On Sat, Sep 8, 2012 at 9:44 PM, Toth, Csaba <[email protected]> wrote:
> That's not a straightforward scenario either.
> Some OS-X Java vulnerabilities were exploited because the release of the OS-X
> version of JVM lags behind.
>
> I don't have an Android phone, so I'm wondering how vulnerability patching
> works with Android.

http://immunityproducts.blogspot.com.es/2012/08/java-0day-analysis-cve-2012-4681.html

I don't think the exploit would even work on Android. The reason is because this depends on java and sun namespaces. Also, be warned that there is now a Metasploit module to exercise this:

https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day

Some time before my next class I'll look into whether this does impact Android at all. When that happens, I'll report back. Again, my money is on this being a non-issue for Android.

> Because the cell phone service providers usually modify the Android a little,
> so does a Dalvik VM patch need to go through the providers too,
> or can it go directly from Google onto the device? I have a feeling that the
> providers hold back patches and there's a lag,
> which creates opportunities for attack vectors.
>
> Not even talking about upgrading to new versions of Android in case of
> devices: in that case I certainly know that this
> is seriously held back by the cell phone service providers. (Ok, I had a
> dead-battery HTC for a while for play, and I needed
> to install Cyanogen to get Android 2.2 on it instead of the 1.6).
>
> Csaba
> ________________________________________
> From: [email protected] [[email protected]] On Behalf Of
> Tilghman Lesher [[email protected]]
> Sent: Saturday, September 08, 2012 7:33 PM
> To: [email protected]
> Subject: Re: [nlug] Java security issue?
>
> On Sat, Sep 8, 2012 at 9:14 PM, John R. Dennison <[email protected]> wrote:
>> On Sat, Sep 08, 2012 at 08:39:51PM -0500, Toth, Csaba wrote:
>>> I'm involved with Java, and it's sad to see that some big technology
>>> sites advise to uninstall Java completely.
>>
>> Oracle sat on at least 2 root-able vectors for a long time. Disabling
>> or uninstalling in the face of their security mismanagement is prudent
>> considering that at least one 0-day in the wild was dropping root kits.
>
> Google's decision to build its own virtual machine looks smarter all
> the time. I wonder when we can expect to see Dalvik packaged for
> desktop use.
>
> --
> You received this message because you are subscribed to the Google Groups
> "NLUG" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nlug-talk?hl=en
