
Serious New Java Flaw Affects All Browsers

Posted by Soulskill
from the at-least-it's-consistent dept.
Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."
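The unvalidated-parameter problem described in the summary, shown from the defensive side as an added example (this is not code from the story, from the researchers, or from Sun's launcher): a deny-by-default filter that a native launcher would apply before any token that originated on a web page reaches the JVM command line. The allowlist entries and the sample tokens are assumed for illustration only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Options a web page is allowed to hand to the launcher. These entries are
 * assumed for illustration; a real launcher would publish its own table. */
static const char *const ALLOWED_WEB_ARGS[] = {
    "-verbose", "-offline", "-Xnosplash", NULL
};
enum verdict { ARG_OK, ARG_BAD_LENGTH, ARG_PATHLIKE, ARG_NOT_ALLOWLISTED };

/* Decide whether one web-supplied token may reach the JVM command line. */
enum verdict check_web_arg(const char *arg)
{
    size_t len = strlen(arg);
    if (len == 0 || len > 64) return ARG_BAD_LENGTH;
    /* Anything that can name a file, drive or share is rejected outright:
     * a value pointing at a library on disk is what lets a launcher
     * option like the one in the story load arbitrary code. */
    if (strpbrk(arg, "/\\:") != NULL) return ARG_PATHLIKE;

    /* Exact match only: no prefixes, so undocumented variants never pass. */
    for (size_t i = 0; ALLOWED_WEB_ARGS[i] != NULL; i++)
        if (strcmp(arg, ALLOWED_WEB_ARGS[i]) == 0) return ARG_OK;
    return ARG_NOT_ALLOWLISTED;
}

/* Returns -1 when every token passes, else the index of the first rejected
 * one. The launcher should then refuse to start rather than skip the token. */
int first_rejected_arg(int argc, const char *const argv[])
{
    for (int i = 0; i < argc; i++)
        if (check_web_arg(argv[i]) != ARG_OK) return i;
    return -1;
}

/* Constructed sample: two legitimate options, then a token that tries to
 * point the launcher at a file on disk. Returns the rejected index (2). */
int sample_first_rejected(void)
{
    const char *const sample[] = { "-verbose", "-Xnosplash", "C:\\Temp\\alt_runtime.dll" };
    return first_rejected_arg(3, sample);
}

int main(void)
{
    printf("first rejected argument index: %d\n", sample_first_rejected());
    return 0;
}
```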
  • For years?! (Score:2, Insightful)

    by irreverant (1544263) on Friday April 09, 2010 @05:24PM (#31795262)
    That's great, no one knew about it till now? I don't believe that.
  • Article Contents (Score:5, Insightful)

    by Oxford_Comma_Lover (1679530) on Friday April 09, 2010 @05:28PM (#31795322)

    Yes, the summary's misleading; but the article at least is a bit clearer: it refers to Windows-based browsers.

    "In his advisory, Ormandy said that he notified Sun about the vulnerability but that the vendor didn't believe it was serious enough to warrant an emergency patch," sayeth the article.

    Now that it's on slashdot, of course, that is clearly no longer the case, if indeed it was.

  • Re:New? (Score:5, Insightful)

    by binarylarry (1338699) on Friday April 09, 2010 @05:31PM (#31795380)

    Compared to what? Java has a pretty fantastic security track record.

    Also this isn't an exploit in the Java runtime, it's an exploit in the way the web start native launcher parses arguments before using them to launch the Java virtual machine.

  • Re:New? (Score:4, Insightful)

    by Yvan256 (722131) on Friday April 09, 2010 @05:40PM (#31795496)

    Compared to
    [_] Enable Java

  • Re:For years?! (Score:4, Insightful)

    by postbigbang (761081) on Friday April 09, 2010 @05:41PM (#31795504)

    You didn't notice we've been watching you?

    java -start -mykeylogger_to_ru -get_passwords_for_everything & -send_to_nsa_listening_post

    wasn't that link you clicked?

  • Re:New? (Score:4, Insightful)

    by binarylarry (1338699) on Friday April 09, 2010 @05:42PM (#31795514)

    It gets even safer with:

    [_] Enable teh interwebs

    oh oh! and this one:

    [_] Enable computer power

    The ultimate in security, I've done it!

  • by Anonymous Coward on Friday April 09, 2010 @05:44PM (#31795536)

    OK, I'm not trolling (seriously), but, honestly, I have to ask:

    Does anyone here actually use Java for anything? And I don't mean "I write Java Enterprise Beans," I mean for client applications, since this flaw affects launching Java client apps. Presumably you can keep on running your favorite J2EE XML-based Spring Hibernate Ultimate whatever without worrying about Java applets or Java Web Start or any of that Java client technology.

    If you do use client Java, what are you using it for? The only thing I can think of that I've ever seen anyone run a client Java app for was writing server-side Java code.

    I guess what I'm asking is, why would I install Java in the first place?

  • Re:All browsers? (Score:2, Insightful)

    by Peach Rings (1782482) on Friday April 09, 2010 @05:45PM (#31795554)

    Any sane browser is immune. Browsers shouldn't allow execution of Java code any time you simply click on a link. You should use NoScript or, better yet, just disable the Java plugin altogether except in the rare cases when you need it.

    by GIL_Dude (850471) on Friday April 09, 2010 @06:11PM (#31795794)
    http://runescape.com/ [runescape.com] is a Java site my son uses all the time. AT&T Connect web conferencing service is one I use at work all the time. There are certainly folks that need it for a bunch of different things, but I will certainly stipulate that it isn't used on the desktop (thankfully!) as much as it was. That said, at work, every time we send out a Java security patch we get calls from users of all kinds of vertical market apps about how the patch broke their app and we have to get the vendor to get a new version out really quick. Quite annoying how it always breaks stuff as it moves forward.
  • Re:For years?! (Score:3, Insightful)

    by leenks (906881) on Friday April 09, 2010 @06:29PM (#31795942)

    Troll. Client side java applications are still very popular in enterprises where something richer than a typical webapp is required (though this may change as browser tech matures), and JWS is a convenient medium for deploying them. Hell, even Eclipse RCP applications can be deployed with webstart [eclipse.org].

    by Animats (122034) on Friday April 09, 2010 @06:37PM (#31796006)

    This isn't a bug. This is a backdoor inserted by someone at Sun.

    The article says there is an "undocumented parameter" which allows specifying, on the command line, which run-time system to load. That allows loading arbitrary executable code. It's a built-in backdoor.

    by hairyfeet (841228) on Friday April 09, 2010 @07:06PM (#31796232)

    Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!

    So can we please let this little fact DIAF already? Because frankly it doesn't matter if the malware is running with user or admin rights because in the end it HAS YOUR STUFF which is all anybody gives a shit about. I have never in my nearly 15 years of PC repair had anybody go "but is the system okay?". All anybody has ever ever cared about, even when I tell them I'm gonna have to nuke it, is "can you give me back my stuff please?". So let us just let this little "malware at root VS user" crud die already. If you have malware running at either level it has access to your stuff, which depending on how religiously you back up (which guess what? 99.995% of users in my experience don't have recent backups, if they have backups at all) can be a PITA at best and a true tragedy if you use irreplaceable memories.

    So in conclusion: If the malware can run, whether on Linux or Windows, it can get to your stuff, which is WAY more important than whether or not your system gets hosed. After all any geek here at /. can get a system fully running and tweaked nicely in a couple of hours, how long would it take to replace that only copy of your vacation photos, or that only copy of your late grandmother's last Xmas here on earth?

  • Re:For years?! (Score:3, Insightful)

    by Bill_the_Engineer (772575) on Friday April 09, 2010 @07:19PM (#31796352)

    Agree. I use Java because it's the easiest way to write cross platform client applications without having to experience DLL hell or dependency issues.

    by petermgreen (876956) on Friday April 09, 2010 @07:29PM (#31796444)

    Don't even need to trick them, just put wrappers in place so that next time they try to use one of those tools it runs the malware. For bonus points design the malware so it takes what the user was originally trying to do as a command line parameter and runs that as well so the user isn't any the wiser.

  • by Anonymous Coward on Friday April 09, 2010 @07:38PM (#31796526)

    And what webapp sites would these be??? Really, there are not too many mainstream sites that require a JRE to function properly. I remember a short period where Java was used similar to Flash (I remember perverse cases where individual animated buttons were Java applets), and I occasionally stumble upon some of these broken down and burnt out sites.

    There are specific sites that tend to use Java, like online tutorials for math and science subjects, or somebody's hack, or just a browser integrated version of some Java app for something like an interactive simulator, but these are fairly niche.

    Or are you yet another fool that thinks that Java and Javascript are closely related?

  • by mswhippingboy (754599) on Saturday April 10, 2010 @02:22AM (#31798256)
    This is not a flaw in Java. This is (possibly) a flaw in JavaWS, which is nothing more than a technology for launching applications from a web page. It does not affect Java applets, or Java applications launched from the command line or desktop.
    If you RTFA, you'll see that the problem is that a link can redirect the executable that gets launched so that INSTEAD of Java launching, something nefarious gets launched.

    While the whole scenario described is a bit contrived, it is something that should definitely be corrected. It is not, however, a flaw in Java.
    Calling this a flaw in Java is equivalent to claiming that .Net has a serious security flaw because a link can be created that claims to launch a .Net application when in reality it points to a spyware executable.
