Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Cross-Platform Java Sandbox Exploit

timothy posted more than 9 years ago | from the suck dept.

Security 382

DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.

cancel ×

382 comments

Sorry! There are no comments related to the filter you selected.

Makes me wonder... (0, Troll)

Thaidog (235587) | more than 9 years ago | (#10908277)

...If java is really just as bad as ActiveX

Re:Makes me wonder... (1, Troll)

Ctrl-Z (28806) | more than 9 years ago | (#10908289)

... Or worse since it runs on more than just Windows.

Re:Makes me wonder... (4, Informative)

I confirm I'm not a (720413) | more than 9 years ago | (#10908304)

...Or better, since Java runs in a (relatively) secure sandbox. It's worth noting, from the article [silicon.com] , that there hasn't to date been a single Java virus. This is bad, but it has to get a lot worse before comparison with ActiveX is warranted.

Re:Makes me wonder... (1)

JustOK (667959) | more than 9 years ago | (#10908379)

hasn't to date been a single Java virus.
...that we know about...

Re:Makes me wonder... (3, Insightful)

I confirm I'm not a (720413) | more than 9 years ago | (#10908415)

> > hasn't to date been a single Java virus.
> ...that we know about...

True, and it's worth noting that the quote I offered above came from Jonathon Schwarz, who - just possibly - might be biased. I'm still inclined to trust a platform with no visible viruses than platforms with very obvious viruses. Put another way, I'm in no hurry to locate a browser that supports ActiveX.

Re:Makes me wonder... (1, Interesting)

Anonymous Coward | more than 9 years ago | (#10908291)

Correct. Except ActiveX cannot infect Linux. So I suppose the answer is actually no. Cheers.

Re:Makes me wonder... (-1)

Anonymous Coward | more than 9 years ago | (#10908296)

Maybe it is just worst

Re:Makes me wonder... (4, Interesting)

fforw (116415) | more than 9 years ago | (#10908387)

...If java is really just as bad as ActiveX
no.

This the only cross plattform security issue known. and it's a theoretical one, no exploits known.

One failure in a secure sandbox environment is still not as bad as an environment where any code is executed and the security consists of the developer saying:

"I don't think I built in something harmfull and sign that belief with this digital signature"

Re:Makes me wonder... (4, Insightful)

owlstead (636356) | more than 9 years ago | (#10908390)

There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform. However, this is a single bug. With active X, you are in problems if there is a bug in *any* ActiveX component that is safe for scripting. So the target is way smaller with Java. Obviously that also makes it possible to vigourously (no spell check available - dang) test that part, so no excuse for Sun for not doing that.

Note that there are very few security notifications with Java. I can remember a few buffer exploits in the VM (not in the Java applications itself, that's impossible, unlike active X). Java makes it much easier to write secure code. So the chance on serious bugs occuring is smaller (bugs tend to be in the design, not so much in the implementation). But it is definately not a holy grail, mistakes can be made as you can see.

So is it a serious bug: answer YES. Does that make Java (/.NET managed code) a bad idea: NO. Do you need to upgrade: certainly. Is java as bad as ActiveX in the browser: definately not.

Re:Makes me wonder... (3, Insightful)

rdc_uk (792215) | more than 9 years ago | (#10908403)

" There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform."

What you should have really noted was that this is a bug in the security implementation of java. Which is bad.

ActiveX, on the other hand, doesn't HAVE a security implementation in which to get such a bug, which is terminally bad.

Re:Makes me wonder... (1)

owlstead (636356) | more than 9 years ago | (#10908478)

Lets make a deal: it is a bug in the security implementation of Java by Sun. Sheesh. That's what I said, didn't I?

As for the ActiveX part: ActiveX does have a security implementation. You need to sign your ActiveX component to make it safe for scripting. There can be security leaks in that. For instance the ASN-1 decoder may have a buffer overrun exploit, to name a completely random example. Or you might release a few libraries with the same signing certificate, needing to update *all* the libraries instead of one (another completely random example).

Obviously, it does not have a sandbox implementation, so you're right with the "terminally bad" part :)

Re:Makes me wonder... (2)

rdc_uk (792215) | more than 9 years ago | (#10908641)

" Lets make a deal: it is a bug in the security implementation of Java by Sun. Sheesh. That's what I said, didn't I?"

I think you read an implied slur into me simply having chosen to use the word "java" instead of "sun" when paraphrasing instead of actually quoting you. None was intended.

