Serious New Java Flaw Affects All Browsers

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

Re:Howcum?

[Anonymous Coward]

Because it's not an exploit in Java, it's an exploit in the way parameter are provided to Java, when it is launched by the web start native executable.
what? in other news Adobe said "it's not an exploit in Acrobat, it's an exploit in the way parameters are provided to Acrobat, when it displays a PDF document"

remind me again, if I don't install Java do I have this "web start native executable" ?

Re:Guess it's time to uncheck that box

[thsths]

> Sun botched the first applet plugin (which sucked). They rewrote it last year, which was recently released in an update.

Can you tell me where I get a Java plugin that doesn't suck? Because mine still does - it takes seconds to load, blocks the browser in the mean time, it always looks ugly (something wrong with the fonts?), and it often interferes with the web page. Plus the update mechanism is terrible - certainly if you have a normal user account for normal use.

Actually even the Flash plugin is a lot better, plus Flash graphics just look excellent.

Re:All browsers?

[WrongSizeGlass]

I guess this is also the one good thing for iPhone and iPod Touch users...since they can't run Java anyways, they are also immune.

FTFA: "Browsers running on Apple's Mac OS X are not vulnerable." That includes iPhone, iPod Touch & iPad .... oh, and Mac's, too.

Re:All browsers?

[TheRaven64]

I went to disable Java as soon as I saw the headline (before getting to the part that said my platform was not affected). When I got to the preferences dialog, I found that it was already disabled. I turned it off last time there was a high-profile Java vulnerability - about two years ago, as I recall - and had completely forgotten. I guess that means that Java Applets are pretty much dead. I can't remember the last time that I saw one, and I've certainly not seen any sites failing because I had Java disabled.

Re:Java has had a built-in backdoor

[petermgreen]

Personally I doubt this was deliberate.

The ability to load a different version of the jvm dll sounds like a debugging feature and normally someone running java from the command line would have the ability to run anything else anyway so it wouldn't really seem like a security flaw.

Processing untrusted stuff to allow it to be passed to an interface designed to take trusted stuff is known to be something that is easy to fuck up. Just look at all the sql injection attacks over the years.

Re:Article Contents

[GigaplexNZ]

Unless your username has the string "user" in it, that won't do a heck of a lot. Why do so many people try to create a way to suggest "replace with current user's home directory" when a syntactically correct one exists already? The added bonus is that it works even if the user's home directory is set up in a different location to the normal convention.

rm -rf ~

Re:Article Contents

[Anonymous Coward]

Because frankly it doesn't matter if the malware is running with user or admin rights because in the end it HAS YOUR STUFF which is all anybody gives a shit about. I have never in my nearly 15 years of PC repair had anybody go "but is the system okay?".

Obviously most of your clients would be people who don't really understand what happened, what caused it and how to prevent it. Getting your security design and configuration guidance from the opinions (or lack thereof) of people who need to pay to have their system cleaned isn't really how good engineering or administration is done. If you set up non-priveleged accounts you can backup configuration and user data to another account without exec permissions. If the user's account gets compromised but without root priveleges, the data is safe and the system can be cleaned in a couple of minutes instead of a couple of hours. That could be done cheaper for the customer, yet with a bigger profit margin to you. Most users who use a service like yours would still want you to handle it. I presume you charge enough for your time that your saved time would leave them enough money to spend on some storage space, so they wouldn't be using reduced space due to backups.

Among windows users I know who manage their own boxes, there seems to be an acceptance of reinstalling the OS quite often just to get it to a useable state. I haven't had to do that for years, only reinstalling for upgrades. Why would you put yourself through that? You're supposed to be the expert, the users lack the knowledge they are paying you to supply. The feature of permission restrictions is in the OS for a reason. I'd suggest you look for ways your job can be done more efficiently by scripting or otherwise automating backup and restore functions, and by preventing system damage. Sure, they care more about the data, but damage is damage and more is worse, even if the user doesn't understand. This will give you a competitive advantage over techs who do not supply such service.