems only to require disabling Java applets
in the browser.
steve
--
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
Context
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.