
Dangerous Java Flaw Threatens 'Virtually Everything'

Marc Nathoni writes with a ZDNet article about a critically dangerous hole in the Java Runtime Environment. Due to the ubiquitousness of Java, this could prove a serious security problem. "Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk. 'Delivery of exploits in this manner is attractive to attackers because even though the browser may be fully patched, some people neglect to also patch programs invoked by browsers to render specific types of content,' said Lowe."
  • by Anonymous Coward on Friday July 13, 2007 @11:05AM (#19848945)
    I think that

    Dangerous Java Flaw Threatens 'Virtually Everything'
    Should read

    Dangerous Java Flaw Threatens 'Everything Virtual'
    I mean, Java is just a freaking virtual machine, not the underpinnings of all laws of physics. I'm pretty sure my shoes and coffee mug are going to make it through this ordeal.
  • by greenreaper ( 205818 ) on Friday July 13, 2007 @11:09AM (#19848999) Homepage Journal
    What about the people using it to run nuclear reactors?
  • by radarjd ( 931774 ) on Friday July 13, 2007 @11:10AM (#19849015)

    Okay, so which versions are vulnerable?

    The article sadly has little more information than the summary. It doesn't say which VMs, only that "exploit is browser independent, as long as it invokes a vulnerable Java Runtime Environment". In other words, the vulnerable VMs are vulnerable.

  • by slas6654 ( 996022 ) on Friday July 13, 2007 @11:12AM (#19849043)

    ...Pure Hacking will provide a complete explanation of the vulnerability.

    For an additional undetermined sum, Pure Hacking will offer an ambiguous and nefarious fix for the vulnerability.

  • by Azar ( 56604 ) on Friday July 13, 2007 @11:13AM (#19849055) Homepage
    Well, as long as they aren't using the nuclear reactor to browse warez sites, I think we will be fine.
  • by iBod ( 534920 ) on Friday July 13, 2007 @11:16AM (#19849111)
    >>Due to the ubiquitousness of Java, this could prove a serious security problem.

    Ah! That would be 'ubiquity' then?

    FFS editors!
  • I'm pretty sure my shoes and coffee mug are going to make it through this ordeal.

    Speak for yourself, some of us use Java in our coffee mugs. The upcoming patch is supposed to correct a number of leaks.
  • by greenreaper ( 205818 ) on Friday July 13, 2007 @11:18AM (#19849155) Homepage Journal
    That was yet another serious Java bug. Unless they've decided to review a story from January, which I guess is always possible.
  • by kippa ( 453370 ) on Friday July 13, 2007 @11:19AM (#19849163)
    Friday the 13th is the new April Fool's Day!
  • by pw700z ( 679598 ) on Friday July 13, 2007 @11:20AM (#19849181)
    ...at least we can be assured whatever disaster happens, it will happen slowly. Just kidding!
  • by Anonymous Coward on Friday July 13, 2007 @11:30AM (#19849299)
    Just because you are paranoid doesn't mean there isn't an invisible demon out to eat your face.
  • by Geek of Tech ( 678002 ) on Friday July 13, 2007 @11:38AM (#19849433) Homepage Journal
    Among other things, it has been confirmed that cellphones, computers, handhelds, iPods, small children, toasters, garage door openers and SUV owners are all vulnerable to this flaw.

    The only device that isn't vulnerable to this is the Nintendo Wii. The theory is that the swinging of Wiimotes manages to sling the problematic code away from your device.

    If you think that your computer might be at risk, pick it up and start spinning in big circles. This might create enough force to dislodge any vicious code.
  • by networkBoy ( 774728 ) on Friday July 13, 2007 @11:42AM (#19849481) Journal
    And then there is a buffer overflow event, causing data packet collisions, next thing you know I've got your mocha executing in my latte.
  • by profplump ( 309017 ) <zach-slashjunk@kotlarek.com> on Friday July 13, 2007 @12:09PM (#19849845)
    Oh, and Sun wouldn't have had this problem if they'd used pure Java code rather than relying on an existing library.

    Yes. If only Sun would toss out all the C and re-implement their JVM in Java. How you'd launch the Java-based JVM is not clear, but once you got it going you'd never have to worry about buffer overflows again.
  • by computational super ( 740265 ) on Friday July 13, 2007 @12:21PM (#19850005)
    I don't know Java, so I can't start a rational flamewar over why Lisp is better.

    Lisp is preferred in high-security installations (such as nuclear generators) because it's an extra layer of security. Even if a hacker can breach the outer defences, no actual human being can comprehend a Lisp program, so there's no danger of the hacker doing any damage.

