Maybe not the correct platform for a question such as this, but does anyone know where (or if) you can find out detailed information regarding the current Java 7 SE security issues, like these ones?
I presume these are not published, as this would essentially document how to exploit the vulnerabilities, but just thought I would ask in case there is somewhere you can get some more information that expands upon “complete Java security sandbox bypass”. I found Alex Miller's blog, but it doesn’t appear to have been updated for a couple of years.
Thanks.
It’s been my experience that moving to the latest version is generally less of a security risk than keeping with an older one. Reason being that security researchers generally jump on the latest releases pretty quick to point out the issues. Typically those will be resolved fairly soon. Whereas devs rarely go back to older releases unless the problem is really widespread AND they can code a solution that doesn’t break lots of apps.
The reality is that we mere mortals aren’t privy to outstanding security issues for two reasons.
The first being that companies don’t want to publish issues that have yet to be resolved. The second being that black hat hackers have zero interest in publishing issues that they know about.
Quite frankly, it’s a given that even Oracle doesn’t know all of the outstanding security issues on Java 6. They just know the ones that the good guys have told them about, and they’ll never publicly release that to us until they have released a patch for it. Even then, patch descriptions tend to obfuscate exactly what it is they are fixing.
If I were a security auditor, I’d try to plug myself into those forums and sites that discuss hacking Java for fun and profit and simply watch what comes across.