On to the point; as I recall the 2 main problems with ActiveX security are:

1; the browser (IE being _the_ ActiveX browser IIRC) pushes "security" options such as "allow signed scripts to run". Johnny Hacker is quite capable of signing his code, thus getting it run without question on most installs.

2; it is quite plausible to spoof your signature. Then even if you are requiring manual authentication of each signature before you let it run, it may well look to the casual user like a macromedia or Microsoft signature, and therefore it gets run.

Contrast with the (intention of the) Java security model, where it is not supposed to be possible to GET the kind of access that allows destruction / subversion in the first place.

Its the (piss-weak) "security" attitude that "if company X wants access that would let it format your drives, but only after scanning all the files on them, then its OK, because its company X, isn't it?" that is the problem with ActiveX.

No "program" run through your browser has legitimate need to that level of access to your local machine.

My personal opinion is that there are 2 fundamental flaws in how some companies view "browsers":

1 - they think that the web browser and the file manager shouyld become one.

2 - they think that goal justifies tying the browser tightly to the file system on the local machine, and justifies including low-level local access mechanisms into the browser and the things it can browse.

Personally I disagree; I think that having any "web format" of data/program able to escalate its rights to that kind of level is suicidal in terms of security, and therefore the risks of the required infrastructure make having your web browser serve to handle your local file system vastly outweight the minimal benefit of dropping one program from the machine.

I also think that may have been the longest sentence I've ever written; so I'll preserve it for posterity!

Disable Java (-1, Troll)

erykjj (213892) | more than 9 years ago | (#10908292)

Disable Java in your browser unless you absolutely need it (rare). Period.

Re:Disable Java (1)

leonmergen (807379) | more than 9 years ago | (#10908345)

And your arguments are ?

Come on, don't just make those statements without having anything constructive to say... now you're just flamebaiting.

Re:Disable Java (1)

erykjj (213892) | more than 9 years ago | (#10908382)

You clearly did not 'see the attachment for details'.

Actually, this is my personal experience/observation, not flamebait at all.

Just because your browser can run a certain plugin/extension does not mean it has to - unless you need it. You avoid potential issues by limiting yourself to the bare necessities.

Re:Disable Java (0)

Anonymous Coward | more than 9 years ago | (#10908399)

I agree that the post is rather terse, BUT it is a basic security measure to only enable what you realy need to use. You know, the old thing about the defender needing to defend all the perimeter while the attacker needs to find only a single weak point.

This is the base for the "Secure by default" in Win XP SP2 (not a very good example, I suppose).

You can argue about the "rare" part of the post, but it is a sound advice.

Re:Disable Java (1)

arivanov (12034) | more than 9 years ago | (#10908369)

You are mistaking a Sun plugin exploit with Java exploits in general. This limits this exploit to people who actually have a jdk installed. This limits the population of susceptible systems to people who develop with java or to people who use java based software which uses a recent java spec. Once again a fairly small group (I am talking general population, not slashdot readers).

Re:Disable Java (1)

crazyphilman (609923) | more than 9 years ago | (#10908646)

Aaah, piffle.

Just fetch a newer JVM, they're faster anyway.

And you said Mozilla Firefox wasn't exploitable??? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10908295)

You open source fags suck.

Re:And you said Mozilla Firefox wasn't exploitable (1)

djsmiley (752149) | more than 9 years ago | (#10908315)

java != mozilla

Wow i've learnt something already at uni! i better leave!

Windows and Linux? (3, Interesting)

Locdonan (804414) | more than 9 years ago | (#10908297)

Since the architecture is so different, could a virus really spread between the two of them? I mean Linux is more secure for a userlevel, so I think that may be overrated.

Re:Windows and Linux? (4, Informative)

DaEMoN128 (694605) | more than 9 years ago | (#10908366)

There are already proof of concept viri that work on both linux and windows.
http://antivirus.about.com/library/weekly/aa032801 a.htm/ [about.com]
http://www.itworld.com/AppDev/1312/IWD010328hnvirl in// [itworld.com]
looks like this has been happening since 2001 according to the itworld article (look at the date in the upper left hand corner.)
the only thing that has changed is the vector of infection. There was also a /. article if i remember right, but i can't seem to get the right search terms to find it.

