
Oracle Knew of Latest Java 0-Day Security Hole In August

Posted by timothy
from the when-the-living-is-easy dept.
An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."

  • it's not 0-day (Score:5, Insightful)

    by Anonymous Coward on Saturday January 12, 2013 @12:17AM (#42565109)

    if Oracle knew about it in August

  • by Anonymous Coward on Saturday January 12, 2013 @12:25AM (#42565149)

    Can we please, please, please stop using the term "0-day"? It's completely meaningless here. Actually, it's worse than meaningless as it's used incorrectly and just makes things confusing. Is it a noun? Is it an adjective? Depends on who's writing the Slashdot headline! Try reading the headline and article while omitting the text "0-day" and you'll see it reads just fine and actually makes sense now.

  • Re:Java whitelist? (Score:3, Insightful)

    by Anonymous Coward on Saturday January 12, 2013 @12:35AM (#42565195)

    It's not going to hurt you to play minecraft, you don't have to pretend. Just don't install the fucking browser plugin.

  • by segoy (641704) on Saturday January 12, 2013 @01:17AM (#42565361)

    a -150 (approx) day vulnerability?

  • by Samantha Wright (1324923) on Saturday January 12, 2013 @01:20AM (#42565375) Homepage Journal

    Dig hard enough and I'm sure you'll find equally arcane .NET setups. Remember, kids: the only difference between Java and .NET is that Java was paved with good intentions.
  • Re:it's not 0-day (Score:5, Insightful)

    by Anonymous Coward on Saturday January 12, 2013 @02:04AM (#42565551)

    And if they knew about it for that long then they should be able to be sued for negligence.

    Perhaps when the software industry has to accept the same liability and culpability as anyone else they will take their job seriously.

    Aircraft are extremely complex and they can't use that as a get out of jail free card; software should not be able to either. If they want protection and patents then they can accept the down side, liability.

  • by bcrowell (177657) on Saturday January 12, 2013 @02:32AM (#42565663) Homepage

    I see a lot of posts saying, "I don't need java applets. None of the web sites I visit use java applets. We should use this as an opportunity to let java applets die. Die, applets, die die!"

    There are a lot of problems with this simplistic response.

    One problem is that a lot of people are using java applets to do things that are important to them. Applets are widely used in the medical industry. I teach physics for a living, and there are several educational applets, written by other people, that I use to demonstrate ideas about thermodynamics. (Warning, car analogy coming up.) Just because you don't drive a Honda Fit, that doesn't mean it's OK to tell every owner of a Honda Fit that they aren't allowed to drive it anymore.

    The other problem is that you have to consider the alternatives.

    Javascript is in many ways a nice little language. However, it's a disaster because of the lack of a standardized DOM, and it simply doesn't have the necessary facilities to do all the things that a java applet can do.

    Flash is essentially proprietary, has been designed in a chaotic way, and is a frequent vector for malware [net-security.org], comparable to java applets and adobe reader.

    Silverlight is only viable on Windows.

    Java applets, warts and all, have some important advantages because of the design of java. Java was designed to be extremely portable. Java (unlike flash and javascript) was intended from the start to be a good general-purpose programming language. Java and java applets were vastly overhyped back in the 90's, but java applets are in fact an important and useful web technology that some people need and want. The problem seems to be that an important and useful web technology has fallen under the control of a corporation that is irresponsible about security.

  • by Required Snark (1702878) on Saturday January 12, 2013 @02:34AM (#42565677)

    This is remarkably similar to the recent post on SCADA devices being vulnerable because they were directly accessible on the net. http://slashdot.org/index2.pl?fhfilter=scada [slashdot.org]

    These are not primarily technical failures, they are institutional failures. The issue is not that Java has a zero day failure; these things happen. The critical failure is that Oracle knew what was going on before this hit the news and they could have avoided the problem with better practices.

    The US has a Laissez-faire attitude towards computer security. It's all left up to the good will of the provider, which is clearly a mistake. Some organizations do a good job, but many fail. This is because security requires expending effort, and there is a natural tendency to cut corners to save money.

    In theory, the market will be self correcting, because of the cost associated with failure. In practice, this does not occur. Neither the direct financial cost nor the reputational costs are big enough to modify organizational behavior. That's why there is a never-ending stream of these kinds of events.

    Ironically, it seems that highly visible open source projects have a better track record than the private sector. This shows the high level of professionalism that open source organizations maintain.

    Things will never get any better until the cost of failure becomes much greater. This means having serious fines and/or larger payouts to those who are harmed by the security breach.

    Right now the cost of cleanup after a security failure is so low that there is no meaningful incentive to be proactive. Is Oracle going to have any negative economic repercussions as a result of this screw up? Of course not. Therefore, they will do nothing to change their ways. Until there is some mechanism to hold providers responsible for failure to act there will be no change.

    To clarify the point, the liability should be for failure to act once a problem is found, not for the existence of the original security problem. Having a SCADA device visible on the net with a default password is the kind of event that should cause liability. Likewise not fixing a critical security hole as soon as it is discovered as in this case with Oracle.

  • Why so horrified? (Score:4, Insightful)

    by Tony Isaac (1301187) on Saturday January 12, 2013 @02:36AM (#42565685) Homepage

    Has nobody on this site actually had to meet a deadline? Has nobody had to make some trade-offs to get a product out the door? Why would Java be different?

    If you are working on a non-trivial project, and you don't know about at least half a dozen horrible "zero-day" flaws, then you don't know your project very well!

    In real life, businesses have to make trade-offs. They can't fix everything. Every release cycle, product managers have to make decisions about which fixes go in, and which fixes have to wait. I'm no Java fan, but with as many people poking around it as there are, I'm amazed that there aren't many more known vulnerabilities!

  • by thue (121682) on Saturday January 12, 2013 @02:38AM (#42565693) Homepage

    Standalone Java apps already have full arbitrary code execution and full access to the system. What would be the point of using an exploit to gain access to a system you can already access? If you are running a standalone Java app, you have already chosen to trust the code completely, unlike a sandboxed app in a browser.

  • Re:it's not 0-day (Score:5, Insightful)

    by Lisias (447563) on Saturday January 12, 2013 @02:42AM (#42565709) Homepage Journal

    If they want protection and patents then they can accept the down side, liability.

    +2 Really Insightful

  • Re:it's not 0-day (Score:5, Insightful)

    by Ambassador Kosh (18352) on Saturday January 12, 2013 @02:46AM (#42565719)

    This is why programming is not an engineering profession despite what many keep claiming.

    Until they have the same standards as mechanical, aerospace, chemical, etc. engineers they are not really engineers.

  • by Anonymous Coward on Saturday January 12, 2013 @02:51AM (#42565743)

    Javascript. Fuck me!

    The only thing in computing more fucking brain dead than javascript is XML. You bastards! You've sucked the brain cells out of too many people with your bullshit non-programming and bullshit non-formats.

    If java is dead and javascript is the answer then you've asked the wrong fucking question!

  • by isopropanol (1936936) on Saturday January 12, 2013 @03:33AM (#42565889) Journal

    Just because it is possible to code badly in a language does not mean you can only code badly.
  • by sourcerror (1718066) on Saturday January 12, 2013 @03:54AM (#42565969)

    that in fact runs untrusted code (say, third-party web applications) and places them in a Java sandbox, then they can use this exploit to leave the sandbox.

    Only applets run in sandbox so there's nothing to leave. On the server side there are two choices:

    - shared hosting (Tomcat): everyone uses the same VM just like with PHP so we are sparing memory, but increasing the security risk
    - virtual private server: everyone uses their own VM and everyone is secure
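    The "sandbox" that thue and sourcerror refer to is the JVM's SecurityManager plus per-ProtectionDomain permissions: the same code is allowed or denied file, process and SecurityManager access depending on the permissions its context carries, and an applet escape is precisely the act of getting that manager switched off or obtaining a privileged context. The following stand-alone program is an added illustration of that mechanism, not code from the thread or from Oracle; the class name, the permissive Policy and the temporary file are assumptions, and the mechanism of the exploit discussed in the story is not reproduced.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Added example (not from the thread): trusted code runs under a Policy that
// grants everything; "untrusted" code runs under an AccessControlContext with
// no permissions at all, which is how the applet plugin confined applets.
public class SandboxDemo {

    // Grants every permission to non-sandboxed code, so the demo does not
    // depend on whatever java.policy file ships with the JRE in use.
    static final Policy ALLOW_ALL = new Policy() {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return true;
        }
    };

    // A context holding one ProtectionDomain whose permission set is empty.
    // doPrivileged(action, ctx) intersects the caller's permissions with ctx,
    // so every permission check made inside the action is denied.
    static final AccessControlContext NO_PERMISSIONS = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // Runs the action as sandboxed code. Returns null if it completed, or the
    // SecurityException the SecurityManager raised to stop it.
    static SecurityException runSandboxed(Runnable untrusted) {
        try {
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                untrusted.run();
                return null;
            }, NO_PERMISSIONS);
            return null;
        } catch (SecurityException e) {
            return e;
        }
    }

    static void report(String what, SecurityException denied) {
        System.out.println(what + ": "
                + (denied == null ? "ALLOWED" : "denied (" + denied.getMessage() + ")"));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a file the sandboxed code must not read.
        File secret = File.createTempFile("sandbox-demo", ".txt");
        secret.deleteOnExit();
        try (FileWriter w = new FileWriter(secret)) {
            w.write("secret\n");
        }

        Policy.setPolicy(ALLOW_ALL);
        System.setSecurityManager(new SecurityManager());

        // Trusted code: the policy grants everything, so the read succeeds.
        try (FileInputStream in = new FileInputStream(secret)) {
            System.out.println("trusted read ok, first byte = " + in.read());
        }

        // Sandboxed code trying to read the same file (checkRead fails).
        report("read file", runSandboxed(() -> {
            try (FileInputStream in = new FileInputStream(secret)) {
                in.read();
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }));

        // Sandboxed code trying to start a process (checkExec fails).
        report("exec process", runSandboxed(() -> {
            try {
                Runtime.getRuntime().exec(new String[] { "id" });
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }));

        // Sandboxed code trying to switch the SecurityManager off, which is
        // what a sandbox escape ultimately has to achieve. Without the
        // RuntimePermission("setSecurityManager") this is refused.
        report("disable SecurityManager",
                runSandboxed(() -> System.setSecurityManager(null)));
    }
}
```

    Compile and run with `javac SandboxDemo.java && java SandboxDemo`; the trusted read succeeds and the three sandboxed attempts are denied. The SecurityManager is deprecated for removal since Java 17, has to be enabled with `java -Djava.security.manager=allow SandboxDemo` on Java 18 through 23, and is permanently disabled from Java 24 on, so this mechanism only exists on older runtimes. It also shows why the "standalone Java app" case is different: code outside the restricted context has every permission the policy grants, so there is no sandbox for it to leave.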

  • by Anonymous Coward on Saturday January 12, 2013 @03:59AM (#42565985)

    The other problem is that you have to consider the alternatives.

    Yes, for anyone who argues that Java should just go away, show me an alternative that does everything I need:

    • portability - I just zip up my Java byte code in a single "jar" file and then all anyone needs to run my program is a recent Java Runtime Environment. I don't have to cross compile binaries for all kinds of different architectures or require my users to have a full development environment with just the right libraries (and header files) available.
    • GUI - I can write a program with a responsive/fast full featured graphical user interface (menus, 2D drawing, etc) using a standard API.
    • data structures - I can develop sophisticated object-oriented data structures (like C++) and even get bounds checking and garbage collection as an added bonus.
    • speed - the JIT compiling of byte code to native does hurt the start-up time but, once my program is up and running, the speed is very close to that of C/C++/etc.
    • longevity - I don't want to invest a lot of time learning some hot new technology only to see it abandoned a couple years down the road and, what with all the enterprise use of Java, Java's got at least another decade in it if not more.

    Now, maybe Google will eventually come up with some (JavaScript-based?) solution that does everything I need and more. But, until then, for me, and people like me, Java will fill an important niche in the software tool ecosystem.

  • Re: it's not 0-day (Score:5, Insightful)

    by Ambassador Kosh (18352) on Saturday January 12, 2013 @04:05AM (#42566001)

    If a structural engineer signs off on that without doing the actual calculations to show it is safe and that project is investigated they will lose their license.

    They will also end up with criminal liability.

  • Re: it's not 0-day (Score:3, Insightful)

    by Anonymous Coward on Saturday January 12, 2013 @04:06AM (#42566005)

    The point is that even highly paid engineers cannot engineer the miraculous things that software systems are supposed to do in the equivalent allotted time, manpower and money, while maintaining the reliability and quality expected of their field.

  • by TopSpin (753) on Saturday January 12, 2013 @04:32AM (#42566055) Journal

    java on the web is effectively dead

    What killed it?

    It's clunky. That's the shortest correct explanation I can provide. The whole user experience is just awful.

    The first thing you experience when you encounter a Java applet is a sinking feeling as the browser becomes unresponsive with a large gray void somewhere on the page that will eventually render the applet. Sometimes this is alleviated slightly by a progress indicator in some weird JVM font that looks like it was salvaged from OpenBoot. All this "loading" takes large amounts of RAM so the OS starts paging which creates more anxiety for the user as the drive LED indicates vast amounts of mysterious IO. In any case the process takes too long and by the time the applet has rendered something meaningful most users have lost patience.

    At this point the applet has started rendering. Frequently this is a bad thing because many Java applets are tragically ugly. Repulsive, really. So bad they look like hastily made email phishing attempts. It would have been better if the "loading" had never ended leaving the user to seek alternatives. The moment a user sees those fonts they squint, groan a bit inside and consider calling someone for help. The GUI widgets look weird. Things don't work right, like copy and paste or common GUI hot keys. And everything lags; you can feel extra tens of milliseconds of lag with every UI operation; click, scroll, whatever. It all lags.

    Finally whatever unfortunate task led our victim here has been accomplished and it's time to leave. You click 'home' or some link or whatever to be on your way and BOOM!, the browser segfaults and closes. Recent browsers mitigate this habit by isolating applets (and other plug-ins) in process sandboxes, but the user still gets that extra little poke in the eye to top off the rest of the 'experience.' The sort of effort required to make the JVM run smoothly inside common browsers has never been applied and to this day it is a fragile and crashy combination.

    People that care about the user experience, people with tens or hundreds of millions of users using their site(s), don't tolerate this heinous shit. So Java applets die the death they deserve.

  • Re: it's not 0-day (Score:4, Insightful)

    by Anonymous Coward on Saturday January 12, 2013 @05:19AM (#42566141)

    Software is "designed" all the time. The downside is that you can only get "more of the same" that way. There's a reason why software engineering is mostly known for bloated code that works but doesn't really do what you need it to do. When engineers build truly new stuff, things routinely go wrong as well. See the Boeing Dreamliner or the Airbus A380 for examples. The structural engineering for big builds is hugely expensive, even when it's not groundbreaking. Software is both much more complex and almost always substantially new, because most things that aren't new are abstracted and automated. No sane engineer would sign off on a build with as many variables and new techniques as are in medium sized software projects. If getting software bugs under control were as easy as doing "proper engineering", it would be a solved problem: We would just apply engineering methods and call it a day. Tools which enable software developers to check for correctness are a very active research topic, but even advanced tools still only scratch the surface of big projects. Complete correctness proofs are almost intractable even for example sized code.

  • by Anonymous Coward on Saturday January 12, 2013 @06:03AM (#42566233)

    Java is a platform, not a normal application. It's infrastructure. A bug in the infrastructure potentially affects every application depending on that infrastructure. That makes the impact of every bug orders of magnitude larger than it is in a normal application. The importance of that outweighs the importance of deadlines.

  • by gweihir (88907) on Saturday January 12, 2013 @08:20AM (#42566529)

    There are numerous indications to be found in their enterprise database products that Oracle really _is_ clueless with regard to security. For example, they do not know how to protect passwords and certificates against competent attackers. Such a company has no business being even a tiny bit as important as Oracle is today. Apparently there are no working mechanisms in capitalism to keep monsters like them under control.

  • by Alomex (148003) on Saturday January 12, 2013 @11:11AM (#42567373) Homepage

    to provide a richer *and* secure programming environment inside a web browser, it's clear that aspect of it is a failure.

    This was clear five minutes after Java was introduced. Eighteen years later the web still is mostly a static medium with modest programming. So modest indeed that a screwed-up dynamically scoped mishmash of a script language (JavaScript) suffices to meet them.

    Java was a 45K ton battleship when all that was needed was an 100lb sturdy fishing dory.

  • Re:Burned (Score:2, Insightful)

    by hairyfeet (841228) <bassbeast1968 AT gmail DOT com> on Saturday January 12, 2013 @01:02PM (#42568069) Journal

    Uhhh...wouldn't the smartest move just be to get away from using the software that is a security fucking nightmare in the first place?

    This is what I don't get. I actually support Flash because the alternative (HTML V5) is COMPLETELY BROKEN and doesn't run worth a piss, it sucks cycles, its performance is like a bad joke, I don't care which engine you run it on, put it side by side with Flash at the same resolution and it'll crap through twice the resources, so I GET why we should hang onto Flash until HTML V5 gets its shit together. But with Java it's not like we don't have other frameworks that work, folks, and Java has always been a security nightmare from hell; its security was terrible when Sun had it, it's still terrible now that Oracle has it, so why in the hell keep using it?

    If you are gonna stick with Java put a rubber on the damned thing and stick it into a VM with rollbacks, don't run that damned buggy POS on actual production machines, I mean how many times you gotta get pwned before you learn? I'm so damned glad I got out of ancient corporate crap, I haven't had to deal with Java in over 5 years now and my life is better for it. I can understand if some moron spent a couple of million on a system based on Java and you're trapped, but honestly you really shouldn't be surprised by this as Java has ALWAYS been a malware writer's wet dream.
