
New Java 0-Day Vulnerability Being Exploited In the Wild

Soulskill posted about a year and a half ago | from the once-more-unto-the-security-breach dept.


An anonymous reader writes "Here we go again. A new Java 0-day vulnerability is being exploited in the wild. If you use Java, you can either uninstall/disable the plugin to protect your computer or set your security settings to 'High' and attempt to avoid executing malicious applets. This latest flaw was first discovered by security firm FireEye, which says it has already been used 'to attack multiple customers.' The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed, the latest versions of Oracle's plugin."
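As an added example (not part of the Slashdot summary or of FireEye's report), here is a small C check that parses the first line of `java -version` output and flags the two plugin releases the summary names as exploitable, 1.6 Update 41 and 1.7 Update 15. It assumes the standard `java version "1.x.0_NN"` line layout. Because the summary calls those releases the latest available, the check also treats any earlier update of the same 1.6 or 1.7 line as unpatched; that inference is the example's, not the article's. It does not look at the vendor string, so an OpenJDK line carrying the same numbers is flagged too. The sample lines in `main` are constructed, not captured from a real host.

```c
#include <stdio.h>
#include <string.h>

/* Version triple extracted from a line such as:  java version "1.7.0_15" */
struct java_version {
    int major;   /* 1 */
    int minor;   /* 6 or 7 */
    int update;  /* 41, 15, ... */
};

/* Releases the summary names as exploitable in the wild. Any update number
 * at or below these on the same line is treated as unpatched (assumption:
 * these were the newest builds when the flaw was reported, so nothing
 * older can carry a fix). */
static const struct java_version AFFECTED[] = {
    { 1, 6, 41 },
    { 1, 7, 15 },
};

/* Parse the quoted version from the first line of `java -version`.
 * Returns 1 on success, 0 if the line carries no "M.m.p_UU" string. */
int parse_java_version(const char *line, struct java_version *v)
{
    const char *q = strchr(line, '"');
    int major, minor, patch, update;

    if (q == NULL)
        return 0;
    if (sscanf(q, "\"%d.%d.%d_%d\"", &major, &minor, &patch, &update) != 4)
        return 0;

    v->major = major;
    v->minor = minor;
    v->update = update;
    return 1;
}

/* 1 if this version is one the summary says is exploitable (or an older
 * update on the same 1.6/1.7 line), 0 otherwise. */
int is_affected(const struct java_version *v)
{
    size_t i;
    for (i = 0; i < sizeof AFFECTED / sizeof AFFECTED[0]; i++) {
        if (v->major == AFFECTED[i].major && v->minor == AFFECTED[i].minor
            && v->update <= AFFECTED[i].update)
            return 1;
    }
    return 0;
}

/* Classify one raw `java -version` line: 1 affected, 0 not in the affected
 * set, -1 unparseable (unknown build; treat as needing a manual look). */
int check_java_version_line(const char *line)
{
    struct java_version v;
    if (!parse_java_version(line, &v))
        return -1;
    return is_affected(&v);
}

int main(void)
{
    /* Constructed sample lines, not captured from any real host. */
    const char *samples[] = {
        "java version \"1.7.0_15\"",
        "java version \"1.6.0_41\"",
        "java version \"1.7.0_17\"",
        "openjdk version \"1.7.0_09\"",
        "bash: java: command not found",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = check_java_version_line(samples[i]);
        printf("%-32s -> %s\n", samples[i],
               r == 1 ? "AFFECTED" : r == 0 ? "not in affected set" : "unparseable");
    }
    return 0;
}
```

Feed it the first line of `java -version 2>&1` from each host in an inventory; a -1 result means the build string was not recognised and should be checked by hand rather than assumed clean.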


193 comments


JAVA - Stands For (5, Funny)

blarkon (1712194) | about a year and a half ago | (#43053807)

JAVA - Just Another Vulnerability Alert

Re:JAVA - Stands For (1)

Anonymous Coward | about a year and a half ago | (#43053881)

Friends don't let friends do "JAVA" (Just Another Viral Affliction)!

Re:JAVA - Stands For (1)

rmdingler (1955220) | about a year and a half ago | (#43053909)

Gee, Oracle's Sun language is news 'gain.

Meanwhile, Larry Ellison (2, Funny)

Anonymous Coward | about a year and a half ago | (#43053813)

...is busy colonizing Hawaii.

ORACLE (5, Funny)

Anonymous Coward | about a year and a half ago | (#43053873)

One Rich Asshole Called Larry Ellison

Re:ORACLE (1)

Anonymous Coward | about a year and a half ago | (#43053919)

One Raging Asshole Called Larry Ellison

FTFY

Time to kill Java (-1)

Anonymous Coward | about a year and a half ago | (#43053821)

When is Oracle finally going to throw in the towel with Java? They have no control over it anymore and they just can't seem to make it secure. What a joke.

Re: Time to kill Java (-1)

jadv (1437949) | about a year and a half ago | (#43054031)

I am going to fucking kill Java! I destroyed Larry Ellison before and I will do it again! (throws chair across room)

why they don't (2)

etash (1907284) | about a year and a half ago | (#43053879)

just set a team of 10-15 experienced programmers to review the code in a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat ?

p.s. I have had Java disabled in my browser for ages. The only reason I still keep it installed is because of ps3mediaserver. I wish it wasn't written in Java so I could say goodbye to Java once and forever.

Re:why they don't (0)

Anonymous Coward | about a year and a half ago | (#43054041)

just set a team of 10-15 experienced programmers to review the code in a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat ?

That would be the closed source model. ESR's motto is "given enough eyeballs, all bugs are shallow". Unfortunately, in terms of security, the bugs are shallow for the bad guys as well as the good guys. And the bad guys are better motivated.

Re:why they don't (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43054177)

just set a team of 10-15 experienced programmers to review the code in a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat ?

They've probably invested considerably more man-months into the problem than that. The problem is that such a procedure will not find all the bugs in a complicated code base. Another way of saying that is, every time you do this, you'll probably find at least one more bug, and the same thing happens when the bad guys do it. Welcome to the world of an impossible task that is nevertheless very important.

Re:why they don't (-1)

Anonymous Coward | about a year and a half ago | (#43054235)

They've probably invested considerably more man-months into the problem than that. The problem is that such a procedure will not find all the bugs in a complicated code base.

Really?

The JRE installer is 16 megabytes. That really, really isn't a big complicated code base.

The real problems are:

1. Java is a steaming pile of shit.
2. Oracle doesn't care.

Re:why they don't (2, Interesting)

hairyfeet (841228) | about a year and a half ago | (#43054649)

What sucks is after years of watching Java disappear from the consumer desktop it's fucking making a comeback, ARGH! Why is it coming back? Damned Java games like fricking Minecraft, that's why. Why oh why did the game designers suddenly decide to start using Java again? Is it because of Android? If so the person who came up with Android needs to be shot because this is a fricking nightmare! To give geeks a better understanding, imagine if after all these years suddenly IE 6 made a major comeback, wouldn't you want to scream? For the love of God it was almost dead on the desktop! /walks away muttering and sobbing/

Re:why they don't (0, Troll)

Almost-Retired (637760) | about a year and a half ago | (#43055031)

Because that would cost (gasp) money, and Larry would have to put off buying the rest of Hawaii for another 3 weeks.

Seriously, from the vantage point of having first coded in assembly back in '78 (also my age now) on an RCA 1802 MPU, one of the things I learned early on was to write a small executable that called the program piece I was working on, feeding it data up to the size of the CPU's registers, and let it run long enough that it's all been tried, without any crashing or incorrect output.

You can't do that to the whole thing where it's tied to machinery you might cause to break or injure people, but you can damned sure stick some LEDs on the output bus, both as an activity indicator and as a correctness verification. That means the guy writing the code must also be capable of picking up a soldering iron and fabricating his own test tool hardware, and I don't believe for a millisecond that a coder can call himself a coder or programmer if he can't do that. The hands MUST fit the tools IOW.

Engineering at a tv station was my paycheck for 48 years, and I have played cowboys and electrons for a living since the tail end of the 40's, quitting school to go fix tv's for cigarette money at the end of the 8th grade & still do the hot soldering iron scene but more as an aid to my hobbies, one of which is cnc controlled machining tools.

Some of the code I wrote, to run on hardware I also built, has lasted as long as the technology that required it, in 2 cases in excess of a decade, and one of those 2, the decade was after I had gone on down the road to a greener pasture. Neither ever crashed except when the battery ran down because the power failure was longer than the battery's holdup time.

Yes, dependable code seems like it's also secure, but that is achieved by testing that data for validity BEFORE using it for something so mundane as detecting when someone has gotten up from the shitter and is putting himself back together, at which point you close a switch and effectively pull the flush handle.

What is so difficult about understanding that? Just because your prof in CS101 was a pompous ass and didn't do it, I mean how dare you question MY judgement?, didn't do it, what makes you think you don't need to? I have done things in a higher level language quite a few times, but AFAIAC, that higher level language just makes it that much easier to shoot your code in its one tenuous space connected to reality, aka its foot.

My 2 cents for today.
Cheers, Gene

Re:why they don't (1)

GodfatherofSoul (174979) | about a year and a half ago | (#43055135)

Because Oracle don't give a shit about Java. They snagged Sun probably thinking they'd get Google by the balls. No doubt, the board at Sun had some hand in convincing them of that.

Surprise Surprise (-1, Troll)

Murdoch5 (1563847) | about a year and a half ago | (#43053889)

Java fails yet again, and really, who is surprised? Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wannabes use Java.

Re:Surprise Surprise (2)

bargainsale (1038112) | about a year and a half ago | (#43053915)

C is "secure" now?
Surprise, surprise indeed ...

Re:Surprise Surprise (0, Interesting)

Anonymous Coward | about a year and a half ago | (#43053935)

Sure, it's as secure as you want it to be. Java on the other hand proves time and time again to be insecure whether you want it to be or not :/

Re:Surprise Surprise (4, Insightful)

pipatron (966506) | about a year and a half ago | (#43053947)

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

Re:Surprise Surprise (1)

dkf (304284) | about a year and a half ago | (#43054069)

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

The JVM is actually written in C++. Just sayin'

Re:Surprise Surprise (2)

Billly Gates (198444) | about a year and a half ago | (#43054107)

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

OK, explain why a simple string can buffer overflow? Maybe the latest GNU C libraries have fixed that now, but damn, that is bad, as 10 years ago you could! The APIs had to be practically rewritten to watch for these, which explains why it is littered with secure versions of standard function calls.

The problem is you can't really write secure code in C unless you know assembly. My simple "give me 2 numbers and I will add them" 10 line program will not look insecure but it is underneath after being compiled (this was 13 years ago I tried this). I know Theo from OpenBSD tried making secure versions of standard ANSI C functions to prevent this. Java at least tries and manages it. I can make the same argument that Java is secure. It is only the programmers who are not, etc.

Re:Surprise Surprise (-1)

Anonymous Coward | about a year and a half ago | (#43054227)

You are stupid. That's all I can say because you're beyond help.

Re:Surprise Surprise (1)

FlyingGuy (989135) | about a year and a half ago | (#43054301)

Please show your work eg: int foo(int x,y){ return x+y};

Re:Surprise Surprise (2)

ByteSlicer (735276) | about a year and a half ago | (#43054387)

I'm pretty sure the semicolon should come before the closing curly brace...

Re:Surprise Surprise (2)

phantomfive (622387) | about a year and a half ago | (#43054557)

Strings don't overflow in C, unless you use them wrong.

And you never know, there might be a vuln in the Java string library. Unless you've audited it, I wouldn't say there isn't, since it seems there are vulnerabilities everywhere else.
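To make the "unless you use them wrong" point concrete, here is an added C example (mine, not code posted by any commenter) that puts the unbounded `strcpy()` copy behind a classic stack buffer overflow beside a bounded copy that reports truncation instead of writing past the end of the array. The buffer size and the inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed destination buffer, NUL terminator included */

/* Vulnerable form. strcpy() copies until it sees the source's NUL and knows
 * nothing about the 16-byte destination, so any input of NAME_LEN or more
 * characters writes past the end of 'name' (stack smash, undefined
 * behaviour). This is "using strings wrong": the bound lives only in the
 * caller's head. Never call it with input you have not already measured. */
void copy_name_unsafe(char name[NAME_LEN], const char *input)
{
    strcpy(name, input);
}

/* Hardened form. The copy is bounded by the destination size and the
 * result is always NUL-terminated. Returns 0 when the whole input fit,
 * -1 when it had to be truncated, so the caller can reject the request
 * instead of silently carrying on with a mangled value. */
int copy_name_safe(char name[NAME_LEN], const char *input)
{
    size_t len = strlen(input);

    if (len >= NAME_LEN) {
        memcpy(name, input, NAME_LEN - 1);
        name[NAME_LEN - 1] = '\0';
        return -1;
    }
    memcpy(name, input, len + 1);   /* includes the terminator */
    return 0;
}

/* Pre-check usable in front of any fixed-size copy: 1 if 'input' fits in a
 * buffer of 'cap' bytes including its NUL, 0 otherwise. */
int fits_in_buffer(const char *input, size_t cap)
{
    return strlen(input) < cap;
}

int main(void)
{
    /* Constructed inputs: one that fits and one that does not. */
    const char *ok  = "alice";
    const char *big = "this name is much too long for the buffer";
    char name[NAME_LEN];

    copy_name_unsafe(name, ok);                 /* safe only because ok fits */
    printf("unsafe copy of short input: \"%s\"\n", name);

    printf("long input fits? %d\n", fits_in_buffer(big, NAME_LEN));
    /* copy_name_unsafe(name, big) would overflow here; never do that. */

    if (copy_name_safe(name, big) < 0)
        printf("bounded copy truncated to: \"%s\"\n", name);
    return 0;
}
```

The point of returning -1 rather than quietly truncating is that truncation is itself a bug class (a path or username cut short can pass a later check it should fail); the caller decides what to do with an oversized value, but it never gets to overwrite the stack.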

Re:Surprise Surprise (1)

CODiNE (27417) | about a year and a half ago | (#43054369)

You know that just tells me that javac isn't self-hosting and they never bothered to bootstrap their own compiler. I wouldn't blame C for that.

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054393)

C is neither secure nor insecure. Well, it's secure just like a hammer is secure (if you're building a house).

Re:Surprise Surprise (1, Insightful)

Murdoch5 (1563847) | about a year and a half ago | (#43053961)

Just to quote the EXCELLENT comment below, it really is the most true statement I've heard in a while.

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

Re:Surprise Surprise (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43054283)

> Yes, C is secure.

The comment is nonsensical. Security is about vectors. The language itself is really not "secure" because it has to operate within an environment. By integration, it's no more or less secure than the environment AND the program the language was used to write. You really don't understand the implications of the discussion if you think that comment was "excellent".

Re:Surprise Surprise (0)

etash (1907284) | about a year and a half ago | (#43053923)

You must be trolling or you are clueless. C is secure? You guys serious?

Re:Surprise Surprise (1)

amiga3D (567632) | about a year and a half ago | (#43053949)

He probably means that you actually have to have a little knowledge to exploit C while Java is just one big sieve.

Re:Surprise Surprise (3, Insightful)

putaro (235078) | about a year and a half ago | (#43054003)

Well, then you would both be wrong. C doesn't have a security model to exploit. The security model for loading untrusted code into your C application is "Don't do that", which isn't such a bad idea, really. However, if you remove the stupid idea of trying to run untrusted code in a sandbox within your application, Java is quite secure, which is why people write server code in Java. No buffer overflows to start with (a classic exploit of server code written in C).

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054429)

Your java code is almost certainly running in a jvm written in c or c++, running on an OS written almost exclusively in c. Buffer overflows are caused by poor code, they are not forced by the language.

Re:Surprise Surprise (4, Informative)

DarkOx (621550) | about a year and a half ago | (#43054255)

I would say discussion of whether a Turing-complete language is secure or not is off base. You can express any computable algorithm, and if you get it wrong it may or may not behave in undesired ways when presented with input you did not anticipate.

Now if you want to discuss whether interpreters (byte code or otherwise) that enforce certain memory management contracts, so you don't have to express them as part of your program, ultimately offer better security or just move the problems, that might be a valid topic.

Java is not insecure; security is not even an attribute you could put a value on with regard to Java. The browser plugins that ship with the most popular interpreter and runtime implementation might be insecure. There may be bugs in the interpreter where it does not properly enforce contracts, making otherwise correct programs under it vulnerable. One little mistake in a C/C++ program might result in the same thing though. The traditional argument is what's more likely to result in the best outcome: every programmer out there writes good code, or a team of skilled programmers writes a universal memory manager and set of libraries that are solid so other programmers don't have to get some of that hard stuff right?

I guess the issue is we are finding out more often than not even teams of very skilled developers are bound to slip here and there with something as large and complex as the Java runtime.

Re:Surprise Surprise (3, Insightful)

cbreak (1575875) | about a year and a half ago | (#43054483)

No, honestly, writing evil code in C is easy. You can open files without restrictions, modify them without restrictions, and so on, all with the power of the running user. Executing untrusted C code is NOT SECURE.

Re:Surprise Surprise (0)

hairyfeet (841228) | about a year and a half ago | (#43054787)

And sadly this means I have to defend Oracle even though I think Larry is a douchebag... whose fault is that? The answer is NOT Oracle, it is SUN that is to blame! Let's face it, Sun never did release decent programs, just look at how long it's taking the ODF to modularize LibreOffice and clean out the cruft.

Now if you want to blame Oracle for not shitcanning a good chunk of Java and starting over? that I might agree with you about but even then it would take time to come up with new code that would allow the JVM to run older programs written for it without having the gaping security issues but considering how buggy Java was under Sun I really don't think oracle deserves the blame here, they just got the mess when they bought the company, like buying a piece of property only to find out it was built on a garbage dump.

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43053963)

Nowhere near as secure as Assembler

Re:Surprise Surprise (-1, Troll)

Murdoch5 (1563847) | about a year and a half ago | (#43054001)

In C you can write secure code, in Java you can only write exploitable code. Even trying to write secure Java is a joke, every step of the way there are major issues leading to insecurities. C on the other hand gives you as much control as you want; if you want to write an insecure program, do it, if you know how to program properly and securely then you can do that too.

Re:Surprise Surprise (4, Insightful)

egr (932620) | about a year and a half ago | (#43054023)

I think what he means is that C security is solely dependent on your code, while Java security is dependent on JVM security in addition to your code security. And the developer has no control over JVM security.

Re:Surprise Surprise (3, Insightful)

gtall (79522) | about a year and a half ago | (#43054815)

And who writes their whole program using just their own code? We have massive C libraries because we cannot reinvent the wheel every time. And it isn't possible to exhaustively check the code in those libraries due to time constraints and sheer complexity.

Re:Surprise Surprise (1)

egr (932620) | about a year and a half ago | (#43054901)

I totally agree with it. Using plain C does not solve anything, does not make life easier, and does not provide anything to replace for example Java applet functionality.

Re:Surprise Surprise (4, Insightful)

cbreak (1575875) | about a year and a half ago | (#43053939)

Executing random C code from somewhere on the net in a Browser is even dumber than doing the same with Java. Java at least has a security model, even if it's broken anew every week, and has more holes than a sieve. C on the other hand has nothing. It really is more or less like a portable Assembly Language as it was developed for.

Re:Surprise Surprise (0)

Murdoch5 (1563847) | about a year and a half ago | (#43054005)

I agree, but I'm a little confused if you're agreeing or disagreeing with me. C gives you the power to do what you want, Java on the other hand assumes.

Re:Surprise Surprise (2)

dkf (304284) | about a year and a half ago | (#43054171)

I agree, but I'm a little confused if you're agreeing or disagreeing with me. C gives you the power to do what you want, Java on the other hand assumes.

He's not exactly disagreeing or agreeing with you, as you're so thoroughly confused that you manage to say things that aren't cleanly true or false.

C has no security model. At all. This lets you write things that are totally unsafe. For example, you couldn't have browser exploits with either Flash or Java or any other plugin if it wasn't for the NPAPI [wikipedia.org] , which is a C interface! O! M! G!

Java does have a security model; it tries to segregate untrusted code away from trusted code and ensure that the untrusted code can only do very limited operations. This is hard to get right. (Doubly hard when you've got the plugin glue code in the mix; that just makes everything much more complex.) For most applications, this actually doesn't matter very much as they don't load code from untrusted sources at all; Java is doing just great at powering web application servers, and there are some wonderful libraries to help with this. Browser plugins though are a different beast; their whole point is to load untrusted code and execute it, and any mistake is a problem.

Right now, I recommend disabling the Java plugin in all browsers that you use, or even better removing the plugin entirely. If you must have it enabled (for some horrible corporate web application) then only turn it on when strictly necessary. As a bonus, you won't have to suffer from nasty slow Java-implemented ads. (That was why I originally turned it off in my systems; being defended against hacking was a side benefit.) Also, Java tends to look like ass in a browser these days.

Re:Surprise Surprise (-1)

Murdoch5 (1563847) | about a year and a half ago | (#43054305)

A language shouldn't have a security model, at least in my opinion it shouldn't. The security model should be the programmer; they're entitled to make a program as secure or insecure as they like. I know a lot of programmers, books, industry professionals, engineers and housewives are going to disagree with me but I don't care.

If you were a tightrope walker and trusted that someone hung a net under the rope, then what happens the one time you fall and the net isn't there or malfunctions? Who do you blame and who is left looking like an idiot? Well, the answer is the tightrope walker, because he trusted someone else to protect him. Programming should work the same way: don't trust that just because a net should be there it is, and don't trust that just because a net should work it will. Believe everything can fail and write accordingly; there is nothing more foolish than seeing an exploit in a language or system which is caused because a net should have been there. I see it a lot and it makes the programmer look like a child.

Take responsibility for what you work on, put the net up yourself and check it. That way when you fall you should be fine, and at least if the net does give out you know exactly why and can jump in and fix it before it's a huge issue. This to me is the difference between languages like C and Java: in Java you trust your assistant to have the net set up and ready, in C you better fucking rig that net yourself because it's a long way to the ground. You only have to fall once in C to learn that trusting anyone is a bad idea.

Re:Surprise Surprise (-1, Flamebait)

Anonymous Coward | about a year and a half ago | (#43054391)

God. You are missing the point entirely. How fucking stupid are you? The JVM security model is because I don't trust YOUR code not to fuck up everything. This isn't a case of writing code that does something bad by accident. This is a case of a user running malicious code and the malicious code executing, you stupid twat. If I wrote a C program that installs a key logger and your dumb ass was stupid enough to run it, it installs. Java's security model is designed to try to make sure it doesn't install, or is limited to that one Java app. It's not a crutch for the programmer, it's an attempt to let an end user do something without having to hand verify every goddamn app on the planet.

Fuck. Ignorance like yours is inexcusable.

Re:Surprise Surprise (-1)

Anonymous Coward | about a year and a half ago | (#43055041)

No, it Just Doesn't Work(tm). The premise that the you can constrain abusive or malicious code inside the JVM is, itself, flawed and always hasn't. And we are never going to *catch up* with all the Java vulnerabilities because it's being used to provide "enhanced features" which have no business running locally without actually getting explicit permission, rather than being a ubiquitous and generally permitted behavior for web applications.

Think I'm kidding? Take a good look at the Java based remote console software built into IP based KVMs. It's all Java based VNC under the hood, and it should have been an X server. But *no-o-o-o*, the authors of VNC thought they could be smarter than the authors of X and stuff it in a pointless Java wrapper to "enhance" it. The result is complete craziness.

Re:Surprise Surprise (1)

AmiMoJo (196126) | about a year and a half ago | (#43054633)

All the major browsers have click-to-play for plug-ins now, so even if you have it installed you should be safe from drive-by infections if you have it enabled.

Actually I don't know if IE10 supports click-to-play, but surfing the net with IE is like licking the toilet seat down the pub - inadvisable at best.

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43053943)

Oh the hipsters have long moved to python. To quote CERN "Thanks to python we're no longer IO bound"

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43053991)

Dude, Python was like eight years ago. Then it was RoR and then Scala. Don't know about today.... Go maybe.

It's like nightclubs in the big city. The place to be seen is always going to change every few years.

Re:Surprise Surprise (1)

History's Coming To (1059484) | about a year and a half ago | (#43054495)

These days it's about using as many different languages as possible, ideally in the wrong place. Big desktop application? JavaScript hosted on a remote server sounds ideal! Website to display a list of your mobile phone apps? Show off your 1337 Java skillz by making the whole thing a plugin! A quick script to verify the format of an email address? To the Assembler!

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43053951)

Java fails yet again, and really, who is surprised? Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wannabes use Java.

What do you think the JVM is written in?

Yeah, C and probably C++.

Grow a brain, you twerp.

Re:Surprise Surprise (1)

catchblue22 (1004569) | about a year and a half ago | (#43054145)

Java fails yet again, and really, who is surprised? Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wannabes use Java.

What do you think the JVM is written in?

Yeah, C and probably C++.

Grow a brain, you twerp.

I've heard it argued that Java is insecure because too much of it is written in C++, poor quality code no doubt. It would have been more secure if a core of commands was written in C++, and the rest was written in Java. Then, more effort could be put into making the core secure.

Re:Surprise Surprise (1)

mt1955 (698912) | about a year and a half ago | (#43054385)

It is a poor worker who blames his tools. The language is not the problem, it is what you do with it but still...

YOUR PROGRAMMING TASK: To shoot yourself in the foot.

C: You shoot yourself in the foot.

C++: You accidentally create a dozen instances of yourself and shoot them all in the foot. Providing emergency medical assistance is impossible since you can't tell which are bitwise copies and which are just pointing at others and saying, "That's me, over there."

Perl: You grep through a list of your body parts, shooting the bits that look like feet. On the first try, you don't shoot anything, and realize that you're matching hashrefs instead of scalars. On the second try, you shoot off your big toe instead of the whole foot (shouldn't have used greedy matching in the regex). Finally, you shoot yourself in the foot, generalize your code to allow it to shoot anyone anywhere, and post it on CPAN as SUICIDE::LITE.

Python: You want to shoot the toes off your foot. You ask your foot to tell you about all of your toes, but to please pause for a while after each one so you can shoot it. After you shoot, your foot begins where it left off.

FORTRAN: You shoot yourself in each toe, iteratively, until you run out of toes, then you read in the next foot and repeat. If you run out of bullets, you continue with the attempts to shoot anyways because you have no exception-handling capability.

Pascal: The compiler won't let you shoot yourself in the foot.

Ada: After correctly packing your foot, you attempt to concurrently load the gun, pull the trigger, scream, and shoot yourself in the foot. When you try, however, you discover you can't because your foot is of the wrong type.

COBOL: Using a COLT 45 HANDGUN, AIM gun at LEG.FOOT, THEN place ARM.HAND.FINGER on HANDGUN.TRIGGER and SQUEEZE. THEN return HANDGUN to HOLSTER. CHECK whether shoelace needs to be re-tied.

LISP: You shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds...

FORTH: Foot in yourself shoot.

BASIC: Shoot yourself in the foot with a water pistol. On large systems, continue until entire lower body is waterlogged.

Java: You find that Microsoft and Oracle have released incompatible class libraries both implementing Gun objects. You then find that although there are plenty of feet objects implemented in the past, you cannot get access to one. But seeing as Java is so cool, you don't care and go around shooting anything else you can find.

Re:Surprise Surprise (4, Interesting)

erroneus (253617) | about a year and a half ago | (#43053979)

I think the people exploiting Java have a LONG list of vulnerabilities in queue. With each update of Java, fixing the last known holes, they just update their exploit code to utilize the next vulnerability in their queue. This could go on for a long, long time.

And where I work, we have to use Documentum Webtop which requires Java. Now they have us pushing Java updates all the time.

Oracle needs to pay out a bounty for Java vulnerabilities to collect as many as possible so the next fix(es) will be better.

Re:Surprise Surprise (0)

Murdoch5 (1563847) | about a year and a half ago | (#43054025)

Nice post :-)

Re:Surprise Surprise (2)

AmiMoJo (196126) | about a year and a half ago | (#43054703)

It's a shame there isn't a really good open source alternative to Oracle's JVM that people could switch to. At least with the endless stream of Adobe Reader vulnerabilities you can just switch to Sumatra PDF or one of the many other free viewer applications.

As far as I can tell most of the free JVMs are either abandoned or don't run on Windows.

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054801)

Because the HotSpot JVM is the BEST virtual machine currently in existence. Period. And no, these vulnerabilities have nothing to do with it.

Stop spreading bullshit.

Re:Surprise Surprise (1)

bill_mcgonigle (4333) | about a year and a half ago | (#43055137)

The JVM might be wonderful but, empirically, the browser plugin is a pile of junk, at least in terms of code quality.

Could somebody, e.g. Apache, incubate a project to replace the Oracle Java web plugin? I don't use Windows but imagine if each company was willing to pay $2/user/year for a better plugin for their mission critical apps. The IcedTea plugin on Linux seems to be in a decent state these days, after quite a rough start - perhaps it could be a basis for a new Windows Java plugin.

Re:Surprise Surprise (4, Insightful)

putaro (235078) | about a year and a half ago | (#43053989)

Unfortunately there is no "stupid" moderation. The issue is the Java sandbox, which has the goal of letting you run untrusted code (e.g. applets) on your system without any worries. Unfortunately the attack surface of the sandbox is huge because there are so many different APIs that are usable, and all it takes is a bug in one of them to give you an exploit.

Turn off Java in your browser and you'll be a happy camper. Stop spreading FUD. The Linux kernel still has exploits (http://www.zdnet.com/linux-kernel-exploit-gets-patched-7000011844/).

Oh, and I spent 10 years as a kernel developer in C and another 10 years as a Java developer so I guess I'm a Real Hipster Programmer.

Re:Surprise Surprise (-1)

Murdoch5 (1563847) | about a year and a half ago | (#43054083)

Okay granted not every Java programmer is a hipster, I will take that back, just most Java programmers I know are complete fools who have no clue about secure programming. I never mentioned the Linux kernel being non-exploitable, but if it was written in Java it would be much more exploitable. A good language should NEVER apply safety's for the programmer, it should never perform memory cleaning for you and it should never manage your code. All of these things are really annoying features of Java. If I write a program I want to know it's secure because I took the time to make it secure, I don't want the language to have holes because somewhere in the model it's broken.

So I'll admit you're probably not a hipster, that wasn't fair to say, but in the end I just find a good C programmer an invaluable addition to a team over any Java programmer.

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054299)

> A good language should NEVER apply safety's for the programmer

Yeah, fuck type systems!
Every comment you make is a joke. I laugh.

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054395)

A good language should NEVER apply safety's for the programmer, It should never preform memory cleaning for you and it should never manage your code.

Fuck you. Not all of us want to spend the time rigging nets, managing memory and the like. Some of us just want to get shit done and not reinvent the wheel every time. Most of us aren't writing drivers or embedded code. A language being good is dependent on the domain and the needs of the programmer. C is good for what it was intended for, which is systems programming. It's not so good for a lot of other kinds of programming.

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054509)

Most of us aren't writing drivers or embedded code.

You're doin' it wrong, brother.

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054407)

A good language should NEVER apply safety's for the programmer, It should never preform memory cleaning for you and it should never manage your code.

Safey's what? You put an apostrophe before the "s", so surely it must be a possessive... but safety's what?

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054615)

Hot Dog - a return to the good old days!!!
I remember when, wayyy back when, the argument against C was that when using machine code (pdp/11 | vax11/780 in my case) the programmer was responsible for all of those tasks that C worked to solve and the machine code programmes were better for it.
HA HA HA - ROTFLMAO wiping tears from my senile old eyes!

Re:Surprise Surprise (1)

dkf (304284) | about a year and a half ago | (#43054181)

Turn off Java in your browser and you'll be a happy camper.

It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.

Re:Surprise Surprise (1)

Curupira (1899458) | about a year and a half ago | (#43054793)

It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.

After this horrible sequence of 0-day exploits, I've finally disabled the Java plugin in ALL my browsers. There you are, instructions [ibm.com] for removal of the Sun (or IBM) Java browser plugin on Windows, without removing the JRE. :)

Re:Surprise Surprise (1)

geekmux (1040042) | about a year and a half ago | (#43054065)

Java fails yet again, and really who is surprised. Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wannabes use Java.

The only failure I see here is your rather ignorant attitude that every language cannot be made just as vulnerable in the hands of the inexperienced.

Re:Surprise Surprise (2)

craznar (710808) | about a year and a half ago | (#43054419)

The main difference between C and Java is that in C you code the bugs personally - in Java, that functionality is baked into the JVM.

Comes down to whose programmers you trust more - your own, or Oracle's?

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054525)

The main difference between C and Java is that in C you code the bugs personally - in Java, that functionality is baked into the JVM.

Comes down to whose programmers you trust more - your own, or Oracle's?

What happens if your C program uses external libraries? Can you GUARANTEE that they don't do something nefarious? Unless your programming stops at hello-world-complexity programs, you're going to have vulnerabilities whether you want them or not. The JVM is a C++ program and it has vulnerabilities.
So in the end languages that enforce a security model are good. Unfortunately for us, neither C nor C++ do. They are archaic languages that still do damage to this day. And to be clear I'm not a Java programmer, but to say that C or C++ are safe languages is pure idiocy.

Re:Surprise Surprise (0)

Anonymous Coward | about a year and a half ago | (#43054859)

Okay, now I am really pissed off.

Just compare the number of exploits ever discovered for a given time period for Apache HTTP Server or Apache Tomcat. It seems to me that there are fewer exploits baked into the JVM than people put personally in their C code.

Sheesh, I love C, love Assembly, even Verilog, and I love the JVM (various languages), but I hate these one-bit idiots like you.

Is it just me ... (0)

Anonymous Coward | about a year and a half ago | (#43053921)

.. or have all these exploits come about following on from the Oracle takeover of Sun?

Coincidence? Or has Java always had these problems. I don't remember them occurring five years ago.

Re:Is it just me ... (2)

erroneus (253617) | about a year and a half ago | (#43054089)

A few things are different:

1. People dislike Oracle as a company
2. The purposes/reasons for exploiting have shifted significantly
3. Sun was likely more friendly to people presenting information about bugs to be fixed.

Why in the news so often lately? (0)

Anonymous Coward | about a year and a half ago | (#43053955)

So why has Java been in the news so much lately with vulnerabilities? I don't remember this being as big a deal 10 years ago when Java applets were a "thing" on the web, so why now all of a sudden? Has Oracle done something to screw the pooch on security, or has some sort of tipping point of interest in Java exploit research been reached?

Re:Why in the news so often lately? (1)

aahzmandius (52806) | about a year and a half ago | (#43053985)

The tipping point is the many, many, many devices that probably aren't running other anti-virus (smartphones and tablets).

Re:Why in the news so often lately? (0)

Anonymous Coward | about a year and a half ago | (#43054201)

No it isn't. Smartphones and Tablets don't support java anyways. Android can only run special java code, it doesn't run random java applets from the web. Neither does iOS. The tipping point was when Apple and Facebook got hacked through Java. They made a big deal about it.

Re:Why in the news so often lately? (3, Insightful)

hairyfeet (841228) | about a year and a half ago | (#43054673)

Nope, it's the damned games. Minecraft and Pogo and a shitload of other damned Java games have been released and become REAL popular, which means a shitload of Java installs that can be pwned. It's a damned shame, I saw Java practically disappear from the non-corporate desktop only to see Java all over the damned place now.

Iced-Tea affected? (0)

Anonymous Coward | about a year and a half ago | (#43054059)

Does this affect the IcedTea Java plugins too?

Anybody else read the headline and think ... (0)

Anonymous Coward | about a year and a half ago | (#43054101)

"Mutual of Omaha's Wild Security Exploits"?

With a gray haired host that will have "Jim" go out and tackle these security beasts with his bare hands ... on his keyboard?

Nevermind.

Yeah, I'm old.

No, go ahead and stay on my lawn.

Boohoooooo (1)

Fuzzums (250400) | about a year and a half ago | (#43054103)

And how frelling dare anyone out there make fun of Java after all she's been through!
Leave Java Alone!
Please...

And this matters ... (1)

stevez67 (2374822) | about a year and a half ago | (#43054109)

N.O.T. All software has vulnerabilities. No system is safe from hacking and attack, especially spear-phishing. So, it's news every time some dipswitch downloads pr0n and gets infected? Or opens an unsolicited email attachment and installs malware? Please ... post something that's actually news and stop the "bashing every company just because" merry-go-round. Who's next to be bashed incessantly?

Firefox and Android not vulnerable (1)

Anonymous Coward | about a year and a half ago | (#43054111)

Firefox now turns off the plug-in and you have to enable it when you visit a site that uses it. Each time BTW, it asks me every site, every time I open the browser.

Android doesn't permit Java in webpages at all, even though it uses Dalvik itself (a Java engine) internally.

In the wild (1)

arnodf (1310501) | about a year and a half ago | (#43054115)

In the wild, is that the same as in cyberspace?

Why does this VM have so many vulnerabilities? (1)

Anonymous Coward | about a year and a half ago | (#43054151)

I'm not a Java developer, but I do have a strong interest in engineering and reliability, and the reason for all these Java faults puzzles me. Could an experienced Java developer please explain (or at least suggest) why this particular virtual machine has suffered so many vulnerabilities?

In principle, a virtual machine is just the implementation of a specific FSM, very tightly constrained and therefore fairly easy to program for total correctness, unlike most other applications. Such correctness has clearly eluded the JVM. How come?

Re:Why does this VM have so many vulnerabilities? (1)

Wookie Monster (605020) | about a year and a half ago | (#43054239)

Primary reason: Punching holes in the security sandbox. A lot of the code in the JVM itself needs to grant itself "privileged access", but upon doing so it may have accidentally done so for user code as well. This is the greatest flaw in the Java security architecture, not because it doesn't work, but because it's hard to use correctly.

Re:Why does this VM have so many vulnerabilities? (5, Interesting)

Tobia Conforto (2818827) | about a year and a half ago | (#43054329)

AFAIK all these issues are not in the VM.

The JVM has been stable for many years and is the foundation of countless information systems: websites, money exchange, traffic control, you name it they all run server-side software on the JVM, which by itself is rock-solid.

The issue is with the "sandboxing" feature of the Java browser plugin. The plugin was engineered to allow executing arbitrary, untrusted JVM bytecode, which would include outward calls to Java's extensive standard library, while still preserving some high-level definition of isolation between the untrusted code and the host OS. Given that Java's standard library is full of classes that do very insecure things by design (including running native code, opening network sockets, and so forth) this security model has proven to be a complete nightmare. They will keep finding sandbox-related bugs in the Java standard library for as long as it exists.

Oracle should do one of these things:

  • – just dismiss the damned plugin altogether, or
  • – severely restrict it to running signed code or some other kind of host-based whitelist, for the few companies that still need it, or
  • – write a new standard library from scratch that does not include any unsafe code.
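The mechanism Wookie Monster and Tobia describe above (trusted library code asserting privilege around an operation whose target the untrusted caller chooses) can be shown in a few dozen lines. This is an added example, not code from the thread or from Oracle; the class and method names (SandboxHole, LeakyHelper, SafeHelper, runSandboxed) are hypothetical, and no particular Oracle bug is reproduced. It assumes a JDK on which the SecurityManager still works: 8 to 17 as-is, 18 to 23 only with `-Djava.security.manager=allow`, and not at all from 24 on.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/** Hypothetical demo of "punching a hole" in the Java sandbox (not Oracle code). */
public class SandboxHole {

    static String readUtf8(Path p) {
        try { return new String(Files.readAllBytes(p), StandardCharsets.UTF_8); }
        catch (IOException e) { throw new IllegalStateException(e); }
    }

    /** Trusted helper written the dangerous way: doPrivileged() stops the stack
     *  walk here, so only LeakyHelper's own (fully trusted) domain is checked and
     *  the sandboxed caller's lack of permissions is never consulted. */
    static final class LeakyHelper {
        static String readFile(String path) {
            return AccessController.doPrivileged((PrivilegedAction<String>) () -> readUtf8(Paths.get(path)));
        }
    }

    /** Same helper written the safe way: ask, in the caller's own context,
     *  whether the caller may read this path before asserting any privilege. */
    static final class SafeHelper {
        static String readFile(String path) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) sm.checkRead(path);   // evaluated against the untrusted caller
            return LeakyHelper.readFile(path);    // privilege only after the check
        }
    }

    /** Run a callable with no permissions at all, the way the plugin ran applet
     *  bytecode: a static ProtectionDomain with an empty permission set. */
    static <T> T runSandboxed(PrivilegedAction<T> untrusted) {
        ProtectionDomain noPerms = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), new Permissions());
        AccessControlContext sandbox = new AccessControlContext(new ProtectionDomain[] { noPerms });
        return AccessController.doPrivileged(untrusted, sandbox);
    }

    public static void main(String[] args) throws IOException {
        // Trusted side: grant application code everything, so the only restriction
        // in play is the sandbox context built above.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        Path secret = Files.createTempFile("secret", ".txt");   // constructed sample target
        Files.write(secret, "top secret".getBytes(StandardCharsets.UTF_8));
        String target = secret.toString();

        // 1. The sandbox itself holds: a direct read from untrusted code is refused.
        try {
            runSandboxed(() -> readUtf8(secret));
            System.out.println("direct read: ALLOWED (unexpected)");
        } catch (AccessControlException e) {
            System.out.println("direct read: denied, " + e.getPermission());
        }

        // 2. The leaky helper hands the sandboxed code the file anyway.
        String leaked = runSandboxed(() -> LeakyHelper.readFile(target));
        System.out.println("via LeakyHelper: \"" + leaked + "\"  <- sandbox escaped");

        // 3. The checked helper refuses, because checkRead ran in the caller's context.
        try {
            runSandboxed(() -> SafeHelper.readFile(target));
            System.out.println("via SafeHelper: ALLOWED (unexpected)");
        } catch (AccessControlException e) {
            System.out.println("via SafeHelper: denied, " + e.getPermission());
        }
        Files.delete(secret);
    }
}
```

Compile and run with `javac SandboxHole.java && java SandboxHole` (add `-Djava.security.manager=allow` on JDK 18 to 23). Calls 1 and 3 end in an AccessControlException carrying the FilePermission that was refused; call 2 returns the file contents, because the privileged block in LeakyHelper is reachable from sandboxed code with a caller-chosen path. Every "open a class by name", "load a native library" or "create a socket" helper in the standard library that follows the LeakyHelper shape is one such hole, which is why the thread's claim that these bugs will keep appearing in the library rather than in the VM proper holds up.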

Re:Why does this VM have so many vulnerabilities? (2)

gtall (79522) | about a year and a half ago | (#43054861)

Oracle cannot dismiss the damned plugin altogether, they have too much that relies on it, Oracle Forms for one. I'm unsure how that relates to their databases. Are they storing mobile code in their databases for use in their OF crap? OF seems particularly brain dead and I wouldn't mind them blowing it away and replacing it with native apps...but then they'd probably only produce them for MS's rinky-dink OS or Linux which doesn't have much use on the desktop.

Re:Why does this VM have so many vulnerabilities? (0)

Anonymous Coward | about a year and a half ago | (#43054893)

> Oracle cannot dismiss the damned plugin altogether

They can and they should.

Re:Why does this VM have so many vulnerabilities? (0)

Anonymous Coward | about a year and a half ago | (#43054361)

Thank you, Wookie and Tobia. Very informative answers.

It seems then that the Java sandbox, while sounding plausible on paper, in practice cannot deliver what it seemed to promise.

Security by wishful thinking?

Exploit (0)

Anonymous Coward | about a year and a half ago | (#43054169)

Apparently it requires browsing as an administrator to exploit this leak.
Just don't do that.

Also it is always a good idea to block execution of programs from user-writable directories, using AppLocker or Software Restriction policies.

Re:Exploit (1)

hairyfeet (841228) | about a year and a half ago | (#43054731)

Or if you are on Vista or better just use any of the Chromium-based browsers or IE, as those automatically run in low rights mode and not as administrator. Why oh why Mozilla can't support low rights mode when it's over 6 years old now is beyond me, but the fact that FF runs with the same privilege as the user while the Chromium browsers don't was enough for me to replace Firefox with Comodo Dragon on all my installs; you should always use least privilege and FF just won't do that. Ironically the only "how to" on using LRM with FF actually undermines LRM until it's worthless, so if you use Java don't use Firefox, use Chrome, Dragon, SWIron; any of the Chromium-based ones will give you better security.

Typical of any Oracle Product (0)

Anonymous Coward | about a year and a half ago | (#43054175)

What do you expect from a bunch of idiots that spend all of their time supporting ONE product - their DB, and it's one that is going down in its ability to do what it is supposed to do. Most customers are moving to Open Source products since they are just better... I have Java totally disabled - it was once a great language, now it's just crap... Simple...

oracle (0)

Anonymous Coward | about a year and a half ago | (#43054185)

It happened after Oracle took over Java. These big companies just can't understand the product. They just have money to buy it and kill it.

Why is it time to kill java ? (0)

burni2 (1643061) | about a year and a half ago | (#43054215)

Because badly written & maintained software should cease to exist.

Guys you are really funny, I hope all complaining now - and demanding the death of Java - have used Linux or FreeBSD when we had Windows-Open-For-Everyone-Alert-Weeks.

MS Blaster - recalling? Anyone?!

When you put those arguments in the right perspective the "funny people above me" should have stopped using Windows along with sendmail ;) and Linux, yes, there were some local privilege exploits, and unboxing the Java sandbox is nothing else, because if you use the right browser (Opera) or add-on (AdBlock) then these Java applets aren't executed without your express will (click+unblock).

Yes, software is - if no quality assurance is applied / also a quality-aware developer counts - unsafe by default because of the complexity and the human factor, usage of many third party libs, time pressure.

But what I see in the last years is that I suspect Oracle of not applying a quality regime, and supplying Java with adware (yes, Google Chrome or whatever is adware when it is installed without the consent of the user).

"Kill Flash, Kill Java, HTML5 the new king"

Have you ever imagined what killing flash and those applet feature boxes means ?

The predominant inability to use ad blockers, because when a site heavily relies on javascript/html5, filtering proxies need time to catch up.
And when you filter all script tags, interwoven JS apps can stop working and cripple your browsing experience. I hunt for ads, 1px images, popups a.s.o. with Privoxy and it gets harder to cope with javascript/html5 because your website isn't that modular anymore, it's interwoven. To be more specific, if you HTTP/GET a website, this isn't the website that will be displayed to you because of ajax (server side) and dynamic on-the-fly html generation on the other side.

Also selective activation/allowing a js/html5 applet to use certain features of your browser (sound/storage/new window) is partly unrestricted.

Flash isn't. You can select not loading an applet! Instead of "please delete line 10 of the javascript tag .. oh well, this kills the dropdown menus necessary to navigate the site."

Flash did a great job and I am sure many Flash haters have used YouTube without an additional movie downloader (jdownloader).

Btw.
Yes, this is flamebait on flamers flaming flamingos!

Here we go (1)

Anonymous Coward | about a year and a half ago | (#43054275)

For fuck's sake, can people please specify that the APPLET has vulnerabilities?

Yes, JAVA is lame and should die (0)

Anonymous Coward | about a year and a half ago | (#43054315)

But these things aren't its fault. This is a problem of bad OS design. It is they that should be patched, or better, redesigned from scratch.

Security Setting (0)

Anonymous Coward | about a year and a half ago | (#43055033)

The security setting for Java defaults to High anyway. You would have to either A) change your security settings specifically lower or B) specifically allow an untrusted applet to run for this to (sometimes) work. I'm starting to get tired of the anti-Java FUD, there are vulnerabilities [infoworld.com] found [infoworld.com] all the time in other [securiteam.com] languages/frameworks [drupal.org], how come all we seem to hear about is lame Java applet sandboxing issues?

Re:Security Setting (1)

gnomff (2740801) | about a year and a half ago | (#43055057)

The security setting for Java defaults to High anyway. You would have to either A) change your security settings specifically lower or B) specifically allow an untrusted applet to run for this to (sometimes) work. I'm starting to get tired of the anti-Java FUD, there are vulnerabilities [infoworld.com] found [infoworld.com] all the time in other [securiteam.com] languages/frameworks [drupal.org], how come all we seem to hear about is lame Java applet sandboxing issues?

Didn't realize I wasn't logged in when I made that post

Enough (1)

zieroh (307208) | about a year and a half ago | (#43055171)

That's it. I'm done with Java. For good.
