Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out

From:
Arne Vajhøj <arne@vajhoej.dk>
Newsgroups:
comp.lang.java.programmer
Date:
Fri, 31 Aug 2012 15:38:12 -0400
Message-ID:
<504112a7$0$283$14726298@news.sunsite.dk>
On 8/31/2012 2:29 AM, markspace wrote:
 > On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
 >>
 >> Without pointing you to the source code of the exploit, which is widely
 >> available this time, when reading the code it becomes trivially clear to
 >> anyone that it allows the attacker to execute _any_ code on the target
 >> machine. It evades the normal java sandbox completely.
 >
 >
 > But only for Java 7. Java 6 is fine.
 >
 > I'm really appreciating Firefox right now. Earlier this year Firefox
 > forced me to do an upgrade of itself, then it invalidated my Java
 > plug-in and forced a re-installation of that as well. Yes, OK, whatever
 > Firefox; I didn't think too much about it afterwards even though it
 > annoyed me at the time.
 >
 > Now I just double-checked and realized that I've had the 1.6 version of
 > the plug-in this whole time, even though I know I've had Java 7 since it
 > first came out. Bravo for Firefox keeping the secure version instead of
 > using the latest version.

Note that Oracle fixed 4 problems.

3 that affected only Java 7.

1 that affected both Java 6 and 7.

So the presumed security of using Java 6 was nonexistent.

Arne
