
Author Topic:  java security hole  (Read 9930 times)

Offline michaa7

  • User
  • Posts: 2.298
java security hole
« on: 2012/08/27, 13:14:24 »
In short:
A Java security hole with existing exploits has been found. It is strongly recommended to *deactivate* the Java plugin (IcedTea).

German IT magazine:
http://www.heise.de/newsticker/meldung/Warnung-vor-kritischer-Java-Luecke-1675454.html

English edition:
http://www.h-online.com/security/news/item/Warning-on-critical-Java-hole-1676219.html
Ok, you can't code, but you still might be able to write a bug report for Debian's sake

Offline ralul

  • User
  • Posts: 1.814
java security hole
« Reply #1 on: 2012/08/27, 17:19:13 »
Are there actually any websites that use Java?
I have had the Java plugin disabled for years and haven't noticed anything ...

PS, note: Java and JavaScript are very different things!
experiencing siduction runs better than my gentoo makes me know I know nothing

Offline musca

  • User
  • Posts: 725
  • sid, fly high!
java security hole
« Reply #2 on: 2012/08/27, 23:49:35 »
In the eGovernment sector there are a few Java solutions. The reason is probably platform independence. The applets used make possible, e.g., EID with the nPA or the qualified electronic signature under the Signature Act (Signaturgesetz) with a signature card and a class 3 smart card reader.

http://www.ebuergersafe.de  (use online storage with the nPA)
https://www.seccommerce.de/de/products/secsigner/secsigner-online
http://www.zks-abfall.de  (electronic waste verification procedure)
http://www.egvp.de  (Electronic Court and Administration Mailbox)

ebuergersafe and SecSigner can be used privately.
The eANV of ZKS-Abfall is legally required for companies.
The EGVP is probably more something for lawyers and notaries.

In stark contrast, elsterformular.de offers only a plain EXE file for download.

ralul,
which do you like better now: Java applets or EXE files?
And yes, I deactivate my Java plugin after every use.

greetings
musca
"Man errs as long as he strives."  (Goethe, Faust)

Offline ralul

  • User
  • Posts: 1.814
java security hole
« Reply #3 on: 2012/08/28, 02:15:49 »
Yes, Java of course. And if I need it on a federal agency website, I switch the plugin right back on, even if there are security holes.
I will certainly leave it off on the site
www.gibmirdeinmoney.tuvalu.tv

Musca, thanks for pointing out the use cases!
experiencing siduction runs better than my gentoo makes me know I know nothing

Offline cryptosteve

  • User
  • Posts: 675
java security hole
« Reply #4 on: 2012/08/28, 06:47:08 »
The Elster certificate stuff also needs Java, imho. It's been two years since I requested my certificate, but back then it felt like it took three times as long to get a valid certificate with Linux as it did to fill out and submit the entire tax return.

I don't like Java!
- born to create drama -
CS Virtual Travel Bug: VF6G5D

Offline michaa7

  • User
  • Posts: 2.298
java security hole
« Reply #5 on: 2012/08/31, 23:53:48 »
Does anyone know whether this security hole affects OpenJDK as well?
Ok, you can't code, but you still might be able to write a bug report for Debian's sake

Offline GoinEasy9

  • User
  • Posts: 560
RE: java security hole
« Reply #6 on: 2012/09/01, 04:48:03 »
From what I've read it does affect OpenJDK. I also read that the fix has been made and will be available soon.
Linux Counter number 348347


Offline spacepenguin

  • User
  • Posts: 862
    • spacepenguin.de
RE: java security hole
« Reply #8 on: 2012/09/01, 14:44:22 »
And in Sun Java 6 this security hole will persist?

I'm asking because for the Elsteronline website (not only for generating certificates but also for accessing your account) you need Sun Java 6 when you use Linux. They are so stubborn... they refuse to let Linux users use OpenJDK because "it has errors" and refuse to let them use Oracle Java 7 too, and instead force users to deal with an outdated, buggy Sun version (apart from forcing the user to use Firefox as the only possible browser, whereas Windows users are allowed to also use Chrome).
Susan | Hardware: SysProfile
Music-Profile: http://www.last.fm/de/user/spacepengu

yossarian

  • Guest
RE: java security hole
« Reply #9 on: 2012/09/01, 15:14:33 »
Quote
Some may consider downgrading to Java 6 to avoid the problem but this is unwise for a number of reasons. Firstly, although the vulnerability has been exposed on Java 7, there is always a possibility that a malicious developer will work out how to make use of it on Java 6. Secondly, Java 6 already has numerous security holes which have been closed in Java 7, so switching to it would merely expose users to a range of better known vulnerabilities.

http://www.h-online.com/open/news/item/Java-0Day-Turn-off-Java-applets-now-1678618.html

OpenJDK:
Quote
This 2.3.1 release includes a fix for the zero-day issue that arose this week:

* RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks
removed in 6788531.

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020083.html

Offline spacepenguin

  • User
  • Posts: 862
    • spacepenguin.de
RE: java security hole
« Reply #10 on: 2012/09/01, 19:18:02 »
Thanks yossarian, so it seems Sun Java 6 is at least not affected by *this* security hole...
Susan | Hardware: SysProfile
Music-Profile: http://www.last.fm/de/user/spacepengu

Offline DeepDayze

  • User
  • Posts: 457
Re: RE: java security hole
« Reply #11 on: 2012/09/01, 21:23:37 »
Quote from: "spacepenguin"
Thanks yossarian, so it seems Sun Java 6 is at least not affected by *this* security hole...


You are right, but Java SE 6 has a lot of holes not yet discovered or exploited *yet* and Oracle is no longer updating that version so everyone should move to Java SE 7

Offline GoinEasy9

  • User
  • Posts: 560
RE: Re: RE: java security hole
« Reply #12 on: 2012/09/02, 02:28:45 »
Well, it's nice to see they've created new holes, plugging old ones. It keeps the black hats busy. Seriously, if I had a mission-critical server, I'd be concerned, but, as a user, I don't think my home box is going to be exploited. Besides, once these exploits are made public, they're patched quickly. I think Oracle is sort of the exception. Although, if it's public, and it'll cost them client service problems, or just cost them, they get off of their asses and fix the problem fast.
Linux Counter number 348347

Offline spacepenguin

  • User
  • Posts: 862
    • spacepenguin.de
Re: RE: java security hole
« Reply #13 on: 2012/09/02, 03:45:16 »
Quote from: "DeepDayze"

You are right, but Java SE 6 has a lot of holes not yet discovered or exploited *yet* and Oracle is no longer updating that version so everyone should move to Java SE 7


I'm not happy with that either but need to have it installed for that mentioned website. I also have OpenJDK installed.
Susan | Hardware: SysProfile
Music-Profile: http://www.last.fm/de/user/spacepengu

Offline DeepDayze

  • User
  • Posts: 457
Re: RE: java security hole
« Reply #14 on: 2012/09/02, 04:10:05 »
Quote from: "spacepenguin"
Quote from: "DeepDayze"

You are right, but Java SE 6 has a lot of holes not yet discovered or exploited *yet* and Oracle is no longer updating that version so everyone should move to Java SE 7


I'm not happy with that either but need to have it installed for that mentioned website. I also have OpenJDK installed.


If you still need Java 6 then maybe you should inform the site's admin of the need to upgrade Java