Serious New Java Flaw Affects All Browsers
Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."
For years?! (Score:2, Insightful)
Article Contents (Score:5, Insightful)
Yes, the summary's misleading; but the article at least is a bit clearer: it refers to Windows-based browsers.
"In his advisory, Ormandy said that he notified Sun about the vulnerability but that the vendor didn't believe it was serious enough to warrant an emergency patch," sayeth the article.
Now that it's on slashdot, of course, that is clearly no longer the case, if indeed it was.
Re:New? (Score:5, Insightful)
Compared to what? Java has a pretty fantastic security track record.
Also this isn't an exploit in the Java runtime, it's an exploit in the way the web start native launcher parses arguments before using them to launch the Java virtual machine.
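The comment above describes the weak spot as argument parsing in the native launcher, not the JVM. As an added illustration (this is not Sun's launcher code and not code from either advisory), the toy model below builds a launcher command line from parameters a web page hands over, first without validation and then with an allowlist that only accepts a single https URL to a .jnlp descriptor. The launcher path, the option name `-hypothetical-runtime=` and the sample inputs are all constructed for this example; the real undocumented parameter is not named on this page and is not reproduced here.

```python
"""
Toy model of a web-start style launcher that receives parameters from a web page.
Vulnerable form: tokens are forwarded untouched, so an option-looking token is
interpreted by the launcher instead of being treated as data.
Hardened form: only one https URL naming a .jnlp descriptor is accepted.
Launcher path, option name and sample inputs are invented for this example.
"""
from urllib.parse import urlparse

LAUNCHER = "/opt/jre/bin/javaws"  # hypothetical install path, not a real one


class RejectedParameter(ValueError):
    """Raised when web-supplied launch parameters fail validation."""


def build_unvalidated(params):
    """Vulnerable pattern: every web-supplied token lands on the command line."""
    return [LAUNCHER, *params]


def build_validated(params):
    """Hardened pattern: exactly one absolute https URL ending in .jnlp, no options."""
    if len(params) != 1:
        raise RejectedParameter("exactly one launch descriptor expected")
    token = params[0]
    if any(ch.isspace() or ord(ch) < 0x20 for ch in token):
        raise RejectedParameter("whitespace/control characters refused")
    if token.startswith("-"):
        # The launcher would otherwise parse this as one of its own switches.
        raise RejectedParameter("option-like token from web content refused")
    url = urlparse(token)
    if url.scheme != "https" or not url.netloc:
        raise RejectedParameter("descriptor must be an absolute https URL")
    if not url.path.lower().endswith(".jnlp"):
        raise RejectedParameter("descriptor must name a .jnlp file")
    return [LAUNCHER, token]


def has_option_tokens(argv):
    """True if anything after the launcher itself looks like a switch."""
    return any(arg.startswith("-") for arg in argv[1:])


# Constructed sample inputs (not from the advisory).
BENIGN = ["https://apps.example.com/editor.jnlp"]
HOSTILE = ["-hypothetical-runtime=/tmp/not-a-jvm", "https://apps.example.com/editor.jnlp"]


if __name__ == "__main__":
    print("unvalidated:", build_unvalidated(HOSTILE))
    try:
        build_validated(HOSTILE)
    except RejectedParameter as exc:
        print("validated refused hostile input:", exc)
    print("validated accepted:", build_validated(BENIGN))
```

The design point is that the launcher, not the JVM, is the trust boundary: whatever reaches `build_unvalidated` is parsed as launcher syntax, so the fix is to stop option-like tokens at the boundary rather than to harden the runtime behind it.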
Re:New? (Score:4, Insightful)
Compared to
[_] Enable Java
Re:For years?! (Score:4, Insightful)
You didn't notice we've been watching you?
java -start -mykeylogger_to_ru -get_passwords_for_everything & -send_to_nsa_listening_post
wasn't that link you clicked?
Re:New? (Score:4, Insightful)
It gets even safer with:
[_] Enable teh interwebs
oh oh! and this one:
[_] Enable computer power
The ultimate in security, I've done it!
Re:Guess it's time to uncheck that box (Score:1, Insightful)
OK, I'm not trolling (seriously), but, honestly, I have to ask:
Does anyone here actually use Java for anything? And I don't mean "I write Java Enterprise Beans," I mean for client applications, since this flaw affects launching Java client apps. Presumably you can keep on running your favorite J2EE XML-based Spring Hibernate Ultimate whatever without worrying about Java applets or Java Web Start or any of that Java client technology.
If you do use client Java, what are you using it for? The only thing I can think of that I've ever seen anyone run a client Java app for was writing server-side Java code.
I guess what I'm asking is, why would I install Java in the first place?
Re:All browsers? (Score:2, Insightful)
Any sane browser is immune. Browsers shouldn't allow execution of Java code any time you simply click on a link. You should use NoScript or, better yet, just disable the Java plugin altogether except in the rare cases when you need it.
Re:Guess it's time to uncheck that box (Score:3, Insightful)
Re:For years?! (Score:3, Insightful)
Troll. Client side java applications are still very popular in enterprises where something richer than a typical webapp is required (though this may change as browser tech matures), and JWS is a convenient medium for deploying them. Hell, even Eclipse RCP applications can be deployed with webstart [eclipse.org].
Java has had a built-in backdoor (Score:5, Insightful)
This isn't a bug. This is a backdoor inserted by someone at Sun.
The article says there is an "undocumented parameter" which allows specifying, on the command line, which run-time system to load. That allows loading arbitrary executable code. It's a built-in backdoor.
Re:For years?! (Score:3, Insightful)
Agree. I use Java because it's the easiest way to write cross platform client applications without having to experience DLL hell or dependency issues.
Re:Article Contents (Score:3, Insightful)
Don't even need to trick them, just put wrappers in place so that next time they try to use one of those tools it runs the malware. For bonus points design the malware so it takes what the user was originally trying to do as a command line parameter and runs that as well so the user isn't any the wiser.
Re:Guess it's time to uncheck that box (Score:2, Insightful)
And what webapp sites would these be??? Really, there are not too many mainstream sites that require a JRE to function properly. I remember a short period where Java was used similar to Flash (I remember perverse cases where individual animated buttons were Java applets), and I occasionally stumble upon some of these broken down and burnt out sites.
There are specific sites that tend to use Java, like online tutorials for math and science subjects, or somebody's hack, or just a browser integrated version of some Java app for something like an interactive simulator, but these are fairly niche.
Or are you yet another fool that thinks that Java and Javascript are closely related?
Sounds like FUD to me... (Score:2, Insightful)
If you RTFA, you'll see that the problem is that a link can redirect the executable that gets launched so that INSTEAD of java launching, something nefarious gets launched.
While the whole scenario described is a bit contrived, it is something that should definitely be corrected. It is not however, a flaw in Java.
Calling this a flaw in java is equivalent to claiming that