New Java 0-Day Vulnerability Being Exploited In the Wild 193

Posted by Soulskill
from the once-more-unto-the-security-breach dept.
An anonymous reader writes "Here we go again. A new Java 0-day vulnerability is being exploited in the wild. If you use Java, you can either uninstall/disable the plugin to protect your computer or set your security settings to 'High' and attempt to avoid executing malicious applets. This latest flaw was first discovered by security firm FireEye, which says it has already been used 'to attack multiple customers.' The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed, the latest versions of Oracle's plugin."
This discussion has been archived. No new comments can be posted.

  • by blarkon (1712194) on Saturday March 02, 2013 @09:32AM (#43053807)
    JAVA - Just Another Vulnerability Alert
    • by Anonymous Coward

      Friends don't let friends do "JAVA" (Just Another Viral Affliction)!

    • Gee, Oracle's Sun language is news 'gain.
  • by Anonymous Coward

    ...is busy colonizing Hawaii.

  • by etash (1907284) on Saturday March 02, 2013 @09:48AM (#43053879)
    Just set a team of 10-15 experienced programmers to review the code over a period of 3-4 months, instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat?

    P.S. I have had Java disabled in my browser for ages. The only reason I still keep it installed is ps3mediaserver. I wish it wasn't written in Java so I could say goodbye to Java once and forever.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Just set a team of 10-15 experienced programmers to review the code over a period of 3-4 months, instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat?

      They've probably invested considerably more man-months into the problem than that. The problem is that such a procedure will not find all the bugs in a complicated code base. Another way of saying that is, every time you do this, you'll probably find at least one more bug, and the same thing happens when the bad guys do it. Welcome to the world of an impossible task that is nevertheless very important.

    • Re: (Score:2, Interesting)

      by hairyfeet (841228)
      What sucks is after years of watching Java disappear from the consumer desktop it's fucking making a comeback, ARGH! Why is it coming back? Damned Java games like fricking Minecraft, that's why. Why oh why did the game designers suddenly decide to start using Java again, is it because of Android? If so the person who came up with Android needs to be shot because this is a fricking nightmare! To give geeks a better understanding imagine if after all these years suddenly IE 6 made a major comeback, wouldn't you
      • Re: (Score:2, Insightful)

        It's simple. Java was teh hawtness roughly ten years ago. It took four years for university CS departments to catch on, then four years for the first Java-loving graduates to start "entrepreneuring", and then two years for this to significantly influence Java usage. It's a basic convolution-type feedback.
      • Re: (Score:2, Troll)

        by zixxt (1547061)

        What sucks is after years of watching Java disappear from the consumer desktop it's fucking making a comeback, ARGH! Why is it coming back? Damned Java games like fricking Minecraft, that's why. Why oh why did the game designers suddenly decide to start using Java again, is it because of Android? If so the person who came up with Android needs to be shot because this is a fricking nightmare! To give geeks a better understanding imagine if after all these years suddenly IE 6 made a major comeback, wouldn't you want to scream? For the love of God it was almost dead on the desktop! /walks away muttering and sobbing/

        Troll much?

        Java is the best cross-platform language in the world. Billions more devices and computers run Java than Windows. Java is making a comeback because it never went anywhere. If I want my application to reach as many people as possible I use Java.

    • Because Oracle don't give a shit about Java. They snagged Sun probably thinking they'd get Google by the balls. No doubt, the board at Sun had some hand in convincing them of that.

  • And how frelling dare anyone out there make fun of Java after all she's been through!
    Leave Java Alone!
    Please...

  • N.O.T. All software has vulnerabilities. No system is safe from hacking and attack, especially spear-phishing. So, it's news every time some dipswitch downloads pr0n and gets infected? Or opens an unsolicited email attachment and installs malware? Please ... post something that's actually news and stop the "bashing every company just because" merry-go-round. Who's next to be bashed incessantly?
  • by Anonymous Coward

    Firefox now turns off the plug-in and you have to enable it when you visit a site that uses it. Each time, BTW: it asks me for every site, every time I open the browser.

    Android doesn't permit Java in webpages at all, even though it uses Dalvik itself (a Java engine) internally.

  • In the wild, is that the same as in cyberspace?

  • I'm not a Java developer, but I do have a strong interest in engineering and reliability, and the reason for all these Java faults puzzles me. Could an experienced Java developer please explain (or at least suggest) why this particular virtual machine has suffered so many vulnerabilities?

    In principle, a virtual machine is just the implementation of a specific FSM, very tightly constrained and therefore fairly easy to program for total correctness, unlike most other applications. Such correctness has clear

    • Primary reason: Punching holes in the security sandbox. A lot of the code in the JVM itself needs to grant itself "privileged access", but upon doing so it may have accidentally done so for user code as well. This is the greatest flaw in the Java security architecture, not because it doesn't work, but because it's hard to use correctly.
    • by Tobia Conforto (2818827) on Saturday March 02, 2013 @11:03AM (#43054329)

      AFAIK all these issues are not in the VM.

      The JVM has been stable for many years and is the foundation of countless information systems: websites, money exchange, traffic control, you name it they all run server-side software on the JVM, which by itself is rock-solid.

      The issue is with the "sandboxing" feature of the Java browser plugin. The plugin was engineered to allow executing arbitrary, untrusted JVM bytecode, which would include outward calls to Java's extensive standard library, while still preserving some high-level definition of isolation between the untrusted code and the host OS. Given that Java's standard library is full of classes that do very insecure things by design (including running native code, opening network sockets, and so forth) this security model has proven to be a complete nightmare. They will keep finding sandbox-related bugs in the Java standard library for as long as it exists.

      Oracle should do one of these things:

      • just dismiss the damned plugin altogether, or
      • severely restrict it to running signed code or some other kind of host-based whitelist, for the few companies that still need it, or
      • write a new standard library from scratch that does not include any unsafe code.
      • by gtall (79522)

        Oracle cannot dismiss the damned plugin altogether, they have too much that relies on it, Oracle Forms for one. I'm unsure how that relates to their databases. Are they storing mobile code in their databases for use in their OF crap? OF seems particularly brain dead and I wouldn't mind them blowing it away and replacing it with native apps...but then they'd probably only produce them for MS's rinky-dink OS or Linux which doesn't have much use on the desktop.

      • by _xeno_ (155264)

        AFAIK all these issues are not in the VM.

        If you read the article, this is a buffer overflow in the VM itself, overwriting internal VM structures. In previous cases you'd be correct, but this is an actual JVM flaw.

        The issue is with the "sandboxing" feature of the Java browser plugin.

        The sandboxing feature isn't unique to the Java plugin. It's a built-in part of the Java runtime. Any Java code can place other Java code into a security context and enable the Java sandbox for that code. It's just that about the only place you'll ever actually see this done is for applets.

        • by amorsen (7485)

          If you read the article, this is a buffer overflow in the VM itself, overwriting internal VM structures. In previous cases you'd be correct, but this is an actual JVM flaw.

          It is likely that there are similar vulnerabilities in other VMs. People generally do not worry about them, because they are not made for untrusted code. You can crash the Python VM with python -c "from ctypes import string_at; string_at(0xDEADBEEF)". That is fine, because Python does not have sandboxing.
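The two points made above, that the sandbox is a built-in part of the Java runtime rather than something unique to the plugin, and that a trusted `doPrivileged` block can accidentally extend its privilege to untrusted code, can both be seen in a few lines. The following is an added example written for this discussion; it is not code from the article, from Oracle, or from any commenter. `SandboxDemo`, `runSandboxed`, `readPropertyUnsafe` and `readPropertyChecked` are hypothetical names chosen here. It assumes a JDK where the Security Manager still exists: it runs as-is on Java 8 to 17, needs `-Djava.security.manager=allow` on Java 18 to 23, and does not work on Java 24, where the Security Manager was removed.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Hypothetical demo class (not from the JDK or the article): shows how any Java
// code can run other code inside the built-in sandbox, and how a doPrivileged
// block in "trusted" code can hand that privilege to the sandboxed code.
public class SandboxDemo {

    // A ProtectionDomain that grants nothing. The two-argument constructor makes
    // the permissions static, so the Policy is never consulted for this domain.
    private static AccessControlContext untrustedContext() {
        Permissions none = new Permissions();
        CodeSource nowhere = new CodeSource(null, (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(nowhere, none);
        return new AccessControlContext(new ProtectionDomain[] { pd });
    }

    // Run an action as if it were untrusted code: every permission check inside
    // it must pass both the caller's stack and the empty context, so it fails.
    static <T> T runSandboxed(PrivilegedAction<T> action) {
        return AccessController.doPrivileged(action, untrustedContext());
    }

    // Dangerous pattern: a trusted helper elevates privilege for a caller-chosen
    // key. doPrivileged stops the stack walk at this frame, so the sandboxed
    // caller is no longer part of the check and can read any property.
    static String readPropertyUnsafe(final String key) {
        PrivilegedAction<String> read = () -> System.getProperty(key);
        return AccessController.doPrivileged(read);
    }

    // Safer pattern: validate caller-controlled input before elevating, so the
    // privileged block can only ever do what the helper intends.
    static String readPropertyChecked(final String key) {
        if (!key.equals("java.version") && !key.equals("os.name")) {
            throw new SecurityException("property not on allowlist: " + key);
        }
        PrivilegedAction<String> read = () -> System.getProperty(key);
        return AccessController.doPrivileged(read);
    }

    // Run an action in the sandbox and report whether the sandbox held.
    static String attempt(PrivilegedAction<String> action) {
        try {
            return "allowed -> " + runSandboxed(action);
        } catch (SecurityException e) {
            return "denied (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Grant all code on the classpath every permission, so the only thing
        // that can deny an action is the empty context used by runSandboxed.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // 1. Direct access from sandboxed code: denied.
        System.out.println("direct:  " + attempt(() -> System.getProperty("user.home")));
        // 2. Same read through a careless trusted helper: allowed, the sandbox is bypassed.
        System.out.println("unsafe:  " + attempt(() -> readPropertyUnsafe("user.home")));
        // 3. Through the checked helper: off-allowlist key denied, allowlisted key allowed.
        System.out.println("checked: " + attempt(() -> readPropertyChecked("user.home")));
        System.out.println("checked: " + attempt(() -> readPropertyChecked("java.version")));
    }
}
```

The second case is the whole problem in miniature: nothing in the sandbox is broken, but a helper in trusted code that calls `doPrivileged` on behalf of an untrusted caller without checking what it was asked to do becomes a confused deputy, and the sandboxed code inherits the helper's permissions for that one call. Reviewing every `doPrivileged` block for caller-controlled inputs is the check a defender wants to run on any code that is reachable from untrusted classes.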

  • by zieroh (307208)

    That's it. I'm done with Java. For good.

  • I've kept Java turned OFF on all of our computers for a long, long time. It's a pig. It hogs computer resource units. I have not once run into anything that requires it. Just say no to Java.

    • I use Java for Wuala, Falstad's circuit simulator, Freenet, Minecraft, Minecraft Structure Planner, and Enigma's LoL Item Changer. 3 of those are games or related to games, so not totally necessary. Freenet I run out of a sense of patriotism/civic duty as a US citizen, Wuala could be replaced by Spideroak or similar, and Falstad's circuit sim is just for helping people learn about circuits without needing to teach them LTspice or similar first.

      I use the Java plugin for absolutely nothing. I've not once run
  • with the COBOL plugin.

  • I was entertained that Larry Ellison attached crapware to their security updates, which has to be specifically turned off in the installation, and their stupid toolbar turns off popup windows, but that disables Oracle's Discoverer product, and it works differently than the IE popup blocker by not looking for user-configurable exceptions. So for pennies per user, Oracle collects from the toolbar makers for every installation. And they're alienating IT departments. I hate working with them; they're more ma
