Latest Java Update Broken; Two New Sandbox Bypass Flaws Found
msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."
Interesting (Score:5, Interesting)
Re:The same old story (Score:5, Interesting)
Considering that reflection is basically injecting code at runtime
That's pretty narrow, isn't it? Reflection is reification of a program's state (and possibly code, which should be a subset of it) in the form of (possibly mutable) metaobjects. The interface doesn't necessarily have to allow the program to do things that are inherently unsafe (although some applications need to do precisely that, e.g., Smalltalk IDEs when creating or modifying classes and methods). If Java's reflection features violate the Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such. It's not like this is Java's only design flaw anyway. :-)
Re:Enough Already (Score:2, Interesting)
Someone, please put Java in the browser out of our misery.
Said by someone that hasn't installed the latest update.
Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".
Re:Enough Already (Score:3, Interesting)
Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".
Well, I uninstalled Adobe Reader and Flash many years ago and nothing of interest was lost.
As for Java, I just disable the browser plugin and that's it. Desktop java applications (yes yes they do exist, for instance jdownloader) continue to work wonderfully.
Re:Just let it die already (Score:5, Interesting)
Oracle apparently can't code their way out of a paper bag, but Sun wrote Java 6. Not to say that release is secure, but at least it's less flaky and doesn't have the same flaw as 7.
I think it is starting to look suspiciously like there is some unfair dealing going on in the "security researcher" world.
The fix was released last Sunday and two new security flaws turn up today which, according to the summary and TFA, "are apparently not related to the previous security issues."
First, that is a very short period of time to find these new flaws and write a proof of concept.
Were these flaws in the prior release, or introduced by the Sunday release?
Did these guys have them in hand prior to the work on Sunday's release and hold them back?
Were they using "research" methods that they refused to share? Fuzzers, code inspection?
If the researchers didn't find these new flaws until after Sunday, why not?
Just sayin....
Shouldn't the OS prevent the worst of the damage? (Score:4, Interesting)
Java is not broken (Score:5, Interesting)
The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.
Re:Enough Already (Score:4, Interesting)
Indeed. Java was intended for firmware in smaller embedded devices, like washing machines. It was never intended to be connected to a network. It was never intended for large software. It was never intended to go into the mainstream either. All security is patched on later (hint: that approach is sure to fail).
Put that together with Oracle engineering quality (which sucks badly, I am surprised their database products ever made it to any prominence), and you have a fine disaster. What I do not get is that people think this technological lemon is any good.