Re:Windows and Linux? (1, Funny)

rdc_uk (792215) | more than 9 years ago | (#10908367)

What the article says is that the same exploit (same hole in the Java Runtime Engine's security) allows access to multiple OSes (through multiple browsers)

So; johnny hacker writes his Java exploit; part of which decides what OS it is currently fiddling with, then has it deposit an appropriate payload for the OS.

Voila; spreads through Windows and Linux.

Write once, run anywhere :)

Re:Windows and Linux? (1)

owlstead (636356) | more than 9 years ago | (#10908422)

That goes for any plugin that you cross compile though. If you create a bug in the plugin you are in a mess on any platform (except if they are platform specific). Unfortunately, Java is a sort of META plugin, like flash etc. So there are many Java runtimes/plugins out there which all need to be patched. Also, with a platform dependent plugin you might need to do some cross compiling to the exploit as well. You will need to do something like that for the exploid anyway, deleting "boot.ini" on a linux system may not work.

Re:Windows and Linux? (1, Insightful)

Burb (620144) | more than 9 years ago | (#10908414)

"Write once, infect everywhere."

Re:Windows and Linux? (1)

Locdonan (804414) | more than 9 years ago | (#10908638)

ok, 2 things. At least I have sparked some conversation. Now, isn't a dual payload kind of bulky? I have programmed in Java, and getting the thing to run right is fairly simple, but the more complex it gets, the fast it grows. I can see how Windows with "Everyones an Admin" approach can be easily exploited, but Linux seems too locked down. Sudo items are a pain at times.

Also in my defense, I have only used Linux for about 50 hours. (use time, not time I have had it.) Could a Java-based prog really offer that strong of an intrusion into a linux box?

Mwahhaaa (1)

akpcep (659230) | more than 9 years ago | (#10908300)

Virus on yer Linux box. Hopefully this should reduce the smugness-level of *nix zealots.

Re:Mwahhaaa (0)

Anonymous Coward | more than 9 years ago | (#10908504)

Don't dis the *nix on the /. or else they'ss kick you in the OO or the (_|_).

Cross platform....yum (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10908301)

At least Active X would only affect certain users. Java exploits now affecting virtually *everyone*. What a great idea, cross-platform viruses. /cheer Java

Another good reason to allow third party review... (4, Insightful)

johnhennessy (94737) | more than 9 years ago | (#10908312)


I think this tries to highlight another reason why allowing a third party review your code is a good thing

Generally, the most cost effective way can be an open source model.(there are others !)

Write once, run everywhere (3, Insightful)

Lucky Kevin (305138) | more than 9 years ago | (#10908413)

A virus writer's dream!

Re:Another good reason to allow third party review (1)

atcdevil (700926) | more than 9 years ago | (#10908429)

This is absolutely the least insightful statements that has ever been rated insightful on slashdot. Not that I disagree or anything, but EVERYONE knows this.

Re:Another good reason to allow third party review (1)

hackstraw (262471) | more than 9 years ago | (#10908573)

Actually, its another good reason that I don't load any plugins.

I only enable them when I'm staring at a blank page and for some morbid curiosity I want to see what is on the site.

no fear slashdot! (0, Flamebait)

Scythr0x0rs (801943) | more than 9 years ago | (#10908318)

You may soon be receiving a Java virus via your web browser.

Symptoms:

1) system loads increase by 3x magnitude
2) system starts to work slowly
3) the JVM has now loaded
4) the virus starts to install... ...
you can use the 15 minutes it takes java to load a virus (or anything) to close your web browser at this point.
5) If you are not able to stop the virus, look out for strange windows with dodgy toolkits. Yes, Java AWT, this means you.

At least... (0, Flamebait)

lxt (724570) | more than 9 years ago | (#10908319)

At least (unlike several other large companies), Sun produced a patch before the issue was released to the public. How many times does this normally happen (certainly, I can think of no instances this has happened for Windows - anyone care to enlighten me?)...

Re:At least... (1, Informative)

Anonymous Coward | more than 9 years ago | (#10908346)

That's the way Microsoft typically tried to do it before everyone started bitching about them doing it that way. Of course Sun does it that way and they're the darling hero. Slashdot is Fox News for people who should know better.

Re:At least... (1, Informative)

Anonymous Coward | more than 9 years ago | (#10908351)

It happens all the time with Windows. The difference is that when the /. crowd finds out that Microsoft knew about an exploit a month before they release the patch it turns into another bashing session.

