<http://lists.grok.org.uk/pipermail/full-disclosure/2013-January/089440.html>
It appears that the particular reflection feature in Java 7 is the security-exploit gift that just keeps on giving.

The answer is still to disable Java plug-ins in browsers and have Java installed only if you depend on it for something (certain LibreOffice extensions, Base, other Java-based applications, etc.).

-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Wednesday, January 16, 2013 09:10
To: 'Simon Phipps'
Cc: 'lj'; 'Libreoffice Discussion List'
Subject: RE: [tdf-discuss] LibreOffice and Java Security: OpenJDK Vulnerability

Simon has just provided a superb account of the Java security problem in an InfoWorld blog post today: <http://www.infoworld.com/t/java-programming/why-fixing-the-java-flaw-will-take-so-long-210946>.

I find this more-technical analysis to be plausible as well, and Simon's report provides context that makes it a bit more understandable: <http://lists.grok.org.uk/pipermail/full-disclosure/2013-January/089375.html>.

[ ... ]

For users of openoffice-lineage software, I am not sure what the concern should be. Disabling java browser plugins seems prudent. It may be inevitable that web sites will cease depending on users employing such plugins with the famed Java Applet disappearing into history.

[ ... ]

-----Original Message-----
From: Simon Phipps [mailto:si...@webmink.com]
Sent: Tuesday, January 15, 2013 19:29
To: Dennis Hamilton
Cc: lj; Libreoffice Discussion List
Subject: Re: [tdf-discuss] LibreOffice and Java Security: OpenJDK Vulnerability

I'm investigating, but the issue is a sandbox security manager bypass using unauthorised reflection and that's exploited using Rhino Javascript. So the context has to be a browser for there to be an issue even if OpenJDK is affected.

See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0422 for lots of data...

S.

[ ... ]