Dangerous Java Flaw Threatens 'Virtually Everything' 323
Marc Nathoni writes with a ZDet article about a critically dangerous hole in the Java Runtime Environment. Due to the ubiquitousness of Java, this could prove a serious security problem. "Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk. 'Delivery of exploits in this manner is attractive to attackers because even though the browser may be fully patched, some people neglect to also patch programs invoked by browsers to render specific types of content,' said Lowe."
'Virtually Everything' or 'Everything Virtual'? (Score:5, Funny)
You forget... (Score:5, Funny)
Re:How...useful. :/ (Score:4, Funny)
The article sadly has little more information than the summary. It doesn't say which VMs, only that "exploit is browser independent, as long as it invokes a vulnerable Java Runtime Environment". In other words, the vulnerable VMs are vulnerable.
For the Very Low Price of .... (Score:2, Funny)
For an additional undetermined sum, Pure Hacking will offer an ambiguous and nefarious fix for the vulnerability.
Re:You forget... (Score:5, Funny)
Ubiquitousness? (Score:4, Funny)
Ah! That would be 'ubiquity' then?
FFS editors!
Re:'Virtually Everything' or 'Everything Virtual'? (Score:5, Funny)
Speak for yourself, some of us use Java in our coffee mugs. The upcoming patch is supposed to correct a number of leaks.
Doh, ignore the above :-) (Score:3, Funny)
SOD - Superstition Obfuscation Demagoguery (Score:2, Funny)
Well, since this impacts Java... (Score:5, Funny)
To quote Harry Dresden... (Score:5, Funny)
Re:Anyone have details? (Score:5, Funny)
The only device that isn't vulnerable to this is the Nintendo Wii. The theory is that the swinging of Wiimotes manages to sling the problematic code away from your device.
If you think that your computer might be at risk, pick it up and start spinning in big circles. This might create enough force to dislodge any vicious code.
Re:Are you sure? (Score:3, Funny)
Re:Original AusCERT (Score:1, Funny)
Yes. If only Sun would toss out all the C and re-implement their JVM in Java. How you'd launch the Java-based JVM is not clear, but once you got it going you'd never have to worry about buffer overflows again.
Re:You forget... (Score:5, Funny)
Lisp is preferred in high-security installations (such as nuclear generators) because it's an extra layer of security. Even if a hacker can breach the outer defences, no actual human being can comprehend a Lisp program, so there's no danger of the hacker doing any damage.
Re:Original AusCERT (Score:4, Funny)
I mean, C is just portable Assembler, right? If C is the source of all them evil buffer overflows, I reckon that means Assembler's got 'em, too?
Heck: me an' Jethro wuz wonderin' how these here computers ever got far enough along for the Sun to 'shine and the Java to perk.
Yep. I reckon only them city slickers with all their fancy talk do anything but Java anymore, buncha used car salesmen.
Re:Are you sure? (Score:5, Funny)
Just my luck... (Score:4, Funny)
Lava Flow (Score:4, Funny)
Re:Is Apple affected? (Score:4, Funny)
java updater gives me nothing (Score:3, Funny)
Screw it. I run Windows anyway, it's not like my system isn't already full of holes. What's one more?
Re:You forget... (Score:3, Funny)
Have you heard of the major Lisp nuclear controller hack of a few years ago? Apparently, hackers somehow managed to get into a nuclear reactor site and make a copy of the top-secret Lisp program used to control the reactor. I can't post the entire program for security reasons, but I will post the last page:
(Imagine a page full of right-parens)
Re:You forget... (Score:5, Funny)
Those relays are powered by *steam*, and serve only to control arms in the corridor outside the control room which raise and lower colored flags. Mesopotamian runner-slaves note the configuration of the flags and carry messages to more slaves stationed near the reactor core who in turn are responsible for raising and lowering the control rods, who man the coolant pumps, and in a pinch, who sacrifice goats to the altar of O'krap, the God of Reactor Meltdowns.
Speaking tubes were tried once ("Ahoy! More coolant on the starboard pile, and hoist up control rod three!") but finding reactor operators who knew Urdu was too difficult.
The Nuclear Safety Council is considering a move to systems based on "electrics," but the committee responsible for this investigation has been unable to locate the inventors B. Franklin and T. Edison.
Re:Original AusCERT (Score:1, Funny)
Bunch of FUD-spreading fear-mongers. Hrumph.
Plus if anyone does write an exploit it will take so long to load and run the thing that everyone will be patched anyhow. Hell, machines capable of running a Java exploit must still be at least five years away. The last time I checked you need about 2G of ram to run "Hello World" (the source takes about 700MB), and you'd best have a big page file to back it up too.
But Java is getting faster and less bloated. They are learning to profile the language using the same methods that geologists use to track the drift of continental plates.
Why is it that an infinite number of monkeys at an infinite number of typewriters would reproduce all human knowledge instantly, but they would take about 12 times the age of the universe to generate the Java API? Oh yeah, I guess they would still have to load the thing.
At least the language is object-oriented. It would be inexcusable to any non-object-oriented language to become so huge and rancid. Can you imagine generating anything so horrible in C, Python, Perl, GW Basic, Fortran, etc without having the benefits of containers with 40 levels of abstraction? I guess you could write several million noop commands for every particle in the universe, but the compiler might be able to optimise that out.
Hey, maybe if they add another 40EB of rancid filth to the language then someone might be able to declare an unsigned integer. Or maybe not.
I'm kidding, of course. I love the language. It's just fucking great.
Re:And people called me paranoid (Score:1, Funny)