OpenOffice Installs Insecure Java Version
By Brian Krebs
February 4, 2009; 5:30 PM ET
An alert reader let me know that the latest version of OpenOffice, the open source alternative to the Microsoft Office productivity suite, also installs a very old, insecure version of Java.
Users who accept the default installation options for OpenOffice 3.0.1 also will get Java 6 Update 7, a version of Java that Sun Microsystems released last spring (the latest version is Java 6 Update 12).
This is notable because not only could attackers target security vulnerabilities that were fixed in subsequent versions of Java, but Java 6 Update 7 was released prior to Sun's inclusion of a feature known as "secure static versioning," which is intended to prevent Web sites from invoking even older versions of Java that may be present on the user's system.
Starting with Java 6 Update 11, Sun's installer removes older Java 6 updates, but for whatever reason only back to Update 10; anything older, including the Update 7 that OpenOffice installs, is left in place alongside the new version.
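Because the installer leaves pre-Update 10 JREs behind, the only way to know what is really on a machine is to find every java binary, not just the one on PATH, and compare each reported version against a floor. The script below is an added example, not code from the original post or from OpenOffice.org or Sun; the directory roots and the sample `java -version` banners are constructed here for illustration, and the version-ordering logic is the part worth noting: Sun's `1.6.0_07` style strings must be compared numerically, since a plain string comparison puts `1.6.0_7` after `1.6.0_12`.

```python
import os
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Sun's Java 6 reports itself as 1.6.0 with the update number after the
# underscore (Java 5 as 1.5.0_NN). The update field is optional on GA builds.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")
_BANNER_RE = re.compile(r'java version "([^"]+)"')


def version_tuple(s: str) -> Optional[Version]:
    """'1.6.0_07' -> (1, 6, 0, 7). Integer fields so that 1.6.0_7 < 1.6.0_12."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def parse_banner(banner: str) -> Optional[Version]:
    """Pull the quoted version out of `java -version` output."""
    m = _BANNER_RE.search(banner)
    return version_tuple(m.group(1)) if m else None


def probe_java(java_path: str) -> str:
    """Run `<java_path> -version` and return its banner (Sun JREs print it to stderr)."""
    try:
        proc = subprocess.run([java_path, "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"probe failed: {exc}"
    return proc.stderr + proc.stdout


def find_java_binaries(roots: Iterable[str]) -> List[str]:
    """Walk the given directories for java/java.exe, bundled copies included."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name in ("java", "java.exe"):
                    found.append(os.path.join(dirpath, name))
    return found


def find_outdated(installs: Dict[str, str], minimum: str) -> List[Tuple[str, str]]:
    """Return (path, reported version) for every install below `minimum`.

    `installs` maps a java binary path to its `-version` banner. Binaries
    whose banner cannot be parsed are reported as "unknown": a JRE you
    cannot identify is not one you can vouch for.
    """
    floor = version_tuple(minimum)
    if floor is None:
        raise ValueError(f"bad minimum version: {minimum!r}")
    flagged = []
    for path, banner in installs.items():
        m = _BANNER_RE.search(banner)
        ver = version_tuple(m.group(1)) if m else None
        if ver is None:
            flagged.append((path, "unknown"))
        elif ver < floor:
            flagged.append((path, m.group(1)))
    return sorted(flagged)


# Constructed sample inventory (not captured from a real machine): three Sun
# JREs side by side, as happens when an installer bundles its own copy, plus
# one binary that prints no usable banner.
SAMPLE_INSTALLS = {
    r"C:\Program Files\Java\jre1.6.0_07\bin\java.exe":
        'java version "1.6.0_07"\nJava(TM) SE Runtime Environment (build 1.6.0_07-b06)\n',
    r"C:\Program Files\Java\jre6\bin\java.exe":
        'java version "1.6.0_12"\nJava(TM) SE Runtime Environment (build 1.6.0_12-b04)\n',
    r"C:\Program Files\Java\jre1.5.0_15\bin\java.exe":
        'java version "1.5.0_15"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_15-b04)\n',
    r"C:\tools\broken\java.exe":
        "Error: could not create the Java virtual machine.\n",
}


if __name__ == "__main__":
    import sys
    # Assumed search roots; pass your own on the command line.
    roots = [r for r in (sys.argv[1:] or [r"C:\Program Files", "/usr/lib/jvm", "/opt"])
             if os.path.isdir(r)]
    live = {p: probe_java(p) for p in find_java_binaries(roots)}
    for path, ver in find_outdated(live or SAMPLE_INSTALLS, "1.6.0_11"):
        print(f"{ver:10} {path}")
```

Run it with no arguments on a machine with no JREs under the assumed roots and it falls back to the constructed sample, flagging the Update 7 and Java 5 copies plus the unparseable binary; the Update 12 install passes.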
It's not clear why OpenOffice ships with this outdated version. For what it's worth, the latest version of OpenOffice appears to work just fine with the latest, Java 6 Update 12. I've sent a note to the OpenOffice security team to find out, and will post an update if I hear back from them.
Finally, I should note that Sun only released Java 6 Update 12 a few days ago. However, Sun says there are no security updates in this latest version, so there is no need to update if all you care about is having the most secure version of Java.
Update, Feb. 11, 3:09 p.m. ET: The OpenOffice.org security team responded that the newest version of Java caused installation problems with the latest version of OpenOffice. The group plans to ship the latest Java version with the next version of OpenOffice, due to be released at the end of March. In the meantime, a version of OpenOffice without the older Java version can be downloaded here.
(Adapted from http://voices.washingtonpost.com/securityfix/2009/02/openoffice_installs_insecure_j.html)