Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bug Java Oracle Security

Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch 320

An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."
This discussion has been archived. No new comments can be posted.

Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch

Comments Filter:
  • by buchner.johannes ( 1139593 ) on Monday January 14, 2013 @12:30PM (#42583129) Homepage Journal

    What happened? Most of these exploits seem to rely on rewriting methods / accessing byte code ... how about disabling that access for applets as a temporary measure?

    • by bobdehnhardt ( 18286 ) on Monday January 14, 2013 @12:35PM (#42583215)

      Nothing is truly secure, it's simply in a state where the vulnerabilities haven't been discovered yet.

      • by Anonymous Coward on Monday January 14, 2013 @08:29PM (#42587811)

        No, no, no and no.

        That is a terrible logical fallacy and everytime it comes up it gets to +5 insightful. This is simply just as broken as the "broken windows" fallacy (nothing to do with Microsoft Windows btw). And for whatever reason, even smart people fall for it.

        The fallacy you're falling for is basically the "shades of gray" fallacy. Instead of having two choices (black or white) you argue that it's all gray. But hence you're restricting the issue to something even more simplistic than before: now instead of two colors, there's only one (gray, no matter the shade).

        So instead of saying that there are technologies inherently more secure than others (for example OpenBSD hasn't been "rooted" nearly as many times as Windows XP), you're saying: "But OpenBSD had *two* remote-root bugs already found in 12 years and there are probably others, but we haven't found them yet. So it is impossible to create something secure".

        And by doing you're implying that OpenBSD or Windows XP: it doesn't matter, it's all gray. Because nothing is truly secure.

        And it's very sad. And it's a terrible fallacy to fall for.

    • by robmv ( 855035 ) on Monday January 14, 2013 @12:40PM (#42583267)

      I don't see think Java the platform is a security nightmare, but if someone doesn't need then don't install it, reduce your chances of being attacked with software you don use.

      Every Chrome/Firefox release has security vulnerabilities fixes, sometimes bugs as critical as this one, and I don't see people screaming "Remove Chrome, Disable Firefox...". All software has bugs, the problem with Java is the slow response of Oracle (and Sun at that time) fixing things, the update cycles are too long and only when a critical bug very loud on the media is found you see them pushing a fix.

      • by zero.kalvin ( 1231372 ) on Monday January 14, 2013 @12:46PM (#42583347)
        Yes, but when a bug is found in either of them (Firefox or Chrome) devs race to plug the whole. On the other hand Oracle knew about this since August and did nothing about it..
        • by Anonymous Coward on Monday January 14, 2013 @01:02PM (#42583523)

          They did not do nothing about it, they did release a patch. (That patch was insufficient and that is a valid point to criticize Oracle.)

        • by Anonymous Coward on Monday January 14, 2013 @04:08PM (#42585455)

          This is absolutely not true. This vulnerability was a zero-day exploit. Zero-day means, by definition, nobody knew about it except the guys who wrote the exploit. We learned about this exploit last Thursday and had a fix on Sunday. Folks were up working around the clock to get the fix out.

          We take security exploits incredibly seriously. Three times a year Oracle produces "critical patch updates" and we're working hard to clear out every bug from our backlog related to security, at the expense of new feature development. The suggestion that Oracle doesn't care about fixing these security problems is simply not true.

          • Three times a year Oracle produces "critical patch updates"...

            Three times a year.

            Not when they are needed, or when they are wanted, or when they are actually ready... but rather, three times a year.

            All you need to know about Oracle is contained in the parent post. They think "three times a year" is taking "security exploits incredibly seriously".

            Reminds me of the sewer worker who's proud to take a bath every year, whether he needs it or not, because he's incredibly serious about hygiene.

      • Re: (Score:2, Informative)

        I don't see think Java the platform is a security nightmare, but if someone doesn't need then don't install it, reduce your chances of being attacked with software you don use.

        Every Chrome/Firefox release has security vulnerabilities fixes, sometimes bugs as critical as this one, and I don't see people screaming "Remove Chrome, Disable Firefox...". All software has bugs, the problem with Java is the slow response of Oracle (and Sun at that time) fixing things, the update cycles are too long and only when a critical bug very loud on the media is found you see them pushing a fix.

