On 01/13/2013 08:57 AM, Tom Davies wrote:
Hi :)
I think it's less of a problem on any unix-based platform even using Oracle's main
versions. Mac had a problem with 2 old versions but generally the main problems
are on Windows because it's much easier for a remote attacker to escalate their
privileges. In Mac but even more so in Gnu&Linux it's quite normal to run
things as a normal user without Superuser privileges. The whole Windows culture is
for users to set their normal/only user as SuperUser otherwise stuff just doesn't
work.
Notice that Oracle's main version of java keeps getting upgraded. Typically at
least 1/month. It's always about security and they always advise people to
upgrade to their newest version because of security problems with their older
one (last month's). Then the month later they say there was a problem with the
one they said was safe last month. The 1st 4 or 5 versions in their newer
branch weren't even released apparently because they got compromised even
before they got released.
OpenJdk doesn't seem to be so perpetually troubled. Personally i think that's due to the
community taking notice of their bug-reports and being more careful about their coding.
"More eyes on the code" surely helps 'obvious' troublesome areas.
Regards from
Tom :)
I do not know if any other implementations are vulnerable. The reports
have been silent on that point so I would assume they are to be safe.
This appears to be OS independent and requires the Java applet plugin to
be enabled to work. I understand the exploits are written in Java so
they should run on any OS .
________________________________
From: James Knott <[email protected]>
To: LibreOffice <[email protected]>
Sent: Sunday, 13 January 2013, 13:35
Subject: Re: [libreoffice-users] Embedded Java
Jay Lozier wrote:
Yes, all OS's are affected because Java is cross platform. I am not sure if any
of the previous version are affected or if only the current release is affected.
The primary concern is Java applets run by your browser. The vulnerability
allows a zero-day browser exploit that as yet is not patched by Oracle. The
primary concerns I have heard of are installation of keyloggers and
installation of ransomware. I would assume the malware will use the JVM to run
and would be cross platform. AFAIK, Oracle has not yet announced when a patch
will be available.
As I mentioned in another note, I'm running OpenJDK, not Oracle Java. So the
question becomes is it a problem in general with Java or just Oracle's.
-- For unsubscribe instructions e-mail to: [email protected]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
--
Jay Lozier
[email protected]
--
For unsubscribe instructions e-mail to: [email protected]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
