Re: So whats up with the 11.2 java security hole?
Date: Sun, 07 Feb 2010 13:24:17 +0100
Message-ID: <4B6EB0F1.4070404_at_gmail.com>
On 07.02.2010 12:19, Vladimir M. Zakharychev wrote:
> On Feb 7, 2:47 am, John Hurley<johnbhur..._at_sbcglobal.net> wrote:
>> Based on David Litchfield ...
>>
>> http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hac...
>
> He also suggests the workaround (revoking EXECUTE from PUBLIC
> on certain Java-related packages.) Actually, I'd check the privileges
> on these packages and revoke EXECUTE from everyone else, too. SYS is
> just enough.
>
> Regards,
> Vladimir M. Zakharychev
> N-Networks, makers of Dynamic PSP(tm)
> http://www.dynamicpsp.com
>
Taking into account the complexity of the underlying code, it seems to be
*not* a straightforward action - I would rather share Gary Myers'
thoughts on this subject -
http://blog.sydoracle.com/2010/02/exploits-and-revoking-risks-of-revoking.html
For sure, only Oracle can confirm (or deny) that such a revoke won't break
anything in the provided functionality. Even Oracle would probably have
difficulties testing against all usual scenarios in the context of such a
revoke - it will probably be much easier to remove the vulnerability in the
underlying packages. On the other side, the vulnerability is so
dangerous that I hope Oracle's fix will follow rather sooner (at
least for those who get lucky enough to log in to MOS).
Best regards
Maxim
Received on Sun Feb 07 2010 - 06:24:17 CST
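As an added illustration (not part of either poster's message) of the privilege check Vladimir suggests and the breakage risk Maxim raises: the first query lists EXECUTE grants to PUBLIC on Java-related packages owned by SYS, the second lists stored objects outside SYS that depend on them. The name patterns are an assumption, since the thread does not name the affected packages; substitute the exact names from Oracle's advisory.

```sql
-- Added example, not from the thread. Run as a DBA on the 11.2 instance.
-- Assumption: Java-related packages are picked out by name pattern
-- (%JAVA%, %JVM%); replace with the package names from the advisory.

-- 1. Which Java-related SYS packages can PUBLIC (i.e. every user) execute?
SELECT p.table_name AS package_name,
       p.grantee,
       p.privilege,
       p.grantable
  FROM dba_tab_privs p
  JOIN dba_objects o
    ON o.owner = p.owner
   AND o.object_name = p.table_name
 WHERE p.owner = 'SYS'
   AND o.object_type = 'PACKAGE'
   AND p.privilege = 'EXECUTE'
   AND p.grantee = 'PUBLIC'
   AND (p.table_name LIKE '%JAVA%' OR p.table_name LIKE '%JVM%')
 ORDER BY p.table_name;

-- 2. What would stop compiling if EXECUTE were revoked from PUBLIC?
--    Stored code owned by schemas other than SYS/SYSTEM that references
--    those packages (these would need a direct grant before the revoke).
SELECT d.owner,
       d.name,
       d.type,
       d.referenced_name
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_type = 'PACKAGE'
   AND (d.referenced_name LIKE '%JAVA%' OR d.referenced_name LIKE '%JVM%')
   AND d.owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY d.owner, d.name;
```

The dependency view only sees static references from stored PL/SQL and Java; calls made through dynamic SQL or directly from client applications are invisible to it, which is exactly why the revoke cannot be declared safe from the catalog alone.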