
Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

Posted by Soulskill
from the it-just-goes-on-and-on-my-friends dept.
msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."
  • Re:Enough Already (Score:2, Informative)

    by arth1 (260657) on Friday January 18, 2013 @02:56PM (#42627743) Homepage Journal

    Someone, please put Java in the browser out of our misery.

    As a sysadmin, I say someone please put Java outside the browser out of my misery.
"Oh, the system has 24 GB RAM, that means I, Java, can hog 18 GB by default, no problem!", followed by anguish from users who understand neither NUMA nor cgroups, and wonder why their java "creations" are killed by the system.

  • Re:Enough Already (Score:3, Informative)

    by CodeReign (2426810) on Friday January 18, 2013 @03:09PM (#42627871)

That's not how java works. Java has a very small memory footprint by default. This is why running minecraft requires you to run java -Xmx6G minecraft_server.jar so you can use up to 6GB.

  • by sjames (1099) on Friday January 18, 2013 @03:24PM (#42628035) Homepage

Reflection is extremely useful given a language that considers it a first class feature rather than a bolt-on. Duck typing, for example, is a specific application of reflection. In turn, duck typing can actually fulfill the promise of reusable code that OOP promises but rarely delivers.

  • by The Moof (859402) on Friday January 18, 2013 @03:25PM (#42628045)
    It's the screwy way Windows does network trust. The "Internet Options" from the control panel is actually IE's preferences. This is also the place you set up trusted zones, allowing network applications or applications downloaded from external sources to run on the OS.

    Like I said, it's screwy.
  • by AuMatar (183847) on Friday January 18, 2013 @03:28PM (#42628073)

Its major use is to avoid busy work for the programmer. An example is ORM where the program can analyze what fields a class has and figure out what data types those fields are and build SQL queries from it. Another example is xml/json parsing, where you can pass in a json string and a class definition and have it match all of the fields in the json to members in the class. You can spend 15 minutes writing annoying boilerplate code or 15 seconds making 1 method call.
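The json-to-members mapping described above, as an added example that is not part of the commenter's post: a hypothetical `ReflectiveMapper.fromMap` populates a hypothetical `User` class from a name-to-value map by discovering the class's fields at runtime, and refuses keys that name no field or that name a non-public or static field, so untrusted input can only reach what the class deliberately exposes.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.HashMap;
import java.util.Map;
// Hypothetical target class; the mapper discovers its fields at runtime
// instead of needing hand-written setters for each one.
class User {
    public String name;
    public int age;
    public boolean active;
}
public class ReflectiveMapper {
    // Populate a new `type` instance from a name->value map, converting each
    // string to the declared field type. Unknown keys and non-public or
    // static fields are rejected rather than silently skipped.
    static <T> T fromMap(Class<T> type, Map<String, String> data) throws Exception {
        T instance = type.getDeclaredConstructor().newInstance();
        for (Map.Entry<String, String> e : data.entrySet()) {
            Field f;
            try {
                f = type.getDeclaredField(e.getKey());
            } catch (NoSuchFieldException ex) {
                throw new IllegalArgumentException("no such field: " + e.getKey());
            }
            int mods = f.getModifiers();
            if (!Modifier.isPublic(mods) || Modifier.isStatic(mods)) {
                throw new IllegalArgumentException("field not mappable: " + e.getKey());
            }
            f.set(instance, convert(f.getType(), e.getValue()));
        }
        return instance;
    }
    // Minimal conversion for the field types the sample class uses.
    static Object convert(Class<?> target, String raw) {
        if (target == int.class) return Integer.parseInt(raw);
        if (target == boolean.class) return Boolean.parseBoolean(raw);
        if (target == String.class) return raw;
        throw new IllegalArgumentException("unsupported type: " + target.getName());
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input standing in for a parsed JSON object.
        Map<String, String> data = new HashMap<>();
        data.put("name", "alice");
        data.put("age", "42");
        data.put("active", "true");
        User u = fromMap(User.class, data);
        System.out.println(u.name + " " + u.age + " " + u.active);
    }
}
```

A key such as "password" that is not a declared field, or a private field name, throws instead of being mapped, which is the check a real ORM or JSON binder should make before reflectively writing into objects.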

  • Re:Enough Already (Score:4, Informative)

    by Above (100351) on Friday January 18, 2013 @03:33PM (#42628141)

    I would love to banish Java from all of my machines never to see it again. Most of the uses for Java are well, useless to me, HOWEVER....

    There are a few things I do that require Java and even if I wanted to badger my vendors to do them in some other cross platform way I'm not sure how they could. The two I regularly use are access to IPMI cards and Cisco WebEx. Both do things that as far as I can tell can't simply be done in a browser with HTML5 and JavaScript.

    If someone had a good solution for those sorts of things I would dump Java in a heartbeat.

  • Re:Enough Already (Score:4, Informative)

    by Anonymous Coward on Friday January 18, 2013 @03:58PM (#42628453)

in defense of both sysad and java, there are developers who just think that garbage collection is magic and create a memory problem where there is none

  • by K. S. Kyosuke (729550) on Friday January 18, 2013 @05:05PM (#42629163)
I would omit the "sub-class" part of your post. This is about substitutability, and that is all about subtyping, whereas subclassing is about representation and implementation. You can have a subclass that is not a subtype (per LSP, at least, although most OO languages like to pretend in their type systems that subclasses are always subtypes), and a subtype that is not a subclass (which is typical with interfaces).
  • Re:Enough Already (Score:4, Informative)

    by hairyfeet (841228) <bassbeast1968@NOsPAM.gmail.com> on Friday January 18, 2013 @05:25PM (#42629351) Journal

    Well as I posted when the band aid patch that is now busted was put out it could take 2 years to fix the actual problem [zdnet.com] because the underlying code is "broken" and pretty much needs a full rewrite. We can't really blame Oracle for this as Java was a mess when Sun had it, Oracle merely got stuck with the mess when they bought out Sun.

    The thing I WILL blame Oracle for is the fact that if you update the damned software with the patch it RE-ENABLES the browser plug in unless you know to disable it, along with the usual crapware that comes with everything. Oh and I also blame the jerk that made Minecraft for bringing shitty Java back to the home users, for a good while there I had all but wiped Java out on home users systems, then that damned game came up and here we go again.

    Personally I think Homeland Security should order Oracle to put out a patch that disables the browser plug in and bar them from re-enabling it when they patch as those that actually NEED Java can find out how to turn on the plug in easy enough but those that don't won't know to disable it every. single. time. they have an update.

  • Re:Enough Already (Score:0, Informative)

    by roman_mir (125474) on Friday January 18, 2013 @05:53PM (#42629585) Homepage Journal

The user has to set memory limits for the application, either using too much memory or too little, and the memory used is based on the usage for the application so that it is always a possibility to run out of memory for a Java application even if you have enough memory on your machine. This is a major usability and design flaw in Java.

    - I agree, it's terrible that you have to tell the VM how much memory it is allowed to take from the physical box it is running on.

    Oh, wait.

    That's like every VM, at least every VM that runs on a server. Seriously, you have limits on how much memory is set to a specific VM. You think that's the wrong approach for a VM?

    --

    Now, maybe there should be a way to tell JVM upfront that you want it to be bound only by the underlying OS and the memory that it can give to the JVM, that I actually agree with.

  • Re:Enough Already (Score:0, Informative)

    by Anonymous Coward on Friday January 18, 2013 @06:03PM (#42629697)

    If there were no limit then Java would consume all the memory on the machine (in fact it seems to do this even with limits).

    Java sucks.

  • Re:Enough Already (Score:4, Informative)

    by TopSpin (753) on Friday January 18, 2013 @06:55PM (#42630179) Journal

    Java has a very small memory footprint by default.

    Erm. No. Just no.

    class Main { public static void main(String[] args) { while (true); } }

    (jdk 1.7.0.6 x86_64 linux)

    17M resident for that. 0.5G of virtual address space. The only other class referenced is java.lang.String.

    The equivalent Perl is 1.7M. Node.js is 9M. Python is 4M. TCL is 1.9M.

    EVERYTHING uses less RAM than bleeping Java. A lot less. And this isn't some fail test where Java gets better as applications scale. Go look over here [debian.org] and observe how almost every other language consumes less memory across a wide variety of algorithms. Anecdotal evidence from any app server admin will corroborate this.

    Java is a RAM pig and it always has been. The problem, at least regarding initial memory footprint (and start-up time), is excessive class loading. This is not opinion [mreinhold.org]. There has been a project [java.net] to correct it on the books for almost four years [google.com].

    Like everything else with Java, it has been neglected [dzone.com]. Supposedly the results will appear in JDK 9..... sometime in 2015.

    And don't cite Android as some exception. Dalvik isn't JRE.
