Cross-Platform Java Sandbox Exploit 382
DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.
Another good reason to allow third party review... (Score:5, Insightful)
I think this tries to highlight another reason why allowing a third party to review your code is a good thing.
Generally, the most cost effective way can be an open source model (there are others!).
Write once, run everywhere (Score:4, Insightful)
Re:Another good reason to allow third party review (Score:2)
I only enable them when I'm staring at a blank page and for some morbid curiosity I want to see what is on the site.
Java != Java Sandbox (Score:4, Insightful)
Java == Java Sandbox (Score:5, Insightful)
Fortunately, the solution is simple: just turn off Java applets in your browser. These days, you won't be missing anything important on the web by doing so.
Java language != Java Sandbox (Score:2, Informative)
Java == Platform (Score:3, Insightful)
Pedant alert. In this case, ignorant pedant alert. The runtime is the Sun(R) Java(tm) Runtime Environment(tm), and Sun has lawyers who will do bad things to you if you claim the Java moniker does not apply to the JRE (which includes plugins for several popular browsers). Cue "Java is a platform" blather from Sun execs.
In this case, they are simply being hoisted on their own petard. It is a bug in Java. The Platf
Re:Java == Platform (Score:3, Informative)
There are other Java runtimes which are allowed to use the name Java because they pass the conformance tests (such as IBM's Java runtime); they would not be vulnerable to this exploit.
Java == Java Sandbox... ohpps! (Score:3, Funny)
Java.equals(JavaSandbox)
instead. It's a common mistake, don't sweat it.
Re:Java != Java Sandbox (Score:2)
I believe this is completely wrong. First, if the problem were in the browser and not Java, how did Sun fix it on 2 different operating systems, and why was there no mention of a specific browser?
Also, AFAIK, the Java plugin does have a sandbox which prevents Java toys from doing things like accessing local files, etc. It takes a trusted and signed applet and
Opera not affected (Score:3, Informative)
Re:Opera not affected (Score:5, Informative)
Not that critical.. (Score:5, Insightful)
And it's a java plugin vulnerability so a website running java on the serverside is not affected.
Re:Not that critical.. (Score:5, Insightful)
Re:Not that critical.. (Score:2)
It seems to me that Applets are dead. I am a java developer and have often browsed for months without encountering the need to tell my browser where my java is.
So most of the people are using java for applications or server-side programming.
Add the fact that this is only a theoretical vulnerability with no known exploits and the fact that not all browsers are affected and the conclusi
Re:Not that critical.. (Score:3, Insightful)
Re:Not that critical.. (Score:2)
How many millions of PCs are running that JVM right now? Mom and dad got a PC a year or two ago, which still has the same JRE the manufacturer or their son set up on the thing. There is little chance that they will upgrade it themselves.
Why doesn't the JRE have an auto-update feature enabled by default on install, easily disabled from the control panel for those who are savvy (
Re:Not that critical.. (Score:4, Informative)
java.com still offering BAD version (Score:4, Informative)
Version 1.5.0 is available from java.sun.com [sun.com].
WAKE UP SUN!
Re:java.com still offering BAD version (Score:2)
Re:java.com still offering BAD version (Score:2)
java.sun.com is where an administrator should go to.
Re:java.com still offering BAD version (Score:3)
Re:java.com still offering BAD version (Score:4, Informative)
Re:java.com is only offering 1.4 (Score:2)
Re:Not that critical.. (Score:2)
No root privilege escalation (Score:4, Insightful)
"...through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet."
A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.
Re:No root privilege escalation (Score:2)
Re:No root privilege escalation (Score:2, Informative)
BFD. Most machines that are used for surfing the web are single user machines, and having that user's stuff trashed is the same as trashing the whole machine.
Re:No root privilege escalation (Score:3, Insightful)
That is absolute misinformation. How are the two any different?
I run as root and as Administrator because I'm too lazy to set up actual, proper permissions and accounts. That doesn't mean that I couldn't, just that I do
Re:No root privilege escalation (Score:3, Insightful)
This will change when you get a job. I recommend breaking this habit soon.
Re:No root privilege escalation (Score:3, Insightful)
Re:No root privilege escalation (Score:3, Informative)
The difference is that running as a non-admin on Windows is a huge pain, as many programs don't play nicely with non-admin accounts. Windows has a huge legacy of "one user per machine" thinking in its applications development history.