Re:At least... (4, Insightful)

rdc_uk (792215) | more than 9 years ago | (#10908388)

The "patch before admitting the problem" thing DOES happen on Windows.

But when it happens on windows it is microsoft "covering up their vulnerabilities".

Apparently, for you, when someone else does it they are doing something good...

Security by Obscurity, no matter who does it, it is still bad. Just because the WHOLE WORLD didn't know about it, doesn't mean some virus writer didn't; it just meant everyone continued to use un-patched Java installs in blissfull ignorance of the risk.

Re:Still do not understand... (1)

DrWho520 (655973) | more than 9 years ago | (#10908480)

It was nice that a patch was released before the exploit was widely known, but this is the first I have heard of the exploit. From TFA, the exploit was patched last month by Sun, but now we hear details. Now is when I first found out about this.

I am sure this would have clouded over the launch of Solaris 10, but I would have appreciated knowing about this last month when the exploit was patched.

Oh well. (-1, Troll)

quamaretto (666270) | more than 9 years ago | (#10908321)

I guess it's time for us all to move to Smalltalk [smalltalk.org] , or maybe Flash. Yup, Java loses the intarweb. Microsoft wins. Go home.

Java != Java Sandbox (4, Insightful)

Cyphus (818873) | more than 9 years ago | (#10908340)

Its the browser-based sandbox that's the culprit here, not Java. Saying its a problem with Java, is like saying an IE exploit is a problem with HTML.

Java == Java Sandbox (4, Insightful)

jeif1k (809151) | more than 9 years ago | (#10908461)

Browsers aren't responsible for sandboxing plugins--in fact, they couldn't do it if they wanted to. Sandboxing is exclusively a function of the language and its runtime, in this case Java. If Sun's Java plugin allows the execution of dangerous code by untrusted code, it is Sun's fault. Note also that this is not the first time that this has happened.

Fortunately, the solution is simple: just turn off Java applets in your browser. These days, you won't be missing anything important on the web by doing so.

Java language != Java Sandbox (2, Informative)

Cyphus (818873) | more than 9 years ago | (#10908506)

I agree with you, browsers aren't responsible for the sandboxing, and it is Sun's fault for having a buggy plugin. But sandboxing is not a function of the language - it is solely a function of the runtime. I could use a different runtime with the same compiled Java code and not have the problem. Therefore its not a problem with the language.

Re:Java != Java Sandbox (0)

Anonymous Coward | more than 9 years ago | (#10908534)

The sandbox wouldn't exist if it wasn't for Java. HTML is not IE dependent. I think that kind of nullifies your point.

Re:Java != Java Sandbox (0)

Anonymous Coward | more than 9 years ago | (#10908543)

Saying its a problem with Java, is like saying an IE exploit is a problem with HTML.

You're new here, right?

Re:Java != Java Sandbox (1)

hackstraw (262471) | more than 9 years ago | (#10908617)

Its the browser-based sandbox that's the culprit here, not Java. Saying its a problem with Java, is like saying an IE exploit is a problem with HTML.

I believe this is completely wrong. First, if the problem were in the browser and not Java, how did Sun fix it on 2 different operating systems and there was not mention of a specific browser.

Also, AFAIK, the Java plugin does have a sandbox which prevents Java toys from doing things like accessing local files, etc. It takes a trusted and signed applet and user intervention to go outside of the sandbox.

Time for an open source Java implementation? (0)

cyclop (780354) | more than 9 years ago | (#10908347)

Ok,I know it's (1)the most trivial thing to say on /. and (2)looks like plain karma-whoring, but someone had to say it.

I know about Kaffe, but it seems to not work that well (most Java programs don't work with Kaffe)...

I'll only say this once *ever* (-1, Flamebait)

Rik Sweeney (471717) | more than 9 years ago | (#10908348)

"So Microsoft's version is more secure then?"

Re:I'll only say this once *ever* (-1)

Anonymous Coward | more than 9 years ago | (#10908596)

If this were a microsoft only exploit and you posted something about linux you would be considered a god.

Its really a shame how fucking touchy these *nix assholes get when it comes to admiting flaws.

Opera not affected (3, Informative)

TheJavaGuy (725547) | more than 9 years ago | (#10908353)

This bug affected IE and Firefox, but not the Opera Browser [opera.com] .

