JRE 1.7 Vulnerability

Question

Today, our Enterprise Architect mentioned that a recent vulnerability was discovered in the JRE 1.7. I found an article on the JRE 1.7 vulnerability recommending disabling Java.

I am running JDK 1.5 and 1.6 at work (like many organizations, we're not on the latest of technologies), so no problems there.

At home I am doing development with Java SE 7u6. I'm playing with Grails, Spring Security, trying to keep learning.

I have already gone and disabled the Java Plug-in in all my browsers on my home development machine. However, does anyone know if my home dev machine is still vulnerable by virtue of having the JDK 7 installed? I did find this article on US-CERT declaring the vulnerability notice: Oracle Java JRE 1.7 Expression.execute() fails to restrict access to privileged code.

It sounded like as long as the browser is not able to run Applets, I should be fine (it should not with the Java Plug-in disabled). However, what about Java Web Start/JNLP? Could that get invoked? That's the only other thing I could think of, other than Applets, that might be of concern.

Just wondering if I need to go through the efforts of uninstalling my Java SE 7 and dropping back to a JDK6.

What have others done upon learning of this security issue with JRE 1.7?

Recommended answer

The details of the latest vulnerability have not been made public. However, my understanding is that it only affects Java browser plugins. The recommended mitigation is to disable the Java browser plugins. No mention is made of non-plugin Java, so I think it is safe to assume that your dev machine is not vulnerable simply by virtue of having Java 7 installed.

However, what about Java Web Start/JNLP? Could that get invoked?

I don't think so. I think it is safe to assume that the people who found the problem would have thought of that potential attack vector. (But simple common sense says that you wouldn't want to be launching random JNLP programs in the first place ...)