That means that many apps will not run well under non-admin accounts on Windows. Try it sometime and see. Talk to any tech-support person and ask what fraction of calls they get due to people trying to run under non-admin accounts (there's been a spate of this lately as fol
Java finally reaches its full potential (Score:5, Funny)
Windows and Linux, huh? ...what about Mac? (Score:4, Interesting)
Also, what about BSD?
Mac (Score:4, Informative)
Anyone else try this on the mac and have similar results?
The nice thing is (Score:2)
Re:The nice thing is (Score:3, Insightful)
The nice thing is that if you are using Linux, Java is most likely not running as root, and therefore less likely to mess around with your OS, or files which that user does not have access to. Therefore, it's probably hard to get something into a startup script, and to create a virus that would be around after you rebooted the computer.
More detailed info ... (Score:3, Informative)
there have been lots of those before (Score:5, Insightful)
When Java first came out, people found lots of security problems with its sandbox; there were both fundamental flaws in Java's type system and problems in Sun's implementation. That aspect of Java was subject to intense scrutiny back then because Sun had positioned Java as a new way of delivering client applications, which depended critically on sandboxing. The vision was that Java would replace heavy desktop apps.
These days, it doesn't matter much anymore: Java has failed to achieve its goals on the client; you can browse perfectly fine with applets disabled and never even notice. And for Java's current server side uses, sandboxing isn't really that important. So, people stopped finding flaws in Java's sandbox because they stopped looking--it just doesn't matter to anyone anymore.
I think Java's original vision of a thin client platform for high-quality applications delivered through the Internet is still relevant, but Java won't be able to fulfill it anymore: it has become too bloated and too complex. More likely, that niche will be filled by an updated version of Flash (yuck), XUL, or, perhaps, something entirely new.
Applets are dead (Score:3, Interesting)
Web developers make sure not to have the functionality of their website depend on applets, as Windows only comes with a mutant of java 1.2 - if any - installed, and of the clients on the interweb, the overwhelming majority will be Windows PCs with Internet Explorer. You just can't count on visitors being willing to download a 14 megabyte installer to use your site.
Also the performance of client side Java is still very poor compared to the alternatives, and in
Re:Applets are dead (Score:3, Insightful)
The parent is right, client-side Java is dead.
Client side java is not dead. Applets may be, but client side gui applications are still being written. Ask the Eclipse people if they think it is dead.
No patch (Score:3, Interesting)
Re:No patch (Score:2)
Re:No patch (Score:2)
Re:No patch (Score:2)
Re:No patch (Score:2)
Whatever, it's not my bandwidth.
Re:No patch (Score:2)
let's have a little perspective (Score:5, Insightful)
Open source, although a wonderful thing which should be given away at school bake sales, church meetings, and NASCAR rallies, is not a silver bullet. Case in point - the Firefox browser (which I use and love) has already had several security flaws (e.g. the same JPG flaw as IE) for which exploits have been released. The major reason we don't see more is *not* because it's so much more robust [enterpriseitplanet.com] - it's because it still doesn't have the visibility and market share of IE, not to mention the raw hatred of ubergeeks around the world. I know, I know - the market share is going up, and as a faithful user I'm honestly torn. I'd love for it to be successful, and for Microsoft to have some kind of competition, but for now, Firefox is pretty safe. Give it the market share, and watch all those 2600-loving eyes start reappraising their goals.
daniel
Re:let's have a little perspective (Score:2)
The Java sandbox has had lots of security exploits over the years. I suspect the main reason people stopped discovering them is because Sun pretty much destroyed Java for applet use.
and you're complaining because
Indirectly, yes. Sun has lost its focus on a thin client platform and instead
Re:let's have a little perspective (Score:2)
Well...less whiners soon since Java is going to be open-sourced [zdnet.com.au].
Re:let's have a little perspective (Score:2)
Ummm, that was a security flaw in GDIplus.dll. That was by all standards an OS level bug and one that can be laid right at the feet of Microsoft. I have seen the phishing exploit, which seems like more of an abuse of tabs, and everything has to be set up just so for it to work. Overall I would say that Firefox/Thunderbird are safer not just because of the lack of hacker mindshare but because they do not bury their hooks so deep in the OS as do IE and Outlook. Micr
Re:let's have a little perspective (Score:5, Insightful)
Consider three email clients for home users of Windows:
Outlook Express - proprietary, bundled, and happily executes malware without a thought (and aids in social engineering attacks by hiding file extensions), insecure by design
Pegasus Mail - proprietary, free, but not open source. Never executes anything unless explicitly told to, secure by design.
Thunderbird - open source, secure by design.
