OmegaT on LinuxMint - is Java Zero Day vulnerability a concern?
Thread poster: Ronja Addams-Moring

Ronja Addams-Moring  Identity Verified
Finland
Local time: 11:11
Finnish to Swedish
+ ...
Aug 28, 2012

I use locally installed OmegaT on a LinuxMint 13 laptop. OmegaT requires Java, and for about the last 48 hours various usually reliably sources have been spreading the message "Uninstall Java - dangerous security vulnerability!" (see link list at the end)

However, when reading the news more carefully, it appears that the malware that exploits this vulnerability AT LEAST THUS FAR has:

a) only been able to exploit Java 7 (not e.g. Java 6)
b) only? been able to exploit Oracle's Java 7 (not OpenJRE - ?)
c) only targeted web browsers with Java enabled, and none of my web browser settings allow Java
d) only? attempted to install Windows rootkits/viruses, which naturally would not harm Linux systems

However, as the vulnerability is in (Oracle's ?) Java 7 itself, both Windows, Mac OS/X and Linux systems are vulnerable, and at least on Ubuntu the vulnerability has been tested to be exploitable.

Does anyone here know any deeper details about this particular Zero Day vulnerability and whether anyone has reported that it would be able to infect a system through any other means than through a browser (clicking on a contaminated link while having Java 7 enabled)? Also, how certain is the information that this bug only exists in Oracle's Java, and not in OpenJRE?


Further information:

A fairly good summary, with lots of links: http://www.zdnet.com/java-zero-day-vulnerability-actively-used-in-targeted-attacks-7000003233/

Fairly understandable, longer blog post: http://www.informationweek.com/security/attacks/java-zero-day-attack-could-hit-enterpris/240006341

The most technically thorough description of this bug I have found thus far: http://erratasec.blogspot.co.uk/2012/08/new-java-0day.html


Direct link Reply with quote
 

Didier Briel  Identity Verified
France
Local time: 10:11
Member (2007)
English to French
+ ...
Unlikely Aug 28, 2012

Ronja Addams-Moring wrote:
I use locally installed OmegaT on a LinuxMint 13 laptop. OmegaT requires Java, and for about the last 48 hours various usually reliably sources have been spreading the message "Uninstall Java - dangerous security vulnerability!" (see link list at the end)

However, when reading the news more carefully, it appears that the malware that exploits this vulnerability AT LEAST THUS FAR has:

a) only been able to exploit Java 7 (not e.g. Java 6)

The embedded Java provided with OmegaT is Java 1.6.

You can disable your system-wide Java, and still use OmegaT.


b) only? been able to exploit Oracle's Java 7 (not OpenJRE - ?)
c) only targeted web browsers with Java enabled, and none of my web browser settings allow Java
d) only? attempted to install Windows rootkits/viruses, which naturally would not harm Linux systems

However, as the vulnerability is in (Oracle's ?) Java 7 itself, both Windows, Mac OS/X and Linux systems are vulnerable, and at least on Ubuntu the vulnerability has been tested to be exploitable.

Does anyone here know any deeper details about this particular Zero Day vulnerability and whether anyone has reported that it would be able to infect a system through any other means than through a browser (clicking on a contaminated link while having Java 7 enabled)?

To get Java compromised through OmegaT, OmegaT would have to connect to a corrupted server. The only way I can think it could happen is if the user would voluntarily enter the URL in Options > Spell Checking. And even then, I don't think it would work, since OmegaT wouldn't download any .jar from that location.

Didier


Direct link Reply with quote
 


There is no moderator assigned specifically to this forum.
To report site rules violations or get help, please contact site staff »


OmegaT on LinuxMint - is Java Zero Day vulnerability a concern?

Advanced search






memoQ translator pro
Kilgray's memoQ is the world's fastest developing integrated localization & translation environment rendering you more productive and efficient.

With our advanced file filters, unlimited language and advanced file support, memoQ translator pro has been designed for translators and reviewers who work on their own, with other translators or in team-based translation projects.

More info »
Déjà Vu X3
Try it, Love it

Find out why Déjà Vu is today the most flexible, customizable and user-friendly tool on the market. See the brand new features in action: *Completely redesigned user interface *Live Preview *Inline spell checking *Inline

More info »



Forums
  • All of ProZ.com
  • Term search
  • Jobs
  • Forums
  • Multiple search