        It is a security nightmare. You can put to geek stats and engineering and I will point to examples. At the end of the day what matters is how many exploits keep getting hit by it compared to other products. The only thing that comes close are IE 6 and flash. Even PDFs have exploits but not as many as java nor the frequency.

        Other browsers and technologies like silverlight have good engineering principles and less vulnerabilities. ... actually Firefox does have some as well compared to Chrome but htey update.

        • by aled ( 228417 )

          Java is sandboxed sort of, but it has RMI which sole purpose is to include untrusted unsigned c code. Corporations love it as it means +COM ojbect access for excel, but it also means a cracker can put whatever he wants in it. As Sun/Oracle try to sandbox and limit RMI it then breaks apps and teh corps end up whininng and locking down insecure old versions of it so their shitware apps work as they do with sticking with IE 6 as well.

          This part of your post has wrong information. RMI is remote method invocation, has no relationship to execute c code. May be you are referring to JNI, Java Native Interface. I don't think you can execute native code in an unsigned applet. Why would anyone use it for accesing an excel spreedsheet is beyond me given that there are excelent pure java libraries for doing so.
          Perhaps some company used Java and a COM bridge in the IE6 age when there where few alternatives and now is reticent to re implement it. Ma

          • by rve ( 4436 )

            The troll. You are feeding it.

            It's a good one, better than most. Clever use of a series of real technical terms taken out of context and having nothing to do with the issue or Java or each other, and to finish it off, some truly awful advice

    • by gandhi_2 ( 1108023 ) on Monday January 14, 2013 @12:51PM (#42583399) Homepage

      Maybe if they'd spent less time trying to get people to install ask toolbar or somesuch bullshit....

      • by Anonymous Coward on Monday January 14, 2013 @01:22PM (#42583735)

        yes, we already blacklist Java across the company where I work due to this.

        in general they're quite liberal about letting employees manage their own computers (it's a software dev studio) but Java is blacklisted because of the Ask bundling, which is considered Spyware at corporate level and difficult to remove cleanly.

    • Java used to be secure and sandboxed. What happened?

      That struck the odd chord in me too. In my mind Java has also held the status of being a relatively secure system.

      • Until it was the top attack vector in browsers for about 5 years running, sure. After that I think people started to go sour on it.

    • by bbn ( 172659 ) <baldur.norddahl@gmail.com> on Monday January 14, 2013 @01:52PM (#42584053)

      Java code is sandboxed but many parts of the Java standard library is not written in Java. Every time SUN took the easy way out and used an external library instead of reimplementing in Java, they opened the platform to exploits of bugs in that library. Also it seems the SUN engineers did not really like to code in Java so they made a very large part of the platform in C - even when they could have made those parts in Java.

      The standard library rt.jar file has more than 1000 methods that are implemented by native calls to C code or third party C libraries. It is simply too much to check that every single one of those crossed all the t's and dotted the i's. So we keep finding more bugs.

      The sandbox itself is fairly secure so there is nothing wrong with the idea. It is just the implementation that went wrong.

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Monday January 14, 2013 @02:18PM (#42584313)
      Comment removed based on user account deletion
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Monday January 14, 2013 @12:33PM (#42583183)
    Comment removed based on user account deletion
    • Re:Two years? (Score:5, Insightful)

      by Anonymous Coward on Monday January 14, 2013 @12:48PM (#42583361)

      It looks like he randomly pulled a time frame. I cannot find an explanation for the two year estimate.

      Ah, but that's the beauty of it! Owing to the blind hatred of Java around these parts, he can pull any alarmist timeframe out of his ass at any time, and we're certainly not going to argue with him!!! If anyone does, we can accuse them of liking Java, and then we excommunicate them and shame them in the entire software engineering world until they can't ever get a job again as a warning to others! It's brilliant!

      • Re: (Score:3, Insightful)

        by mcgrew ( 92797 ) *

        Owing to the blind hatred of Java around these parts

        The hatred is by no means blind. And it isn't hatred so much as simple disgust.

        • Perhaps it's time to rethink the whole "execute in user space" thing and go back to HTML/CSS rendering and server-side CGI.

          Near as I can tell, the whole user-space execution thing has been a security and compatibility clusterfark since day one. The "cloud" is a user data loss / privacy nightmare by design, too.

