Apple Java update fails to address mega-flaw – researcher

Apple released a Java update on Wednesday but it does not tackle a high-profile flaw that has become the target of attacks over recent weeks. Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 offer patched versions of Java for OS X Lion and Mountain Lion systems that tackle CVE-2012-0547. But this is a different …

COMMENTS

This topic is closed for new posts.


  1. DerekCurrie
    Facepalm

    CORRECTION: The CVE-2012-0547 'mega-flaw' does NOT affect Apple's Java update

    This article by The Register is INCORRECT. This was pointed out previously in the comments thread.

    Please allow me to teach you how to discover the CORRECT information:

    The 'mega-flaw' in Java 6 is described in CVE-2012-0547. You can read the CVE description HERE:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0547

    "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited."

    Note that this security hole is specific to Java 6 Update 34 and earlier as well as Java 7 Update 6 and earlier. In response to this security hole, Oracle rushed out two patched versions of Java: Java 6 Update 35 and Java 7 Update 7. Apple then forwarded Java 6 Update 35 to its OS X users.

    NO further security holes have been found in Java 6 Update 35 at this time.

    UNRELATED to Java 6 was the discovery of a further Java security hole described in CVE-2012-4681. This vulnerability is ONLY in Java 7 Update 6 and earlier, NOT Java 6, as is evident in the CVE report found HERE:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681

    "Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier..."

    Also UNRELATED to Java 6 was the discovery of a new security hole in Java 7 Update 7, discovered by Security Explorations. So far, it does not have a CVE report. You can read about it HERE:

    http://seclists.org/fulldisclosure/2012/Aug/388

    "Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012)."

    In fact, the ONLY secure version of Java being distributed at this time is Java 6 Update 35, the version Apple is currently providing to OS X users. There is currently no secure version of Java 7.

    Learning about and reading CVE reports is easy. Below are links to the Wikipedia article about CVEs as well as the link to the CVE website. You can search for any CVE report using the 'SEARCH' link at the top right of the CVE home page.

    http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

    http://cve.mitre.org/
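The comment above reasons about which Java releases fall inside the "Update N and earlier" ranges quoted from the two CVE entries. As an added example (not part of the commenter's post or of any Oracle or Apple tooling), the following Python script parses the version strings printed by `java -version` (the `1.6.0_35` form) or written in shorthand (`6u35`) and checks them against those ranges. The affected ranges are transcribed from the CVE text quoted in the comment; the sample `java -version` output is constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple


class JavaVersion(NamedTuple):
    major: int   # feature release: 6 or 7
    update: int  # the "Update N" number


# Two spellings of the same version: "1.7.0_06" (java -version) and "7u6" (shorthand).
_VERSION_FORMS = [
    re.compile(r'^1\.(\d+)\.0_(\d+)$'),
    re.compile(r'^(\d+)u(\d+)$'),
]


def parse_java_version(text: str) -> JavaVersion:
    """Turn '1.6.0_35' or '6u35' into JavaVersion(6, 35); reject anything else."""
    text = text.strip()
    for form in _VERSION_FORMS:
        m = form.match(text)
        if m:
            return JavaVersion(int(m.group(1)), int(m.group(2)))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def version_from_java_output(output: str) -> JavaVersion:
    """Extract the version from the first line of `java -version` output."""
    m = re.search(r'java version "([^"]+)"', output)
    if not m:
        raise ValueError("no 'java version' line found in output")
    return parse_java_version(m.group(1))


# Affected ranges as quoted in the comment above: {major: highest affected update}.
# CVE-2012-0547: "7 Update 6 and earlier, and 6 Update 34 and earlier".
# CVE-2012-4681: "7 Update 6 and earlier" (Java 7 only).
AFFECTED: Dict[str, Dict[int, int]] = {
    "CVE-2012-0547": {6: 34, 7: 6},
    "CVE-2012-4681": {7: 6},
}


def is_affected(version: JavaVersion, cve: str) -> bool:
    """True when the version's major line is listed and its update is at or below the bound."""
    bounds = AFFECTED[cve]
    if version.major not in bounds:
        return False
    return version.update <= bounds[version.major]


def affecting_cves(version: JavaVersion) -> List[str]:
    """All CVEs from the table that apply to this version, in table order."""
    return [cve for cve in AFFECTED if is_affected(version, cve)]


# Constructed sample of `java -version` output from an OS X machine on Apple's
# Java 6 Update 35 (the build identifier is made up for the example).
SAMPLE_OUTPUT = '''java version "1.6.0_35"
Java(TM) SE Runtime Environment (build 1.6.0_35-EXAMPLE)
Java HotSpot(TM) 64-Bit Server VM (build EXAMPLE, mixed mode)
'''

if __name__ == "__main__":
    for label in ("1.6.0_34", "1.6.0_35", "7u6", "7u7"):
        v = parse_java_version(label)
        print(f"{label:>8} -> Java {v.major} Update {v.update}: {affecting_cves(v) or 'not listed'}")
    installed = version_from_java_output(SAMPLE_OUTPUT)
    print("sample install:", installed, affecting_cves(installed) or "not listed")
```

The table only covers the two CVE entries quoted above; the Security Explorations issue in Java 7 Update 7 had no CVE number at the time of the post and is deliberately left out, so a version reported as "not listed" here means only that neither of these two entries covers it.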
