Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out
On 8/30/2012 10:16 PM, Roedy Green wrote:
> On Thu, 30 Aug 2012 17:45:42 -0700, markspace <-@.> wrote, quoted or
> indirectly quoted someone who said :
>> There was an article on Slate about Java recently. Does this fix
>> address the issues it mentions?
>> <http://www.slate.com/blogs/future_tense/2012/08/29/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html>
>
> The tone of the article made me suspicious. The author seems all too
> eager to tell people to uninstall Java without explaining why.

The technical problem is known in detail.

GIYF

And until Oracle got the fix out then not using Java was a
viable recommendation.

> Oracle say that 1.7.0_07 fixes
> http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
> But they are unusually vague about what the security vulnerability is,
> ostensibly to avoid giving hints to exploiters.

Apparently Google is not your friend.

> It sounds like it
> applies only to unsigned applets on malicious websites.

That is correct.

But surfing the web on not that well known web sites is done
by a billion people every day (or something in that magnitude).

> It is probably
> 1000 times easier for a malicious website to use JavaScript than this
> exploit.

Given that you have not bothered finding out what the problem is
then your wild guesses about the risk are not credible in any way.

Arne