Serious New Java Flaw Affects All Browsers 164
Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."
Guess it's time to uncheck that box (Score:4, Informative)
This is javocalypse (Score:2, Informative)
http://blog.cr0.org/2010/04/javacalypse.html [cr0.org]
How to disable Java? (Score:2, Informative)
In recent times firefox seems to have removed the little "[ ] Enable Java" checkbox from the Options > Content page, however I've found if you go into Tools > Add-ons > Plugins you can disable the Java(TM) Platform SE 6 Uxx plugin from there, which seems like it does the trick.
Re:Howcum? (Score:4, Informative)
Because it's not an exploit in Java, it's an exploit in the way parameter are provided to Java, when it is launched by the web start native executable.
Already fixed a long time ago in jdk 6 r 17 (Score:0, Informative)
yawn. old news.
http://java.sun.com/javase/6/webnotes/6u17.html
6872824 javawebstart general arbitary code execution using java web start
this has long since been fixed.
Re:Article Contents (Score:5, Informative)
Actually it affected Linux browsers too.
However, it was fixed a few updates ago: http://java.sun.com/javase/6/webnotes/6u17.html [sun.com]
Re:How to disable Java? (Score:3, Informative)
Re:Guess it's time to uncheck that box (Score:3, Informative)
Java Webstart, not applet. Basically you download a .jnlp file, which is an xml config file telling it where to download an application to then execute. It's supposed to be sandboxed. But what matters is how your browser handles .jnlp files (or the corresponding mimetype), not how it handles applet tags (or the corresponding object tag).
Re:How to disable Java? (Score:2, Informative)
Replying to myself, I know. I also just read TFA (!) and disabling the Java Platform plugin alone isn't enough!
There's a seperate plugin called something like Java Deployment Toolkit which you also need to kill.
To check if you're vulnerable, PoC is here: http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html [cmpxchg8b.com]
Re:New? (Score:4, Informative)
Offtopic, but you really should remove or replace that link in your sig if you want to be taken seriously on any topic related to Java (or .NET). It's so out of date it's not even funny - a lot of points are at best misleading, at at worst blatantly wrong - and you've been called out on that on /. several times already.
Actually, come to think of it, quite a few bullet points there were lies in 2004, as well, which makes me wonder if you're just ignorant, or deliberately spreading FUD.
Re:Guess it's time to uncheck that box (Score:1, Informative)
Some precisions.... (Score:5, Informative)
Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file.
Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code.
I thought this should be made clearer... ;-))
Re:All browsers? (Score:3, Informative)
From the first link:
"Because the JavaWS technology is included in the Java Runtime Environment, which is used by all of the major browsers, the vulnerability affects all of these applications, including Firefox, Internet Explorer and Chrome, on all versions of Windows from 2000 through Windows 7, Santamarta said. Browsers running on Apple's Mac OS X are not vulnerable."
And yet it ISN'T fixed (Score:4, Informative)
So no, not old news. Not "long since" fixed.
-B
Re:Article Contents (Score:3, Informative)
Re:Article Contents (Score:3, Informative)
Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!
Spoken like someone who hasn't had to administer antivirus in a while. The antivirus cares if the bot can affect it, and it's awfully difficult to install a rootkit without root access. So restricting it to user level access means that you're likely to catch it before it wipes out your stuff. And that's all I care about.
Re:And yet it ISN'T fixed (Score:4, Informative)
I tried to run their simple exploit demo, but it failed to load.
I just tested 1.6.0_18 and 1.6.0_19. Under IE8, both popped up an error that it couldn't download the exploit file. Firefox loaded Java, but nothing happened and no error was posted. So I would say, yes they are still vulnerable. It's just that the demo exploit file was not reachable.
Re:Article Contents (Score:3, Informative)
(try $ echo rm -rf ~)? rm will probably not understand it
test@localhost:~$ echo rm -rf ~ /home/test
.. .bashrc
..
rm -rf
test@localhost:~$ ls -a ~
.
test@localhost:~$ rm -rf ~
rm: cannot remove directory `/home/test': Permission denied
test@localhost:~$ ls -a ~
.
Aside from my test user not having permission to remove the directory itself, "rm -rf ~" does work and is devastating.