Embedded Java

classic Classic list List threaded Threaded
24 messages Options
Next » 12
George R. Crossman George R. Crossman
Reply | Threaded
Open this post in threaded view
|

Embedded Java

I'm seeing warnings saying that one should disable embedded Java to
avoid hacking. Does this apply to linux users? If so, what is the procedure?

George Crossman

--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Jay Lozier Jay Lozier
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

On 01/12/2013 10:42 PM, George R. Crossman wrote:
> I'm seeing warnings saying that one should disable embedded Java to
> avoid hacking. Does this apply to linux users? If so, what is the
> procedure?
>
> George Crossman
>
George,

Yes, all OS's are affected because Java is cross platform. I am not sure
if any of the previous version are affected or if only the current
release is affected.

The primary concern is Java applets run by your browser. The
vulnerability allows a zero-day browser exploit that as yet is not
patched by Oracle. The primary concerns I have heard of are installation
of keyloggers and installation of ransomware. I would assume the malware
will use the JVM to run and would be cross platform. AFAIK, Oracle has
not yet announced when a patch will be available.

It is highly recommended that Java be disabled in your browser(s)
regardless of the version. Note JavaScript is not affected, it is
entirely different than Java. Currently this warning does not cover
non-browser applications that use the JVM.

--
Jay Lozier
[hidden email]


--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Dan Lewis Dan Lewis
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

On 01/13/2013 03:28 AM, Jay Lozier wrote:

> On 01/12/2013 10:42 PM, George R. Crossman wrote:
>> I'm seeing warnings saying that one should disable embedded Java to
>> avoid hacking. Does this apply to linux users? If so, what is the
>> procedure?
>>
>> George Crossman
>>
> George,
>
> Yes, all OS's are affected because Java is cross platform. I am not
> sure if any of the previous version are affected or if only the
> current release is affected.
>
> The primary concern is Java applets run by your browser. The
> vulnerability allows a zero-day browser exploit that as yet is not
> patched by Oracle. The primary concerns I have heard of are
> installation of keyloggers and installation of ransomware. I would
> assume the malware will use the JVM to run and would be cross
> platform. AFAIK, Oracle has not yet announced when a patch will be
> available.
>
> It is highly recommended that Java be disabled in your browser(s)
> regardless of the version. Note JavaScript is not affected, it is
> entirely different than Java. Currently this warning does not cover
> non-browser applications that use the JVM.
          If you use Firefox and update your operating system regularly,
Firefox should have already disabled the  JVM add-on. Check Tools ->
Add-ons for it if you use Firefox. Also check the Help section for
specific information about how to disable Java in your browser.

--Dan

--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Tom Tom
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

Hi :)
It's not so much the exploits, attackers and vulnerability to malware that worry me (especially on a unix-based platform such as a Gnu&Linux or Mac).  Mostly the problem is that it creates problems and just seems to fall over or go wonky on it's own without any help from outsiders.  I'm sure it wasn't this bad a few years ago. 

Luckily the devs have been doing 2 things along with everything else they do; 
 *  removing dependence on java
 *  removing old comments that don't make much sense any more
Unfortunately most of the Accessibility stuff is still almost totally dependant on Java although i think a couple of people are working on that. 

I think many of the Extensions have also removed dependence on java and most of the wizards have been done (apparently) (although i hope that when they get to the Base wizards  they consider just removing entire wizards to save time) 
Regards from
Tom :) 





