Serious New Java Flaw Affects All Browsers

Posted by Soulskill
from the at-least-it's-consistent dept.
Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."
  • by K. S. Kyosuke (729550) on Friday April 09, 2010 @05:24PM (#31795250)
    Oh come on. Shall I try it in Links? I've told you a million times that you're not supposed to overuse hyperboles.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Perhaps, but if people have been getting bad java, they're going to need some ceramic parabolas right quick.

    • Article Contents (Score:5, Insightful)

      by Oxford_Comma_Lover (1679530) on Friday April 09, 2010 @05:28PM (#31795322)

      Yes, the summary's misleading; but the article at least is a bit clearer: it refers to Windows-based browsers.

      "In his advisory, Ormandy said that he notified Sun about the vulnerability but that the vendor didn't believe it was serious enough to warrant an emergency patch," sayeth the article.

      Now that it's on slashdot, of course, that is clearly no longer the case, if indeed it was.

      • Re:Article Contents (Score:5, Informative)

        by binarylarry (1338699) on Friday April 09, 2010 @05:35PM (#31795438)

        Actually it affected Linux browsers too.

        However, it was fixed a few updates ago: http://java.sun.com/javase/6/webnotes/6u17.html [sun.com]

        • by Trepidity (597)

          At least with the official Sun JRE, it never affected 64-bit Linux, because they don't support [sun.com] Java Web Start on the 64-bit distribution. (The 64-bit Linux OpenJDK does support JWS, though.)

        • > Actually it affected Linux browsers too.

          Only ones with Java enabled, something I've never needed.

          • Only those using the 'official' Sun binary too.

            These days, most distributions package the OpenJDK. This doesn't include the offending source but rather IcedTea replacements written by some clever Canadians at Red Hat.

          • by jc42 (318812)

            Only ones with Java enabled, something I've never needed.

            Yeah, but somehow, people never seem to pick up on the idea that it's never a good idea to allow your software to automatically run code downloaded from some outside machine. Even Linux systems' browsers come with Java and JavaScript enabled, and the user has to know enough to turn them off. We geeks know that this is a good idea, but the other 99.99% of humanity generally doesn't.

            It is sorta stupid. We knew very well by 1980 that accepting code fro

    • by pcolaman (1208838)

      I guess this is also the one good thing for iPhone and iPod Touch users...since they can't run Java anyways, they are also immune.

      • Re: (Score:3, Interesting)

        I guess this is also the one good thing for iPhone and iPod Touch users...since they can't run Java anyways, they are also immune.

        FTFA: "Browsers running on Apple's Mac OS X are not vulnerable." That includes iPhone, iPod Touch & iPad .... oh, and Macs, too.

        • by pcolaman (1208838)

          Oh good, so they won't get any Java in their iPads too. That helps when that time of the month rolls around as it's already a mess down there as is.

      • by RockDoctor (15477)

        I guess this is also the one good thing for iPhone and iPod Touch users...since they can't run Java anyways, they are also immune.

        Isn't that rather like saying that Antony and Cleopatra were immune to Swine Flu by dint of being dead at the time?

    • Re: (Score:3, Informative)

      by NatasRevol (731260)

      From the first link:

      "Because the JavaWS technology is included in the Java Runtime Environment, which is used by all of the major browsers, the vulnerability affects all of these applications, including Firefox, Internet Explorer and Chrome, on all versions of Windows from 2000 through Windows 7, Santamarta said. Browsers running on Apple's Mac OS X are not vulnerable."

      • Browsers running on Apple's Mac OS X are not vulnerable.

        Of course not, Apple distributes their own version of the JVM for OS X, not Sun. So this is a fine example of how not incorporating every "neat" bleeding-edge idea into the JVM is a feature, not a handicap.

  • For years?! (Score:2, Insightful)

    by irreverant (1544263)
    That's great, no one knew about it till now? I don't believe that.
  • by Ma8thew (861741) on Friday April 09, 2010 @05:24PM (#31795264)
    Can't recall the last time I even used a Java applet. Just uncheck the box in preferences and forget about it.
    • by sznupi (719324)

      hmm.../me checking in Quick Preferences...yup, "Enable Java" unticked.

      Wait, I don't even have Java installed on this machine. Seriously, apart from very few webpages and applications (taking into account what is typically used), Java is hardly needed nowadays.

      • by abigor (540274)

        Well, except for all those webapp-type sites you visit. You "use" Java every single time you browse the web, just indirectly.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          And what webapp sites would these be??? Really, there are not too many mainstream sites that require a JRE to function properly. I remember a short period where Java was used similar to Flash (I remember perverse cases where individual animated buttons were Java applets), and I occasionally stumble upon some of these broken down and burnt out sites.

          There are specific sites that tend to use Java, like online tutorials for math and science subjects, or somebody's hack, or just a browser integrated version of

          • by Nadaka (224565)

            He said "just indirectly", indicating he was probably referring to the common use of Java in some form on the backend. Many web servers are written in Java, then there are the web apps using JSP, servlets or Cocoon and several other Java-based web app frameworks.

    • I just checked - I don't even have Java installed on my machine anymore. Never come across something that I need it for.

      What do people use it for these days?

      • Java is used primarily on the server. Sun botched the first applet plugin (which sucked). They rewrote it last year, which was recently released in an update. Although the technical suckage is out of the way, exploits like this sure don't help its popularity.

        Java has a >90% install base though.

        • Re: (Score:3, Interesting)

          by thsths (31372)

          > Sun botched the first applet plugin (which sucked). They rewrote it last year, which was recently released in an update.

          Can you tell me where I get a Java plugin that doesn't suck? Because mine still does - it takes seconds to load, blocks the browser in the meantime, it always looks ugly (something wrong with the fonts?), and it often interferes with the web page. Plus the update mechanism is terrible - certainly if you have a normal user account for normal use.

          Actually even the Flash plugin is a lot

      • by TwoUtes (1075403)
        Surprisingly enough, it is required to run training videos through a web site run by a major US government space agency who shall remain nameless.
      • Re: (Score:3, Insightful)

        by GIL_Dude (850471)
        http://runescape.com/ [runescape.com] is a Java site my son uses all the time. AT&T Connect web conferencing service is one I use at work all the time. There are certainly folks that need it for a bunch of different things, but I will certainly stipulate that it isn't used on the desktop (thankfully!) as much as it was. That said, at work, every time we send out a Java security patch we get calls from users of all kinds of vertical market apps about how the patch broke their app and we have to get the vendor to get a n
    • by Ma8thew (861741)
      Oh wait, despite what the hyperbole of the summary may suggest this doesn't affect browsers on the Mac anyway.
    • Re: (Score:3, Informative)

      by pjt33 (739471)

      Java Webstart, not applet. Basically you download a .jnlp file, which is an XML config file telling it where to download an application to then execute. It's supposed to be sandboxed. But what matters is how your browser handles .jnlp files (or the corresponding mimetype), not how it handles applet tags (or the corresponding object tag).

  • This is javocalypse (Score:2, Informative)

    by Anonymous Coward
  • by WindSword (596780) on Friday April 09, 2010 @05:25PM (#31795276)
    Wow! I never knew.
  • How to disable Java? (Score:2, Informative)

    by mtxf (948276)

    In recent times Firefox seems to have removed the little "[ ] Enable Java" checkbox from the Options > Content page, however I've found if you go into Tools > Add-ons > Plugins you can disable the Java(TM) Platform SE 6 Uxx plugin from there, which seems like it does the trick.

    • Re: (Score:3, Informative)

      by The MAZZTer (911996)
      That's probably why they removed it. Java is less and less popular so it makes sense to not make it as prominent. Plus it's not even built into the browser, it's a plugin, and now you can disable any plugin.
    • Re: (Score:2, Informative)

      by mtxf (948276)

      Replying to myself, I know. I also just read TFA (!) and disabling the Java Platform plugin alone isn't enough!

      --------------------
      Affected Software
      --------------------

      All versions since Java SE 6 update 10 for Microsoft Windows are believed to be
      affected by this vulnerability. Disabling the java plugin is not sufficient to
      prevent exploitation, as the toolkit is installed independently.

      There's a separate plugin called something like Java Deployment Toolkit which you also need to kill.

      To check if you're

  • by Anonymous Coward

    Really. [cr0.org]

  • 'QuickJava'. That 'J' icon is always disabled.

  • Some precisions.... (Score:5, Informative)

    by ls671 (1122017) on Friday April 09, 2010 @06:06PM (#31795754) Homepage

    Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file.

    Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code.

    I thought this should be made clearer... ;-))

    • by ls671 (1122017)

      This is worse than I thought, further research reveals that: ;-)

      In their default configurations:

      1) Firefox prompts you with a dialog similar to "open file abc.exe". ;-))

      2) IE8 opens the unsigned application right away without prompting. ;-((

      http://java.sun.com/javase/technologies/desktop/javawebstart/demos.html [sun.com]

      Also Web Start uses some sandboxing, but I have trusted it since I have never looked it up ;-))

    • by jrumney (197329)
      Java Web Start runs apps in a sandbox by default. To obtain extra privileges, apps have to be signed and the user is presented with a confirmation dialog, the same as for Java applets.
    • by tsotha (720379)
      My friend, you have no idea what you're talking about. An application run under Java Webstart is very much like an applet - it runs in the sandbox unless you specifically, deliberately give it more access.
    • by caluml (551744)

      Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file.

      What the hell?

      Java has a very finely grained security permissions model, and although I don't know, I would expect javaws to honour it.
      E.g.

      // Policy-file grant entry: property references use the ${...} form,
      // and the grant block is terminated with "};".
      grant codeBase "file:${jnlpx.home}/javaws.jar" {
          permission java.net.SocketPermission "1.2.3.4:313", "connect,resolve";
      };

  • This means that there will be a JDK 1.6u20 out soon.

  • by Animats (122034) on Friday April 09, 2010 @06:37PM (#31796006) Homepage

    This isn't a bug. This is a backdoor inserted by someone at Sun.

    The article says there is an "undocumented parameter" which allows specifying, on the command line, which run-time system to load. That allows loading arbitrary executable code. It's a built-in backdoor.

    • Personally I doubt this was deliberate.

      The ability to load a different version of the JVM DLL sounds like a debugging feature and normally someone running Java from the command line would have the ability to run anything else anyway so it wouldn't really seem like a security flaw.

      Processing untrusted stuff to allow it to be passed to an interface designed to take trusted stuff is known to be something that is easy to fuck up. Just look at all the sql injection attacks over the years.

      • by jrumney (197329)
        The Java applet plugin has a documented parameter to specify the version of JVM to run, so including such a parameter in Java Web Start is unlikely to be a malicious back door. The workaround for both vulnerabilities is to uninstall old vulnerable JVMs from your system so they are not available to exploit.
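The thread above is really about one bug class: web-controlled text being spliced into a launcher's command line, so that an undocumented option becomes reachable from a page. The following is an added illustration, not Sun's javaws code; the launcher name, the allow-listed flags and the "-hypothetical-runtime-override" token are all constructed placeholders.

```python
"""Constructed illustration of argument injection into a web-launched helper:
the pattern the advisory describes beside an allow-listing alternative.
Not Sun's javaws code; all flag names are hypothetical."""
import shlex
from urllib.parse import urlparse

# Hypothetical allow-list: documented, harmless launcher flags a page may set.
ALLOWED_FLAGS = {"-verbose", "-offline"}


class RejectedArgument(ValueError):
    """Raised when web-controlled input tries to set something it must not."""


def build_argv_vulnerable(web_param: str) -> list[str]:
    """The pattern the advisory describes: tokens taken from the HTML tag go
    straight onto the launcher's command line, so every option the binary
    understands, documented or not, becomes reachable from a web page."""
    return ["javaws"] + shlex.split(web_param)


def build_argv_hardened(web_param: str) -> list[str]:
    """Treat the page's text as data, not as a command line: option tokens
    must be on the allow-list and exactly one http(s) JNLP URL is accepted."""
    argv = ["javaws"]
    urls = []
    for tok in shlex.split(web_param):
        if tok.startswith("-"):
            if tok not in ALLOWED_FLAGS:
                raise RejectedArgument(f"option not permitted from web input: {tok!r}")
            argv.append(tok)
            continue
        parsed = urlparse(tok)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            raise RejectedArgument(f"not an http(s) JNLP URL: {tok!r}")
        urls.append(tok)
    if len(urls) != 1:
        raise RejectedArgument("expected exactly one JNLP URL")
    return argv + urls


if __name__ == "__main__":
    # Constructed page-supplied value carrying an unexpected option token.
    page_text = "http://example.invalid/app.jnlp -hypothetical-runtime-override other-runtime"
    print(build_argv_vulnerable(page_text))  # the injected option is passed through
    try:
        build_argv_hardened(page_text)
    except RejectedArgument as err:
        print("rejected:", err)
```

The hardened variant also rejects non-http(s) schemes, which is what makes the JNLP URL the only thing a page can influence.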
  • HURRY!!! (Score:2, Funny)

    by Anonymous Coward

    Both users of Java Web Start need to be contacted immediately!

  • This is not a flaw in Java. This is (possibly) a flaw in JavaWS, which is nothing more than a technology for launching applications from a web page. It does not affect Java applets, or Java applications launched from the command line or desktop.
    If you RTFA, you'll see that the problem is that a link can redirect the executable that gets launched so that INSTEAD of Java launching, something nefarious gets launched.

    While the whole scenario described is a bit contrived, it is something that should definitely
