OmegaT on LinuxMint - is Java Zero Day vulnerability a concern?
Thread poster: Ronja Addams-Moring

Ronja Addams-Moring  Identity Verified
Finland
Local time: 19:22
Finnish to Swedish
+ ...
Aug 28, 2012

I use locally installed OmegaT on a LinuxMint 13 laptop. OmegaT requires Java, and for about the last 48 hours various usually reliably sources have been spreading the message "Uninstall Java - dangerous security vulnerability!" (see link list at the end)

However, when reading the news more carefully, it appears that the malware that exploits this vulnerability AT LEAST THUS FAR has:

a) only been able to exploit Java 7 (not e.g. Java 6)
b) only? been able to exploit Oracle's Java 7 (not OpenJRE - ?)
c) only targeted web browsers with Java enabled, and none of my web browser settings allow Java
d) only? attempted to install Windows rootkits/viruses, which naturally would not harm Linux systems

However, as the vulnerability is in (Oracle's ?) Java 7 itself, both Windows, Mac OS/X and Linux systems are vulnerable, and at least on Ubuntu the vulnerability has been tested to be exploitable.

Does anyone here know any deeper details about this particular Zero Day vulnerability and whether anyone has reported that it would be able to infect a system through any other means than through a browser (clicking on a contaminated link while having Java 7 enabled)? Also, how certain is the information that this bug only exists in Oracle's Java, and not in OpenJRE?


Further information:

A fairly good summary, with lots of links: http://www.zdnet.com/java-zero-day-vulnerability-actively-used-in-targeted-attacks-7000003233/

Fairly understandable, longer blog post: http://www.informationweek.com/security/attacks/java-zero-day-attack-could-hit-enterpris/240006341

The most technically thorough description of this bug I have found thus far: http://erratasec.blogspot.co.uk/2012/08/new-java-0day.html


 

Didier Briel  Identity Verified
France
Local time: 18:22
Member (2007)
English to French
+ ...
Unlikely Aug 28, 2012

Ronja Addams-Moring wrote:
I use locally installed OmegaT on a LinuxMint 13 laptop. OmegaT requires Java, and for about the last 48 hours various usually reliably sources have been spreading the message "Uninstall Java - dangerous security vulnerability!" (see link list at the end)

However, when reading the news more carefully, it appears that the malware that exploits this vulnerability AT LEAST THUS FAR has:

a) only been able to exploit Java 7 (not e.g. Java 6)

The embedded Java provided with OmegaT is Java 1.6.

You can disable your system-wide Java, and still use OmegaT.


b) only? been able to exploit Oracle's Java 7 (not OpenJRE - ?)
c) only targeted web browsers with Java enabled, and none of my web browser settings allow Java
d) only? attempted to install Windows rootkits/viruses, which naturally would not harm Linux systems

However, as the vulnerability is in (Oracle's ?) Java 7 itself, both Windows, Mac OS/X and Linux systems are vulnerable, and at least on Ubuntu the vulnerability has been tested to be exploitable.

Does anyone here know any deeper details about this particular Zero Day vulnerability and whether anyone has reported that it would be able to infect a system through any other means than through a browser (clicking on a contaminated link while having Java 7 enabled)?

To get Java compromised through OmegaT, OmegaT would have to connect to a corrupted server. The only way I can think it could happen is if the user would voluntarily enter the URL in Options > Spell Checking. And even then, I don't think it would work, since OmegaT wouldn't download any .jar from that location.

Didier


 


There is no moderator assigned specifically to this forum.
To report site rules violations or get help, please contact site staff »


OmegaT on LinuxMint - is Java Zero Day vulnerability a concern?

Advanced search






WordFinder Unlimited
For clarity and excellence

WordFinder is the leading dictionary service that gives you the words you want anywhere, anytime. Access 260+ dictionaries from the world's leading dictionary publishers in virtually any device. Find the right word anywhere, anytime - online or offline.

More info »
PerfectIt consistency checker
Faster Checking, Greater Accuracy

PerfectIt helps deliver error-free documents. It improves consistency, ensures quality and helps to enforce style guides. It’s a powerful tool for pro users, and comes with the assurance of a 30-day money back guarantee.

More info »



Forums
  • All of ProZ.com
  • Term search
  • Jobs
  • Forums
  • Multiple search