
Java Update Implements Whitelists To Combat 0-Day Hacks

Posted by timothy
from the let's-see-your-invitation dept.
kylus writes "The Register is reporting that Oracle's new Java 7 update 40 release comes complete with a new 'Deployment Rule Set' capability which allows administrators to define which particular applets and Java Web Start applications ('Rich Internet Applications') are permitted to run on a given machine. Not a complete solution for the recent trend of Java hacks that have cropped up, but good news for enterprises that have to run this in their environment." Update: 09/19 20:08 GMT by U L : There's an introduction to deploying rule sets on the Java platform group weblog too.
  • Oracle are fab (Score:2, Offtopic)

    by hawkinspeter (831501)
    So, it has come to this.
    • Re:Oracle are fab (Score:4, Insightful)

      by Joce640k (829181) on Thursday September 19, 2013 @01:14PM (#44894979) Homepage

      Finally, an admission that they'll never be able to make it secure, that blacklisting everything by default is the only way forward.

      • blacklisting everything by default is the only way forward.

        That's fine as long as I, as the user and sometimes developer of applets, can change that default when I want to.

        Today I installed Java 7 update 40 and Firefox 24, and for the first time in several weeks I can test our web application running from a local disk without Firefox refusing to even load it, regardless of any lowering of security settings. I suspect this was actually Firefox's fault, because the same application worked fine, applet and all, in other browsers on the same system, but in any case it

        • by Joce640k (829181)

          However, if it refers to blocking any unsigned applets ....

          Let's hope so.

          it's not going to go down well.

          Why? Is clicking 'allow' the first time you visit a page too much effort for you?

          (assuming that's what it does)

          I imagine most people can just whitelist one or two domains then everything will be business as usual (except the entire world-wide-web won't be a minefield any more...)

          • (assuming that's what it does)

            Unfortunately, it isn't.

            Recent Java updates, for around the past year or so, have been increasingly draconian in their security measures. We are now reaching the point where you can't run code that you know is perfectly safe, in ways that have worked for years, even if you are willing to turn down the security settings and accept any associated risk. Much of this is Java's fault, although well-intentioned but buggy browser updates have also broken essential functionality at various points within that time f

            • by aled (228417)

              Recent Java updates, for around the past year or so, have been increasingly draconian in their security measures.

Well, considering that Oracle has been consistently bashed here on Slashdot and other sites because of the security problems with applets and client-side Java, I would think that it is very reasonable for them to greatly increase security.

              • As I wrote before:

                Security that actually stops you doing your job isn't an improvement, it's just broken.

                Also, a lot of the Java bashing that goes on here on Slashdot is little better than trolling. Take a look at how many security issues quietly get fixed in your favourite OSS browser every few weeks. Take a look at any popular browser plug-in. Java plug-ins do have a long and unimpressive history of security vulnerabilities, but they're hardly alone.

                The thing that really annoys me about the current trend with Java is that the supposedly increased security is mostly a work of fiction anyway.

• Obligatory xkcd: http://xkcd.com/1022/
  • Good (Score:4, Informative)

    by Anonymous Coward on Thursday September 19, 2013 @11:57AM (#44894189)

    This is a good thing for my company. We need java web start for only one application: the social security wage reporting "AccuWage" software. So whitelisting that is easy.

  • About time (Score:5, Insightful)

    by benjfowler (239527) on Thursday September 19, 2013 @11:59AM (#44894211)

    Like it or not, a lot of crap line-of-business/enterprise software still uses old, hacked-together garbage applets, and they need to be supported.

    There's quite a few games out there written as applets too (e.g. Minecraft, the Jin Chess Client), and speaking for myself, I want to run one or two of them without feeling like I'm holidaying in Baghdad.

    • Re: (Score:2, Insightful)

      Would you mind clarifying for me what you would prefer?

      Because I agree with you that Java on the desktop is horrible, but only in the sense that it doesn't properly integrate with the operating system - in that sense, web apps are even worse. DotNet/NGWS is better, but still a layer of pointlessness originally created for no other reason than MS didn't like Sun - if you're going to write platform-specific code, might as well use Win32 - then write your own cross-platform layers if needed so absolutely every

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        DotNet/NGWS is better, but still a layer of pointlessness originally created for no other reason than MS didn't like Sun - if you're going to write platform-specific code, might as well use Win32 - then write your own cross-platform layers if needed so absolutely everything looks *native* and integrates beautifully on each target, something that every existing cross-platform library fails fucking hard at.

Creating line of business applications whose purpose is to automate previously manual processes is much faster when utilizing Java or .NET. Entire frameworks are already at your disposal without having to reinvent something as simple as sorting an array. Suggesting that everyone just use Win32 because Windows Forms or WPF or Swing doesn't "look nice" with the rest of the OS windowing system is rather shortsighted. Things cost money to create. Time is expensive. Look and feel is not always the most importan

      • by ADRA (37398)

        Minor point, there are lots of libraries that can bring Java apps a lot more into the OS through JNI hooks, but they're used very sparingly throughout the ecosystem, and you could say the rich client PC Java eco-system is itself very small. I'd be curious to see the effect of having a Dalvik port to X86 Windows/Linux/Mac though. It'd be interesting to see if the extension of what is now a very popular platform would do for these OS's.

      • .NET is a platform. Win32 is an API
• From a developer viewpoint, NGWS is an API layer atop Win32.

          The platform agnosticity is just a legacy of the spat with Sun: it's really just for Windows on x86.

• You are oversimplifying it. The platform is a whole lot more than a "layer on top of Win32". It also abstracts away interfacing with drivers, enumerating devices across different buses, and a whole mess of other things that aren't even part of Win32 (or NTAPI). The madness of COM is scrubbed away.
            • What driver interfacing can I do with NGWS that I can't do with native user-mode code, please? And when would I actually want to do it?

              • Format a disk. And before you say it, SURE you could write code to interface with SCSI and ATA and implement FAT and NTFS and whatever else in user mode code. The point of a platform is you see a disk and you say format with a couple of flags.

                And this is just a loose example. I'm not going to argue the merits of a platform over a bare API.
    • by hairyfeet (841228)

      I agree this is a good thing and for all of us who have customers that have one or more mission critical Java based applications this should make a pretty good dent in the risk of running Java.

In the case of my customers I have several that have to send data to the main branch via a Java applet, and then there are the SMBs who are using GoToMyPC to have remote access to their work systems from home. In both cases if it weren't for that single requirement I wouldn't have Java installed on their systems bu

  • by Anonymous Coward

    I'm so glad back in 2001 when I worked for a company that was considering using Java applets that we stayed away from them. They load slow anyway and just cause headaches with compatible Java versions installed on the client and all.

    • The idea was good. The implementation was poor
      • Java applets have had a couple of issues over the years.

In the early days the problem was incompatible variants. MS had their own JVM which was in very widespread use and only supported a very old version of Java.

More recently the problem has been that the security design just isn't standing up to the threat level on the modern internet. For "untrusted" applets Java was designed around the idea of designing a full-featured API and then trying to lock it down to run untrusted code (usually but not always in

    • "Write once, test everywhere"

    • by ADRA (37398)

      Assuming the sandbox can be trusted to do the right thing, Applets are pretty trivial to deal with fixed requirements for JVM versions these days without causing a world of hurt for end users.

  • by Anonymous Coward

    "We give up. We're too incompetent to fix the bugs, so we'll just foist a huge inconvenience on our customers who are locked in to our platform."

  • I don't see the point in a feature like this. Everyone has already either uninstalled Java by now or disabled the web plugin. Me turning it back on whenever a page legitimately needs to run a Java App is the ultimate whitelist.
    • Re:pointless (Score:5, Insightful)

      by h4rr4r (612664) on Thursday September 19, 2013 @12:50PM (#44894723)

No, everyone has not. There are a great many enterprise apps that companies rely on that need this. Normal users will not know to turn it on, nor to turn it off.

• No, everyone has not. There are a great many enterprise apps that companies rely on that need this. Normal users will not know to turn it on, nor to turn it off.

I wouldn't go so far as to call them great. ;)

  • As someone who is just getting back into Java development the security issue of the past few years have had me a little worried. This is a great step in the right direction. Kudos to Oracle. I hope that the work they are doing on the browser plugins in Java 8 improves on this. On a kind of related note; IntelliJ IDEA is a freaking sweet IDE! It isn't quite up there with Visual Studio but it makes working with Java much nicer than it was a decade ago!
  • I would really like this feature for normal Java applications that use the JVM to get around the firewall.

    • by swilver (617741) on Thursday September 19, 2013 @03:55PM (#44896463)

      I'd recommend installing a better firewall instead.

    • by dkf (304284)

      I would really like this feature for normal Java applications that use the JVM to get around the firewall.

      What? That doesn't make any sense, not unless you're talking about basing whether code can get through the firewall on the path to the executable or something equally silly (given the existence of the JVM, Python, Ruby, Perl, ...).

• Is Oracle releasing updates on a bi-daily basis?! I could have sworn I was installing update 25 last month!

    Note: I have no problems with having security exploits and vulnerabilities being patched, it's just at some point it would be easier on the end user to consolidate updates....
  • Package your ruleset.xml into DeploymentRuleSet.jar

    Packaging your ruleset allows the desktop administrator to apply cryptographic signatures [emphasis mine] and prevent users from overriding your policy. This requires usage of a trusted signing certificate. The easiest route to get a signature is to buy one from a certificate authority like Symantec/Verisign, Comodo, GoDaddy, or any other; [...]. The default certificate authority list contains about 80 authorities from which you may purchase a signing cer
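The rule set file, packaging and signing described in the quoted text, as an added example that is not from the thread or from Oracle: it writes a ruleset.xml that permits one Web Start/applet origin and blocks everything else, packages it into DeploymentRuleSet.jar, and signs the jar. It assumes a JDK (jar, keytool, jarsigner) on PATH for the packaging step; the hostname is a constructed placeholder, and the self-signed key stands in for the CA-issued signing certificate the text calls for.

```shell
#!/bin/sh
# Added example: build, package and sign a Java Deployment Rule Set (Java 7u40+).
# Hostname below is a constructed placeholder; a JDK is assumed for package_and_sign.
set -e

# Rules are evaluated top to bottom and the first match wins,
# so the catch-all "block" rule must come last.
write_ruleset() {
  cat > "$1" <<'EOF'
<?xml version="1.0"?>
<ruleset version="1.0+">
  <!-- Allow only the wage-reporting app, and only from its HTTPS origin. -->
  <rule>
    <id location="https://wage-reporting.example.com" />
    <action permission="run" />
  </rule>
  <!-- Everything else is blocked; users see this message instead of a prompt. -->
  <rule>
    <id />
    <action permission="block">
      <message>Applets from this site are not approved. Contact the helpdesk.</message>
    </action>
  </rule>
</ruleset>
EOF
}

# Sanity check before shipping: exactly one "run" rule, and the "block" rule is the last one.
check_ruleset() {
  [ "$(grep -c 'permission="run"' "$1")" -eq 1 ] &&
  tail -n 6 "$1" | grep -q 'permission="block"'
}

# Package ruleset.xml into DeploymentRuleSet.jar and sign it. A throwaway self-signed
# key is generated here; in production sign with a certificate from a trusted CA so
# users cannot replace or drop the policy.
package_and_sign() {
  dir="$1"
  ( cd "$dir" && jar cf DeploymentRuleSet.jar ruleset.xml )
  keytool -genkeypair -alias drs -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=DRS test" -keystore "$dir/drs.jks" \
    -storepass changeit -keypass changeit >/dev/null 2>&1
  jarsigner -keystore "$dir/drs.jks" -storepass changeit \
    "$dir/DeploymentRuleSet.jar" drs >/dev/null
  jarsigner -verify "$dir/DeploymentRuleSet.jar" >/dev/null
}

if [ "${1:-}" = "build" ]; then
  d="${2:-.}"
  write_ruleset "$d/ruleset.xml" && check_ruleset "$d/ruleset.xml" && package_and_sign "$d"
fi
```

Run as `sh drs.sh build /some/dir`, then place the signed DeploymentRuleSet.jar in the JRE's system deployment directory (for example /etc/.java/deployment/ on Linux) so every user on the machine picks it up.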
