This article already explains it:
"Those who need Java to run applications such as Open Office or Freemind can
still protect themselves by disabling Java in their browser to prevent drive-
by attacks on booby-trapped websites."
Until patch is provided, it might be wise to not open office documents from
uncertain source (that is: all but your own). Most likely it is not needed,
but it won't harm.
AFAIK Java is primarily used by the embedded Base engine and possibly
some extensions. If you use a non-Java database (MySQL, Postgres,
MariaDB, etc) that does not use Java you do not need Java.
The security problems are Java problems and are not OS or app related
and can affect any computer running the unpatched Java version(s). My
understanding is the transmission is likely via rogue or corrupted
websites that use Java rather than via a downloaded Java app.
I do not know if this issue affects the openJRE project.
"All this has happened before and will happen again" (any Battlestar Galactica fans out there?).
Oracle tell us all that their new version of java is ultra safe and really is safe this time and that all their previous versions are horribly flawed and likely to cause widespread plagues and death etc to anyone that continues to use them. Then their new "ultra safe" one is found to also have horrible flaws in it.
As it happens it seems very few people actually seem to suffer or at least we never hear of it. Still we keep advising people to update to the most recent possible version but to try avoiding it completely if they can. For us the 1.6_32 is currently the most usable as the 1.7 has never really worked well with LO.
As time goes on it seems that java is compromised faster and faster. Each new release lasting less and less time until some horror story emerges. Their 1.7 branch was supposed to be their best ever taking the whole thing to a new plateau of rock solid stability and sfaety but the 1st 4 versions got compromised even before release!
Meanwhile the TDF devs working on LO have removed just about all dependancy on java. There are still a few Wizards and Extensions that need it and, of course, the database program (but only if you use the internal embedded back-end) and all the Accessibility stuff.
So, the User List stance is to try to get people to try not using Java at all but if they do need it to use the one that does work with LO - which i don't think has been compromised just yet although that's probably just because it hasn't reached the mainstream media yet because it's considered an 'old' version even though it was released after the latest in the 1.7 branch.
Re: What is the status of Java security vs. LibreOffice?
Even though both openJRE and standard java are both run by Oracle it seems that openJRE tends to be a bit safer. Possibly something to do with running it through a community in a more OpenSource way.
I asked about this to Canonical support. Here is their reply with
regards to Ubuntu:
"OpenJDK 7 is affected too. Please note that in Precise and Oneiric,
openjdk-7 is in universe, so updating it is not a priority [ for
Canonical]. So in the meantime use OpenJDK 6."
Knowing Oracle's strict updates schedule, version 7 won't have updates
before next month, which may then take some time to reach the proper
This echoes the recommendations I've seen here to user version 6 as its
more stable with LibO.
On the NA-DVD site and [media version], I tell the users to use/install
6u34 as the preferred version and 7u06 after the "6u" file is installed,
if the want that series. But I do say the "6u" file name series is the
preferred one to use for Windows. I also tell then to use the
repository version of "JRE/OpenJDK" for Linux users. I use "OpenJDK
6.x" for my Ubuntu systems.
> On 08/30/2012 02:14 PM, Fabian Rodriguez wrote:
>> Hi all
>> I saw this a few days ago, I'd like to know what should I make of it?:
> http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/ >
>> I never install Java when I install LibreOffice, but a few people end up
>> installing it.
> I asked about this to Canonical support. Here is their reply with
> regards to Ubuntu:
> "OpenJDK 7 is affected too. Please note that in Precise and Oneiric,
> openjdk-7 is in universe, so updating it is not a priority [ for
> Canonical]. So in the meantime use OpenJDK 6."
This Security Alert addresses security issues CVE-2012-4681 (US-CERT
Alert TA12-240A and Vulnerability Note VU#636312) and two other
vulnerabilities affecting Java running in web browsers on desktops.
These vulnerabilities are not applicable to Java running on servers or
standalone Java desktop applications. They also do not affect Oracle
Re: [Don't] Re: Java & LibO: use version 6 for now if you must - was: What is the status of Java security?
Really the only way to void potential problems with Java is to NOT use it at all. Sadly that means all our Accessibility stuff would be completely wrecked. A few Wizards, Extensions, embedded Base backends would also be affected but almost all of that has work-arounds that improve the quality of the LO experience anyway. The only thing that has no work-around is Accessibility.
Btw anyone enjoying the paralympics?
On 8/30/2012 2:33 PM, Jay Lozier <[hidden email]> wrote:
> The security problems are Java problems and are not OS or app related
> and can affect any computer running the unpatched Java version(s). My
> understanding is the transmission is likely via rogue or corrupted
> websites that use Java rather than via a downloaded Java app.
Or you can use Firefox+NoScript, and only selectively allow java for