Cross-Platform Java Sandbox Exploit
DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.
Re:Makes me wonder... (Score:5, Interesting)
This is the only cross-platform security issue known, and it's a theoretical one; no exploits known.
One failure in a secure sandbox environment is still not as bad as an environment where any code is executed and the security consists of the developer saying:
"I don't think I built in something harmful and sign that belief with this digital signature"
Windows and Linux, huh? ...what about Mac? (Score:4, Interesting)
Also, what about BSD?
Re:Disable Java (Score:2, Interesting)
Why is this flamebait?
My browser has _no_ plugins running by default. Also, my browser (Safari) has a separate Java and plugin preference checkbox, and I rarely load Java. The last time I did was to look at some buggy applet that someone wrote at work.
Over the years I have come to despise Java. It would be different if it worked, but for me, Java has caused many problems, and I have seen 0 benefits from it.
So I won't get modded as flamebait as well, I'll elaborate.
Oracle's "Universal Installer" is written in Java so that it could be cross-platform, etc, etc. to make it easier and universal for people to install Oracle. How convenient that it took me _hours_ to install it on an NT machine because a bug in Java made the installer fail if the display was using more than some arbitrary number of colors (256, 16k, dunno, don't care). Thanks.
There are many "web installers" or whatever written in Java for Solaris machines. I've had these fail about 40% of the time.
I've had Netscape crash at least on the order of hundreds of times because of Java.
Java in a browser applet is very slow loading.
My brand new Apple Xserve RAID came with a GUI admin program written in Java. It worked for about a week, now it doesn't, and I have to call Apple and bitch when I get the time.
Java applets _never_ looked near the same on different OSes or even on the same OS with different browsers. Besides the silly thing a coworker wrote, I don't remember the last time I had to load the Java plugin for a website.
I have installed Websphere once, I won't go into details from here.
One of Java's cool "features" is that it does not have pointers. I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".
I'm familiar with Java from years back. This is not some blind "this sucks" thing. I've coded in Java to write applications and applets that run native on a normal OS, and in browsers, and on embedded devices like smartcards and iButtons.
I don't particularly care for Python either, but at least most of the python applications that I have used work, so I have no real objections to it besides I just don't like the language or the quirky way python and python programmers do things. For example, the damn #!/usr/bin/env python thing kills me. Try explaining to (l)users over and over again that there are 2 versions of python on the system. One in
I'm just talking from my experiences here, and I have not had a pleasant experience with Java.
Browsers lack security functionality (Score:3, Interesting)
I prefer to have javascript off all the time.
Being able to selectively enable them for certain sites would be nice and would improve security.
Re:Disable Java (Score:3, Interesting)
The worst problem I've had was writing a commercial app that had a Java frontend. Because Sun kept making seemingly random changes to the API and not fixing bugs (or worse, breaking the bugs that they fixed on the last version) we were stuck with 1.3.1-05 almost right until the java code was abandoned (went to c# - we only supported Windows servers anyway).
One customer wanted a 1.4.0 release, which we duly did (required a special fork and about a month of developer time) - then rejected it because it wouldn't work through MS Proxy server (a java bug which has never been fixed to this day
"Patch released quickly" (Score:3, Interesting)
1. Get notified about a serious security flaw
2.
3. Release a patch a quarter of a year later
4. Profit!
Re:Windows and Linux? (Score:4, Interesting)
1. Create a separate user called "webuser". Thus when some stupid Java exploit attempts to delete your home directory, it can't.
2. Configure your SELinux security so that the JIT can't create/delete stuff except inside of a "java temp" directory. Fine, let the virus go wild, too bad it won't get anywhere.
3. Implement a sensible backup plan. What's really important for you to backup? Software can generally be downloaded again. The only stuff that's not replaceable is code and settings.
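Steps 1 and 2 of the comment above as a script, added here as an example and not something posted in the thread: it creates the dedicated account, pins the JVM's temporary directory to a private directory under that account's home (a substitute for the SELinux policy in step 2, which is not covered here), verifies the directory really is private, and launches the browser under the restricted account. The account name webuser, the paths, the use of JAVA_TOOL_OPTIONS to pass -Djava.io.tmpdir, and the browser command are all assumptions; step 3 (backups) is left out.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: the "webuser" account,
# its home under /home, and a java-tmp directory inside it. The SELinux step
# is replaced by pinning java.io.tmpdir through JAVA_TOOL_OPTIONS, which the
# JVM reads at startup.

WEBUSER="${WEBUSER:-webuser}"
WEBHOME="/home/$WEBUSER"
JAVA_TMP="$WEBHOME/java-tmp"

# Return 0 when the directory exists and group/others have no permission
# bits at all (an 0700-style directory), 1 otherwise. Positions 5-10 of
# "ls -ld" output are the group and other rwx bits on GNU and BSD ls alike.
dir_is_private() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Compose the launch command without executing it, so the privilege
# boundary can be inspected (and tested) before anything runs.
browser_cmd() {
    printf 'sudo -u %s env HOME=%s JAVA_TOOL_OPTIONS=-Djava.io.tmpdir=%s %s\n' \
        "$WEBUSER" "$WEBHOME" "$JAVA_TMP" "$1"
}

# Step 1: a dedicated account with its own home and private group, no
# interactive shell, plus the private temp directory. Needs root.
setup_webuser() {
    useradd --create-home --home-dir "$WEBHOME" --user-group \
        --shell /usr/sbin/nologin "$WEBUSER"
    install -d -m 0700 -o "$WEBUSER" -g "$WEBUSER" "$JAVA_TMP"
    dir_is_private "$JAVA_TMP" || { echo "java temp dir is not private" >&2; return 1; }
    # Let only this local account reach the current X display.
    xhost "+SI:localuser:$WEBUSER"
}

# Step 2: run the browser as webuser, with HOME and the JVM temp directory
# pointed away from the primary user's files. "sudo -u user cmd" runs cmd
# directly, so the nologin shell does not get in the way.
run_browser() {
    sudo -u "$WEBUSER" env HOME="$WEBHOME" \
        JAVA_TOOL_OPTIONS="-Djava.io.tmpdir=$JAVA_TMP" "$@"
}

# Usage: ./webuser.sh --setup   (once, as root)
#        ./webuser.sh --run firefox
case "${1:-}" in
    --setup) setup_webuser ;;
    --run)   shift; run_browser "$@" ;;
esac
```

The account's shell is nologin on purpose: nothing should log in as webuser interactively, and sudo executes the browser directly without it. The xhost grant is scoped to one local account rather than opening the display to everyone on the machine.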
Don't Disable Java (Score:3, Interesting)
So you have plugins including Java applets turned off but then say you haven't seen any useful applets. So let me get this straight: you hide them and then complain that you can't see any good ones. Self-fulfilling prophecy? By that metric, do you drop all usage of OS X if you come across a badly written program on the Mac? Starting the plugin the first time is slow, granted. But I've been running Safari on a 500MHz iBook and Java applets haven't been a problem for me. The best written ones have been the ones where I almost didn't notice they were applets. Well-written ones are like this. A lot of folks who denigrate Java out of hand have come across good applets but not recognized them as Java.
Have you used Java since the old Netscape days? The plugins in IE, Mozilla, Firefox and Safari have not caused me any problems in years. I find it hard to believe that I've just been the only person in the world and/or am extremely lucky.
Well... except for that one applet that was a site logo rippling like it was underwater. Pure eye candy that sucked up 60% CPU time sustained on a 3GHz processor. Once again, good technology, bad applet writer.
That said, I prefer DHTML and related technologies to visual Java applets these days. In a better world, I would have the UI handled by the browser's renderer and the logic handled by Java. Javascript is nice and all, but sometimes you want to do some heavier lifting. And I sure as hell am not going to use ActiveX for that even if it was supported on non-IE and non-Windows environments.
And I too am talking from experience as I have developed on Java on Windows since Win95, OS/2 Warp, Novell NetWare, Solaris, OS X and Linux. Applets, servlets, EJBs and standalone apps. Aside from filesystem path differences, I have had maybe two problems in the last seven years moving my code from one platform to the next. And yes, I can code in C (K&R and ANSI) and C++ (including ISO98) too. Learned them before Java, so it's not because I haven't seen any other platforms.
By the way, your mention of NullPointerException is funny to me. Take a C app and access a null pointer. Boom! Hope you have core files enabled so you can load the image in a handy debugger. Take a Java app and access a null reference (pointer). Not only can the exception be caught so that it doesn't completely take down the app, but you get an easy-to-read (relative to C and C++) stack trace telling you exactly where it occurred so that you can fix it.
It's not the only language in the world and definitely isn't the only language you should have in your toolbelt, but it doesn't deserve the maligning you just gave it.
Re:You have got to be shitting me. (Score:4, Interesting)
ActiveX pops up a dialog box at every new instance on every site. The user ends up thinking, "Oh, another damned popup," and just clicks on it. It's like email and dealing with spam. There are so many junk emails, eventually you make a mistake accepting one you shouldn't have or dumping one that you would have wanted.
With the Java applet sandbox, only actions that are potentially dangerous require a confirmation dialog, and 99.9% of all applets do not need signing. Sure, today Sun announced a vulnerability. That makes how many in the last ten years? Seriously, compare that number with the number of exploits in basically any network-aware program in any language. Dumping Java over this is like refusing to go out to restaurants anymore because a friend of a friend got food poisoning.
You want to be absolutely safe, unplug your network or modem cable. There you go. Absolute network safety. Life is a compromise.
Re:Disable Java (Score:3, Interesting)
I actually have several websites with banking etc that use applets. The JVM load time is annoying though, I agree with that.
One of Java's cool "features" is that it does not have pointers. I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".
Yes, that is an unfortunate wording in the JVM. It should say "null reference exception". Everything except primitives are pointers in Java, but unlike C/C++, Java does not allow pointer arithmetic, so they call them references instead.
If you see "null pointer exceptions" often, you must be unfortunate enough to have to be running some pretty amateurish programs though (no offence). Null pointers are not hard to avoid in normal code, and in situations where they might fail from an external source (for instance loaded from file), the programmer should of course wrap that in checks to see that the instance is properly initialized before proceeding.
I have not had a pleasant experience with Java.
So I see.... sorry to hear that. My experiences have been much better. Eclipse and Azureus kick ass. I couldn't do without Java on my mobile phones these days.
Re:"Patch released quickly" (Score:2, Interesting)
I never trusted Java on the browser and never install the plugin. On the other hand, there ARE a lot of PostScript network printers out there running a language interpreter, too. I always thought it'd be fun to write a PostScript worm that would propagate from printer to printer and, while running on the printer, would quietly replace every instance of the word "Strategic" with the word "Satanic."
Applets are dead (Score:3, Interesting)
Web developers make sure not to have the functionality of their website depend on applets, as Windows only comes with a mutant of Java 1.2 - if any - installed, and of the clients on the interweb, the overwhelming majority will be Windows PCs with Internet Explorer. You just can't count on visitors being willing to download a 14 megabyte installer to use your site.
Also the performance of client-side Java is still very poor compared to the alternatives, and in the early years, when Java was still heralded as the future of computing, it was so unreliable that its image has been tainted forever.