Re:Opera not affected (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10908455)

Would you care to post more information? (It's not that I don't believe you, it's just that I don't see anything about it anywhere)

Not that critical.. (4, Insightful)

fforw (116415) | more than 9 years ago | (#10908356)

This only affects the Java plugins in the 1.3 and 1.4 Java release. The current java release 1.5/5.0 is not affected at all.

And it's a java plugin vulnerability so a website running java on the serverside is not affected.

Re:Not that critical.. (0)

Anonymous Coward | more than 9 years ago | (#10908383)

Yeah cause everyone is always patched right up to the newest release of everything at all times.

Now we have to patch not just all our Windows installs, but our Linux and Solaris installs as well.

java.com is only offering 1.4 (0)

Anonymous Coward | more than 9 years ago | (#10908418)

Where did you get 1.5 for windows?

java.com still offering BAD version (3, Informative)

prandal (87280) | more than 9 years ago | (#10908447)

www.java.com is only offering j2re-1.4.2_05, a vulnerable version.

Version 1.5.0 is available from java.sun.com [sun.com] .

WAKE UP SUN!

Re:java.com still offering BAD version (0)

Anonymous Coward | more than 9 years ago | (#10908605)

You know what pisses me off about Sun's java website is the stupid java/os detection they have.

"Congratulations you have the latest version of Java"

Forget about the fact that I might want to download an install for ANOTHER computer. Want to download an installer for a different OS? Too bad, we're not giving you the links. This is a serious oversite that is making it a pain in the ass for administrators.

Re:java.com still offering BAD version (1)

prandal (87280) | more than 9 years ago | (#10908635)

Hear hear! And the fact that the "java test" page is well hidden from view. Yet another triumph of web page design gimmicks over usability.

Re:java.com still offering BAD version (1)

fforw (116415) | more than 9 years ago | (#10908660)

java.com is the java marketing site.

java.sun.com is where an administrator should go to.

Re:java.com is only offering 1.4 (1)

fforw (116415) | more than 9 years ago | (#10908458)

http://java.sun.com/j2se/1.5.0/download.jsp

Re:Not that critical.. (0)

Anonymous Coward | more than 9 years ago | (#10908473)

The current java release 1.5/5.0 is not affected at all.
Meanwhile, applications such as Freenet [freenetproject.org] are not working reliably under 1.5 JREs, and 1.4 is still suggested. "Latest and Greatest" is one thing when you're talking about an OS, but with Java, using the latest release is often counterproductive.

Re:Not that critical.. (1)

fforw (116415) | more than 9 years ago | (#10908509)

Meanwhile, applications such as Freenet are not working reliably under 1.5 JREs, and 1.4 is still suggested. "Latest and Greatest" is one thing when you're talking about an OS, but with Java, using the latest release is often counterproductive.
Applications like Freenet are not affected by the vulnerability. It only affects the Interface which couples java with a webbrowser (Java Plugin).

Re:Not that critical.. (4, Insightful)

sporty (27564) | more than 9 years ago | (#10908483)

Not that critical? 1.5 was released in the last month. What do you think all the people were using before last month?

Re:Not that critical.. (1)

fforw (116415) | more than 9 years ago | (#10908582)

Not that critical? 1.5 was released in the last month. What do you think all the people were using before last month?
It seems to me that Applets are dead. I am a java developer and have often browsed for months without encountering the need to tell my browser where my java is.

So most of the people are using java for applications or server-side programming.

Add the fact that this is only a theoretical vulnerability with no known exploits and the fact that not all browsers are affecrted and the conclusion (for me) is "not that critical".

Re:Not that critical.. (1)

hendridm (302246) | more than 9 years ago | (#10908634)

This only affects the Java plugins in the 1.3 and 1.4 Java release. The current java release 1.5/5.0 is not affected at all.

How many millions of PCs are running that JVM right now? Mom and dad get a PC a year or two ago, which still has the same JRE the manufacturer or their son set up on the thing. There is little chance that they will upgrade it themselves.

Why doesn't the JRE have an auto-update feature enable by default on install, easily disabled from the control panel for those who are savvy (and stays disabled, unlike Acrobat Reader)?

No root privilege escalation (3, Insightful)

Xpilot (117961) | more than 9 years ago | (#10908371)

From the Sun website:

"...through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet."

A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

Re:No root privilege escalation (1)

mordors9 (665662) | more than 9 years ago | (#10908423)

Unfortunately I see an astounding number of people log in to irc channels and they are running linux as root. Of course it serves them right if their system gets fscked because of it.

