
Latest Java Update Broken; Two New Sandbox Bypass Flaws Found 223

Posted by Soulskill
from the it-just-goes-on-and-on-my-friends dept.
msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."
  • Interesting (Score:5, Interesting)

    by jones_supa (887896) on Friday January 18, 2013 @03:01PM (#42627793)
    I still find it odd how Java suddenly caught all the attention regarding security.
  • by K. S. Kyosuke (729550) on Friday January 18, 2013 @03:01PM (#42627795)

    Considering that reflection is basically injecting code at runtime

    That's pretty narrow, isn't it? Reflection is the reification of a program's state (and possibly code, which should be a subset of it) in the form of (possibly mutable) metaobjects. The interface doesn't necessarily have to allow the program to do things that are inherently unsafe (although some applications need to do precisely that, e.g., Smalltalk IDEs when creating or modifying classes and methods). If Java's reflection features violate the Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such. It's not like this is Java's only design flaw anyway. :-)
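    As an illustration of the point above (an added example, not part of any comment in this thread or of Oracle's code): the Java reflection API does gate its one inherently unsafe operation, switching off access checks with setAccessible(true), behind a permission check, so whether a sandbox holds depends on the SecurityManager policy enforcing it. The SecurityManager subclass and the Secret class below are constructed for the demonstration and assume a JDK on which a SecurityManager can still be installed (Java 7/8, or later with -Djava.security.manager=allow).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

public class ReflectionGate {
    // Constructed sample class whose private state a sandboxed caller should not read.
    private static final class Secret {
        private String token = "constructed-sample-token";
    }

    // Hypothetical sandbox policy: deny only the permission that disables
    // access checks; everything else is allowed to keep the example short.
    static final class DenySuppressAccessChecks extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            if (p instanceof ReflectPermission
                    && "suppressAccessChecks".equals(p.getName())) {
                throw new SecurityException("sandbox denied " + p);
            }
        }
    }

    // Reads the private field reflectively; setAccessible(true) is the call
    // that asks the installed SecurityManager for suppressAccessChecks.
    static String readPrivateField() throws Exception {
        Field f = Secret.class.getDeclaredField("token");
        f.setAccessible(true);
        return (String) f.get(new Secret());
    }

    public static void main(String[] args) throws Exception {
        // No SecurityManager installed: the access check is simply skipped.
        System.out.println("without manager: " + readPrivateField());

        // With the policy installed, the same code is stopped at setAccessible.
        System.setSecurityManager(new DenySuppressAccessChecks());
        try {
            readPrivateField();
            System.out.println("not blocked (policy too permissive)");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

    The bypasses reported in the story are about code reaching such privileged operations without this check ever firing, which is why a policy alone is only as good as the checks the platform actually performs on every path.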

  • Re:Enough Already (Score:2, Interesting)

    by Anonymous Coward on Friday January 18, 2013 @03:14PM (#42627937)

    Someone, please put Java in the browser out of our misery.

    Said by someone that hasn't installed the latest update.

    Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".

  • Re:Enough Already (Score:3, Interesting)

    by Anonymous Coward on Friday January 18, 2013 @03:24PM (#42628033)

    Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".

    Well, I uninstalled Adobe Reader and Flash many years ago and nothing of interest was lost.
    As for Java, I just disable the browser plugin and that's it. Desktop Java applications (yes, yes, they do exist, for instance JDownloader) continue to work wonderfully.

  • by icebike (68054) on Friday January 18, 2013 @03:35PM (#42628163)

    Oracle apparently can't code their way out of a paper bag, but Sun wrote Java 6. Not to say that release is secure, but at least it is less flaky and doesn't have the same flaw as 7.

    I think it is starting to look suspiciously like there is some unfair dealing going on in the "security researcher" world.

    The fix was released last Sunday and two new security flaws turn up today which, according to the summary and TFA, "are apparently not related to the previous security issues."

    First, that is a very short period of time to find these new flaws and write a proof of concept.
    Were these flaws in the prior release, or introduced by the Sunday release?
    Did these guys have them in hand prior to the work on Sunday's release and hold them back?
    Were they using "research" methods that they refused to share? Fuzzers, code inspection?
    If the researchers didn't find these new flaws until after Sunday, why not?

    Just sayin....

  • by overunder (2504886) on Friday January 18, 2013 @03:41PM (#42628243)
    I understand how a sandbox vulnerability could lead to malware being installed on the machine. But that malware still has to then exploit an OS-level security hole, right? The reports make it out that somehow the Java vulnerability allows a complete takeover of the machine. So I'm confused why the Win7, OS X, etc. access control mechanism doesn't prevent the potential damage. Or is this specifically targeting users who, for example, are logged in as admin on a Windows box and have explicit approval of system changes via UAC disabled?
  • Java is not broken (Score:5, Interesting)

    by zmooc (33175) <zmooc@nOsPaM.zmooc.net> on Friday January 18, 2013 @04:22PM (#42628701) Homepage

    The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.

  • Re:Enough Already (Score:4, Interesting)

    by gweihir (88907) on Friday January 18, 2013 @10:30PM (#42631625)

    Indeed. Java was intended for firmware in smaller embedded devices, like washing machines. It was never intended to be connected to a network. It was never intended for large software. It was never intended to go into the mainstream either. All security is patched on later (hint: that approach is sure to fail).

    Put that together with Oracle engineering quality (which sucks badly, I am surprised their database products ever made it to any prominence), and you have a fine disaster. What I do not get is that people think this technological lemon is any good.