          Honestly, it seems to me that outside of the usual HTML uses - reading a blog or a news site, shopping, that sort of thing - most people I know actually use the web to ship video and audio back and fo

          • by Phrogman ( 80473 )

            Well I agree with you. I use the web to read stuff, sometimes to view stuff, and to post information back. I use applications for pretty much any other use of the web.

            I don't need a lot of the "functionality" that seems to important to web developers these days. A lot of that stuff could be done on the back end, or at least with a much more secure system than relying on Javascript to implement it.

            Its perhaps time for a new client-side coding mechanism that starts with security first and foremost, and adds e

      • Re:Two years? (Score:4, Insightful)

        by LordLimecat ( 1103839 ) on Monday January 14, 2013 @02:16PM (#42584283)

        and we're certainly not going to argue with him

        Why would we? Given that Java has been a security nightmare for 5+ years, 2 years to "secure" it (ie, doesnt have a critical exploit every 2 months) doesnt seem far fetched. If anything its conservative.

        Seriously, anyone want to take bets on whether in 2 years browsers will still treat java plugin as an unusual security case? (firefox / chrome auto-disable java unless its the most current version due to its massive problems).

    • Re:Two years? (Score:5, Interesting)

      by Zocalo ( 252965 ) on Monday January 14, 2013 @12:54PM (#42583437) Homepage
      Possibly, but it could also have something to do with Oracle's announcement that Java will be getting regular updates on a two year schedule [computerworld.com]. Maybe he's just assuming it's going to take a major iteration - from the v8.x series due in September to the next release, v9.x to completely fix this class of flaws.
    • I cannot find an explanation for the two year estimate.

      Hey, Java is going to be vulnerable for a couple years so that means you should hire us to help protect you.

  • by Anonymous Coward on Monday January 14, 2013 @12:35PM (#42583195)

    The solution is to stop running untrusted code in your browser. If you are using a browser's default configuration, then any time you go to a website, the browser will automatically download and execute software from the website, in the form of Flash, Java applets, javascript, and Silverlight, if you have it installed.

    And you think there aren't any vulnerabilities in any of those sandboxes?

    • by Wrath0fb0b ( 302444 ) on Monday January 14, 2013 @02:00PM (#42584153)

      But there are also well-documented CSS vulnerabilities [metasploit.com], XUL exploits [secunia.com] and even one in a JPG parser [verisigninc.com].

      Should we disable those as well? Are you part of some guerrilla marketing campaign to bring back Lynx?

      • by LordLimecat ( 1103839 ) on Monday January 14, 2013 @02:18PM (#42584311)

        Living is a risk. You have to quantify and try to mitigate the bigger risks.

        Java qualifies as a "bigger risk", and you mitigate it by uninstalling JRE.

        • by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Monday January 14, 2013 @05:42PM (#42586387) Homepage

          Java qualifies as a "bigger risk", and you mitigate it by uninstalling JRE.

          You mitigate by disabling Java in the browser. You also want to do that for performance reasons; the Java plugin is resource hungry by comparison with most other plugins (let alone with running Javascript code). I've been keeping it switched off for ages, and the logic behind that wasn't security even though that was one of the nice outcomes. Uninstalling the JRE is a much more extensive change, in that it tends to result in the inability to run any Java program, including many that are totally unrelated to web security. The best response is always the proportionate one.

          Of course, with this much hyperbole you're well suited to be a security commentator. Throwing babies out with bathwater a speciality! Next up, why you should disable HTTPS because of the compromise of one CA...

        • It's not merely that Java represents a bigger risk. The reward is fairly insignificant as well.

          If you disabled Flash, you'd have trouble with all sorts of sites, especially those that play video. If you disabled Java, you'd have trouble doing, well, nothing, because no respectable site has applets running straight off their pages anymore.

      • by Anonymous Coward on Monday January 14, 2013 @04:22PM (#42585585)

        Personally I'd vote for bringing back gopher! And if that means we "lose" that blinged out "web-2.0" crap, it's not a day too soon.

  • by Todd Knarr ( 15451 ) on Monday January 14, 2013 @12:35PM (#42583205) Homepage

    The safest thing to do at this point is just assume that Java is always going to be vulnerable.

