Cross-Platform Java Sandbox Exploit

DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.

Re:Makes me wonder...

[Anonymous Coward]

Correct. Except ActiveX cannot infect Linux. So I suppose the answer is actually no. Cheers.

Windows and Linux?

[Locdonan]

Since the architecture is so different, could a virus really spread between the two of them? I mean Linux is more secure for a userlevel, so I think that may be overrated.

Re:Makes me wonder...

[fforw]

...If java is really just as bad as ActiveX

no.

This the only cross plattform security issue known. and it's a theoretical one, no exploits known.

One failure in a secure sandbox environment is still not as bad as an environment where any code is executed and the security consists of the developer saying:

"I don't think I built in something harmfull and sign that belief with this digital signature"

Windows and Linux, huh? ...what about Mac?

[mrchaotica]

Is the Java that comes on Macs exploitable by this too? (Maybe not, since Apple might have changed something, but I don't know)

Also, what about BSD?

No patch

[roman_mir]

There is no patch, there is only the next release of the JRE, why is that? Wouldn't it make more sense to also release an executable patch rather than forcing a 14MB download (not that I care, I download it at 400KB/s?)

Re:Disable Java

[hackstraw]

Disable Java in your browser unless you absolutely need it (rare). Period.

Why is this flamebate?

My browser has _no_ plugins running by default. Also, my browser (Safari) has a separate Java and plugin preference checkbox, and I rarely load Java. The last time I did was to look at some buggy applet that someone wrote at work.

Over the years I have come to dispise Java. It would be different if it worked, but for me, Java has caused many problems, and I have seen 0 benefits from it.

So, I won't get modded as flamebate as well, I'll elaborate.

Oracle's "Universal Installer" is written in Java so that it could be crossplatform, etc, etc. to make it easier and universal for people to install Oracle. How convenient that it took me _hours_ to install it on a NT machine because of a bug in Java made the installer fail if the display was using more than some arbitrary number of colors (256, 16k, dunno, don't care). Thanks.

There are many "web installers" or whatever written in Java for Solaris machines. I've had these fail about 40% of the time.

I've had Netscape crash at least on the order of hundreds of times because of Java.

Java in a browser applet is very slow loading.

My brand new Apple Xserve RAID came with a GUI admin program written in Java. It worked for about a week, now it doesn't, and I have to call Apple and bitch when I get the time.

Java applets _never_ looked near the same on different OSes or even on the same OS with different browsers. Besides the silly thing a coworker wrote, I don't rememember the last time I had to load the Java plugin for a website.

I have installed Websphere once, I won't go into details from here.

One of Java's cool "features" is that it does not have pointers. I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".

I'm familier with Java for years. This is not some blind "this sucks" thing. I've coded in Java to write applications and applets that run native on a normal OS, and in browsers, and on embeded devices like smartcards and iButtons.

I don't particularly care for Python either, but at least most of the python applications that I have used work, so I have no real objections to it besides I just don't like the language or the quirky way python and python programmers do things. For example, the damn #!/usr/bin/env python thing kills me. Try explaining to (l)users over and over again that there are 2 versions of python on the system. One in /usr/bin one in /usr/local/bin. If the (l)user has sufficiently screwed up their PATH statement, or uses a broken shell (like bash which cannot decide which dotfiles to load under which invocation, don't get me started with (t)csh)) then the wrong instance of python gets loaded, and I have to go through my speach again about how #!/usr/bin/env python is wrong. But since it works most of the time, I don't rant about it like Java.

I'm just talking from my experiences here, and I have not had a pleasant experience with Java.

Unix Viruses ?

[anux]

I have always found the idea of viruses on Unix amusing. I mean, any user can cause damage to his/her files, either manually or by running a script or binary. But this is not an "infection" as the system is left completely untouched. What worries me though is the way the news sites report "Linux viruses". Someone unfamiliar with Linux/Unix might think: "Oh! So Unix also has viruses, just like Windows." This I think is giving a completely wrong impression about Unix to such people.

Browsers lack security functionality

[freelunch]

Browsers should allow you to configure java and javascript on a per site basis. Much like you can allow pop-ups from certain sites.

