JRE 7 - Does it mend JRE 6 problem?

Discussion in 'other security issues & news' started by joeyg, Jul 20, 2011.

Thread Status:
Not open for further replies.
  1. joeyg

    joeyg Registered Member

    Joined:
    Jul 20, 2011
    Posts:
    3
    Last edited: Jul 21, 2011
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  3. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    I saw that thread but, apparently, the various CPU fixes have little, actually nothing, to do with the current release version of Java. As a result, I'd say the question posed by the OP still stands (and considering Java HotSpot technology is still supported and there is no mention whatsoever of an issue, or a fix, anywhere on the beta pages I read, I would think the question would probably be answered in the negative).
     
    Last edited: Jul 20, 2011
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    I've also wondered if the updated JRE 7 was going to be more secure than JRE 6. If not, it will never touch my machine. I got rid of 6 months ago and haven't missed it.
     
  5. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    I sure hope so! I was able to locate the following, which relates to the previous build (b146) of JRE 7. However, I'm not at all certain whether or not the change(s) relate to the issue identified by Secunia (maybe someone else can shed some light on that).

    Build b146 changes: http://download.java.net/jdk7/changes/jdk7-b146.html

    (note "Hotspot: securely/restrictive load dlls and new API for loading system dlls")
     
  6. joeyg

    joeyg Registered Member

    Joined:
    Jul 20, 2011
    Posts:
    3
    With all due respect to the moderator, I don't see the relevance of the thread for which the link was given to my question. As the comments have indicated, the issue appears to remain open.
     
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    If the link I provided is of no help, accept my apologies and disregard.

    Thank you.

     
  8. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    No problem, siljaline. Actually, I was hoping you would be able to provide some insight into this issue.

    If you read the article at http://blog.acrossecurity.com/2011/07/binary-planting-goes-any-file-type.html you'll notice a link to download a package to test the exploitation of the "bug".

    I have JRE 7 (b147) installed on one of my machines, downloaded the package, and ran the test. It sure appeared to me that the (potential) exploit is alive and well, even in the new version. Of course, users need to grant permission for it to run - script blocking extensions, such as NoScript, prevent it from running in browsers like Firefox, I had to specifically allow access in IE, and clicking on the html file did nothing when I set Chrome as my default browser.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    What about Firefox or Java programs? Do you need to grant permissions on those?
     
  10. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Well, I'm running Aurora at the moment, FWIW. Regardless, when I disabled NoScript and did the test, "malicious.exe" was indeed launched (I actually found the file in my Windows Prefetch folder). At any rate, there was no opportunity to grant (or deny) permission; it simply launched after clicking the test html file.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Wow, better be fixed by the time that JRE 7 is released. Does this only affect web browsers and html files?
     
  12. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Yep, we can always hope but no way I'm going to be overly optimistic in that regard.

    According to the article, it goes beyond browsers but in the article it was noted:
     
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    That's good, because my browser is secured by far the most.
     