
Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

Soulskill posted about 2 years ago | from the it-just-goes-on-and-on-my-friends dept.


msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."


Enough Already (5, Insightful)

Anonymous Coward | about 2 years ago | (#42627637)

Someone, please put Java in the browser out of our misery.

Re:Enough Already (2, Informative)

arth1 (260657) | about 2 years ago | (#42627743)

Someone, please put Java in the browser out of our misery.

As a sysadmin, I say someone please put Java outside the browser out of my misery.
"Oh, the system has 24 GB RAM, that means I, Java, can hog 18 GB by default, no problem!", followed by anguish from users who neither understand NUMA nor cgroups, and wonder why their java "creations" are killed by the system.

Re:Enough Already (3, Informative)

CodeReign (2426810) | about 2 years ago | (#42627871)

That's not how java works. Java has a very small memory footprint by default. This is why running minecraft requires you to run java -Xmx6G minecraft_server.jar so you can use up to 6GB.

Re:Enough Already (3, Insightful)

Anonymous Coward | about 2 years ago | (#42628693)

From a user-experience point of view, doing that work to enable Java to work properly for Minecraft is an abortion.

Re:Enough Already (1)

Anonymous Coward | about 2 years ago | (#42627875)

anguish from users who neither understand NUMA nor cgroups, and wonder why their java "creations" are killed by the system.

What about the anguish from sysadmins who neither understand virtual memory nor how to interpret the results from top and free, and make their cgroup restrictions too strict?

Re:Enough Already (4, Informative)

Anonymous Coward | about 2 years ago | (#42628453)

in defense of both sysad and java, there are developers which just think that garbage collection is magic and create a memory problem where there is none.

Re:Enough Already (0)

Anonymous Coward | about 2 years ago | (#42628347)

And I say as someone who had done both the job of sysadmin, and developer, that you are a fucking idiot and have no idea what the fuck you're doing. I have never seen a java app ask for that much ram; ever. Not even WebLogic Portal.

Re:Enough Already (0)

Anonymous Coward | about 2 years ago | (#42627859)

Someone, please put Java in the browser out of our misery.

Said by someone that hasn't installed the latest update.

Re:Enough Already (2, Interesting)

Anonymous Coward | about 2 years ago | (#42627937)

Someone, please put Java in the browser out of our misery.

Said by someone that hasn't installed the latest update.

Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".

Re:Enough Already (3, Interesting)

Anonymous Coward | about 2 years ago | (#42628033)

Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".

Well, I uninstalled Adobe Reader and Flash many years ago and nothing of interest was lost.
As for Java, I just disable the browser plugin and that's it. Desktop java applications (yes yes they do exist, for instance jdownloader) continue to work wonderfully.

Re:Enough Already (3, Informative)

Above (100351) | about 2 years ago | (#42628141)

I would love to banish Java from all of my machines never to see it again. Most of the uses for Java are well, useless to me, HOWEVER....

There are a few things I do that require Java and even if I wanted to badger my vendors to do them in some other cross platform way I'm not sure how they could. The two I regularly use are access to IPMI cards and Cisco WebEx. Both do things that as far as I can tell can't simply be done in a browser with HTML5 and JavaScript.

If someone had a good solution for those sorts of things I would dump Java in a heartbeat.

Re:Enough Already (1)

mrops (927562) | about 2 years ago | (#42628799)

At this point there is no reason why HTML5 canvas can't do what WebEx is doing with Java. Java is great for server side development, it shouldn't be on any end user machines.

Disclaimer: 10+ year Java developer, so I am biased in favor of Java for web/server development.

Re:Enough Already (3, Funny)

datavirtue (1104259) | about 2 years ago | (#42628319)

Why, after all this it will be unbreakable. Look at Windows and how it has improved. Hold on, Windows Store, locked down application environment....uh.

Re:Enough Already (3, Insightful)

robmv (855035) | about 2 years ago | (#42628851)

Already done, the previous u10 added options on the Java control panel (Windows) to disable all Java features in the browser, so if you need Java for desktop applications, you don't need to expose it to the browser.

Note: The Java plugin code was never open sourced to OpenJDK; people from the IcedTea project developed a new plugin and JNLP engine for Linux. I am starting to think that Sun already knew the bad security quality of the plugin and they decided to never release that code.
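The u10 control-panel switch mentioned above is persisted as the `deployment.webjava.enabled` key in Java's deployment.properties, with a `deployment.webjava.enabled.locked` entry preventing users from flipping it back. As an added example (not code from the post or from Oracle), here is a small audit that parses a deployment.properties file with a simplified properties grammar and reports whether web content is disabled and locked; the sample file contents are constructed.

```python
"""Audit a Java deployment.properties file for the browser-plugin switch.

Added example, not Oracle's code. The parser is a simplified .properties
reader (key=value or key:value, '#'/'!' comments, backslash continuations),
which is enough for files written by the Java control panel or by an admin.
"""
from dataclasses import dataclass

WEBJAVA_KEY = "deployment.webjava.enabled"
LOCK_SUFFIX = ".locked"


def parse_properties(text: str) -> dict:
    """Parse Java .properties text into a dict (simplified grammar)."""
    props = {}
    logical = []  # pieces of a line continued with a trailing backslash
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank or comment line outside a continuation
        logical.append(line)
        if line.endswith("\\"):
            logical[-1] = line[:-1]
            continue
        joined = "".join(logical)
        logical = []
        # First '=' or ':' separates key from value; a bare key has no value
        # (this is how a "...locked" entry appears in the file).
        sep = min((i for i in (joined.find("="), joined.find(":")) if i >= 0),
                  default=-1)
        if sep < 0:
            props[joined.strip()] = ""
        else:
            props[joined[:sep].strip()] = joined[sep + 1:].strip()
    return props


@dataclass
class WebJavaStatus:
    enabled: bool   # effective value; an absent key means enabled (the default)
    explicit: bool  # key present in the file at all
    locked: bool    # ".locked" entry present, so the control panel cannot change it


def audit_webjava(text: str) -> WebJavaStatus:
    """Evaluate the browser-plugin switch from deployment.properties text."""
    props = parse_properties(text)
    explicit = WEBJAVA_KEY in props
    # Assumption: only the literal "true" (any case) enables it, i.e.
    # Boolean.parseBoolean semantics; anything else counts as disabled.
    enabled = props[WEBJAVA_KEY].lower() == "true" if explicit else True
    locked = (WEBJAVA_KEY + LOCK_SUFFIX) in props
    return WebJavaStatus(enabled=enabled, explicit=explicit, locked=locked)


def findings(text: str) -> list:
    """Return human-readable findings; an empty list means hardened."""
    status = audit_webjava(text)
    out = []
    if status.enabled:
        note = "" if status.explicit else " (key absent, so the default applies)"
        out.append("Java content in the browser is enabled" + note)
    if not status.locked:
        out.append("setting is not locked; a user can re-enable it in the control panel")
    return out


# Constructed sample files, not taken from any real machine.
WEAK = "# default install: plugin left on\ndeployment.webjava.enabled=true\n"
HARDENED = ("# pushed as the system-level config\n"
            "deployment.webjava.enabled=false\n"
            "deployment.webjava.enabled.locked\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("empty", "")):
        print(name, findings(text) or ["ok"])
```

On a managed fleet this would be pointed at the system-level deployment.properties that `deployment.config` references, rather than each user's copy.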

first (-1)

Anonymous Coward | about 2 years ago | (#42627647)

first

first (-1)

Anonymous Coward | about 2 years ago | (#42627669)

post

The same old story (1, Insightful)

Synerg1y (2169962) | about 2 years ago | (#42627673)

Java's had issues with reflection before: http://stackoverflow.com/questions/3002904/what-is-the-security-risk-of-object-reflection [stackoverflow.com] .

Considering that reflection is basically injecting code at runtime, I'd say most things in the Java world don't need it, not sure if it's on or off by default, but in 99% of scenarios I believe it should be set to off.

Re:The same old story (4, Interesting)

K. S. Kyosuke (729550) | about 2 years ago | (#42627795)

Considering that reflection is basically injecting code at runtime

That's pretty narrow, isn't it? Reflection is the reification of a program's state (and possibly code, which should be a subset of it) in the form of (possibly mutable) metaobjects. The interface doesn't necessarily have to allow the program to do things that are inherently unsafe (although some applications need to do precisely that, e.g., Smalltalk IDEs when creating or modifying classes and methods). If Java's reflection features violate the Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such. It's not like this is Java's only design flaw anyway. :-)

Re:The same old story (1)

Synerg1y (2169962) | about 2 years ago | (#42627947)

Yea, and why not apply reflection's methods against the platform itself? "Reflect", reverse, and modify the framework appropriately to gain a hook. Java isn't the only language to use reflection, c# has it, but I don't think I've ever seen it used, which may be a testament to its usefulness more than its security.

Potential Reflection scenarios: http://stackoverflow.com/questions/2488531/what-is-the-use-of-reflection-in-java-c-etc [stackoverflow.com]

Re:The same old story (3, Insightful)

Anonymous Coward | about 2 years ago | (#42628029)

Sorry to say: if you haven't seen reflection used in C# you must not have been looking very hard...

Re:The same old story (4, Informative)

sjames (1099) | about 2 years ago | (#42628035)

Reflection is extremely useful given a language that considers it a first class feature rather than a bolt-on. Duck typing, for example, is a specific application of reflection. In turn, duck typing can actually fulfill the promise of reusable code that OOP promises but rarely delivers.

Re:The same old story (1)

cusco (717999) | about 2 years ago | (#42628395)

OK, I'm not a programmer and never will be but the phrase 'duck typing' is so off-the-wall that I just have to ask what the hell it means.

Re:The same old story (1)

Cinder6 (894572) | about 2 years ago | (#42628567)

You know, mallard, stifftail, goldeneye...

Okay, fine, it's a type of dynamic typing: http://en.wikipedia.org/wiki/Duck_typing [wikipedia.org]

Re:The same old story (1)

Sique (173459) | about 2 years ago | (#42628887)

So this is something we were using in LPC 20 years ago without knowing it had to have a special name. We just said, we were calling the method in the object - all objects being from the same type object anyway.

Re:The same old story (1)

HFXPro (581079) | about 2 years ago | (#42628821)

When I see a bird that walks like a duck and swims like a duck and quacks like a duck, I call that bird a duck. http://en.wikipedia.org/wiki/Duck_typing [wikipedia.org]

Re:The same old story (2)

barjam (37372) | about 2 years ago | (#42628071)

Reflection in C# is used all the time. If you have written anything more complicated than hello world you have definitely used it. Not directly but the APIs you call use it.

Re:The same old story (3, Informative)

AuMatar (183847) | about 2 years ago | (#42628073)

Its major use is to avoid busy work for the programmer. An example is ORM, where the program can analyze what fields a class has and figure out what data types those fields are and build sql queries from it. Another example is xml/json parsing, where you can pass in a json string and a class definition and have it match all of the fields in the json to members in the class. You can spend 15 minutes writing annoying boilerplate code or 15 seconds making 1 method call.

Re:The same old story (1)

K. S. Kyosuke (729550) | about 2 years ago | (#42628079)

Yea, and why not apply reflection's methods against the platform itself? "Reflect", reverse, and modify the framework appropriately to gain a hook.

If that's possible and not intended, you have a bug in your platform.

Java isn't the only language to use reflection, c# has it, but I don't think I've ever seen it used, which may be a testament to its usefulness more than its security.

Yes, in a decade, perhaps, these two platforms will reach the reflective maturity of Self-93 and its successors. Until then, they're half-botched.

Re:The same old story (5, Insightful)

Bob9113 (14996) | about 2 years ago | (#42628069)

If Java's reflection features violate the Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such.

Java is a programming language, like C. It has access to the filesystem and can fork processes. Security is handled by the operating system, just like C. Any permission that the executing user has, the language has. That is as designed.

The Java browser plugin, on the other hand, has a sandbox which is supposed to make it safe to run untrusted code. Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code. The security hole is in the Java sandbox, and in the notion of executing untrusted code in a language that has system access, not in the Java language.

Re:The same old story (1)

petermgreen (876956) | about 2 years ago | (#42628307)

AIUI, while the browser plugin is by far the most common use of the sandboxing, and hence the most common way to exploit flaws in it, the sandboxing itself is a core feature of the java platform.

Re:The same old story (1)

K. S. Kyosuke (729550) | about 2 years ago | (#42628643)

and in the notion of executing untrusted code in a language that has system access

Actually, that notion is perfectly fine. In a proper object-based runtime, the untrusted code should only get those references ("capabilities", from a security POV) that it's supposed to have access to in order to accomplish its tasks, and nothing more. It can't get anywhere else in any other way than by pointer chasing or querying the provided objects/capabilities and invoking their methods, using the API it's been given access to. Basically, it's the same principle that MS is trying to employ in the development of Singularity-like systems. The notion is perfectly fine, that is, when the API isn't botched.

Re:The same old story (0)

Anonymous Coward | about 2 years ago | (#42628539)

... reification ... mutable ... metaobjects ...
BINGO! [wikipedia.org]

Re:The same old story (0)

Anonymous Coward | about 2 years ago | (#42628471)

the whole java enterprise specification is built over reflection and code injection, also quite a lot of frameworks out there are (hibernate and spring, just to name some).

now, why they left reflection enabled by default on applets instead of placing it behind a user policy is beyond me.

Just let it die already (1)

Billly Gates (198444) | about 2 years ago | (#42627683)

Of your corp must need ot then downgrade to Java6 which is not effected by the latest exploits and disable it in your browser except for whitelisted sites in your intranet zone in IE.

Oracle apparently can't code their way out of a paper bag but Sun wrote Java 6. Not to say that release is secure but at least less flaky and doesn't have the same flaw as 7.

Re:Just let it die already (5, Funny)

Antipater (2053064) | about 2 years ago | (#42627863)

To be fair, coding your way out of a paper bag sounds pretty difficult.

Unless you have a robot with poking capabilities inside the bag with you, of course.

Re:Just let it die already (2)

arth1 (260657) | about 2 years ago | (#42627869)

Of your corp must need ot then downgrade to Java6 which is not effected by the latest exploits and disable it in your browser except for whitelisted sites in your intranet zone in IE .

Run that by me, again?

Re:Just let it die already (1)

CodeReign (2426810) | about 2 years ago | (#42627897)

He said if you are running peoplesoft allow Java to run only on your peoplesoft site. Was that so hard to understand?

Re:Just let it die already (1)

icebike (68054) | about 2 years ago | (#42628219)

Why Yes, Yes it was.
One wonders to what extent we should take advice from a guy who can't form a conversant sentence.

Re:Just let it die already (0)

Anonymous Coward | about 2 years ago | (#42628425)

I don't think that word means what you think it means.

People are conversant, sentences aren't.

Re:Just let it die already (0)

icebike (68054) | about 2 years ago | (#42628583)

Actually what I wrote was a perfect example of Muphry's law [wikipedia.org] and I really meant to say coherent, but auto-correct jumped in and bitchslapped me yet again.

Re:Just let it die already (3, Informative)

The Moof (859402) | about 2 years ago | (#42628045)

It's the screwy way Windows does network trust. The "Internet Options" from the control panel is actually IE's preferences. This is also the place you set up trusted zones, allowing network applications or applications downloaded from external sources to run on the OS.

Like I said, it's screwy.

Re:Just let it die already (1)

Billly Gates (198444) | about 2 years ago | (#42628083)

Old IE may suck for rendering websites properly compared to new IE, but what it does do right is come with corporate oriented tools including this, called security zones [microsoft.com] .

Just go under Internet Options in control panel and disable java in the internet zone and set it up in the intranet zone. Fairly easy stuff. You can push this through Active Directory as well if you are at work to protect your users.

I assume no one but a few minecraft users use it at home so uninstall it. Chrome and Firefox should have it disabled by default.

Re:Just let it die already (4, Interesting)

icebike (68054) | about 2 years ago | (#42628163)

Oracle apparently can't code their way out of a paper bag but Sun wrote Java 6. Not to say that release is secure but at least less flaky and doesn't have the same flaw as 7.

I think it is starting to look suspiciously like there is some unfair dealing going on in the "security researcher" world.

The fix was released last Sunday and two new security flaws turn up today which, according to the summary and TFA, "are apparently not related to the previous security issues."

First, that is a very short period of time to find these new flaws, and write a proof of concept.
Were these flaws in the prior release, or introduced by the Sunday release?
Did these guys have them in hand prior to the work on sunday's release and hold them back?
Were they using "research" methods that they refused to share? Fuzzers, code inspection?
If the researchers didn't find these new flaws until after sunday, why not?

Just sayin....

Re:Just let it die already (1)

Billly Gates (198444) | about 2 years ago | (#42628217)

I was under the impression it utilized the same exploit from what I read. It just used the same attack vector utilizing a different method that the fix doesn't mitigate.

Dalvik virtual machine (1)

perpenso (1613749) | about 2 years ago | (#42627691)

Is Google's Dalvik virtual machine available for PC or just Android? Perhaps a little competition is needed.

Re:Dalvik virtual machine (0)

Anonymous Coward | about 2 years ago | (#42627791)

The problem is that most applets are coded to use a gui that was never implemented in Android, so I don't think it would help.

Re:Dalvik virtual machine (-1)

Anonymous Coward | about 2 years ago | (#42627865)

You know those "Rooting" tricks? Same premise on a Dalvik VM vs an Oracle JVM. The principal difference is that on android the only thing people are doing right now is flipping a bit that says "turn on su" vs on oracle where bad actors are loading ransomware. Same door.

So Android is just a ticking malware timebomb that no one has set off yet (says the man with a Nexus 4 in his pocket).

Re:Dalvik virtual machine (1)

sjames (1099) | about 2 years ago | (#42628287)

The rooting hacks I've seen don't seem to attack the VM. They generally either rely on linked in C libraries where the exploit is actually implemented or they are attacks on the bootloader to get it to load something in kernel mode to set flags in hardware.

The more difficult case is the ones that attack the kernel through permitted system calls.

Ultimately, the answer will probably involve a mini guest OS isolated by something like KVM where each applet gets its own VM and any changes on the client side roll back when the applet exits.

blaaaaaaaaaa (0)

Anonymous Coward | about 2 years ago | (#42627711)

who cares? java does not belong in the browser, javascript does not belong on the server. end of story.

Re:blaaaaaaaaaa (1)

arth1 (260657) | about 2 years ago | (#42627811)

who cares? java does not belong in the browser, javascript does not belong on the server. end of story.

No, you're missing a few chapters to your story:
Chapter 1: Javascript does not belong in the browser when fetched from untrusted sources.
Chapter 2: Java does not belong in the browser.
Chapter 3: Javascript does not belong on the server.
Chapter 4: Java does not belong on servers also used for non-java.

Re:blaaaaaaaaaa (1)

Anonymous Coward | about 2 years ago | (#42627887)

who cares? java does not belong in the browser, javascript does not belong on the server. end of story.

No, you're missing a few chapters to your story:
Chapter 1: Javascript does not belong in the browser when fetched from untrusted sources.
Chapter 2: Java does not belong in the browser.
Chapter 3: Javascript does not belong on the server.
Chapter 4: Java does not belong on servers also used for non-java.

Chapter 5: Javascript does not belong in the browser, either.
Chapter 6: Images do not belong in the browser.
Chapter 7: The only thing that belongs in the browser is ASCII text. None of this Unicode crap.
Chapter 8: And ONLY if that text has been sanitized to hell and back.
Chapter 9: Waaaaaaah, why don't we just use Gopher like we used to? The world made so much sense back then, and that was good enough for us!
Chapter 10: Screw you guys, I'm just going to pass floppy disks among my Media Lab friends at MIT like in the old days.
Chapter 11: 1.44MB is enough for anything.
Chapter 12: Unless you're one of the old fogies with the 360kB disks. Forget that noise, we've got COLOR in our .tiffs now!

Re:blaaaaaaaaaa (1)

AliasMarlowe (1042386) | about 2 years ago | (#42628121)

Chapter 12: Unless you're one of the old fogies with the 360kB disks. Forget that noise, we've got COLOR in our .tiffs now!

Who are you calling "old", sonny?
I'm not that old (far from retirement age), and worked with brand new 140kB and 160kB 5.25" floppy disks on a brand new PC, several years after graduating. Earlier I worked with PDP-8, PDP-11, IBM-360, and DEC-20, which were floppy-free, and cassette-tape systems such as the PET. Even those who recall 80kB 8" floppies, or subsequent 100kB and 110kB 5.25" ones might not be retired yet.

Re:blaaaaaaaaaa (0)

CFBMoo1 (157453) | about 2 years ago | (#42628129)

Chapter 13: Punch cards, the new ninja throwing stars!

Re:blaaaaaaaaaa (1)

CodeReign (2426810) | about 2 years ago | (#42627925)

Can you paste chapter 4 for me. I'm somewhat curious what you mean, is there privilege escalation that can occur or what's going on in that chapter?

Re:blaaaaaaaaaa (1)

Bill_the_Engineer (772575) | about 2 years ago | (#42627991)

Chapter 4: Java does not belong on servers also used for non-java.

Please cite some evidence that the above is true.

Oracle should deprecate the browser plugin (0)

Anonymous Coward | about 2 years ago | (#42627749)

Oracle should deprecate the browser plugin. It is the new ie6+ActiveX... Let the vendors repackage their applets into jnlp applications where you have to accept before allowing execution.

Re:Oracle should deprecate the browser plugin (0)

sjames (1099) | about 2 years ago | (#42628315)

I'm really wondering if the industry just needs to deprecate Oracle.

I just have to say... (2)

cyberjock1980 (1131059) | about 2 years ago | (#42627777)

Whoops!

I wonder how many of these vulnerabilities will be found and identified before the top brass at Oracle starts questioning the logic in buying Sun. Could Oracle realistically just come out and say "you know what.. we're done with Java"? Is Oracle really this inept at making stuff secure?

I mean, fixing security vulnerabilities is never good for business.. at all. You spend money fixing something that doesn't affect you directly but definitely affects your customers (which indirectly affects you). It's developer time that could have been spent on the next version's new shiny feature. Not to mention you aren't going to sell your product by saying "We fixed XYZ vulnerabilities in the last 2 years". Anytime a company name is used in the same sentence with "new vulnerabilities discovered" is also not good for said company.

When the last topic about these vulnerabilities was posted I mentioned how I don't trust companies with my security any more than I have to and mentioned that my firewall is now pfsense since Linksys, Netgear, and Dlink don't seem to be interested in security without buying a new router every 2 years. Naturally I got modded down. Let's see how this goes this time...

Re:I just have to say... (2)

c (8461) | about 2 years ago | (#42627931)

Is Oracle really this inept at making stuff secure?

Ask David Litchfield [davidlitchfield.com] . You might also want to read up on their Unbreakable [cnet.com] campaign a few years prior to purchasing Sun.

Re:I just have to say... (1)

lecithin (745575) | about 2 years ago | (#42627935)

"Is Oracle really this inept at making stuff secure?"

Aside from their database, Oracle is inept at pretty much everything.

Re:I just have to say... (1, Insightful)

Anonymous Coward | about 2 years ago | (#42627985)

Oracle is inept at pretty much everything.

FTFY

Re:I just have to say... (1)

Scutter (18425) | about 2 years ago | (#42627961)

Anytime a company name is used in the same sentence with "new vulnerabilities discovered" is also not good for said company.

True, but it's amazingly easy to deal with that by adding the phrase "But they have a history of fixing vulnerabilities quickly whenever they are discovered." Unfortunately, Oracle can't seem to do this.

Re:I just have to say... (2)

organgtool (966989) | about 2 years ago | (#42628703)

I mean, fixing security vulnerabilities is never good for business.. at all. You spend money fixing something that doesn't affect you directly but definitely affects your customers (which indirectly affects you). It's developer time that could have been spent on the next version's new shiny feature.

Have you used Java lately? It hasn't had any killer new features in quite a long time and that stagnation has been there for a period even before Oracle bought Sun. That stagnation looks even worse when you compare it to .Net languages like C# which have surpassed most of Java's language features and is now ahead. And before everyone jumps down my throat for advocating a Microsoft technology, I use absolutely none of their technologies for software development. I'm just objective enough to recognize that they're putting a lot of effort into creating new features for their languages and as a Java developer, I have to say that I'm a bit jealous (but not jealous enough to switch to Microsoft's single-platform development environment).

Re:I just have to say... (0)

Anonymous Coward | about 2 years ago | (#42628727)

It might have something to do with Oracle's management style and decisions running off most of the top talent... Take a look at the who's who list from Sun pre-Oracle, and look how many have bailed.

Interesting (4, Interesting)

jones_supa (887896) | about 2 years ago | (#42627793)

I still find it odd how Java suddenly caught all the attention regarding security.

Re:Interesting (1)

Bill_the_Engineer (772575) | about 2 years ago | (#42627827)

Smear campaign. I always wondered why a "mega" exploit package was reportedly offered up for sale yet only the Java exploit contained in the package was the one getting the media attention.

Re:Interesting (5, Insightful)

dalias (1978986) | about 2 years ago | (#42627987)

Yes, in some ways I agree it is a "smear campaign", but I don't think it's an unjustified one. When a product has had vulns this serious this many times, yet maintains huge deployment due to market dominance and user lock-in, a huge smear campaign is needed to destroy it. This was the case in the past with products like BIND, Sendmail, WU-FTPD, IIS, IE, etc. and Java is just the latest necessary target.

Re:Interesting (1)

Bill_the_Engineer (772575) | about 2 years ago | (#42628183)

I didn't say it was unjustified, just unfair. In fact, depending how Oracle responds, it may actually make Java more secure than other options/languages.

What I am suspicious of is the lack of coverage for the other exploits. Which unfairly diminishes Java's image while elevating the status of similar products that may have the similar vulnerabilities.

Re:Interesting (1)

w_dragon (1802458) | about 2 years ago | (#42628623)

This is about Java in the browser. The main competitors in this space are Flash and (if you're in an outdated, IE-loving enterprise) ActiveX. Do you really have that high an opinion of Flash?

Re:Interesting (2)

DMUTPeregrine (612791) | about 2 years ago | (#42628097)

Windows got better, and fixed most of the easy exploits. Flash got a bit better, and fixed most of the easy exploits. Java and Acrobat Reader are still easy to find exploits in. We'll see what comes next.

Re:Interesting (1)

Nimey (114278) | about 2 years ago | (#42628399)

Acrobat Reader got a lot better with version 10's secure mode. I don't remember reading of any exploits that were able to get past that.

Re:Interesting (2)

Bob9113 (14996) | about 2 years ago | (#42628185)

I still find it odd how Java suddenly caught all the attention regarding security.

I think this is largely due to the bad reporting. Ignorant reporters keep referring to this as a Java exploit. It is not. It is a Java sandbox exploit. A Java exploit of this nature would be catastrophic, since there are millions of servers out there running Java. A Java sandbox exploit, on the other hand, is little more than a reminder: Hey, everybody: Disable the Java plugin in your browser, like everyone else did ten years ago.

Re:Interesting (0)

Tridus (79566) | about 2 years ago | (#42628245)

Java's on a lot of machines, and hasn't been hardened that well. Windows itself used to be the favored target, but Microsoft spent a lot of money in that area and it's much harder to find exploits in Windows 7 (and 8) than it used to be in XP. Flash was a target for a while, as was Acrobat reader.

Re:Interesting (1)

sjames (1099) | about 2 years ago | (#42628779)

It started with a serious security flaw that the vendor (Oracle) tried hard to ignore. The publicity was turned up to shame them into fixing the flaw with an out-of-cycle patch. The vendor half-assed the patch and so the cycle of 'all clear' press was interrupted for a new round of drubbing. Then an attempt was made to rehabilitate Java's image and so now we're at the 'not so fast' rebuttal.

Meanwhile, it never really lived up to most of its promises anyway (especially as a browser plug-in) and so it naturally leads people to wonder if it's time to stick a fork in it.

That Java is Oracle's second big software acquisition from Sun that seems to be flaming out under the new management and that Oracle is not really well liked as an entity anyway just adds to the dogpile.

Bad stewardship of Java (4, Insightful)

benjfowler (239527) | about 2 years ago | (#42627885)

Oracle need to be called out on what appears to be an open-and-shut case of negligence.

Only a complete idiot would take on Java and its 600 million users without making some kind of plan for supporting it. Their approach so far has been unbelievably reckless.

I certainly hope they don't take that attitude to Oracle Database, which is very expensive indeed, and running inside companies with lots of well paid lawyers.

Re:Bad stewardship of Java (0)

Anonymous Coward | about 2 years ago | (#42628059)

oracle doesn't give a damn about java. all they really wanted when they bought sun was to get their paws on mysql.

Re:Bad stewardship of Java (2)

sdnoob (917382) | about 2 years ago | (#42628169)

Perhaps the best course of action would be for Oracle to donate Java to Apache Foundation... but then, the question to ask is: would they even want it?

Re:Bad stewardship of Java (1)

medv4380 (1604309) | about 2 years ago | (#42628421)

Apache would probably kill to have full control over Java.

Re:Bad stewardship of Java (1)

Tridus (79566) | about 2 years ago | (#42628271)

Oracle has a lot of stuff that uses Java, so I doubt their plan was "totally screw Java up so we can ditch it."

Clearly they need to devote serious expertise to hardening it though, or just take the easy route and kill Java in the browser entirely. That's where these problems are all coming from. It wouldn't even be that hard for them, since it's basically a dying method of doing things in the browser anyway.

Re:Bad stewardship of Java (0)

Anonymous Coward | about 2 years ago | (#42628519)

He's not an idiot, he's Larry "Lanai" Ellison. How complete he is, as an idiot, is still open for debate.

Who's to say he ever had any real intention of keeping Java alive? As a profit center within Oracle, it's hardly noticeable. And so far, there's no downside to fiddling ineptly with Java since there's no competition to replace it.

You're new to Oracle, I can tell. (0)

Anonymous Coward | about 2 years ago | (#42628685)

Oracle need to be called out on what appears to be an open-and-shut case of negligence.

Only a complete idiot would take on Java and its 600 million users without making some kind of plan for supporting it.

Have you seen how Oracle supports its other products? Or more importantly, how much it charges for support for its other products?

Dear Larry Ellison (1)

Anonymous Coward | about 2 years ago | (#42627889)

Since your programmers can't seem to code their way out of a wet paper bag, perhaps you should spend less time on your yacht and more time actually running your company.

Sincerely, everyone whose time you waste with shit software.

sigh.... (-1)

Anonymous Coward | about 2 years ago | (#42627901)

heavy sigh.....

Enough already (3, Funny)

mark-t (151149) | about 2 years ago | (#42627915)

While admittedly this could reasonably qualify as news for nerds, the exploits that are being discovered in Java these days are happening with such rapidity now that it truly seems like a complete waste of time and effort to report them all individually. They are so frequent now as to border on spam.

Why is this so difficult? (1)

istartedi (132515) | about 2 years ago | (#42627933)

I'm not familiar with the architecture, so I have a hard time understanding why this is so difficult. Many C programmers including myself have written simple stack machines that have an "instruction set". It's trivial to separate safe instructions from dangerous ones.

One instruction might be 32-bit unsigned addition that rolls over without throwing an exception. Perfectly safe, as long as you can live with the results.

Another instruction might be "open file". Lots of opportunity for mischief there.

So. If the code came from the 'net, you just scan the code after you've compiled it onto your VM and reject anything that has "open file" unless the user has granted permission for the software to access files.

Sure, I'm glossing over the details; but that's the basic idea. If you have a huge library, you might have to have staff review a lot of API calls to make sure you're classifying them properly as safe or dangerous; but the fundamental idea of the sandbox itself seems really, Really, REALLY hard to mess up.

It sounds like they have calls to a "cause the scanner to ignore dangerous functions" API scattered throughout their code, which seems highly unlikely. Library code shouldn't even know it's running after a scan, let alone have the ability to shut off the thing that scans it.

So. I have to conclude that the sandbox architecture is something more complicated than "compile, scan for restricted system calls, run if none found"; but I have no idea what it is. Can anybody enlighten me?

Re:Why is this so difficult? (1)

Billly Gates (198444) | about 2 years ago | (#42628171)

The flaw is in reflection. Since metadata changes immutable things like strings you can have safety, but this hack goes around it and manipulates it. Get rid of that feature?

Then you break applications and mission critical business apps. Of course, from what I see, they all use older versions of the language where this feature is not used, but nevertheless those are the joys of supporting a large complex thing where the users have a psychotic episode if anything changes and want it frozen yet demand to get security patches.

This is the reason many programs will not run on Windows 7 as MS had to make it secure starting with Vista. Corporate users just kept using XP and ignoring all the security issues.

Re:Why is this so difficult? (1)

Tridus (79566) | about 2 years ago | (#42628309)

I'd surmise (since I'm nothing resembling a sandbox expert) that one of the problems is that the sandbox is built to allow a lot of those "dangerous" activities if the applet is signed and asks for permission to do them. It's not a total block.

When the code to do it is in there somewhere, apparently there's a lot of edge cases to find ways to get to it.
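The three comments above (the "compile, scan for restricted instructions, run if none found" proposal, the reply that the bypass goes through reflection, and the reply that the sandbox deliberately lets signed code ask for dangerous permissions) are easier to see with a toy. The following is an added illustration written for this page, not Java's own sandbox code: a tiny stack machine in which "OPEN_FILE" is the dangerous instruction, "INVOKE" dispatches on an opcode name that exists only as run-time data (the reflection analogue), and a "file.read" grant stands in for a permission the user granted to a signed applet. The opcode names, the grant name and the sample programs are all made up here.

```python
# Added illustration (not Java's real sandbox code): a toy stack machine showing why
# "scan the bytecode for dangerous instructions, run it if none are found" is weaker
# than checking permissions at the point of effect. Opcode names, the "file.read"
# grant and the sample programs are all made up for this example.
from typing import List, Set, Tuple

Instruction = Tuple  # (opcode, *operands)

# What a static scanner would classify as dangerous (the "open file" of the question).
DANGEROUS = {"OPEN_FILE"}


class SandboxViolation(Exception):
    """Raised when an operation is refused at run time."""


def static_scan(program: List[Instruction]) -> bool:
    """The scan-then-run design: accept the program only if no dangerous opcode appears."""
    return not any(instr[0] in DANGEROUS for instr in program)


class VM:
    """Minimal stack machine.

    grants          permissions the user granted, e.g. to a signed applet
    runtime_checks  whether OPEN_FILE itself verifies a grant before doing the work
    """

    def __init__(self, grants: Set[str] = frozenset(), runtime_checks: bool = False):
        self.grants = set(grants)
        self.runtime_checks = runtime_checks
        self.stack: list = []
        self.opened: List[str] = []  # the side effect the sandbox is meant to prevent

    def op_push(self, value):
        self.stack.append(value)

    def op_add(self):
        # 32-bit unsigned add that wraps silently: harmless, as the question says.
        b, a = self.stack.pop(), self.stack.pop()
        self.stack.append((a + b) & 0xFFFFFFFF)

    def op_open_file(self):
        path = self.stack.pop()
        # The check lives in the handler, so it runs no matter how control got here.
        if self.runtime_checks and "file.read" not in self.grants:
            raise SandboxViolation(f"OPEN_FILE {path!r} denied")
        self.opened.append(path)
        self.stack.append(f"<handle {path}>")

    def op_invoke(self):
        # Reflection analogue: the opcode to run exists only as a string on the
        # stack, so a scanner that looks at opcodes never sees OPEN_FILE.
        self.dispatch(self.stack.pop())

    def dispatch(self, opcode, *operands):
        if not isinstance(opcode, str):
            raise SandboxViolation(f"opcode must be a name, got {opcode!r}")
        handler = getattr(self, "op_" + opcode.lower(), None)
        if handler is None:
            raise SandboxViolation(f"unknown opcode {opcode!r}")
        handler(*operands)

    def run(self, program: List[Instruction]):
        for opcode, *operands in program:
            self.dispatch(opcode, *operands)
        return self.stack[-1] if self.stack else None


def execute_untrusted(program, grants=frozenset(), runtime_checks=False) -> dict:
    """Gate and run `program` the way each design would; report what happened."""
    if not runtime_checks and not static_scan(program):
        return {"outcome": "rejected_by_scan", "opened": []}
    vm = VM(grants, runtime_checks)
    try:
        vm.run(program)
    except SandboxViolation:
        return {"outcome": "denied_at_runtime", "opened": list(vm.opened)}
    return {"outcome": "ran", "opened": list(vm.opened)}


# Constructed sample programs.
DIRECT = [("PUSH", "/etc/passwd"), ("OPEN_FILE",)]
# Same effect, but the dangerous opcode appears only as data.
REFLECTIVE = [("PUSH", "/etc/passwd"), ("PUSH", "OPEN_FILE"), ("INVOKE",)]

if __name__ == "__main__":
    print("direct, static scan:      ", execute_untrusted(DIRECT))
    print("reflective, static scan:  ", execute_untrusted(REFLECTIVE))
    print("reflective, runtime check:", execute_untrusted(REFLECTIVE, runtime_checks=True))
    print("reflective, user granted: ",
          execute_untrusted(REFLECTIVE, {"file.read"}, runtime_checks=True))
```

The direct program is caught by the scan; the reflective one sails through it and opens the file. Moving the check into the handler denies the reflective program too, and a grant (the "signed and asked for permission" case) lets it through by design. The real JVM works the second way: the library calls the SecurityManager at the point of effect, so the bugs in the news are not "the scanner missed an instruction" but trusted library code that can be steered, through reflection, into doing the privileged work on an untrusted caller's behalf.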

If they keep this up... (4, Funny)

mandark1967 (630856) | about 2 years ago | (#42628191)

Adobe is gonna get jealous.

Re:If they keep this up... (0)

Anonymous Coward | about 2 years ago | (#42628329)

Adobe is gonna get jealous.

No it's impossible. At Adobe they have real monkeys coding Acrobat and the other applications.
As much hate as Oracle gets, they still have some competent engineers left after the great Sun exodus.

Shouldn't the OS prevent the worst of the damage? (4, Interesting)

overunder (2504886) | about 2 years ago | (#42628243)

I understand how a sandbox vulnerability could lead to malware being installed on the machine. But that malware still has to then exploit an OS-level security hole, right? The reports make it out that somehow the Java vulnerability allows complete takeover of the machine. So I'm confused why the Win7, OSX, etc. access control mechanism doesn't prevent the potential damage. Or is this specifically targeting users who, for example, are logged in as admin on a Win box and have explicit approval of system changes via ACL disabled?

For cripes sake... Java Plugin != Java (5, Insightful)

diarrhea-uh-uh (1373577) | about 2 years ago | (#42628327)

So sick of these headlines. Java is fine, it's the barely-used-these-days plugin that's the problem. I expect non-techy sites to omit that detail, but come on /. For those preaching that Java should be donated to Apache, give me a break. It's at the core of all "Enterprise Applications'" tech stack. Never gonna happen, nor should it. Best solution would be to decouple the plugin from the Java install and no longer shove it down people's throats.

Re:For cripes sake... Java Plugin != Java (0)

Anonymous Coward | about 2 years ago | (#42628405)

Yes, thanks so much for this. Anybody ever heard of Tomcat? Java is still big on the server side. The plugin went out in like '99.

Oracle doesn't get security! (2, Insightful)

onyxruby (118189) | about 2 years ago | (#42628377)

I've said time and time again that Oracle doesn't get security, they just don't. They have been pulling things like this for a very long time. I never could have imagined saying this 10 years ago or so, but Oracle, you need to look at Microsoft for some pointers on handling security. Since you're probably not willing to do that, I'll spell it out for you:

When you find out about a notable security flaw you need to have a patch ready to go within 60 days.
Meaningful notification. The everyday hacks that run IT need to have reasonable notification of security flaws.
Workarounds. If you can't fix it, that's fine, but give me a workaround or I'm going to start uninstalling your product.
How does the flaw work? If you can't tell me how it works it means I have to reverse engineer it myself and this annoys me.
The difference between theoretical flaws and something that is broken beyond saving is typically 8-10 years.
The bad guys make a lot of money by counting on you dismissing security concerns.
You need to make it easier to administer updates to your products.
You need to make it easier to limit updates to your products. Why does Java 6 automatically update to 7? This is a bad, bad thing.

From a security standpoint I can't think of anything I would wish for more than the death of Java. Every chance I have to get rid of Java I put in my two cents to do exactly that.

Re:Oracle doesn't get security! (0)

Anonymous Coward | about 2 years ago | (#42628691)

I've said time and time again that Oracle doesn't get security, they just don't.

And yet, Oracle would often advertise their products as "unbreakable". I don't know why they haven't been sued for false advertising (or maybe they have and I haven't heard about it).

From a security standpoint I can't think of anything I would wish for more than the death of Java.

Java is an abomination upon the world (particularly for security). The sooner it dies the better. Even on the server-side, I haven't seen a java application that wasn't a slow bloated POS.

Documentum in the office here... (1)

erroneus (253617) | about 2 years ago | (#42628435)

... these updates and stuff are not fun.

How good would you be at 'C' right now? (1)

Anonymous Coward | about 2 years ago | (#42628513)

Java JDK Alpha and Beta (1995). So that puts y'all at about 35, right? Just about ready for the glue factory. Don't worry. They'll come for you dot net / C Sharp burnouts in the next load. Kids are out of diapers, there's some equity in your house and the wife is unhappy, right?

Must mean there is some new 6th generation, socially enabled, no programmers needed, wundercoding coming, along with a new silver bullet development methodology and magical management philosophy, going to pop out of nowhere in the next few months.

Java is not broken (5, Interesting)

zmooc (33175) | about 2 years ago | (#42628701)

The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.