Design's the key, not the platform.
But things aren't helped by idiotic PC games and applications requiring users to have administrative rights in order to play them (The Sims, The Sims 2, for example - it even says so on the box).
"All bugs are shallow" doesn't apply to security (Score:3, Insightful)
Where's the patch? (Score:2)
The linked notice sez the bug is patched in 1.4.2_06, but the web site and java auto-update both say the 1.4.2_05 I have now is the latest.
Does anyone out there have _06 yet or is this another case of premature press-releasination?
I wonder why java.com isn't dishing out 1.5 (Score:2)
follow the links to the JRE download.
www.java.com is STILL dishing out the wrong version (1.4.2_05). Grrrr. Naughty Sun!
Re:Where's the patch? (Score:3, Informative)
So What's a Doofus User To Do? (Score:2)
To fix this vulnerability, you have to go to
http://java.sun.com/j2se/1.5.0/download.jsp [sun.com]
and download the J2SE 5.0 JRE, right?
(Yeah, yeah, I know, and then install it.)
no ;-) (Score:2)
WAKE UP SUN!
Uninstall old version first (Score:2)
Just use JDK1.4.2_06 or JDK1.5 (Score:2)
If I had a girlfriend, I'd invite her to hang out and share the joy; this'd be way better than a movie as a date... Um... Maybe I should get out more, now that I think about it...
Is java still used for web pages (Score:2)
Not so long ago (for someone my age; for some /. readers it may be half a lifetime ago) java web applets were everywhere. Has this now been replaced with Flash, or have web designers decided they didn't need what java can do, or am I visiting the wrong pages?
No, I am not talking about web applications here but java applets that things l
God I hate being stuck in Windows (Score:2)
I know that Microsoft won't release a patch for their JVM. That means I will have to deploy the entire Sun JRE on all workstations and then deploy s
Unix Viruses ? (Score:3, Interesting)
Browsers lack security functionality (Score:3, Interesting)
I prefer to have javascript off all the time.
Being able to selectively enable them for certain sites would be nice and would improve security.
"Patch released quickly" (Score:3, Interesting)
1. Get notified about a serious security flaw
2.
3. Release a patch a quarter of a year later
4. Profit!
Found in April not June (Score:3, Informative)
But according to the Bugtraq posting [neohapsis.com] Sun Microsystems was informed on April 29, 2004.
I was hit last night by this exploit (Score:3, Informative)
Last night, while sitting at my machine, I noticed a Java icon appear in my taskbar. "That's weird," I thought, "I'm not doing anything or hitting any pages that should need the JRE." Since I don't use the JRE much anymore (I installed it while testing a java-based web server) I went to "Add/Remove Programs" and uninstalled j2re-1.4.2_05.
Too late. This morning I browsed to Slashdot and saw the parent article telling me why the Java icon had popped up.
Whatever payload the thing delivered appears to have punched a hole in Norton AntiVirus (the Norton Firewall console is reporting that Norton AntiVirus requires "Urgent Attention", but the annunciator on the AntiVirus tab appears to have been disabled in an effort to hide whatever was done to the AntiVirus). It may also have installed the bat/mumu-a worm (one spyware scanner is reporting an infection by the worm, but Symantec's bat/mumu-a removal tool reports the machine is clean).
Once a drive has been compromised by something more complicated than a simple virus, there's no way you can ever trust the machine again because there is no way to know what sort of rootkit the exploit delivered.
I've already disconnected the machine from my network and picked up a new hard drive. The old hard drives will go into an external drive housing that I'll only connect to the machine (a) after I have antivirus software reinstalled and (b) only if I absolutely have to pull data from the drive.
"Not that critical" hah! This is by far the most serious attack I've ever been hit with, and I downloaded j2re-1.4.2_05 at most two months ago (elsewhere in the comments someone is reporting that j2re-1.4.2_05 is still available for download from sun.com, I can't confirm that but this is hardly an antiquated version).
There goes my day...
-Don
Re:Makes me wonder... (Score:2, Troll)
Re:Makes me wonder... (Score:5, Informative)
...Or better, since Java runs in a (relatively) secure sandbox. It's worth noting, from the article [silicon.com], that there hasn't to date been a single Java virus. This is bad, but it has to get a lot worse before comparison with ActiveX is warranted.
Re:Makes me wonder... (Score:4, Insightful)
> > hasn't to date been a single Java virus.
> ...that we know about...