    That's not specific to Java, it applies to all software that's downloaded from an outside source and run on your local machine. That means Adobe Reader (PDF is simply a wrapper for a program written in Postscript), Flash (ditto, written in a special programming language) and even Javascript. It even includes downloaded TrueType fonts (the font hinting program they can include is just that, an executable program). Don't dismiss them just because they're sandboxed. Java was sandboxed, that didn't stop this vulnerability. Sandboxes are software and software has bugs in it, always. The only question is the number and severity of the bugs. The simpler the software, the fewer bugs there tend to be because there's fewer places for them to hide. Their favorite hiding place is in unexpected interactions between different parts of a piece of software, or between the software and the system it runs in, and simpler software has fewer and simpler interactions that're easier to get right.

    This even applies to software you buy from a vendor. The difference is that with bought software you tend to download it only a few times and always directly from the source. Contrast this with the Web, where you're downloading multiple pieces of software on virtually every Web page you hit with no idea where they're coming from (and, in the case of advertising networks, the place you download them from may not even know who or where they're coming from).

    • by TheGratefulNet ( 143330 ) on Monday January 14, 2013 @12:40PM (#42583273)

      in short, 'mobile code' (stuff that runs and is sent across from them to you, to be run on YOUR platform) is untrustable by nature.

      I never liked the idea of it, not once. I think its all a security fail.

      'here, here's some binary code. run this. no, don't ask questions, just execute this, please'.

      why people thought that was a good idea is beyond me.

    • by Zero__Kelvin ( 151819 ) on Monday January 14, 2013 @12:51PM (#42583403) Homepage
      That's not specific to Sun/Oracle's JVM Implementation, but goes for all software, at all times.

      "it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web" ... "The safest thing to do at this point is just assume that Java is always going to be vulnerable,""

      This guy isn't a security expert. He doesn't even know that Java is a programming language, and that Oracle's JVM is not "a version of Java used to surf the web". No self respecting expert would misuse terms the way he is, and he should be sued for doing it. It leads to ridiculous situations, where people think Java is inherently bad. I mean, isn't Android based on Java? OMFG ... don't get one of those! Haven't you heard. Java is vulnerable to attack! If the writer got what this guy said correct then his guy is either shilling for Apple or Microsoft against Google/Android, hates Oracle, or is phenomenally incompetent.

      • Re: (Score:2, Insightful)

        by amicusNYCL ( 1538833 )

        You think the chief security officer of Rapid7 doesn't understand the nature of Java, huh? It's not that he's trying to use language that most people would understand, but that he actually does not know that Java is a programming language and what the JVM actually is. That's some stunning logic you've got there. He sounds like he probably knows his stuff [rapid7.com].

        • I certainly left open the possibility that he is intentionally misleading people. You'd find people's logic less stunning if you learned to read and understand what you read. That being said, I didn't know who he was, or I would have went straight to the latter part of my post and skipped the possibly incompetent part.
      • by PCM2 ( 4486 )

        This guy isn't a security expert. He doesn't even know that Java is a programming language, and that Oracle's JVM is not "a version of Java used to surf the web".

        You're assuming quite a lot there. I didn't see any sentence in there that said "Oracle's JVM is the version of Java used to surf the web." But most of the exploits we're talking about certainly do involve the version of Java used to surf the web -- the Java plugin. People who are just running desktop Java apps aren't vulnerable. These are browser exploits, or exploits that attack the interface between the plugin and the browser. If a Reuters reporter wants to simplify the language so that regular people c

        • "But most of the exploits we're talking about certainly do involve the version of Java used to surf the web"

          It's not a version of Java! Java is a fscking programming language. It is no more correct to say Java is vulnerable than is is to say C is vulnerable or COBOL is vulnerable. Also ...

          " If a Reuters reporter wants to simplify the language so that regular people can understand it, where's the harm?"

          Oh ... Oh ... I remember this one from elementary school English class! It would be because he used quo

    • by Hatta ( 162192 )

      Sandboxes are software and software has bugs in it, always.

      So how does this bode for the cloud? OSs and hypervisors are conceptually similar at least to an OS and a sandboxed app. What prevents a hypervisor from being attacked in the same way that Java's sandbox was?

