Ronja Addams-Moring wrote:
I use locally installed OmegaT on a LinuxMint 13 laptop. OmegaT requires Java, and for about the last 48 hours various usually reliably sources have been spreading the message "Uninstall Java - dangerous security vulnerability!" (see link list at the end)
However, when reading the news more carefully, it appears that the malware that exploits this vulnerability AT LEAST THUS FAR has:
a) only been able to exploit Java 7 (not e.g. Java 6)
The embedded Java provided with OmegaT is Java 1.6.
You can disable your system-wide Java, and still use OmegaT.
b) only? been able to exploit Oracle's Java 7 (not OpenJRE - ?)
c) only targeted web browsers with Java enabled, and none of my web browser settings allow Java
d) only? attempted to install Windows rootkits/viruses, which naturally would not harm Linux systems
However, as the vulnerability is in (Oracle's ?) Java 7 itself, both Windows, Mac OS/X and Linux systems are vulnerable, and at least on Ubuntu the vulnerability has been tested to be exploitable.
Does anyone here know any deeper details about this particular Zero Day vulnerability and whether anyone has reported that it would be able to infect a system through any other means than through a browser (clicking on a contaminated link while having Java 7 enabled)?
To get Java compromised through OmegaT, OmegaT would have to connect to a corrupted server. The only way I can think it could happen is if the user would voluntarily enter the URL in Options > Spell Checking. And even then, I don't think it would work, since OmegaT wouldn't download any .jar from that location.
Didier