Re:No root privilege escalation (0)

Anonymous Coward | more than 9 years ago | (#10908598)

A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

Flamebait!

Uhhhh, that's a fault of the user not the OS.

Maybe it's news to you, but a compromised user account on Windows (NT+) doesn't "trash the stuff that the user doesn't have read/write permissions on" either. Meaning that while I agree with you that "it's possible to contain on Linux", inferring that it's impossible to do so on Windows is ridiculous. Also, the reverse doesn't wash either - I don't know how many Linux geeks you know, but all the ones I know run as root religiously.

(Ahhhh! Parent marked Score:3 Informative - I'm reading /. again!)

Re:No root privilege escalation (1, Informative)

hackstraw (262471) | more than 9 years ago | (#10908652)

A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

BFD. Most machines that are used for surfing the web are single user machines and having that users stuff trashed is the same as trashing the whole machine.

Java finally reaches its full potential (5, Funny)

scatter_gather (649698) | more than 9 years ago | (#10908376)

Write once, exploit everywhere!
:)

Sun needs to update their site! (0, Redundant)

Anonymous Coward | more than 9 years ago | (#10908386)

The latest version for download on java.com [java.com] is still the 1.4.2_05... Someone needs to apply the cattleprod to the webmonkey :)

And you can quickly see which version you are running on this page [java.com] which also thinks _05 is latest!

V1.4.2_06 is available for download here [sun.com]

Mod parent up (1)

upside (574799) | more than 9 years ago | (#10908400)

If you go to java.sun.com and click on Java VM under "popular downloads" you also end up getting the vulnerable _05 version.

Re:Sun needs to update their site! (1)

Gr8Apes (679165) | more than 9 years ago | (#10908644)

Actually, I'm running 1.4.2_06, and it still lists me as running an older version. Because I am, there's 1.5 (5.0) available now.

WARNING! (1, Informative)

prandal (87280) | more than 9 years ago | (#10908393)

java.sun.com is STILL dishing out J2re-1.4.2_05.

Be sure to get the right one from java.sun.com/j2se

Re:WARNING! (1)

prandal (87280) | more than 9 years ago | (#10908405)

Oops, engage brain before posting. www.java.com is the one which is wrong. I raised this issue on bugtraq / full-disclosure yesterday. Obviously Sun's a bit slow.

Java automatic update binary is old and unpached (0)

Anonymous Coward | more than 9 years ago | (#10908394)

at least for Windows, using Update from Java control panel, I'm receiving

1.4.2 05 which STILL contains the hole!!

Only from

https://jsecom16.sun.com/ECom/EComActionServlet/Le galPage:~:com.sun.sunit.sdlc.content.LegalWebPageI nfo;jsessionid=E905362D3A165CC3656EFD992704CC78;js essionid=E905362D3A165CC3656EFD992704CC78 [sun.com]

(stupid link, no?)

it's possible to get

1.4.2 06

Sun bad!

Windows and Linux, huh? ...what about Mac? (3, Interesting)

mrchaotica (681592) | more than 9 years ago | (#10908417)

Is the Java that comes on Macs exploitable by this too? (Maybe not, since Apple might have changed something, but I don't know)

Also, what about BSD?

Re:Windows and Linux, huh? ...what about Mac? (-1)

Anonymous Coward | more than 9 years ago | (#10908538)

BSD is already dying. It doesn't need a virus to help it on its way :-P

Great placement... (-1, Troll)

alwsn (593349) | more than 9 years ago | (#10908431)

I love that my ad is from Java Studio Creator. It makes me want to rush and use their product.

The nice thing is (1)

CastrTroy (595695) | more than 9 years ago | (#10908442)

The nice thing is, is that if you are using Linux, Java is most likely running as root, and therefore less likely to mess around with your OS, Or files which that user does not have access to. Therefore, it's probably hard to get something into a startup script, and to create a virus that would be around after you rebooted the computer.

More detailed info ... (3, Informative)

Anonymous Coward | more than 9 years ago | (#10908443)

From the horses mouth right here [jouko.iki.fi] . The issue is actually with the plug-in, not Java itself. In brief, you can load a Java class in an applet via JavaScript using getClass().forName() and use that reference to make calls outside the confines of the sandbox.

there have been lots of those before (5, Insightful)

jeif1k (809151) | more than 9 years ago | (#10908444)

The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.