      • by Todd Knarr ( 15451 ) on Monday January 14, 2013 @01:23PM (#42583747) Homepage

        Absolutely nothing. In fact, I think they've already found ways to break out of most of the hypervisors out there and gain access to the host machine from inside a VM. The only exceptions I can think of are the IBM mainframe hypervisors, and those have the dual advantages of a) decades of work finding and removing bugs and b) hardware that was designed to run the hypervisor and has special support for isolating the hypervisor from the virtual machines.

        Bear in mind that for cloud applications you actually need to be worried about the reverse: protecting your application from the hypervisor breaking into it. The worst incursions won't be from other applications breaking out of their VMs, it'll be incursions from the cloud provider's own internal network (from conventionally-infected machines) infiltrating the host machines' hypervisor software and from there reaching down to infect hosted applications.

    • by bcrowell ( 177657 ) on Monday January 14, 2013 @02:23PM (#42584367) Homepage

      PDF is simply a wrapper for a program written in Postscript

      Not true. Postscript is a Turing-complete language. PDF is basically a redesign of postscript that, among other changes, makes it into a Turing-incomplete language. This makes PDF inherently more secure than Postscript.

      The security flaws that keep popping up in Adobe Reader are not holes in PDF itself, they're holes in other features that were added on later, such as the ability of recent versions of PDF to embed javascript. By default, AR will execute javascript that's embedded in pdf files. This is both a privacy (people can track readers) and a security issue (more than one stack overflow bug has been discovered that's related to js). To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

      Better yet, simply don't use AR as your PDF plugin in your browser. On linux, Evince is pretty good.

      The situation with PDF is actually closely analogous to the one with java applets. Both technologies were designed with security in mind, and are inherently possible to implement straightforwardly in a secure way. Both are open specs that are freely implementable without paying patent royalties. In both cases, the evolution of the spec is currently being guided by an evil corporation that doesn't care about security. The main difference is that in the case of PDF, the relevant read/write functionality exists in multiple completely independent implementations, whereas for java, there is no full reimplementation by anyone besides sun/oracle, only implementations that use almost all of oracle's code and replace portions that weren't freely available.

  • So? (Score:4, Interesting)

    by Hatta ( 162192 ) on Monday January 14, 2013 @12:36PM (#42583221) Journal

    Running programs from untrusted sources has always been unadvisable. I run java every day, and I'm not worried at all about getting compromised. Apps like ImageJ or UGENE, if they weren't written in Java would be written in a native language which would be just as dangerous to install. So don't be an idiot and run programs from random websites and you'll be fine.

    • by Anonymous Coward on Monday January 14, 2013 @01:07PM (#42583567)

      Running programs from untrusted sources has always been unadvisable. I run java every day, and I'm not worried at all about getting compromised. Apps like ImageJ or UGENE, if they weren't written in Java would be written in a native language which would be just as dangerous to install. So don't be an idiot and run programs from random websites and you'll be fine.

      The problem is, the default Java runtime install includes a browser plugin that allows Java applets embedded in a webpage to run automatically. Code delivered this way is supposed to run inside a strict sandbox, but that sandbox has been repeatedly shown to be full of holes.

      (Desktop apps written in Java, including UGENE and ImageJ [and Eclipse, and the mostly-not-Java LibreOffice] do not use the browser plugin and will run fine even if the browser plugin is disabled or deleted completely. Your standard don't-be-an-idiot advice does indeed apply to these kinds of apps. But the JRE you installed to run ImageJ will install the browser plugin you never asked for and don't need.)

      Oracle really should consider making the browser plugin a separate, optional, non-default installation.

  • Fact free claims (Score:2, Insightful)

    by Anonymous Coward

    HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.

    How is Mr. Moore computing this interval? Nothing is offered in these stories about why it would take Oracle "two years" to "fix" the "security bugs".

  • by waddgodd ( 34934 ) on Monday January 14, 2013 @12:38PM (#42583245) Homepage Journal

    It didn't take two years to write JDK in the first place...

    • This has nothing to do with JDK (Java Development Kit.) It is the JRE (Java Runtime Environment, including the JVM (Java Virtual Machine)) as implemented by Oracle. That being said, the JDK has been around for at least a decade. If anyone knows how long it took to write, it's not the guy confusing it with the JRE. Of that much I am certain. See also ... [javabeat.net]
      • the JDK has been around for at least a decade

        You're trying to slam someone else for their dubious selection of jargon but the best you could do is "at least a decade"? (For nostalgia purposes I keep the original edition of "Java in a Nutshell" on my desk, copyright 1996, and yes, JDK is in the index.)

