Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug Java Security

New Java Vulnerability Found Affecting Java 5, 6, and 7 SE 121

jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."
This discussion has been archived. No new comments can be posted.

New Java Vulnerability Found Affecting Java 5, 6, and 7 SE

Comments Filter:
  • by Nsks ( 2738937 ) on Tuesday September 25, 2012 @02:17PM (#41453915)
    What is with Java and all these exploits? It's the most exploited piece of software on planet. I think they should learn something from Microsoft's .NET runtime. It's installed on pretty much every Windows computer out there. Still there are no exploits against it! Microsoft seems to know what they're doing much better than Oracle
    • by sgrover ( 1167171 ) on Tuesday September 25, 2012 @02:21PM (#41453975) Homepage

      Dude!!! You almost made pop come out my nose! I laughed so hard!

      • by Anonymous Coward

        Your dad came out of your nose?

        http://www.popvssoda.com Fight!

      • by hoggoth ( 414195 )

        At first glance I thought you said 'pop corn out of my nose'. I was picturing kernels going in one nostril and fully popped corn shooting out the other.

        • Man, all these years I've wondered what the big boys mean by "compiling the kernel". Thank you sir!
        • by Whalou ( 721698 )
          I had read 'poop' instead of 'pop' and thought that I never wanted to laugh that hard.
    • by Anonymous Coward

      Really, somebody better tell Microsoft so they can stop issuing worthless security updates: http://technet.microsoft.com/en-us/security/bulletin/ms12-016

    • by gagol ( 583737 ) on Tuesday September 25, 2012 @02:24PM (#41454039)
      You mean like this [cisecurity.org]?
    • by scorp1us ( 235526 ) on Tuesday September 25, 2012 @02:29PM (#41454087) Journal

      Nah, I'd say Flash is the most exploited runtime.

      I never liked Java, but .NET is even worse for a web platform as it only supports a fraction of the platforms. Java was invented to be portable, .NET was invented to be less portable Java.

    • What is with Java and all these exploits? It's the most exploited piece of software on planet. I think they should learn something from Microsoft's .NET runtime. It's installed on pretty much every Windows computer out there. Still there are no exploits against it! Microsoft seems to know what they're doing much better than Oracle

      All of the present exploits have come from Sun, prior to being acquired by Oracle. Did you expect Oracle to go back and regression test for exploits? I thought the code being open source would allow these things to be found?

    • I certainly hope .Net is secure...because the '.Net security updates' utterly fail to install themselves on any machine I own. Doesn't matter what version (v1.0 to whatever they're at now), doesn't matter what OS version (I've got XP and 7), I don't think a single one has ever installed. These days I don't even bother trying unless I'm already in a bad mood.

    • .NET actually has a bigger attack surface when it comes to sandbox exploits, because its type system is much more complicated, and so its bytecode verifier has to be more complex as well to deal with that, with more corner cases that it can potentially get wrong. For example, .NET has the concept of managed pointers (aka byref) for parameter passing. It also has the concept of vararg methods on VM level (with a variable number of argument actually being pushed on the execution stack - not like Java array-ba

    • by Trogre ( 513942 )

      We could all just bypass Oracle and Microsoft, and move to Dalvik.

  • by Anonymous Coward

    As with previous exploits, what about IcedTea (OpenJDK)? Are Linux users yet again kicking back and enjoying the show?

    • IcedTea is really, really close to being a viable replacement for Oracle's JRE. Some crappy webapps from vendors who should know better (Juniper, looking at you) fail on IcedTea probably because of stupid reasons that could be fixed instantaeously if the vendor bothered with even the slighted QA on the open JRE. This issue is rapidly elevating to critical because as everybody can see, relying on Oracle for anything is just bad business.

  • While I commend their efforts, they could've reduced unneeded panic, FUD, and distraction by giving Oracle a few weeks to patch it before the big announcement.

    Now customers everywhere will be concerned about this bug instead of the disclosed-to-the-vendor-only bug that gives you full administrative rights but which won't be made public until a reasonable time after the vendor was notified.

    Apologies in advance if Oracle was notified a few weeks before this was made public and didn't disclose it themselves.

  • The OpenJDK teams at Debian (who also do Ubuntu) and Red Hat are good people to notify as well. Unlike Oracle, they won't sit on bugs.

  • by Anonymous Coward on Tuesday September 25, 2012 @02:26PM (#41454055)

    Release of Java 5: September 30, 2004
    Oracle's acquisition of Sun: January 27, 2010

    I know it's fun to hate on Oracle (commencing Ellison yacht joke in 5, 4, 3...), but it makes you look a little imbalanced to blame them for a vulnerability that exists in a product created by a different company almost 5+ years before Oracle even bought them.

    Shouldn't we at least wait until after we find out that Oracle knew all about this for months on end, chose to tell no one, and then ported it forward into Java 7 before we lambaste them?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      No! Fuck Oracle! They are the 1%!