>________________________________
> From: Dan Lewis <[hidden email]>
>To: [hidden email]
>Sent: Sunday, 13 January 2013, 11:35
>Subject: Re: [libreoffice-users] Embedded Java
>
>On 01/13/2013 03:28 AM, Jay Lozier wrote:
>> On 01/12/2013 10:42 PM, George R. Crossman wrote:
>>> I'm seeing warnings saying that one should disable embedded Java to avoid hacking. Does this apply to linux users? If so, what is the procedure?
>>>
>>> George Crossman
>>>
>> George,
>>
>> Yes, all OS's are affected because Java is cross platform. I am not sure if any of the previous version are affected or if only the current release is affected.
>>
>> The primary concern is Java applets run by your browser. The vulnerability allows a zero-day browser exploit that as yet is not patched by Oracle. The primary concerns I have heard of are installation of keyloggers and installation of ransomware. I would assume the malware will use the JVM to run and would be cross platform. AFAIK, Oracle has not yet announced when a patch will be available.
>>
>> It is highly recommended that Java be disabled in your browser(s) regardless of the version. Note JavaScript is not affected, it is entirely different than Java. Currently this warning does not cover non-browser applications that use the JVM.
>         If you use Firefox and update your operating system regularly, Firefox should have already disabled the  JVM add-on. Check Tools -> Add-ons for it if you use Firefox. Also check the Help section for specific information about how to disable Java in your browser.
>
>--Dan
>
>-- For unsubscribe instructions e-mail to: [hidden email]
>Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>List archive: http://listarchives.libreoffice.org/global/users/
>All messages sent to this list will be publicly archived and cannot be deleted
>
>
>
>
--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

James Knott James Knott
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by George R. Crossman
George R. Crossman wrote:
> I'm seeing warnings saying that one should disable embedded Java to
> avoid hacking. Does this apply to linux users? If so, what is the
> procedure?

I wondered about that too.  It might be an issue with the Oracle Java,
but I'm using OpenJDK.

--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Tom Tom
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

Hi :)
OpenJDK is also owned by Oracle.  (it shocked me when i found that out too! lol)

It tends to be a lot less likely to run into problems because the strong community involved seems to take the edge off it a lot but ultimately it is still owned by Oracle.  Many such community run but owned projects have broken free of Oracle over the past couple of years but if OpenJdk did that then they would have problems maintaining their position of being a drop-in replacement for the proprietary version.
Regards from
Tom :) 





>________________________________
> From: James Knott <[hidden email]>
>To: LibreOffice <[hidden email]>
>Sent: Sunday, 13 January 2013, 13:07
>Subject: Re: [libreoffice-users] Embedded Java
>
>George R. Crossman wrote:
>> I'm seeing warnings saying that one should disable embedded Java to avoid hacking. Does this apply to linux users? If so, what is the procedure?
>
>I wondered about that too.  It might be an issue with the Oracle Java, but I'm using OpenJDK.
>
>-- For unsubscribe instructions e-mail to: [hidden email]
>Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>List archive: http://listarchives.libreoffice.org/global/users/
>All messages sent to this list will be publicly archived and cannot be deleted
>
>
>
>
--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

James Knott James Knott
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by Jay Lozier
Jay Lozier wrote:

> Yes, all OS's are affected because Java is cross platform. I am not
> sure if any of the previous version are affected or if only the
> current release is affected.
>
> The primary concern is Java applets run by your browser. The
> vulnerability allows a zero-day browser exploit that as yet is not
> patched by Oracle. The primary concerns I have heard of are
> installation of keyloggers and installation of ransomware. I would
> assume the malware will use the JVM to run and would be cross
> platform. AFAIK, Oracle has not yet announced when a patch will be
> available.

As I mentioned in another note, I'm running OpenJDK, not Oracle Java.  
So the question becomes is it a problem in general with Java or just
Oracle's.


--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Tom Tom
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

Hi :)
I think it's less of a problem on any unix-based platform even using Oracle's main versions.  Mac had a problem with 2 old versions but generally the main problems are on Windows because it's much easier for a remote attacker to escalate their privileges.  In Mac but even more so in Gnu&Linux it's quite normal to run things as a normal user without Superuser privileges.  The whole Windows culture is for users to set their normal/only user as SuperUser otherwise stuff just doesn't work. 

Notice that Oracle's main version of java keeps getting upgraded.  Typically at least 1/month.  It's always about security and they always advise people to upgrade to their newest version because of security problems with their older one (last month's).  Then the month later they say there was a problem with the one they said was safe last month.  The 1st 4 or 5 versions in their newer branch weren't even released apparently because they got compromised even before they got released. 