True, and it's worth noting that the quote I offered above came from Jonathan Schwartz, who - just possibly - might be biased. I'm still more inclined to trust a platform with no visible viruses than platforms with very obvious viruses. Put another way, I'm in no hurry to locate a browser that supports ActiveX.
Re:Makes me wonder... (Score:5, Interesting)
This is the only cross-platform security issue known, and it's a theoretical one; no exploits known.
One failure in a secure sandbox environment is still not as bad as an environment where any code is executed and the security consists of the developer saying:
"I don't think I built in something harmful and sign that belief with this digital signature"
Re:Makes me wonder... (Score:3, Insightful)
Well.. the result of this vulnerability is a circumvention of the sandbox environment ( not in C code but via Javascript [idefense.com] ). You may argue that the sandbox in itself has not failed which is formally correct, but a hacker shouldn't be able to circumvent it vi
Re:Makes me wonder... (Score:5, Insightful)
Note that there are very few security notifications with Java. I can remember a few buffer exploits in the VM (not in the Java applications themselves, that's impossible, unlike ActiveX). Java makes it much easier to write secure code. So the chance of serious bugs occurring is smaller (bugs tend to be in the design, not so much in the implementation). But it is definitely not a holy grail; mistakes can be made, as you can see.
So is it a serious bug: answer YES. Does that make Java (/.NET managed code) a bad idea: NO. Do you need to upgrade: certainly. Is Java as bad as ActiveX in the browser: definitely not.
Re:Makes me wonder... (Score:4, Insightful)
What you should have really noted was that this is a bug in the security implementation of java. Which is bad.
ActiveX, on the other hand, doesn't HAVE a security implementation in which to get such a bug, which is terminally bad.
Re:Makes me wonder... (Score:2)
As for the ActiveX part: ActiveX does have a security implementation. You need to sign your ActiveX component to make it safe for scripting. There can be security leaks in that. For instance the ASN.1 decoder may have a buffer overrun exploit, to name a completely random example. Or you might release a few libraries with the same signing certificate, needing to update *all* the libraries instea
Re:Makes me wonder... (Score:3)
I think you read an implied slur into me simply having chosen to use the word "java" instead of "sun" when paraphrasing instead of actually quoting you. None was intended.
On to the point; as I recall the 2 main problems with ActiveX security are:
1; the browser (IE being _the_ ActiveX browser IIRC) pushes "security" options such as "allow signed scripts to run". Johnny Hacker is quite capab
You have got to be shitting me. (Score:5, Insightful)
Who the hell moderates stuff like this as "insightful". I don't have any exact numbers in front of me (nor will I spend the time to find them), but I can safely tell you that over their respective lifetimes, ActiveX has suffered many orders of magnitude more exploits than Java ever will. The only meaningful caveat I can think of to this statement is the "default" Java runtime environment (that used to be) packaged with Internet Explorer that is written by Microsoft. Of course, you can hardly attribute any problems with that to Java because Microsoft built it on top of ActiveX and took very little interest in security when doing so.
Also, I should point out that any of the theoretical exploits will do more damage on Windows than on other platforms because Windows is insecure. It seems that any code running on a Windows box has, one way or another, unbridled access to resources that should be above the user's privileges, but that's an entirely different situation altogether...
Re:You have got to be shitting me. (Score:4, Interesting)
ActiveX pops up a dialog box at every new instance on every site. The user ends up thinking, "Oh, another damned popup," and just clicks on it. It's like email and dealing with spam. There are so many junk emails, eventually you make a mistake accepting one you shouldn't have or dumping one that you would have wanted.
With the Java applet sandbox, only actions that are potentially dangerous require a confirmation dialog, and 99.9% of all applets do not need signing. Sure, today Sun announced a vulnerability. That makes how many in the last ten years? Seriously, compare that number with the number of exploits in basically any network-aware program in any language. Dumping Java over this is like refusing to go out to restaurants anymore because a friend of a friend got food poisoning.
You want to be absolutely safe, unplug your network or modem cable. There you go. Absolute network safety. Life is a compromise.
Re:Disable Java (Score:2)
Come on, don't just make those statements without having anything constructive to say... now you're just flamebaiting.
Re:Disable Java (Score:2)
Re:Disable Java (Score:2)
Just fetch a newer JVM, they're faster anyway.
Re:Disable Java (Score:3, Interesting)
The worst problem I've had was writing a commercial app that had a Java frontend. Because Sun kept making seemingly random changes to the API and not fixing bugs (or worse, breaking the bugs that they fixed on the last version) we were stuck with 1.3.1-05 almost right until the java code was abandoned (went to c# - we only supported Windows servers anyway).