  • by smittyoneeach ( 243267 ) * on Friday July 13, 2007 @12:25PM (#19850049) Homepage Journal
    Well, if y'all goin' for the pure-Java solution, y'all obviously do the BIOS and bootleg^Wbootloader in Java, too.
    I mean, C is just portable Assembler, right? If C is the source of all them evil buffer overflows, I reckon that means Assembler's got 'em, too?
    Heck: me an' Jethro wuz wonderin' how these here computers ever got far enough along for the Sun to 'shine and the Java to perk.
    Yep. I reckon only them city slickers with all their fancy talk do anything but Java anymore, buncha used car salesmen.
  • by joshv ( 13017 ) on Friday July 13, 2007 @12:29PM (#19850093)
    That's probably because the bug inside had failed and the battery started corroding causing it to expand and crack the mug.
  • by bensafrickingenius ( 828123 ) on Friday July 13, 2007 @12:41PM (#19850219)
    I just got done installing Java in 3 computer labs, and took the extra step of turning off that damn annoying autoupdate feature in the Java Control Panel on every machine. Crap, there goes my weekend...
  • Lava Flow (Score:4, Funny)

    by Kinthelt ( 96845 ) on Friday July 13, 2007 @12:47PM (#19850281) Homepage
    Am I the only one who originally read this as: Dangerous Lava Flow Threatens 'Virtually Everything'?
  • by Oswald ( 235719 ) on Friday July 13, 2007 @01:17PM (#19850671)
    You know it is. Java is Write Once, Run Anywhere, remember?
  • by nuzak ( 959558 ) on Friday July 13, 2007 @01:26PM (#19850795) Journal
    This hole might have been a bit easier for Sun to patch if they hadn't made the automatic updater, jusched.exe such an unstable and annoying piece of junk. Or if they made updates work at all. My JRE is still beta 2 and has never seen an update since.

    Screw it. I run Windows anyway, it's not like my system isn't already full of holes. What's one more?

  • by jason8 ( 917879 ) on Friday July 13, 2007 @02:24PM (#19851507)

    Have you heard of the major Lisp nuclear controller hack of a few years ago? Apparently, hackers somehow managed to get into a nuclear reactor site and make a copy of the top-secret Lisp program used to control the reactor. I can't post the entire program for security reasons, but I will post the last page:

    (Imagine a page full of right-parens)

  • by kabdib ( 81955 ) on Friday July 13, 2007 @02:35PM (#19851629) Homepage
    Low tech is better.

    Those relays are powered by *steam*, and serve only to control arms in the corridor outside the control room which raise and lower colored flags. Mesopotamian runner-slaves note the configuration of the flags and carry messages to more slaves stationed near the reactor core who in turn are responsible for raising and lowering the control rods, who man the coolant pumps, and in a pinch, who sacrifice goats to the altar of O'krap, the God of Reactor Meltdowns.

    Speaking tubes were tried once ("Ahoy! More coolant on the starboard pile, and hoist up control rod three!") but finding reactor operators who knew Urdu was too difficult.

    The Nuclear Safety Council is considering a move to systems based on "electrics," but the committee responsible for this investigation has been unable to locate the inventors B. Franklin and T. Edison.
  • by Anonymous Coward on Friday July 13, 2007 @03:59PM (#19852491)

    Bunch of FUD-spreading fear-mongers. Hrumph.

    Plus if anyone does write an exploit it will take so long to load and run the thing that everyone will be patched anyhow. Hell, machines capable of running a Java exploit must still be at least five years away. The last time I checked you need about 2G of ram to run "Hello World" (the source takes about 700MB), and you'd best have a big page file to back it up too.

    But Java is getting faster and less bloated. They are learning to profile the language using the same methods that geologists use to track the drift of continental plates.

    Why is it that an infinite number of monkeys at an infinite number of typewriters would reproduce all human knowledge instantly, but they would take about 12 times the age of the universe to generate the Java API? Oh yeah, I guess they would still have to load the thing.

    At least the language is object-oriented. It would be inexcusable to any non-object-oriented language to become so huge and rancid. Can you imagine generating anything so horrible in C, Python, Perl, GW Basic, Fortran, etc without having the benefits of containers with 40 levels of abstraction? I guess you could write several million noop commands for every particle in the universe, but the compiler might be able to optimise that out.

    Hey, maybe if they add another 40EB of rancid filth to the language then someone might be able to declare an unsigned integer. Or maybe not.

    I'm kidding, of course. I love the language. It's just fucking great.

  • by Anonymous Coward on Friday July 13, 2007 @06:25PM (#19853873)
    Shoosh! Good job I switched to Vista then :-)