When Java first came out, people found lots of security problems with its sandbox; there were both fundamental flaws in Java's type system and problems in Sun's implementation. That aspect of Java was subject to intense scrutiny back then because Sun had positioned Java as a new way of delivering client applications, which depended critically on sandboxing. The vision was that Java would replace heavy desktop apps.

These days, it doesn't matter much anymore: Java has failed to achieve its goals on the client; you can browse perfectly fine with applets disabled and never even notice. And for Java's current server side uses, sandboxing isn't really that important. So, people stopped finding flaws in Java's sandbox because they stopped looking--it just doesn't matter to anyone anymore.

I think Java's original vision of a thin client platform for high-quality applications delivered through the Internet is still relevant, but Java won't be able to fulfill it anymore: it has become too bloated and too complex. More likely, that niche will be filled by an updated version of Flash (yuck), XUL, or, perhaps, something entirely new.

Write once, infect everywhere! (1, Funny)

dangermen (248354) | more than 9 years ago | (#10908446)

Write once, infect everywhere!

No patch (2, Interesting)

roman_mir (125474) | more than 9 years ago | (#10908452)

There is no patch, there is only the next release of the JRE, why is that? Wouldn't it make more sense to also release an executable patch rather than forcing a 14MB download (not that I care, I download it at 400KB/s?)

Re:No patch (1)

prandal (87280) | more than 9 years ago | (#10908467)

No, it wouldn't. People could be running any mix of old Java runtimes. A full release is the only goof-proof way of ensuring that the fixed version is correctly deployed.

Re:No patch (1)

roman_mir (125474) | more than 9 years ago | (#10908498)

So? As if it is impossible to build a patch that detects what you are running and update what is necessary... these are computers after all, they can do that.

Re:No patch (1)

prandal (87280) | more than 9 years ago | (#10908532)

Yes, but there are still people out there running JVM 1.3.x. I suspect a universal patch would be larger than the 14MB full install.

Re:No patch (1)

roman_mir (125474) | more than 9 years ago | (#10908553)

Doubt that very very much. Besides, the binary identifier only needs to point to the correct patch.
Whatever, it's not my bandwidth.

Re:No patch (1)

prandal (87280) | more than 9 years ago | (#10908622)

Yes, right, and download that way for corporate deployment? Or multiple home machines? I for one would prefer full releases over patches for most products. In the old days, Veritas used to release fully patched builds of Backup Exec on a regular basis. It made a sysadmin's job so much easier not having to chase after a handful of patches every time a new (licensed) copy was deployed. Patches bad, full releases good ;-)

let's have a little perspective (5, Insightful)

bratboy (649043) | more than 9 years ago | (#10908459)

I'm sorry, but the comments here are getting a little absurd. The Java sandbox has had how many security exploits discovered in the eight or nine years it's been around? Perhaps there have been a couple, but I can't remember any. And now, a flaw is discovered by an independent researcher, a patch quickly released, and the bug made public only after a significant amount of time has passed for people to upgrade, and before an exploit appears - and you're complaining because ...? Oh right, because Java isn't open source.

Open source, although a wonderful thing which should be given away at school bake sales, church meetings, and nascar rallies, is not a silver bullet. Case in point - the Firefox browser (which I use and love) has already had several security flaws (e.g. the same JPG flaw as IE) for which exploits have been released. The major reason we don't see more is *not* because it's so much more robust [enterpriseitplanet.com] - it's because it still doesn't have the visibility and marketshare of IE, not to mention the raw hatred of ubergeeks around the world. I know, I know - the marketshare is going up, and as a faithful user I'm honestly torn. I'd love for it to be successful, and for Microsoft to have some kind of competition, but for now, Firefox is pretty safe. Give it the marketshare, and watch all those 2600-loving eyes start reappraising their goals.

daniel

Re:let's have a little perspective (1)

jeif1k (809151) | more than 9 years ago | (#10908482)

The Java sandbox has had how many security exploits discovered in the eight or nine years it's been around? Perhaps there have been a couple, but I can't remember any.

The Java sandbox has had lots of security exploits over the years. I suspect the main reason people stopped discovering them is because Sun pretty much destroyed Java for applet use.

and you're complaining because ...? Oh right, because Java isn't open source.