One customer wanted a 1.4.0 release, which we duly did (required a special fork and about a month of developer time)
Regarding Java (Score:3, Insightful)
Re:Regarding Java (Score:3, Insightful)
Thanks!
You list applications that do not work and then blame the language. Blame the application writers, not the language.
I don't have an issue with the language. It's the buggy runtime environment (JRE) that I have an issue with. The language has many good features. From what I understand, it's one of the best languages to program in. But since the JRE is so finicky and broken, it's not worth it to use the language, no matter how good it is.
Another issue that I h
Don't Disable Java (Score:3, Interesting)
So you have plugins including Java applets turned off but then say you haven't seen any useful applets. So let me get t
Re:Disable Java (Score:3, Interesting)
I actually have several websites with banking etc that use applets. The JVM load time is annoying though, I agree with that.
One of Java's cool "features" is that it does not have pointers. I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".
Yes, that is an unfortunate wording in the JVM. It should say "null reference exception". Everything except primitives
Re:Windows and Linux? (Score:5, Informative)
http://antivirus.about.com/library/weekly/aa03280
http://www.itworld.com/AppDev/1312/IWD010328hnvir
looks like this has been happening since 2001 according to the itworld article (look at the date in the upper left hand corner.)
the only thing that has changed is the vector of infection. There was also a
Re:Windows and Linux? (Score:3, Insightful)
This has been covered ad infinitum, and is a non-issue. If you can write to an executable file, you can potentially create a virus for the host system. This has always been a big problem for Microsoft based systems because such systems have no file protections. Anything on Microsoft systems can write to any executable file, hence viruses flourished this way.
Microsoft then must have decided that virus writers had to work too h
Re:Windows and Linux? (Score:3, Informative)
For at least a decade there have been "Windows-based systems" with file system access control much more sophisticated than anything offered by Linux (at least in typical configurations using rwxrwxrwx style permissions) even today.
Not to say the hard shell on most Windows systems doesn't more closely resemble swiss cheese, but you don't need to resort to inaccurate statements to make that case.
Re:Windows and Linux? (Score:2, Funny)
So; johnny hacker writes his Java exploit; part of which decides what OS it is currently fiddling with, then has it deposit an appropriate payload for the OS.
Voila; spreads through Windows and Linux.
Write once, run anywhere
Re:Windows and Linux? (Score:2)
Re:Windows and Linux? (Score:5, Insightful)
I think a lot of Linux zealots tend to downplay the importance of the home directory. After all, if you're a smart user and don't run as root, all your important data is going to be in the home directory (and possibly other directories where your user has permissions). I could care less if the OS install gets wiped out -- that can easily be replaced. The data in my home directory can't. In that regard, losing your home directory is just as bad as losing the entire system.
Re:Windows and Linux? (Score:4, Interesting)
Re:Windows and Linux? (Score:3, Insightful)
Re:Windows and Linux? (Score:4, Interesting)
1. Create a separate user called "webuser". Thus when some stupid java exploit attempts to delete your home directory, it can't.
2. Configure your SELinux security so that the JIT can't create/delete stuff except inside of a "java temp" directory. Fine, let the virus go wild; too bad it won't get anywhere.
3. Implement a sensible backup plan. What's really important for you to back up? Software can generally be downloaded again. The only stuff that's not replaceable is code and settings.
Re:At least... (Score:5, Insightful)
But when it happens on windows it is microsoft "covering up their vulnerabilities".
Apparently, for you, when someone else does it they are doing something good...
Security by Obscurity, no matter who does it, is still bad. Just because the WHOLE WORLD didn't know about it doesn't mean some virus writer didn't; it just meant everyone continued to use un-patched Java installs in blissful ignorance of the risk.
Re:At least... (Score:3, Insightful)
Security by Obscurity, no matter who does it, is still bad. Just because the WHOLE WORLD didn't know about it doesn't mean some virus writer didn't; it just meant everyone continued to use un-patched Java installs in blissful ignorance of the risk.
You're saying that vulnerability details should be announced before patches are completed? I'm afraid I disagree. There's a fair bit of evidence (see stories here [computerworld.com] and here [bbc.co.uk]) that black hats are using vulnerability announcements and patches to find exploi
Re:Still do not understand... (Score:2)
I am sure this would have clouded over the launch of Solaris 10, but I would have appreciated knowing about this last month when the exploit was patched.
Mod parent up (Score:2)
Re:WARNING! (Score:2)