    • by Nimey ( 114278 ) on Tuesday September 25, 2012 @02:58PM (#41454599) Homepage Journal

      Java 5 was even EOL'd well before Oracle bought Sun.

      • by fatp ( 1171151 )
        Oracle 11gR2 bundles jdk 5.
    • by Cid Highwind ( 9258 ) on Tuesday September 25, 2012 @03:08PM (#41454825) Homepage

      Number of fscks Larry Ellison has given about Java since finding out owning it doesn't mean Google owes him a ton of money for Dalvik: 0

    • Actually, after the acquisition Sun Microsystems, Inc. and Oracle USA, Inc. were merged to form Oracle America, Inc. So strictly speaking, Oracle is Sun. I wholly agree though that we need to know for how long they knew about this before passing judgement.
    • by Trepidity ( 597 ) <[delirium-slashdot] [at] [hackish.org]> on Tuesday September 25, 2012 @03:32PM (#41455277)

      They've owned the product for almost three years now, so I'd say that bugs in current versions are their fault for not doing sufficient QA to find/fix, regardless of where they originated. When you own something, you own the responsibility too.

    • Part of this is not Oracle's or Sun's fault. It is the customers who uses 10 year old software that relies on these exploits to provide functionality like COM integration with Excel and other useless features.

      The more Oracle plugs these holes the more users will demand to keep XP and Java 1.4.2 around the office. Corporate customers hate change and fixes make them nervous.

      Java does run on every platform. The problem is it does not run on past versions of itself and like ancient versions of IE they create lo

  • by blahbooboo ( 839709 ) on Tuesday September 25, 2012 @02:29PM (#41454085)

    Please discuss.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      No, Java is the old Flash.

    • I can't I'm verklempt
    • by Anonymous Coward

      wabbit season

    • Post subjects are like headlines:

      If they end with a question mark, the answer is always "no."

    • He'll save every one of us!

    • Not that bad but could be better. Unfortunately, in Oracle's hands its more likely to get worse.

      Actually, Javascript needs to be the new Java. Which seems to actually be happening. Sure, Javascript sucks seriously in its own way and can't touch Java in performance, but it does the job, blows Java out of the water in responsivess, and has multiple implementations not under the control of any one company.

      • by dkf ( 304284 )

        Actually, Javascript needs to be the new Java. Which seems to actually be happening.

        Shit. Swapping something that's extremely well defined (even anal-retentively so) for something with as... err... whimsical set of variations as Javascript is such a huge step forward. Not.

        Sure, Javascript sucks seriously in its own way and can't touch Java in performance, but it does the job, blows Java out of the water in responsivess, and has multiple implementations not under the control of any one company.

        On the other hand, the main reason that JS is responsive is that it's got a fully warmed up engine going by the time your browser actually loads any script code. There's a large class of things that you can't do in JS (well, not the JS that's in browsers) and the multiple implementations vary in subtle ways that bite you

  • Wowzers (Score:5, Funny)

    by Billly Gates ( 198444 ) on Tuesday September 25, 2012 @03:26PM (#41455155) Journal

    Good thing we use Java 1.4.2 at work. Looks like I am safe

  • by onyxruby ( 118189 ) <onyxruby@ c o m c a s t . net> on Tuesday September 25, 2012 @03:59PM (#41455705)

    Oracle, did you learn from last time?

    1. Have you publicly acknowledged the exploit?
    2. Have you given at least some idea of how it works?
    3. Have you given any mitigation instructions or will people simply have to uninstall your product since your not saying how to mitigate this?
    4. Have you given any type of public communication along the lines of "were working on it"?
    5. Are you giving any type of eta for a hot fix?
    6. Have you learned that saying, we'll fix a critical exploit on one billion machines at the regular quarterly update schedule is not acceptable?

    Home sick today or I would have been neck deep in this all bloody day. Haven't had a chance to look and see if they learned from their last royal clusterfuck or not.

    • by Anonymous Coward

      Answer:
      They dropped all the vulnerable functions and re-added them with new names. As such, the exploits no longer work.

      Fixed!

      (And for the newbs who think this is a joke... guess again, true story. Thanks, Oracle!)

  • Java was replaced by Flash long ago, and now even Flash is being replaced by HTML5. I have always disabled Java browser plugins exactly because it's unsecure. Five years ago this discovery may still have had some impact, but hardly anyone uses Java applets these days.

    • Go to my workplace. HTML 5 can not happen as we and millions around the world still use IE 7 and are still working on partial CSS 2 support all with java applets that the beancounters see no need to upgrade as it would come out of the CEO's bonus.

      You expect us to replace our 200k Cisco equipment because CiscoConnect requires Java 1.4.x and XP? I THINK NOT.

      Bank of America's corporate portal, Manpower, KRONOS (if you had an hour job you used such a system), all require ancient java that is administred only by

  • I didn't realize Oracle made Java 5

Genius is ten percent inspiration and fifty percent capital gains.

Working...