OpenJdk doesn't seem to be so perpetually troubled.  Personally i think that's due to the community taking notice of their bug-reports and being more careful about their coding.  "More eyes on the code" surely helps 'obvious' troublesome areas. 

Regards from
Tom :) 





>________________________________
> From: James Knott <[hidden email]>
>To: LibreOffice <[hidden email]>
>Sent: Sunday, 13 January 2013, 13:35
>Subject: Re: [libreoffice-users] Embedded Java
>
>Jay Lozier wrote:
>> Yes, all OS's are affected because Java is cross platform. I am not sure if any of the previous version are affected or if only the current release is affected.
>>
>> The primary concern is Java applets run by your browser. The vulnerability allows a zero-day browser exploit that as yet is not patched by Oracle. The primary concerns I have heard of are installation of keyloggers and installation of ransomware. I would assume the malware will use the JVM to run and would be cross platform. AFAIK, Oracle has not yet announced when a patch will be available.
>
>As I mentioned in another note, I'm running OpenJDK, not Oracle Java.  So the question becomes is it a problem in general with Java or just Oracle's.
>
>
>-- For unsubscribe instructions e-mail to: [hidden email]
>Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>List archive: http://listarchives.libreoffice.org/global/users/
>All messages sent to this list will be publicly archived and cannot be deleted
>
>
>
>
--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

James Knott James Knott
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by Tom
Tom Davies wrote:
> OpenJDK is also owned by Oracle.  (it shocked me when i found that out too! lol)
>
> It tends to be a lot less likely to run into problems because the strong community involved seems to take the edge off it a lot but ultimately it is still owned by Oracle.  Many such community run but owned projects have broken free of Oracle over the past couple of years but if OpenJdk did that then they would have problems maintaining their position of being a drop-in replacement for the proprietary version.

Is it owned by Oracle?  Or do they just contribute to it?  Other
companies, such as IBM and Apple also contribute.  Also, from what I've
been reading, this is a problem with using Java with browsers. Linux
uses something called "IcedTea" to replace Oracle components that are
not open source.  Might the difference in their avoid the problem?  
Also, as for a drop in replacement, it only has to function as the
original, that is same APIs etc.  It does not mean the same source
code.  So, if the problem is with the way Oracle's version was
implemented, that may mean other versions do not have the same problem.

<https://en.wikipedia.org/wiki/Openjdk>

--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Jay Lozier Jay Lozier
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by James Knott
On 01/13/2013 08:35 AM, James Knott wrote:

> Jay Lozier wrote:
>> Yes, all OS's are affected because Java is cross platform. I am not
>> sure if any of the previous version are affected or if only the
>> current release is affected.
>>
>> The primary concern is Java applets run by your browser. The
>> vulnerability allows a zero-day browser exploit that as yet is not
>> patched by Oracle. The primary concerns I have heard of are
>> installation of keyloggers and installation of ransomware. I would
>> assume the malware will use the JVM to run and would be cross
>> platform. AFAIK, Oracle has not yet announced when a patch will be
>> available.
>
> As I mentioned in another note, I'm running OpenJDK, not Oracle Java.  
> So the question becomes is it a problem in general with Java or just
> Oracle's.
>
>
The warnings were specific to Oracle's implementation not any other
version. I do not know if this a simplification by the writers/editors
or if only Oracle's implementation is affected. Being cautious, I would
assume if an implementation is not specifically cleared I assume it is
also vulnerable. Apparently this vulnerability can lead to some very
nasty malware exploiting the system.

To be safe I would disable Java (not JavaScript) in all web browsers
until patches are issued. From what I understand disabling Java will
have a minimal impact for most users on the Web.

