Cross-Platform Java Sandbox Exploit

Posted by timothy on Wed Nov 24, 2004 08:22 AM
from the suck dept.
DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by johnhennessy (94737) on Wednesday November 24 2004, @08:33AM (#10908312)

    I think this tries to highlight another reason why allowing a third party to review your code is a good thing.

    Generally, the most cost-effective way can be an open source model (there are others!).

  • by Cyphus (818873) on Wednesday November 24 2004, @08:38AM (#10908340)
    It's the browser-based sandbox that's the culprit here, not Java. Saying it's a problem with Java is like saying an IE exploit is a problem with HTML.
    • by jeif1k (809151) on Wednesday November 24 2004, @08:59AM (#10908461)
      Browsers aren't responsible for sandboxing plugins--in fact, they couldn't do it if they wanted to. Sandboxing is exclusively a function of the language and its runtime, in this case Java. If Sun's Java plugin allows the execution of dangerous code by untrusted code, it is Sun's fault. Note also that this is not the first time that this has happened.

      Fortunately, the solution is simple: just turn off Java applets in your browser. These days, you won't be missing anything important on the web by doing so.
        • > But sandboxing is not a function of the language - it is solely a function of the runtime.

          Pedant alert. In this case, ignorant pedant alert. The runtime is the Sun(R) Java(tm) Runtime Environment(tm), and Sun has lawyers who will do bad things to you if you claim the Java moniker does not apply to the JRE (which includes plugins for several popular browsers). Cue "Java is a platform" blather from Sun execs.

          In this case, they are simply being hoisted on their own petard. It is a bug in Java. The Platf
          • Yes, it's a vulnerability in the Sun implementation of the Java platform, but not Java the language or the Java platform generally.

            There are other Java runtimes, which are allowed to use the name Java because they pass the conformance tests (such as IBM's Java runtime); they would not be vulnerable to this exploit.
  • Opera not affected (Score:3, Informative)

    by TheJavaGuy (725547) on Wednesday November 24 2004, @08:40AM (#10908353) Homepage
    This bug affected IE and Firefox, but not the Opera Browser [opera.com].
  • by fforw (116415) on Wednesday November 24 2004, @08:40AM (#10908356) Homepage
    This only affects the Java plugins in the 1.3 and 1.4 Java release. The current Java release 1.5/5.0 is not affected at all.

    And it's a Java plugin vulnerability, so a website running Java on the server side is not affected.

  • by Xpilot (117961) on Wednesday November 24 2004, @08:43AM (#10908371) Homepage
    From the Sun website:

    "...through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet."

    A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

    • A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

      That is absolute misinformation. How are the two any different?

      I run as root and as Administrator because I'm too lazy to set up actual, proper permissions and accounts. That doesn't mean that I couldn't, just that I do

  • by scatter_gather (649698) on Wednesday November 24 2004, @08:45AM (#10908376)
    Write once, exploit everywhere!
    :)
  • by mrchaotica (681592) on Wednesday November 24 2004, @08:53AM (#10908417)
    Is the Java that comes on Macs exploitable by this too? (Maybe not, since Apple might have changed something, but I don't know)

    Also, what about BSD?
    • Mac (Score:4, Informative)

      by JavaLord (680960) on Wednesday November 24 2004, @11:44AM (#10909785) Journal
      I tested my PC, which the sample code worked on, but it didn't seem to work on my Mac, which runs OS X 10.3.6, in Safari or Firefox. Safari comes back with a "Class undefined" and Firefox just seems to ignore the JavaScript alert at the end.

      Anyone else try this on the mac and have similar results?
  • by Anonymous Coward on Wednesday November 24 2004, @08:56AM (#10908443)
    From the horse's mouth right here [jouko.iki.fi]. The issue is actually with the plug-in, not Java itself. In brief, you can load a Java class in an applet via JavaScript using getClass().forName() and use that reference to make calls outside the confines of the sandbox.
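A defensive check for the call chain described in the comment above, as an added example that is not part of the original thread: it scans a page's inline scripts for `getClass().forName()` reached through dot or bracket access and reports the line and any literal class name. The function names, the sample page and the class name `example.SomeClass` are constructed for illustration, and the match is a textual heuristic, not a JavaScript parser.

```javascript
// Added example (not from the thread): flag inline page scripts that reach
// Java reflection through getClass().forName(). Textual heuristic only.

// Blank out JS comments but keep newlines, so reported line numbers stay
// correct. Naive on purpose: it does not understand string literals.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (c) => c.replace(/[^\n]/g, " "))
    .replace(/(^|[^:\\])\/\/[^\n]*/g, "$1");
}

// A property reached either as .name or as ["name"] / ['name'].
const member = (name) =>
  `(?:\\.\\s*${name}|\\[\\s*["']${name}["']\\s*\\])`;

// <expr>.getClass().forName(<arg>), tolerating whitespace between tokens.
const CHAIN = new RegExp(
  member("getClass") + "\\s*\\(\\s*\\)\\s*" +
  member("forName") + "\\s*\\(\\s*([^)]*)\\)",
  "g"
);

const countNewlines = (text) => (text.match(/\n/g) || []).length;

// Returns [{ line, className }] for every match inside <script> blocks.
// className is null when the argument is not a plain string literal.
function findReflectionCalls(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let s;
  while ((s = scriptRe.exec(html)) !== null) {
    const bodyStart = s.index + s[0].indexOf(">") + 1;
    const baseLine = countNewlines(html.slice(0, bodyStart));
    const code = stripComments(s[1]);
    for (const m of code.matchAll(CHAIN)) {
      const literal = /^(["'])([\w.$]+)\1\s*$/.exec(m[1]);
      findings.push({
        line: baseLine + countNewlines(code.slice(0, m.index)) + 1,
        className: literal ? literal[2] : null,
      });
    }
  }
  return findings;
}

// Constructed sample page: one commented-out call, two live chains,
// and one harmless getClass() with no forName().
const SAMPLE_PAGE = [
  "<html><body>",
  '<applet code="Clock.class" name="clock"></applet>',
  "<script>",
  "// document.clock.getClass().forName('ignored.In.Comment');",
  "var a = document.clock;",
  'var c = a . getClass ( ) /* split */ . forName("example.SomeClass");',
  "var d = a['getClass']()['forName'](name);",
  "var ok = a.getClass();",
  "</script>",
  "</body></html>",
].join("\n");

console.log(findReflectionCalls(SAMPLE_PAGE));
```
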
  • by jeif1k (809151) on Wednesday November 24 2004, @08:56AM (#10908444)
    The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.

    When Java first came out, people found lots of security problems with its sandbox; there were both fundamental flaws in Java's type system and problems in Sun's implementation. That aspect of Java was subject to intense scrutiny back then because Sun had positioned Java as a new way of delivering client applications, which depended critically on sandboxing. The vision was that Java would replace heavy desktop apps.

    These days, it doesn't matter much anymore: Java has failed to achieve its goals on the client; you can browse perfectly fine with applets disabled and never even notice. And for Java's current server side uses, sandboxing isn't really that important. So, people stopped finding flaws in Java's sandbox because they stopped looking--it just doesn't matter to anyone anymore.

    I think Java's original vision of a thin client platform for high-quality applications delivered through the Internet is still relevant, but Java won't be able to fulfill it anymore: it has become too bloated and too complex. More likely, that niche will be filled by an updated version of Flash (yuck), XUL, or, perhaps, something entirely new.
  • No patch (Score:3, Interesting)

    by roman_mir (125474) on Wednesday November 24 2004, @08:57AM (#10908452) Homepage
    There is no patch, there is only the next release of the JRE. Why is that? Wouldn't it make more sense to also release an executable patch rather than forcing a 14MB download (not that I care, I download it at 400KB/s)?
  • by bratboy (649043) on Wednesday November 24 2004, @08:59AM (#10908459) Homepage
    I'm sorry, but the comments here are getting a little absurd. The Java sandbox has had how many security exploits discovered in the eight or nine years it's been around? Perhaps there have been a couple, but I can't remember any. And now, a flaw is discovered by an independent researcher, a patch quickly released, and the bug made public only after a significant amount of time has passed for people to upgrade, and before an exploit appears - and you're complaining because ...? Oh right, because Java isn't open source.

    Open source, although a wonderful thing which should be given away at school bake sales, church meetings, and nascar rallies, is not a silver bullet. Case in point - the Firefox browser (which I use and love) has already had several security flaws (e.g. the same JPG flaw as IE) for which exploits have been released. The major reason we don't see more is *not* because it's so much more robust [enterpriseitplanet.com] - it's because it still doesn't have the visibility and marketshare of IE, not to mention the raw hatred of ubergeeks around the world. I know, I know - the marketshare is going up, and as a faithful user I'm honestly torn. I'd love for it to be successful, and for Microsoft to have some kind of competition, but for now, Firefox is pretty safe. Give it the marketshare, and watch all those 2600-loving eyes start reappraising their goals.

    daniel

      • by prandal (87280) on Wednesday November 24 2004, @09:47AM (#10908842)
        I don't think the open-sourceness or not of an application is the relevant issue.

        Consider three email clients for home users of Windows:

        Outlook Express - proprietary, bundled, and happily executes malware without a thought (and aids in social engineering attacks by hiding file extensions), insecure by design

        Pegasus Mail - proprietary, free, but not open source. Never executes anything unless explicitly told to, secure by design.

        Thunderbird - open source, secure by design.

        Design's the key, not the platform.

        But things aren't helped by idiotic PC games and applications requiring users to have administrative rights in order to play them (The Sims, The Sims 2, for example - it even says so on the box).
  • Unix Viruses ? (Score:3, Interesting)

    by anux (834169) on Wednesday November 24 2004, @10:05AM (#10908999)
    I have always found the idea of viruses on Unix amusing. I mean, any user can cause damage to his/her files, either manually or by running a script or binary. But this is not an "infection" as the system is left completely untouched. What worries me though is the way the news sites report "Linux viruses". Someone unfamiliar with Linux/Unix might think: "Oh! So Unix also has viruses, just like Windows." This I think is giving a completely wrong impression about Unix to such people.
  • by freelunch (258011) on Wednesday November 24 2004, @10:09AM (#10909033)
    Browsers should allow you to configure java and javascript on a per site basis. Much like you can allow pop-ups from certain sites.

    I prefer to have javascript off all the time.

    Being able to selectively enable them for certain sites would be nice and would improve security.

    • by fforw (116415) on Wednesday November 24 2004, @08:47AM (#10908387) Homepage
      ...If java is really just as bad as ActiveX
      no.

      This is the only cross-platform security issue known, and it's a theoretical one, no exploits known.

      One failure in a secure sandbox environment is still not as bad as an environment where any code is executed and the security consists of the developer saying:

      "I don't think I built in something harmful and sign that belief with this digital signature"

        • It is not exactly a failure of the secure sandbox environment. If you were running a standalone Java application or a Java Web Start application in the sandbox this hole wouldn't apply. This hole applies to the _C_ code that manages the Java plug-in.

          Well.. the result of this vulnerability is a circumvention of the sandbox environment ( not in C code but via Javascript [idefense.com] ). You may argue that the sandbox in itself has not failed which is formally correct, but a hacker shouldn't be able to circumvent it vi

    • by owlstead (636356) on Wednesday November 24 2004, @08:47AM (#10908390)
      There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform. However, this is a single bug. With active X, you are in problems if there is a bug in *any* ActiveX component that is safe for scripting. So the target is way smaller with Java. Obviously that also makes it possible to vigourously (no spell check available - dang) test that part, so no excuse for Sun for not doing that.

      Note that there are very few security notifications with Java. I can remember a few buffer exploits in the VM (not in the Java applications itself, that's impossible, unlike active X). Java makes it much easier to write secure code. So the chance on serious bugs occurring is smaller (bugs tend to be in the design, not so much in the implementation). But it is definitely not a holy grail, mistakes can be made as you can see.

      So is it a serious bug: answer YES. Does that make Java (/.NET managed code) a bad idea: NO. Do you need to upgrade: certainly. Is java as bad as ActiveX in the browser: definitely not.

      • by rdc_uk (792215) on Wednesday November 24 2004, @08:50AM (#10908403)
        " There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform."

        What you should have really noted was that this is a bug in the security implementation of java. Which is bad.

        ActiveX, on the other hand, doesn't HAVE a security implementation in which to get such a bug, which is terminally bad.
          • " Lets make a deal: it is a bug in the security implementation of Java by Sun. Sheesh. That's what I said, didn't I?"

            I think you read an implied slur into me simply having chosen to use the word "java" instead of "sun" when paraphrasing instead of actually quoting you. None was intended.

            On to the point; as I recall the 2 main problems with ActiveX security are:

            1; the browser (IE being _the_ ActiveX browser IIRC) pushes "security" options such as "allow signed scripts to run". Johnny Hacker is quite capab
    • by Lethyos (408045) on Wednesday November 24 2004, @09:29AM (#10908711) Journal
      Makes me wonder if Java is really just as bad as ActiveX

      Who the hell moderates stuff like this as "insightful"? I don't have any exact numbers in front of me (nor will I spend the time to find them), but I can safely tell you that over their respective lifetimes, ActiveX has suffered many orders of magnitude more exploits than Java ever will. The only meaningful caveat I can think of to this statement is the "default" Java runtime environment (that used to be) packaged with Internet Explorer that is written by Microsoft. Of course, you can hardly attribute any problems with that to Java because Microsoft built it on top of ActiveX and took very little interest in security when doing so.

      Also, I should point out that any of theoretical exploits will have the most damage on Windows than other platforms because Windows is insecure. It seems that any code running on a Windows box has, one way or another, unbridled access to resources that should be above the user's privileges, but that's an entirely different situation altogether...

      • by ttfkam (37064) on Wednesday November 24 2004, @11:51AM (#10909827) Homepage Journal
        Exactly! And another aspect that people can't seem to wrap their heads around is the lack of confirmation windows in Java client-side. Sure a signed applet that will be accessing the local filesystem or connecting to an arbitrary server on the net will pop up a dialog box as it should, but normally it just starts up and runs.

        ActiveX pops up a dialog box at every new instance on every site. The user ends up thinking, "Oh, another damned popup," and just clicks on it. It's like email and dealing with spam. There are so many junk emails, eventually you make a mistake accepting one you shouldn't have or dumping one that you would have wanted.

        With the Java applet sandbox, only actions that are potentially dangerous require a confirmation dialog, and 99.9% of all applets do not need signing. Sure, today Sun announced a vulnerability. That makes how many in the last ten years? Seriously, compare that number with the number of exploits in basically any network-aware program in any language. Dumping Java over this is like refusing to go out to restaurants anymore because a friend of a friend got food poisoning.

        You want to be absolutely safe, unplug your network or modem cable. There you go. Absolute network safety. Life is a compromise.
      • by I confirm I'm not a (720413) on Wednesday November 24 2004, @08:31AM (#10908304) Journal

        ...Or better, since Java runs in a (relatively) secure sandbox. It's worth noting, from the article [silicon.com], that there hasn't to date been a single Java virus. This is bad, but it has to get a lot worse before comparison with ActiveX is warranted.

          • by I confirm I'm not a (720413) on Wednesday November 24 2004, @08:52AM (#10908415) Journal

            > > hasn't to date been a single Java virus.
            > ...that we know about...

            True, and it's worth noting that the quote I offered above came from Jonathan Schwartz, who - just possibly - might be biased. I'm still inclined to trust a platform with no visible viruses than platforms with very obvious viruses. Put another way, I'm in no hurry to locate a browser that supports ActiveX.

    • by DaEMoN128 (694605) on Wednesday November 24 2004, @08:43AM (#10908366)
      There are already proof of concept viri that work on both Linux and Windows.
      http://antivirus.about.com/library/weekly/aa032801a.htm/ [about.com]
      http://www.itworld.com/AppDev/1312/IWD010328hnvirlin// [itworld.com]
      Looks like this has been happening since 2001 according to the itworld article (look at the date in the upper left hand corner).
      The only thing that has changed is the vector of infection. There was also a /. article if I remember right, but I can't seem to get the right search terms to find it.
        • by Cereal Box (4286) on Wednesday November 24 2004, @10:42AM (#10909299)
          so in Linux it can "only" trash the user's home directory.

          I think a lot of Linux zealots tend to downplay the importance of the home directory. After all, if you're a smart user and don't run as root, all your important data is going to be in the home directory (and possibly other directories where your user has permissions). I could care less if the OS install gets wiped out -- that can easily be replaced. The data in my home directory can't. In that regard, losing your home directory is just as bad as losing the entire system.
          • by fforw (116415) on Wednesday November 24 2004, @10:52AM (#10909379) Homepage
            I think a lot of Linux zealots tend to downplay the importance of the home directory. After all, if you're a smart user and don't run as root, all your important data is going to be in the home directory (and possibly other directories where your user has permissions). I could care less if the OS install gets wiped out -- that can easily be replaced. The data in my home directory can't. In that regard, losing your home directory is just as bad as losing the entire system.
            The home directory normally only includes data and settings. It's not fun if you lose data ( if it's important data you should have backups ), but it's worse to have a system compromise where the attacker can control your system, install backdoors to use your system for every purpose he can think of and can even fry your hardware in some cases.
          • All of what you say is true, but you omit the possibility of a multi-user system. If a single user has non-root permissions he can only destroy his own data, not those of others.
          • by Mysticalfruit (533341) on Wednesday November 24 2004, @11:29AM (#10909668) Journal
            You're totally right. Here's how you solve the problem.

            1. Create a separate user called "webuser". Thus when some stupid java exploit attempts to delete your home directory, it can't.

            2. Configure your selinux security so that the JIT can't create/delete stuff except inside of a "java temp" directory. Fine let the virus go wild, too bad it won't get anywhere.

            3. Implement a sensible backup plan. What's really important for you to backup? Software can generally be downloaded again. The only stuff that's not replaceable is code and settings.
    • Re:At least... (Score:5, Insightful)

      by rdc_uk (792215) on Wednesday November 24 2004, @08:47AM (#10908388)
      The "patch before admitting the problem" thing DOES happen on Windows.

      But when it happens on Windows it is Microsoft "covering up their vulnerabilities".

      Apparently, for you, when someone else does it they are doing something good...

      Security by Obscurity, no matter who does it, it is still bad. Just because the WHOLE WORLD didn't know about it, doesn't mean some virus writer didn't; it just meant everyone continued to use un-patched Java installs in blissful ignorance of the risk.
      • Security by Obscurity, no matter who does it, it is still bad. Just because the WHOLE WORLD didn't know about it, doesn't mean some virus writer didn't; it just meant everyone continued to use un-patched Java installs in blissful ignorance of the risk.

        You're saying that vulnerability details should be announced before patches are completed? I'm afraid I disagree. There's a fair bit of evidence (see stories here [computerworld.com] and here [bbc.co.uk]) that black hats are using vulnerability announcements and patches to find exploi

    • Looks like you left out the word not:

      The nice thing is, is that if you are using Linux, Java is most likely not running as root, and therefore less likely to mess around with your OS, or files which that user does not have access to. Therefore, it's probably hard to get something into a startup script, and to create a virus that would be around after you rebooted the computer.

      :)

    • I just downloaded 1.4.2_06 from Sun's website. Go to java.sun.com and look for J2SE. You can get both 1.4.2_06 and 1.5 there, on the page. I didn't use the automagic update, myself, so I don't know what's going on there.
      • Wow, that's worse than I've seen.

        The worst problem I've had was writing a commercial app that had a Java frontend. Because Sun kept making seemingly random changes to the API and not fixing bugs (or worse, breaking the bugs that they fixed on the last version) we were stuck with 1.3.1-05 almost right until the Java code was abandoned (went to C# - we only supported Windows servers anyway).

        One customer wanted a 1.4.0 release, which we duly did (required a special fork and about a month of developer time)
      • You sir are reacting like an idiot. You list applications that do not work and then blame the language. Blame the application writers, not the language. This is like saying "C++ sucks, look how buggy and insecure windows is, C++ must be to blame, not the developers." Thanks then post.
        • You sir are reacting like an idiot.

          Thanks!

          You list applications that do not work and then blame the language. Blame the application writers, not the language.

          I don't have an issue with the language. It's the buggy runtime environment (jre) that I have an issue with. The language has many good features. From what I understand, it's one of the best languages to program in. But since the jre is so finicky and broken, it's not worth it to use the language, no matter how good it is.

          Another issue that I h