I prefer to have javascript off all the time.

Being able to selectively enable them for certain sites would be nice and would improve security.

Re:Makes me wonder...

[Anonymous Coward]

Get a mac. Not only is it not affected by this bug, it also has a spell checker for every textbox in the OS.

Re:Disable Java

[Tony Hoyle]

Wow, that's worse than I've seen.

The worst problem I've had was writing a commercial app that had a Java frontend. Because Sun kept making seemingly random changes to the API and not fixing bugs (or worse, breaking the bugs that they fixed on the last version) we were stuck with 1.3.1-05 almost right until the java code was abandoned (went to c# - we only supported Windows servers anyway).

One customer wanted a 1.4.0 release, which we duly did (required a special fork and about a month of developer time) - then rejected it because it wouldn't work through MS Proxy server (a java bug which has never been fixed to this day .. if first appeared in 1.3.1-02, was fixed in 1.3.1-05, broke again in 1.3.1-06 and never fixed since).

Re:Windows and Linux?

[fforw]

I think a lot of Linux zealots tend to downplay the importance of the home directory. After all, if you're a smart user and don't run as root, all your important data is going to be in the home directory (and possibly other directories where your user has permissions). I could care less if the OS install gets wiped out -- that can easily be replaced. The data in my home directory can't. In that regard, losing your home directory is just as bad as losing the entire system.

The home directory normally only includes data and settings. It's not fun if you lose data ( if it's important data you should have backups ), but it's worse to have a system compromise where the attacker can control your system, install backdoors to use your system for every purpose he can think of and can even fry your hardware in some cases.

"Patch released quickly"

[hkb]

4 months is quick? Boy, I'm sure glad there's such a large anti-full disclosure mentality going around lately. Now, vendors don't have to secure their vulnerabilities in a timely manner!

1. Get notified about a serious security flaw
2. ....
3. Release a patch a quarter of a year later
4. Profit!

Re:Windows and Linux?

[Mysticalfruit]

Your totally right. Here's how you solve the problem.

1. Create a seperate user called "webuser". Thus when some stupid java exploit attempts to delete your home directory, it can't.

2. configure your selinux security so that the JIT can't create/delete stuff except inside of a "java temp" directory. Fine let the virus go wild, too bad it won't get anywhere.

3. Impliment a sensible backup plan. What's really important for you to backup? Software can generally be downloaded again. The only stuff that's not replaceable is code and settings.

Don't Disable Java

[ttfkam]

My browser has _no_ plugins running by default. Also, my browser (Safari) has a separate Java and plugin preference checkbox, and I rarely load Java. The last time I did was to look at some buggy applet that someone wrote at work.

Over the years I have come to dispise Java. It would be different if it worked, but for me, Java has caused many problems, and I have seen 0 benefits from it.

So you have plugins including Java applets turned off but then say you haven't seen any useful applets. So let me get this straight: you hide them and then complain that you can't see any good ones. Self-fulfilling prophecy? By that metric, do you drop all usage of OS X if you come across a badly written program on the Mac? Starting the plugin the first time is slow, granted. But I've been running Safari on a 500MHz iBook and Java applets haven't been a problem for me. The best written ones have been the ones where I almost didn't notice they were applets. Well-written ones are like this. A lot of folks who denigrate Java out of hand have come across good applets but not recognized them as Java.

I've had Netscape crash at least on the order of hundreds of times because of Java.

Have you used Java since the old Netscape days? The plugins in IE, Mozilla, Firefox and Safari have not caused me any problems in years. I find it hard to believe that I've just been the only person in the world and/or am extremely lucky.

Well... except for that one applet that was a site logo rippling like it was underwater. Pure eye candy that sucked up 60% CPU time sustained on a 3GHz processor. Once again, good technology, bad applet writer.

That said, I prefer DHTML and related technologies to visual Java applets these days. In a better world, I would have the UI handled by the browser's renderer and the logic handled by Java. Javascript is nice and all, but sometimes you want to do some heavier lifting. And I sure as hell am not going to use ActiveX for that even if it was supported on non-IE and non-Windows environments.

