is OpenJDK Vulnerable to 0-Day Exploit?

I was curious to know if OpenJDK is also vulnerable to the Zero-Day Exploit that is currently afflicting Java 7 because of which experts are telling people to disable Java until a solution is found on all operating systems.


Solution 1:

update: see Ubuntu Security Notice USN-1693-1

It was discovered that OpenJDK 7's security mechanism could be bypassed via Java applets. If a user were tricked into opening a malicious website, a remote attacker could exploit this to perform arbitrary code execution as the user invoking the program.


Probably not for the specific exploit being used in the wild for Oracle's Java 7 plugin. These exploits are usually specifically crafted to run with a specific set of software.

However, OpenJDK can be vulnerable in a similar way, if it's because of a design/architecture error in the way Java works in a browser. I could not find any details on it (at the time of writing) to support that statement with facts, but previous vulnerabilities were specifically for Oracle's JRE/JDK while OpenJDK has its own.

Please note the difference between an exploit and a vulnerability in this context.

Also note that you are probably affected to some extent if you're running Oracle's JRE/JDK on Ubuntu. However, the exploits are probably targeted for Windows hosts, and Oracle's JRE/JDK is no longer distributed by Ubuntu, due to licensing issues (Oracle doesn't allow redistribution anymore).

Solution 2:

I wouldnt take it lightly. OpenJDK shares most code with Oracle Java. Most apps written in Java work on both implementations. Naturally, the malware is just another application. If the vulnerability is a common one, you might get a surprise.

Now, it might be trickier to crack open (I mean root) Linux than Windows (and probably not worth the effort of researching and trying to defeat all possible Linux variants' security models, patches and so on) - but, they can work in the userspace stealing data or even deleting it or something. If the application is launched succesfully with even the current users rights, it might reach any data that is available to the user for reading. I dont think its that complicated to implement a cross platform data miner. I suppose your passwords stored in the browser (not to talk about other personal data like pictures) might get some Russian bot herders happy.

So. Caution. This might happen to you regardless of the OS you use. The simplest solution is to enable click to play (all major browsers support it) and not being click-happy. Although Java plugins (do not mistake it for Java script, that is NOT Java) arent that widespread nowadays, i personally have the plugin disabled for ages and never needed it.