--
Jay Lozier
[hidden email]


--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Jay Lozier Jay Lozier
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by Tom
On 01/13/2013 08:57 AM, Tom Davies wrote:

> Hi :)
> I think it's less of a problem on any unix-based platform even using Oracle's main versions.  Mac had a problem with 2 old versions but generally the main problems are on Windows because it's much easier for a remote attacker to escalate their privileges.  In Mac but even more so in Gnu&Linux it's quite normal to run things as a normal user without Superuser privileges.  The whole Windows culture is for users to set their normal/only user as SuperUser otherwise stuff just doesn't work.
>
> Notice that Oracle's main version of java keeps getting upgraded.  Typically at least 1/month.  It's always about security and they always advise people to upgrade to their newest version because of security problems with their older one (last month's).  Then the month later they say there was a problem with the one they said was safe last month.  The 1st 4 or 5 versions in their newer branch weren't even released apparently because they got compromised even before they got released.
>
> OpenJdk doesn't seem to be so perpetually troubled.  Personally i think that's due to the community taking notice of their bug-reports and being more careful about their coding.  "More eyes on the code" surely helps 'obvious' troublesome areas.
>
> Regards from
> Tom :)
>
I do not know if any other implementations are vulnerable. The reports
have been silent on that point so I would assume they are to be safe.

This appears to be OS independent and requires the Java applet plugin to
be enabled to work. I understand the exploits are written in Java so
they should run on any OS .

>
>
>> ________________________________
>> From: James Knott <[hidden email]>
>> To: LibreOffice <[hidden email]>
>> Sent: Sunday, 13 January 2013, 13:35
>> Subject: Re: [libreoffice-users] Embedded Java
>>
>> Jay Lozier wrote:
>>> Yes, all OS's are affected because Java is cross platform. I am not sure if any of the previous version are affected or if only the current release is affected.
>>>
>>> The primary concern is Java applets run by your browser. The vulnerability allows a zero-day browser exploit that as yet is not patched by Oracle. The primary concerns I have heard of are installation of keyloggers and installation of ransomware. I would assume the malware will use the JVM to run and would be cross platform. AFAIK, Oracle has not yet announced when a patch will be available.
>> As I mentioned in another note, I'm running OpenJDK, not Oracle Java.  So the question becomes is it a problem in general with Java or just Oracle's.
>>
>>
>> -- For unsubscribe instructions e-mail to: [hidden email]
>> Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>> Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>> List archive: http://listarchives.libreoffice.org/global/users/
>> All messages sent to this list will be publicly archived and cannot be deleted
>>
>>
>>
>>


--
Jay Lozier
[hidden email]


--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

steveedmonds steveedmonds
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java


On 14/01/13 6:59 AM, Jay Lozier wrote:

> On 01/13/2013 08:57 AM, Tom Davies wrote:
>> Hi :)
>> I think it's less of a problem on any unix-based platform even using
>> Oracle's main versions.  Mac had a problem with 2 old versions but
>> generally the main problems are on Windows because it's much easier
>> for a remote attacker to escalate their privileges.  In Mac but even
>> more so in Gnu&Linux it's quite normal to run things as a normal user
>> without Superuser privileges.  The whole Windows culture is for users
>> to set their normal/only user as SuperUser otherwise stuff just
>> doesn't work.
>>
>> Notice that Oracle's main version of java keeps getting upgraded.  
>> Typically at least 1/month.  It's always about security and they
>> always advise people to upgrade to their newest version because of
>> security problems with their older one (last month's).  Then the
>> month later they say there was a problem with the one they said was
>> safe last month.  The 1st 4 or 5 versions in their newer branch
>> weren't even released apparently because they got compromised even
>> before they got released.
>>
>> OpenJdk doesn't seem to be so perpetually troubled.  Personally i
>> think that's due to the community taking notice of their bug-reports
>> and being more careful about their coding.  "More eyes on the code"
>> surely helps 'obvious' troublesome areas.
>>
>> Regards from
>> Tom :)
>>
> I do not know if any other implementations are vulnerable. The reports
> have been silent on that point so I would assume they are to be safe.
>
> This appears to be OS independent and requires the Java applet plugin
> to be enabled to work. I understand the exploits are written in Java
> so they should run on any OS .
>>
>>
>>> ________________________________
>>> From: James Knott <[hidden email]>
>>> To: LibreOffice <[hidden email]>
>>> Sent: Sunday, 13 January 2013, 13:35
>>> Subject: Re: [libreoffice-users] Embedded Java
>>>
>>> Jay Lozier wrote:
>>>> Yes, all OS's are affected because Java is cross platform. I am not
>>>> sure if any of the previous version are affected or if only the
>>>> current release is affected.
>>>>
>>>> The primary concern is Java applets run by your browser. The
>>>> vulnerability allows a zero-day browser exploit that as yet is not
>>>> patched by Oracle. The primary concerns I have heard of are
>>>> installation of keyloggers and installation of ransomware. I would
>>>> assume the malware will use the JVM to run and would be cross
>>>> platform. AFAIK, Oracle has not yet announced when a patch will be
>>>> available.
>>> As I mentioned in another note, I'm running OpenJDK, not Oracle
>>> Java.  So the question becomes is it a problem in general with Java
>>> or just Oracle's.
>>>
>>>
>>> -- For unsubscribe instructions e-mail to:
>>> [hidden email]
>>> Problems?
>>> http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>>> Posting guidelines + more:
>>> http://wiki.documentfoundation.org/Netiquette
>>> List archive: http://listarchives.libreoffice.org/global/users/
>>> All messages sent to this list will be publicly archived and cannot
>>> be deleted
>>>
I see statements in reports that this only affects Java 7. So hopefully
other variants are ok.
Steve


