Latest Java Update Broken; Two New Sandbox Bypass Flaws Found
msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."
Enough Already (Score:5, Insightful)
Someone, please put Java in the browser out of our misery.
Re: (Score:2, Informative)
Someone, please put Java in the browser out of our misery.
As a sysadmin, I say someone please put Java outside the browser out of my misery.
"Oh, the system has 24 GB RAM, that means I, Java, can hog 18 GB by default, no problem!", followed by anguish from users who neither understand NUMA nor cgroups and wonder why their java "creations" are killed by the system.
Re: (Score:3, Informative)
That's not how java works. Java has a very small memory footprint by default. This is why running minecraft requires you to run java -Xmx6G minecraft_server.jar so you can use up to 6GB
Re: (Score:3, Insightful)
From a user-experience point of view, doing that work to enable Java to work properly for Minecraft is an abortion.
Re: (Score:3)
From a user-experience point of view, doing that work to enable Java to work properly for Minecraft is an abortion.
This is the main reason why some (good) developers made the choice to write a tiny native launcher for their java programs.
Re: (Score:3)
It's really sad how badly Sun screwed up Java. They basically had the world in the palm of their hand at one point - one of the only ways to run rich content in the browser, the only universally available cross platform runtime that the vast majority of people had installed. They tried to do all the right things - Java WebStart to easily run Java applications from a link, downloading all the necessary components on the fly. A simple, easy way to launch applications (just double click on the jar file!).
But e
Re:Enough Already (Score:5, Insightful)
This is one of the very stupid things Java has. The user has to set memory limits for the application, either using too much memory or too little, and the memory used is based on the usage for the application, so there is always a possibility to run out of memory for a Java application even if you have enough memory on your machine. This is a major usability and design flaw in Java.
Re: (Score:2)
I am not talking about server applications here; they are set up by professionals, not end users. Yes, I think having to set up specific memory for a VM is the wrong approach. You don't need to set memory parameters for native applications and they can use all the memory they want, so why do I need to set one for a VM?
Re: (Score:2)
You usually don't because any competent software company writing Java software of this type will provide a launcher that takes care of this for you and you can remain blissfully unaware of it like any other software. Just because Minecraft is retarded, doesn't make Java retarded.
Re: (Score:3)
Why do I need to set the max limit? Why can't the program just use the memory it actually needs, I don't need to specify this crap for native programs. There are a lot of programs that you don't know before hand what is the memory usage. For example like compilers, file editors and any programs that work with multiple files and objects that are specified by the end user.
Re:Enough Already (Score:4, Informative)
Java has a very small memory footprint by default.
Erm. No. Just no.
class Main { public static void main(String[] args) { while (true); } }
(jdk 1.7.0.6 x86_64 linux)
17M resident for that. 0.5G of virtual address space. The only other class referenced is java.lang.String.
The equivalent Perl is 1.7M. Node.js is 9M. Python is 4M. TCL is 1.9M.
EVERYTHING uses less RAM than bleeping Java. A lot less. And this isn't some fail test where Java gets better as applications scale. Go look over here [debian.org] and observe how almost every other language consumes less memory across a wide variety of algorithms. Anecdotal evidence from any app server admin will corroborate this.
Java is a RAM pig and it always has been. The problem, at least regarding initial memory footprint (and start-up time), is excessive class loading. This is not opinion [mreinhold.org]. There has been a project [java.net] to correct it on the books for almost four years [google.com].
Like everything else with Java, it has been neglected [dzone.com]. Supposedly the results will appear in JDK 9..... sometime in 2015.
And don't cite Android as some exception. Dalvik isn't JRE.
Re: (Score:3)
Good point because we all know that C++ is immune to security holes.
Re:Enough Already (Score:4, Interesting)
Indeed. Java was intended for firmware in smaller embedded devices, like washing machines. It was never intended to be connected to a network. It was never intended for large software. It was never intended to go into the mainstream either. All security is patched on later (hint: that approach is sure to fail).
Put that together with Oracle engineering quality (which sucks badly, I am surprised their database products ever made it to any prominence), and you have a fine disaster. What I do not get is that people think this technological lemon is any good.
Re:Enough Already (Score:4, Informative)
in defense of both sysadmins and java, there are developers who just think that garbage collection is magic and create a memory problem where there is none
Re: (Score:3)
I've worked on Java processes that use that much RAM. On a server app, if you have it, why not use it (for caches etc.). Better than having it sit there depreciating.
Re: (Score:3)
On a server app, if you have it, why not use it (for caches etc.)
Why use it for caches for your app instead of letting the OS use it for caches for all apps?
And just because the memory is there doesn't mean it's free for grabs. On servers with NUMA, you want to avoid using memory that's not on the CPU you use, or you pay a big performance penalty. The 16 GB you see might be 8 GB per CPU, and grabbing more than what's available in your CPU group might slow performance for you too (to say nothing about the system as a whole).
Use the memory you need, don't just grab memor
Re:Enough Already (Score:4, Informative)
I would love to banish Java from all of my machines never to see it again. Most of the uses for Java are well, useless to me, HOWEVER....
There are a few things I do that require Java and even if I wanted to badger my vendors to do them in some other cross platform way I'm not sure how they could. The two I regularly use are access to IPMI cards and Cisco WebEx. Both do things that as far as I can tell can't simply be done in a browser with HTML5 and JavaScript.
If someone had a good solution for those sorts of things I would dump Java in a heartbeat.
Re: (Score:2)
At this point there is no reason why HTML5 canvas can't do what WebEx is doing with Java. Java is great for server side development, it shouldn't be on any end user machines.
Disclaimer: 10+ year Java developer, so I am biased in favor of Java for web/server development.
Not until WebRTC (Score:3)
No, not video conferencing, you can't. Not until WebRTC is ready.
Re: (Score:2)
Webex's use of Java seems that it's only to launch the native client. I'm not sure why they go this route rather than using a URL handler (e.g. webex://[meetingnum]), but once it fires off the native client, it's no longer in use.
Re:Enough Already (Score:4, Insightful)
Already done, the previous u10 added options on the Java control panel (Windows) to disable all Java features in the browser, so if you need Java for desktop applications, you don't need to expose it to the browser.
Note: The Java plugin code was never open sourced to OpenJDK, people from IcedTea project developed a new plugin and JNLP engine for Linux. I am starting to think that Sun already knew the bad security quality of the plugin and they decided to never release that code
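The control-panel switch mentioned above also exists as a deployment property, which is what you want when rolling the change out to a fleet rather than clicking through each box. This is an added example and not part of the thread; the keys are Oracle's JRE 7u10+ deployment configuration properties as documented at the time, and the file locations in the comments are the usual defaults and should be checked against your install.

```properties
# Added example, not from the original thread. Per-user file locations
# (assumed defaults, verify for your JRE build):
#   Windows:     %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
#   Linux/macOS: ~/.java/deployment/deployment.properties
# For a machine-wide, enforced setting, point deployment.config at a
# system-level copy of this file with deployment.system.config=file:///...
# and deployment.system.config.mandatory=true.

# Weak setting: plugin and Web Start enabled, user can change it (the 7u10 default).
# deployment.webjava.enabled=true

# Hardened: disable the browser plugin and Web Start entirely, and lock the
# key so it cannot be re-enabled from the Java Control Panel.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# If the plugin has to stay on for a legacy intranet app, at least pin the
# 7u10 security slider to its highest level and lock that too.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

The `.locked` lines take no value; their presence is what greys out the corresponding control-panel option. Desktop Java applications launched outside the browser are unaffected by either key.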
Re: (Score:2, Interesting)
Someone, please put Java in the browser out of our misery.
Said by someone that hasn't installed the latest update.
Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".
Re: (Score:3, Interesting)
Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".
Well, I uninstalled Adobe Reader and Flash many years ago and nothing of interest was lost.
As for Java, I just disable the browser plugin and that's it. Desktop java applications (yes yes they do exist, for instance jdownloader) continue to work wonderfully.
The same old story (Score:2, Insightful)
Considering that reflection is basically injecting code at runtime, I'd say most things in the Java world don't need it, not sure if it's on or off by default, but in 99% of scenarios I believe it should be set to off.
Re:The same old story (Score:5, Interesting)
Considering that reflection is basically injecting code at runtime
That's pretty narrow, isn't it? Reflection is reification of a program's state (and possibly code, which should be a subset of it) in the form of (possibly mutable) metaobjects. The interface doesn't necessarily have to allow the program to do things that are inherently unsafe (although some applications need to do precisely that, e.g., Smalltalk IDEs when creating or modifying classes and methods). If Java's reflection features violate the Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such. It's not like this is Java's only design flaw anyway. :-)
Re: (Score:2)
Potential Reflection scenarios: http://stackoverflow.com/questions/2488531/what-is-the-use-of-reflection-in-java-c-etc [stackoverflow.com]
Re: (Score:3, Insightful)
Sorry to say: if you haven't seen reflection used in C# you must not have been looking very hard...
Re: (Score:2)
Agreed. When my brother was a C# dev (including when he worked at MS on Codeplex) he talked about using reflection a lot.
Re:The same old story (Score:5, Informative)
Reflection is extremely useful given a language that considers it a first class feature rather than a bolt-on. Duck typing, for example, is a specific application of reflection. In turn, duck typing can actually fulfill the promise of reusable code that OOP promises but rarely delivers.
Re: (Score:2)
You know, mallard, stifftail, goldeneye...
Okay, fine, it's a type of dynamic typing: http://en.wikipedia.org/wiki/Duck_typing [wikipedia.org]
Re: (Score:2)
But "duck" is not monophyletic! Is it Anatinae, Aythyinae, Merginae, Oxyurinae, or something else?
Re: (Score:3)
In the first generation of OOP, the focus was on the 'type' of an object, often involving an 'isa' method. For example, A.isa(file) might return true. The problem is that it is far too easy to get a case where something very file like isa(MyVerySpecialFileThing) but returns false for isa(file) because it has no truncate method (even though we don't want or need to truncate).
Duck typing is the idea that the type of an object and where it inherits from is largely irrelevant. We don't care if A isa file, we ca
Re: (Score:2)
Now take that compiled code and hand it BrandNewDuckLikeObject you defined yesterday and see what happens. That's exactly the sort of reuse failure duck typing avoids.
Bonus points if it then hands that object back out and it can be recognized as a BrandNewDuckLikeObject again without a dangerous typecast that will fail if performed on a NotSoNewQuackingThing.
Re: (Score:2)
It comes from the phrase "if it walks like a duck and quacks like a duck, then it's a duck!"
It differs from the idea of strong typing where the interpreter and compiler will require the object be exactly the declared type or perhaps something inherited from that type.
Automobiles might all have functions: start, stop, accelerate, brake, hold, left, right; and properties speed, started.
Car may or may not be inherited from automobile, and it might have more properties and functions, such as LeftTurnSignal. A loose
Re:The same old story (Score:4, Informative)
Re: (Score:2)
Reflection in C# is used all the time. If you have written anything more complicated than hello world you have definitely used it. Not directly but the APIs you call use it.
Re:The same old story (Score:4, Informative)
Its major use is to avoid busy work for the programmer. An example is ORM, where the program can analyze what fields a class has, figure out what data types those fields are, and build SQL queries from it. Another example is xml/json parsing, where you can pass in a json string and a class definition and have it match all of the fields in the json to members in the class. You can spend 15 minutes writing annoying boilerplate code or 15 seconds making 1 method call.
Re: (Score:2)
Yea, and why not apply reflection's methods against the platform itself? "Reflect", reverse, and modify the framework appropriately to gain a hook.
If that's possible and not intended, you have a bug in your platform.
Java isn't the only language to use reflection, c# has it, but I don't think I've ever seen it used, which may be a testament to its usefulness more than its security.
Yes, in a decade, perhaps, these two platforms will reach the reflective maturity of Self-93 and its successors. Until then, they're half-botched.
Re:The same old story (Score:5, Insightful)
If Java's reflection features violate Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such.
Java is a programming language, like C. It has access to the filesystem and can fork processes. Security is handled by the operating system, just like C. Any permission that the executing user has, the language has. That is as designed.
The Java browser plugin, on the other hand, has a sandbox which is supposed to make it safe to run untrusted code. Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code. The security hole is in the Java sandbox, and in the notion of executing untrusted code in a language that has system access, not in the Java language.
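The distinction drawn above (and the reflection question raised a few posts earlier, about what happens when reflection is turned on the platform itself) comes down to the `SecurityManager`/`AccessController` mechanism the applet sandbox is built on. The following is an added example, not code from the thread or from Oracle: it runs the same two probes, a directory listing and a reflective `setAccessible(true)`, once as ordinary application code and once inside a context whose only `ProtectionDomain` holds no permissions. The class and method names (`SandboxDemo`, `runSandboxed`, the two `try*` probes) are mine. It targets JDK 8 through 17; on JDK 18 and later the security manager must be re-enabled with `-Djava.security.manager=allow`, and the whole API is deprecated for removal.

```java
import java.io.File;
import java.lang.reflect.Field;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Added example (not from the thread): the sandbox is a property of the
// permission context code runs in, not of the language. Each probe below
// succeeds as plain application code and is refused under an empty context.
public class SandboxDemo {

    private String secret = "hidden";   // target for the reflection probe

    // Probe 1: file-system access. File.list() asks the SecurityManager for
    // FilePermission(".", "read") before it touches the directory.
    static String tryFileRead() {
        try {
            String[] entries = new File(".").list();
            int n = (entries == null) ? 0 : entries.length;
            return "file list: allowed (" + n + " entries)";
        } catch (AccessControlException e) {
            return "file list: denied, missing " + e.getPermission();
        }
    }

    // Probe 2: suppressing access checks via reflection. setAccessible(true)
    // requires ReflectPermission("suppressAccessChecks") whenever a
    // SecurityManager is installed; this is the gate the applet-era sandbox
    // bypasses had to get around.
    static String trySetAccessible() {
        try {
            Field f = SandboxDemo.class.getDeclaredField("secret");
            f.setAccessible(true);
            return "setAccessible: allowed, read " + f.get(new SandboxDemo());
        } catch (AccessControlException e) {
            return "setAccessible: denied, missing " + e.getPermission();
        } catch (ReflectiveOperationException e) {
            return "setAccessible: failed, " + e;
        }
    }

    // Run an action with an extra ProtectionDomain that holds no permissions.
    // AccessController requires every domain on the stack, plus every domain
    // in the supplied context, to imply a permission, so each checkPermission()
    // inside the action fails however trusted the caller is. The two-argument
    // ProtectionDomain constructor makes the domain "static": the Policy is
    // not consulted for it, so the all-granting Policy below cannot leak in.
    static <T> T runSandboxed(PrivilegedAction<T> action) {
        ProtectionDomain noPermissions = new ProtectionDomain(null, new Permissions());
        AccessControlContext sandbox =
                new AccessControlContext(new ProtectionDomain[] { noPermissions });
        return AccessController.doPrivileged(action, sandbox);
    }

    public static void main(String[] args) {
        // Grant everything to this application's own code, so that in the
        // sandboxed runs the only thing between the probes and the OS is the
        // empty domain above. A real deployment loads a policy file instead.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        System.out.println("trusted:   " + tryFileRead());
        System.out.println("trusted:   " + trySetAccessible());
        System.out.println("sandboxed: " + runSandboxed(SandboxDemo::tryFileRead));
        System.out.println("sandboxed: " + runSandboxed(SandboxDemo::trySetAccessible));
    }
}
```

The two "trusted" lines report success and the two "sandboxed" lines report the missing `FilePermission` and `ReflectPermission` respectively. The point for the thread's argument: nothing about the language changed between the runs, only the context, and a sandbox bypass is any path from the second context to the result of the first, which in practice has meant finding a privileged platform class that performs `setAccessible` or a `doPrivileged` on the attacker's behalf.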
Re: (Score:2)
AIUI, while the browser plugin is by far the most common use of the sandboxing, and hence the most common way to exploit flaws in the sandboxing, the sandboxing itself is a core feature of the java platform.
Re: (Score:2)
AIUI, while the browser plugin is by far the most common use of the sandboxing, and hence the most common way to exploit flaws in the sandboxing, the sandboxing itself is a core feature of the java platform.
You are calling this a core feature because it was part of the central design more than a decade ago when Java was intended to be used in the browser. The overwhelming majority of Java that is live today does not use the sandbox. The sandbox is no more a core feature of Java than your appendix is a core fea
Re: (Score:2)
Well, you're partly right. Sandboxing is always running on all JVM instances, and can be quite handy when dealing with dividing multiple aspects of a running system (like deploying different versions of a given software library across different deployments on the same server instance).
Now I haven't looked into this one yet, and I'm not sure if they found flaws in the plugin shared objects, or in the platform's handling of its platform sandbox.. If it was the platform sandbox, then that's a lot worse imho.
Re: (Score:2)
Like what? I'm curious what your superior, unflawed language of choice is.
You are also clearly not a Java developer. I can state unequivocally that Java is very fast and reliable. I won't vouch for Java applets because like 99% of all Java developers, I write server-side Java. FYI...a good portion of the web runs on Java.
Re: (Score:2)
and in the notion of executing untrusted code in a language that has system access
Actually, that notion is perfectly fine. In a proper object-based runtime, the untrusted code should only get those references ("capabilities", from a security POV) that it's supposed to have access to in order to accomplish its tasks, and nothing more. It can't get anywhere else in any other way than by pointer chasing or querying the provided objects/capabilities and invoking their methods, using the API it's been given access to. Basically, it's the same principle that MS is trying to employ in the develop
Dalvik virtual machine (Score:2)
Re: (Score:2)
The rooting hacks I've seen don't seem to attack the VM. They generally either rely on linked in C libraries where the exploit is actually implemented or they are attacks on the bootloader to get it to load something in kernel mode to set flags in hardware.
The more difficult case is the ones that attack the kernel through permitted system calls.
Ultimately, the answer will probably involve a mini guest OS isolated by something like KVM where each applet gets its own VM and any changes on the client side rol
I just have to say... (Score:3)
Whoops!
I wonder how many of these vulnerabilities will be found and identified before the top brass at Oracle starts questioning the logic in buying Sun. Could Oracle realistically just come out and say "you know what.. we're done with Java"? Is Oracle really this inept at making stuff secure?
I mean, fixing security vulnerabilities is never good for business.. at all. You spend money fixing something that doesn't affect you directly but definitely affects your customers(which indirectly affects you). It's developer time that could have been spent on the next version's new shiny feature. Not to mention you aren't going to sell your product by saying 'We fixed XYZ vulnerabilities in the last 2 years". Anytime a company name is used in the same sentence with "new vulnerabilities discovered" is also not good for said company.
When the last topic about these vulnerabilities was posted I mentioned how I don't trust companies with my security any more than I have to and mentioned that my firewall is now pfsense since Linksys, Netgear, and Dlink don't seem to be interested in security without buying a new router every 2 years. Naturally I got modded down. Let's see how this goes this time...
Re: (Score:3)
Ask David Litchfield [davidlitchfield.com]. You might also want to read up on their Unbreakable [cnet.com] campaign a few years prior to purchasing Sun.
Re: (Score:2)
"Is Oracle really this inept at making stuff secure?"
Aside from their database, Oracle is inept at pretty much everything.
Re: (Score:3)
"Is Oracle really this inept at making stuff secure?"
Aside from their database, Oracle is inept at pretty much everything.
From what I have seen of their databases, security sucks there too (for example, no way to securely store certificates for communication or storage encryption), and you basically have to physically and logically protect Oracle database boxes by non-Oracle means.
Re: (Score:2)
Anytime a company name is used in the same sentence with "new vulnerabilities discovered" is also not good for said company.
True, but it's amazingly easy to deal with that by adding the phrase "But they have a history of fixing vulnerabilities quickly whenever they are discovered." Unfortunately, Oracle can't seem to do this.
Re: (Score:3)
Have you used Java lately? It hasn't had any killer new features in quite a long time and that stagnation has been there for a period even before Oracle bought Sun. That stagnation looks even worse when you co
Interesting (Score:5, Interesting)
Re:Interesting (Score:5, Insightful)
Re: (Score:2)
I didn't say it was unjustified just unfair. In fact, depending how Oracle responds, it may actually make Java more secure than other options/languages.
What I am suspicious of is the lack of coverage for the other exploits. Which unfairly diminishes Java's image while elevating the status of similar products that may have the similar vulnerabilities.
Re: (Score:2)
Acrobat Reader got a lot better with version 10's secure mode. I don't remember reading of any exploits that were able to get past that.
Re: (Score:3)
I still find it odd how Java suddenly caught all the attention regarding security.
I think this is largely due to the bad reporting. Ignorant reporters keep referring to this as a Java exploit. It is not. It is a Java sandbox exploit. A Java exploit of this nature would be catastrophic, since there are millions of servers out there running Java. A Java sandbox exploit, on the other hand, is little more than a reminder: Hey, everybody: Disable the Java plugin in your browser, like everyone else did ten years
Re: (Score:2)
Oracle Forms relies on Java in the browser. It isn't going anywhere because they use OForms as a front end to their database. Maybe if we asked really nicely, they'd rewrite OForms in something else. I've been asking them for years to put Uncle Larry out to pasture but they don't seem to listen.
Re: (Score:2)
It started with a serious security flaw that the vendor (Oracle) tried hard to ignore. The publicity was turned up to shame them into fixing the flaw with an out-of-cycle patch. The vendor half-assed the patch and so the cycle of 'all clear' press was interrupted for a new round of drubbing. Then an attempt was made to rehabilitate Java's image and so now we're at the 'not so fast' rebuttal.
Meanwhile, it never really lived up to most of its promises anyway (especially as a browser plug-in) and so it natu
Re: (Score:3)
Perhaps the best course of action would be for Oracle to donate Java to Apache Foundation... but then, the question to ask is: would they even want it?
Re: (Score:2)
Oracle has a lot of stuff that uses Java, so I doubt their plan was "totally screw Java up so we can ditch it."
Clearly they need to devote serious expertise to hardening it though, or just take the easy route and kill Java in the browser entirely. That's where these problems are all coming from. It wouldn't even be that hard for them, since it's basically a dying method of doing things in the browser anyway.
Enough already (Score:4, Funny)
Why is this so difficult? (Score:2)
I'm not familiar with the architecture, so I have a hard time understanding why this is so difficult. Many C programmers including myself have written simple stack machines that have an "instruction set". It's trivial to separate safe instructions from dangerous ones
One instruction might be 32-bit unsigned addition that rolls over without throwing an exception. Perfectly safe, as long as you can live with the results.
Another instruction might be "open file". Lots of opportunity for mischief there.
So. I
Re: (Score:2)
I'd surmise (since I'm nothing resembling a sandbox expert) that one of the problems is that the sandbox is built to allow a lot of those "dangerous" activities if the applet is signed and asks for permission to do them. It's not a total block.
When the code to do it is in there somewhere, apparently there's a lot of edge cases to find ways to get to it.
Re: (Score:2)
The flaw is in the reflections.
OK I had to review [wikipedia.org] that.
LOL. When I was taking 100-level CS courses to get my EE and thought I was all cool because I had several years hacking with things like the C-64, I wrote some self-modifying assembly and turned it in as part of an assignment. The TA marked off for it as "too clever for its own good" or something along those lines. I was miffed at first, but saw the point after a while. I guess some people didn't.
That said, if there's something that uses "eval" li
Re: (Score:2)
You don't understand reflection evidently. Reflection is a core feature of languages such as C# and java
Let's leave specific languages out of it, and discuss reflection in language-neutral terms. AFAICT, it's a vague term that encompasses several things. 1. Reading out the names and types of data members of an object at runtime. 2. Reading out the names of function members of an object at runtime. 3. Reading out the exact *class* of that object at runtime (which would lead you back to 1 and 2, so t
If they keep this up... (Score:5, Funny)
Adobe is gonna get jealous.
Re: (Score:2)
Same for MS and others. ;)
Shouldn't the OS prevent the worst of the damage? (Score:4, Interesting)
For cripes sake... Java Plugin != Java (Score:5, Insightful)
Re: (Score:2)
Java is fine, it's the barely-used-these-days plugin that's the problem.
That's right, the problem is the plugin that virtually no one uses which, according to Kaspersky, is responsible for at least 50% of infections on Windows (and also gave the Mac world their first widespread trojan, Flashback). It's just a good thing so few people use it. It's not like it ships with some new computers or anything.
I'm not suggesting that the major problems with the Java platform are anywhere other than relating to the plugin, but it's pretty disingenuous to say that no one has it. This tim
Re: (Score:3)
You're confusing "have" with "use". You can have something installed that you don't use. Many people have the Java applet plugin installed, but few actually use it.
Knowing this, try reading the gp post again and you'll see it makes perfect sense.
Re: (Score:2)
I would guess that something like WebEx is the single biggest use on the public internet. I'm not sure how many people use it. The Java installer doesn't even give you a choice about what to install, there are no options at all during installation the last time I ran through it (last July).
Oracle doesn't get security! (Score:3, Insightful)
I've said time and time again that Oracle doesn't get security, they just don't. They have been pulling things like this for a very long time. I never could have imagined saying this 10 years ago or so, but Oracle, you need to look at Microsoft for some pointers on handling security. Since you're probably not willing to do that, I'll spell it out for you:
When you find out about a notable security flaw you need to have a patch ready to go within 60 days.
Meaningful notification. The everyday hacks that run IT need to have reasonable notification of security flaws.
Workarounds. If you can't fix it, that's fine, but give me a workaround or I'm going to start uninstalling your product.
How does the flaw work? If you can't tell me how it works it means I have to reverse engineer it myself and this annoys me.
The difference between theoretical flaws and something that is broken beyond saving is typically 8-10 years.
The bad guys make a lot of money by counting on you dismissing security concerns.
You need to make it easier to administer updates to your products.
You need to make it easier to limit updates to your products. Why does Java 6 automatically update to 7? This is a bad, bad thing.
From a security standpoint I can't think of anything I would wish for more than the death of Java. Every chance I have to get rid of Java I put in my two cents to do exactly that.
Documentum in the office here... (Score:2)
... these updates and stuff are not fun.
Java is not broken (Score:5, Interesting)
The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.
Re: (Score:2)
The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums.
It sounds like there are quite a few people getting very good use out of the plugin, actually. Not Oracle's "customers", per se, but nonetheless they obviously appear to enjoy it.
Stahp it! Please, Stahp!!! (Score:2)
Re: (Score:2)
who cares? java does not belong in the browser, javascript does not belong on the server. end of story.
No, you're missing a few chapters to your story:
Chapter 1: Javascript does not belong in the browser when fetched from untrusted sources.
Chapter 2: Java does not belong in the browser.
Chapter 3: Javascript does not belong on the server.
Chapter 4: Java does not belong on servers also used for non-java.
Re: (Score:2)
Please cite some evidence that the above is true.
Re: (Score:2)
Chapter 12: Unless you're one of the old fogies with the 360kB disks. Forget that noise, we've got COLOR in our .tiffs now!
Who are you calling "old", sonny?
I'm not that old (far from retirement age), and worked with brand new 140kB and 160kB 5.25" floppy disks on a brand new PC, several years after graduating. Earlier I worked with PDP-8, PDP-11, IBM-360, and DEC-20, which were floppy-free, and cassette-tape systems such as the PET. Even those who recall 80kB 8" floppies, or subsequent 100kB and 110kB 5.25" ones might not be retired yet.
Re:Just let it die already (Score:5, Funny)
Unless you have a robot with poking capabilities inside the bag with you, of course.
Re: (Score:3)
Of your corp must need ot then downgrade to Java6 which is not effected by the latest exploits and disable it in your browser except for whitelisted sites in your intranet zone in IE .
Run that by me, again?
Re:Just let it die already (Score:4, Informative)
Like I said, it's screwy.
Re: (Score:2)
Why Yes, Yes it was.
One wonders to what extent we should take advice from a guy who can't form a conversant sentence.
Re:Just let it die already (Score:5, Interesting)
Oracle apparently can't code their way out of a paper bag but Sun wrote Java 6. Not to say that release is secure but at least it's less flaky and doesn't have the same flaw as 7.
I think it is starting to look suspiciously like there is some unfair dealing going on in the "security researcher" world.
The fix was released last Sunday and two new security flaws turn up today which, according to the summary and TFA, "are apparently not related to the previous security issues."
First, that is a very short period of time to find these new flaws and write a proof of concept.
Were these flaws in the prior release, or introduced by the Sunday release?
Did these guys have them in hand prior to the work on sunday's release and hold them back?
Were they using "research" methods that they refused to share? Fuzzers, code inspection?
If the researchers didn't find these new flaws until after sunday, why not?
Just sayin....