And I too am talking from experience as I have developed on Java on Windows since Win95, OS/2 Warp, Novell NetWare, Solaris, OS X and Linux. Applets, servlets, EJBs and standalone apps. Aside from filesystem path differences, I have had maybe two problems in the last seven years moving my code from one platform to the next. And yes, I can code in C (K&R and ANSI) and C++ (including ISO98) too. Learned them before Java, so it's not because I haven't seen any other platforms.

By the way, your mention of NullPointerException is funny to me. Take a C app and access a null pointer. Boom! Hope you have core files enabled so you load the image in a handy debugger. Take a Java app and access a null reference (pointer). Not only can the exception be caught so that it doesn't completely take down the app, but you get an easy to read (relative to C and C++) stacktrace telling you exactly where it occurred so that you can fix it.

It's not the only language in the world and definitely isn't the only language you should have in your toolbelt, but it doesn't deserve the maligning you just gave it.

Re:You have got to be shitting me.

[ttfkam]

Exactly! And another aspect that people can't seem to wrap their heads around is the lack of confirmation windows in Java client-side. Sure a signed applet that will be accessing the local filesystem or connecting to an arbitrary server on the net will pop up a dialog box as it should, but normally it just starts up and runs.

ActiveX pops up a dialog box at every new instance on every site. The user ends up thinking, "Oh, another damned popup," and just clicks on it. It's like email and dealing with spam. There are so many junk emails, eventually you make a mistake accepting one you shouldn't have or dumping one that you would have wanted.

With the Java applet sandbox, only actions that are potentially dangerous require a confirmation dialog, and 99.9% of all applets do not need signing. Sure, today Sun announced a vulnerability. That makes how many in the last ten years? Seriously, compare that number with the number of exploits in basically any network-aware program in any language. Dumping Java over this is like refusing to go out to restaurants anymore because a friend of a friend got food poisoning.

You want to be absolutely safe, unplug your network or modem cable. There you go. Absolute network safety. Life is a compromise.

Re:Disable Java

[LarsWestergren]

I don't rememember the last time I had to load the Java plugin for a website.

I actually have several websites with banking etc that use applets. The JVM load time is annoying though, I agree with that.

One of Java's cool "features" is that it does not have pointers. I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".

Yes, that is an unfortunate wording in the JVM. It should say "null reference exception". Everything except primitives are pointers in Java, but unlike C/C++, Java does not allow pointer arithmetic, so they call them references instead.

If you see "null pointer exceptions" often, you must be unfortunate enough to have to be running some pretty amateurish programs though (no offence). Null pointers are not hard to avoid in normal code, and in situations where they might fail from an external source (for instance loaded from file), the programmer should of course wrap that in checks to see that the instance is properly initialized before proceding.

I have not had a pleasant experience with Java.

So I see.... sorry to hear that. My experiences have been much better. Eclipse and Azureus kicks ass. I couldn't do without Java on my mobile phones these days.

Re:"Patch released quickly"

[Greyfox]

That's probably the fastest the Sun process can move. Doubtless the programming team had it done in under a week and the rest of the time was spent tring to find a manager who would be willing to put his ass on the line by committing to release the change.

I never trusted Java on the browser and never install the plugin. On the other hand, there ARE a lot of PostScript network printers out there running a language interpreter, too. I always thought it'd be fun to write a PostScript worm that would propigate from printer to printer and, while running on the printer, would quietly replace every instance of the word "Strategic" with the word "Satanic."

Applets are dead

[rve]

The parent is right, client-side Java is dead.

Web developers make sure not to have the functionality of their website depend on applets, as Windows only comes with a mutant of java 1.2 - if any - installed, and of the clients on the interweb, the overwhealming majority will be windows PCs with Internet Explorer. You just can't count on visitors being willing to download a 14 megabyte installer to use your site.

Also the performance of client side Java is still very poor compared to the alternatives, and in the early years, when Java was still heralded as the future of computing, it was so unreliable, that it's image has been tainted forever.