--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

steveedmonds steveedmonds
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by Jay Lozier

On 14/01/13 6:59 AM, Jay Lozier wrote:

> On 01/13/2013 08:57 AM, Tom Davies wrote:
>> Hi :)
>> I think it's less of a problem on any unix-based platform even using
>> Oracle's main versions.  Mac had a problem with 2 old versions but
>> generally the main problems are on Windows because it's much easier
>> for a remote attacker to escalate their privileges.  In Mac but even
>> more so in Gnu&Linux it's quite normal to run things as a normal user
>> without Superuser privileges.  The whole Windows culture is for users
>> to set their normal/only user as SuperUser otherwise stuff just
>> doesn't work.
>>
>> Notice that Oracle's main version of java keeps getting upgraded.  
>> Typically at least 1/month.  It's always about security and they
>> always advise people to upgrade to their newest version because of
>> security problems with their older one (last month's).  Then the
>> month later they say there was a problem with the one they said was
>> safe last month.  The 1st 4 or 5 versions in their newer branch
>> weren't even released apparently because they got compromised even
>> before they got released.
>>
>> OpenJdk doesn't seem to be so perpetually troubled.  Personally i
>> think that's due to the community taking notice of their bug-reports
>> and being more careful about their coding.  "More eyes on the code"
>> surely helps 'obvious' troublesome areas.
>>
>> Regards from
>> Tom :)
>>
> I do not know if any other implementations are vulnerable. The reports
> have been silent on that point so I would assume they are to be safe.
>
> This appears to be OS independent and requires the Java applet plugin
> to be enabled to work. I understand the exploits are written in Java
> so they should run on any OS .
>>
>>
>>> ________________________________
>>> From: James Knott <[hidden email]>
>>> To: LibreOffice <[hidden email]>
>>> Sent: Sunday, 13 January 2013, 13:35
>>> Subject: Re: [libreoffice-users] Embedded Java
>>>
>>> Jay Lozier wrote:
>>>> Yes, all OS's are affected because Java is cross platform. I am not
>>>> sure if any of the previous version are affected or if only the
>>>> current release is affected.
>>>>
>>>> The primary concern is Java applets run by your browser. The
>>>> vulnerability allows a zero-day browser exploit that as yet is not
>>>> patched by Oracle. The primary concerns I have heard of are
>>>> installation of keyloggers and installation of ransomware. I would
>>>> assume the malware will use the JVM to run and would be cross
>>>> platform. AFAIK, Oracle has not yet announced when a patch will be
>>>> available.
>>> As I mentioned in another note, I'm running OpenJDK, not Oracle
>>> Java.  So the question becomes is it a problem in general with Java
>>> or just Oracle's.
>>>
>>>
>>> -- For unsubscribe instructions e-mail to:
>>> [hidden email]
>>> Problems?
>>> http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>>> Posting guidelines + more:
>>> http://wiki.documentfoundation.org/Netiquette
>>> List archive: http://listarchives.libreoffice.org/global/users/
>>> All messages sent to this list will be publicly archived and cannot
>>> be deleted
>>>
But now I just see warnings about any version from 1.4??
But the temporary solution seems only to require disabling Java applets
in the browser.
steve


--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

NoOp NoOp
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by George R. Crossman
On 01/12/2013 07:42 PM, George R. Crossman wrote:
> I'm seeing warnings saying that one should disable embedded Java to
> avoid hacking. Does this apply to linux users? If so, what is the procedure?