Indirectly, yes. Sun has lost its focus on a thin client platform and instead gone for the money--server side development. Open source could have forked Java as an applet platform before it got bloated and complex and focused on making it high quality for that purpose.

The major reason we don't see more is *not* because it's so much more robust

Oh, you are so wrong. The major reason Firefox works well is because the community took the bloated commercially-derived software (Mozilla) and pruned it down to its essentials (Firefox). It is about time that the same happened with Java.

Re:let's have a little perspective (1)

flibuste (523578) | more than 9 years ago | (#10908556)

Oh right, because Java isn't open source.

Well...less whiners soon since Java is going to be open-sourced [zdnet.com.au] .

Re:let's have a little perspective (1)

LWATCDR (28044) | more than 9 years ago | (#10908589)

"security flaws (e.g. the same JPG flaw as IE) "
Ummm that was a security flaw in GDIplus.dll That was by all standards an OS level bug and one that can be laid right at the feet of microsoft. I have seen the phishing exploit which seems like more of an abuse of tabs. And everything has to set up just so for it to work. Overall I would say that FireFox/Thunderbird are safer not just because of the lack of hacker mindshare but because they do not bury there hooks so deep in the OS as does IE and Outlook. Microsoft wants the browser to be part of the OS while Firefox runs on top of the OS as a program should.

Re:let's have a little perspective (0)

Anonymous Coward | more than 9 years ago | (#10908630)

*Cough*.. Firefox is not still bloated?

Yawn and inevitably someone will bring up the tired example of Apache (typically admin'd by people who know what they are doing) as proof that it's the software and has absolutely nothing to do with the computer illiterate masses who willingly submit their credit card information to untrusted sources and blindly click yes on any popup window they see.

I do wish Firefox takes over the majority marketshare.. if just to disprove the fanboi rallying cry as to why Open Source is so much better than a Microsoft solution.

Where's the patch? (1)

Asprin (545477) | more than 9 years ago | (#10908485)


The linked notice sez the bug is patched in 1.4.2_06, but the web site and java auto-update both say the 1.4.2_05 I have now is the latest.

Does anyone out there have _06 yet or is this another case of premature press-releasination?

Re:Where's the patch? (1)

Slimcea (832228) | more than 9 years ago | (#10908540)

1.4.2_06 is the latest. You can get it at here [sun.com] . Alternatively, use 1.5.0.

Auto-update is broken though. Hasn't been working for some time for me at least (always tells me I have the latest version). Sun might want to look into this.

I wonder why java.com isn't dishing out 1.5 (1)

prandal (87280) | more than 9 years ago | (#10908566)

Get j2re from here [sun.com] .

follow the links to the JRE download.

www.java.com is STILL dishing out the wrong version (1.4.2_05). Grrrr. Naughty Sun!

So What's a Doofus User To Do? (1)

dwm (151474) | more than 9 years ago | (#10908535)

Okay, I'm a doofus.

To fix this vulnerability, you have to go to

http://java.sun.com/j2se/1.5.0/download.jsp [sun.com]

and download the J2SE 5.0 JRE, right?

(Yeah, yeah, I know, and then install it.)

Just use JDK1.4.2_06 or JDK1.5 (1)

crazyphilman (609923) | more than 9 years ago | (#10908606)

The new JDK/JRE is "safe"... I've heard they're faster, too, with some JRE improvements. I just downloaded the whole 1.5 set, and I'm pretty excited, looking forward to it... I install it on my Slackware instance tonight!

If I had a girlfriend, I'd invite her to hang out and share the joy; this'd be way better than a movie as a date... Um... Maybe I should get out more, now that I think about it...

Is java still used for web pages (1)

SmallFurryCreature (593017) | more than 9 years ago | (#10908631)

My browser is opera on linux so obviously I am vulnarable. So I checked my preferences and I not only haven't got it enabled. It doesn't even have the link to where it can find java.

Not so long ago (for someone my age. For some /. it may be half a life time ago) java web applets were everywhere. Has this now been replaced with flash or have webdesigners decided they didn't need what java can do or am I visiting the wrong pages?

Not I am not talking about web applications here but java applets that things like menus, scrolling news banner etc etc.

I did a quick check of both real life and online friends and only a few had java enabled. Hardly a scientific measurement and neither is asking here but is your webbrowser java enabled?

This is not an anti-java post. I like azureus wich would never be available to a linux user if it had not been done in java.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>