Yes. If you are using your distributions version of Oracle Java 7, then
they will (eventually) issue a security update. If you have installed on
your own, Java7u11 is now available:

<https://www.java.com/en/download/manual.jsp>

<http://www.oracle.com/technetwork/java/javase/downloads/index.html>
<http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html>





--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
Paul Schwartz Paul Schwartz
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

Does this update fix the Java plugin for Firefox?





>________________________________
> From: NoOp <[hidden email]>
>To: [hidden email]
>Sent: Sunday, January 13, 2013 7:48 PM
>Subject: [libreoffice-users] Re: Embedded Java
>
>On 01/12/2013 07:42 PM, George R. Crossman wrote:
>> I'm seeing warnings saying that one should disable embedded Java to
>> avoid hacking. Does this apply to linux users? If so, what is the procedure?
>
>Yes. If you are using your distributions version of Oracle Java 7, then
>they will (eventually) issue a security update. If you have installed on
>your own, Java7u11 is now available:
>
><https://www.java.com/en/download/manual.jsp>
>
><http://www.oracle.com/technetwork/java/javase/downloads/index.html>
><http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html>
>
>
>
>
>
>--
>For unsubscribe instructions e-mail to: [hidden email]
>Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>List archive: http://listarchives.libreoffice.org/global/users/
>All messages sent to this list will be publicly archived and cannot be deleted
>
>
>
--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

NoOp NoOp
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

On 01/13/2013 07:44 PM, Paul Schwartz wrote:
> Does this update fix the Java plugin for Firefox?

Don't know. Ask them:
https://support.mozilla.org/en-US/kb/get-community-support
...
>>
>>Yes. If you are using your distributions version of Oracle Java 7, then
>>they will (eventually) issue a security update. If you have installed on
>>your own, Java7u11 is now available:
>>
>><https://www.java.com/en/download/manual.jsp>
>>
>><http://www.oracle.com/technetwork/java/javase/downloads/index.html>
>><http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html>



--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
Dan Lewis Dan Lewis
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by Paul Schwartz
On 01/13/2013 10:44 PM, Paul Schwartz wrote:
> Does this update fix the Java plugin for Firefox?
       No it does not. A recent update for Firefox disabled the Java
plugin as explained in the Firefox Help. I suggest you read what Firefox
Help has to say about the Java plugin.

--Dan

>
>> ________________________________
>> From: NoOp <[hidden email]>
>> To: [hidden email]
>> Sent: Sunday, January 13, 2013 7:48 PM
>> Subject: [libreoffice-users] Re: Embedded Java
>>
>> On 01/12/2013 07:42 PM, George R. Crossman wrote:
>>> I'm seeing warnings saying that one should disable embedded Java to
>>> avoid hacking. Does this apply to linux users? If so, what is the procedure?
>> Yes. If you are using your distributions version of Oracle Java 7, then
>> they will (eventually) issue a security update. If you have installed on
>> your own, Java7u11 is now available:
>>
>> <https://www.java.com/en/download/manual.jsp>
>>
>> <http://www.oracle.com/technetwork/java/javase/downloads/index.html>
>> <http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html>
>>
>>
>>
>>
>>
>> --
>> For unsubscribe instructions e-mail to: [hidden email]
>> Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>> Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>> List archive: http://listarchives.libreoffice.org/global/users/
>> All messages sent to this list will be publicly archived and cannot be deleted
>>
>>
>>


--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

rosttyo rosttyo
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by NoOp
Avira Internet Security implemented today a counternmeasure to the Java 7 problem and also showed a
special notice on this topic. They state that AVIRA users are safe now. . (XP/SP3)



On 2013-01-14 12:57, NoOp wrote:

> On 01/13/2013 07:44 PM, Paul Schwartz wrote:
>> Does this update fix the Java plugin for Firefox?
> Don't know. Ask them:
> https://support.mozilla.org/en-US/kb/get-community-support
> ...
>>> Yes. If you are using your distributions version of Oracle Java 7, then
>>> they will (eventually) issue a security update. If you have installed on
>>> your own, Java7u11 is now available:
>>>
>>> <https://www.java.com/en/download/manual.jsp>
>>>
>>> <http://www.oracle.com/technetwork/java/javase/downloads/index.html>
>>> <http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html>
>
>


--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
Tom Tom
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

Hi :)
So far it seems that anything that claims to have fixed java security issues is only a temporary patch and gets compromised quite quickly or fails to address other problems with java.  Also what people typically think of as security issues are not the only problems with java. 
Regards from
Tom :) 





>________________________________
> From: rost52 <[hidden email]>
>To: [hidden email]
>Sent: Monday, 14 January 2013, 8:15
>Subject: Re: [libreoffice-users] Re: Embedded Java
>
>Avira Internet Security implemented today a counternmeasure to the Java 7 problem and also showed a
>special notice on this topic. They state that AVIRA users are safe now. . (XP/SP3)
>
>
>
>On 2013-01-14 12:57, NoOp wrote:
>> On 01/13/2013 07:44 PM, Paul Schwartz wrote:
>>> Does this update fix the Java plugin for Firefox?
>> Don't know. Ask them:
>> https://support.mozilla.org/en-US/kb/get-community-support
>> ...
>>>> Yes. If you are using your distributions version of Oracle Java 7, then
>>>> they will (eventually) issue a security update. If you have installed on
>>>> your own, Java7u11 is now available:
>>>>
>>>> <https://www.java.com/en/download/manual.jsp>
>>>>
>>>> <http://www.oracle.com/technetwork/java/javase/downloads/index.html>
>>>> <http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html>
>>
>>
>
>
>--
>For unsubscribe instructions e-mail to: [hidden email]
>Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>List archive: http://listarchives.libreoffice.org/global/users/
>All messages sent to this list will be publicly archived and cannot be deleted
>
>
>
--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Tom Tom
Reply | Threaded
Open this post in threaded view
|

Re: Embedded Java

In reply to this post by rosttyo
Hi :)
Oracle have just released 7u11 apparently because, yet again, their latest version has been compromised already
http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/?s_cid=e539
I think i am just going to switch off java for everything, not just for LibreOffice and the web-browsers
Regards from
Tom :) 






>________________________________
> From: rost52 <[hidden email]>
>To: [hidden email]
>Sent: Monday, 14 January 2013, 8:15
>Subject: Re: [libreoffice-users] Re: Embedded Java
>
>Avira Internet Security implemented today a counternmeasure to the Java 7 problem and also showed a
>special notice on this topic. They state that AVIRA users are safe now. . (XP/SP3)
>
>
>
>On 2013-01-14 12:57, NoOp wrote:
>> On 01/13/2013 07:44 PM, Paul Schwartz wrote:
>>> Does this update fix the Java plugin for Firefox?
>> Don't know. Ask them:
>> https://support.mozilla.org/en-US/kb/get-community-support
>> ...
>>>> Yes. If you are using your distributions version of Oracle Java 7, then
>>>> they will (eventually) issue a security update. If you have installed on
>>>> your own, Java7u11 is now available:
>>>>
>>>> <https://www.java.com/en/download/manual.jsp>
>>>>
>>>> <http://www.oracle.com/technetwork/java/javase/downloads/index.html>
>>>> <http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html>
>>
>>
>
>
>--
>For unsubscribe instructions e-mail to: [hidden email]
>Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>List archive: http://listarchives.libreoffice.org/global/users/
>All messages sent to this list will be publicly archived and cannot be deleted
>
>
>
--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Next » 12