        • So you are saying that I was correct, but because I didn't indicate the exact moment of its inception (which I would only know if I was James Gosling anyway) that I was in error somehow? I wasn't "slamming" anyone. I'm tempted to do so now though, but you aren't worth the effort. HANL and hope to never hear from you again ...
        • And for what it's worth, the JDK includes the JRE and JVM, so yes, if the original JDK took a year (it didn't Oak [wikipedia.org] was under development for three years and it took two more for Java 1.0 to ship.) a complete rewrite, including the JVM should be less than two.

          The problem with that statement is not that he said JDK, it's that his understanding of the time frame and effort to produce the original JDK is completely wrong and furthermore the current JVM looks almost nothing like the original from 1995. A complete

    • Writing a JRE is like writing an OS. You can write a toy one in a few months (Minux) or spend lifetimes writing one good enough to be competitive in the real world (Linux).
  • This also applies to every desktop OS - ESPECIALLY Windows. How many years has Microsoft been attempting to secure Windows? Obviously if you care about national security, you will unplug your PC today.

  • OpenJDK (Score:2, Interesting)

    by Anonymous Coward

    Are those security flaws also affecting OpenJDK 6 and/or 7?

  • by Twillerror ( 536681 ) on Monday January 14, 2013 @12:52PM (#42583419) Homepage Journal

    Why exactly do we need applets on joe smoe's machine? If your a corporation enable it.

    It would be great if all browser had a whitelist of domains that you tag a site for any of this stuff. Yes youtube can play flash, other sites not. Advertisers will just use animated gif\javascript or whatever.

    Sure there is this plugin and that to accomplish this...time for FF, Chrome, and IE to build this stuff in and make it off by default and super simple to address. Of course you've got grandma on IE 6/7/8, but even then MS could put out a patch that just turns off applets. The next time IE starts up it ask the user. Group policy would override.

    • Java applets were a good idea in 1996 or so when the web was mostly text documents and static images. Now there isn't very much that an applet does that can't be done with equal facility and somewhat greater security by making a web application using any one of a number of technologies. (Admittedly deploying an application server has its own set of security issues but for the most part, they are limited to the server side of the street.) I can't think of anywhere I've encountered Java applets in the past
    • Flashblock [mozilla.org]?

    • by gl4ss ( 559668 )

      both firefox and chrome ask per site if you want to run java.

      by the way.. just today I had to fix my java plugins to work, to authenticate via my bank to a 3rd party(the bank uses a java applet for security code input.. there's no real logic why though). the shit wouldn't work in either firefox or chrome before I ran it in IE. such bullshit.

  • by Anonymous Coward on Monday January 14, 2013 @12:54PM (#42583431)

    I find it strange that I can install a flash blocker that allows me to whitelist certain websites but that similar functionality seems to be missing for Java... the easy answer is to not allow java to run unless the site or even specific URL is in a whitelist.

    The java engine should check whether the code it is about to execute is from a whitelisted location before it executes it. If the code is not, it should warn the user, perhaps prompting to add the site.

    That way your banking and ecommerce sites would still work easily while the "bad guys" would at least have to successfully social-engineer you into adding their site, a situation much better than what we currently see where all you have to do is inadvertently browse to a web page with compromized java applets embedded.

    • by David_Hart ( 1184661 ) on Monday January 14, 2013 @01:24PM (#42583761)

      If you are using Firefox, Chrome, or Safari, you can install NoScript. I find that it works well. It takes some effort to figure out which scripts you need to run for each page to display properly and which are the advertisement scripts. But it does the job. So far, I have found only one site that doesn't work with NoScript, but it's not a common site.

      If you are not using If you are using Firefox, Chrome, or Safari, then it may be time to switch. I, personally, have always preferred IE. However, I made the switch to Firefox a couple of years ago and haven't turned back since. The security plugins for FireFox are much better than for IE and most are free (open source).

    • by gl4ss ( 559668 )

      like chrome & firefox? they both ask per site...

  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Monday January 14, 2013 @01:03PM (#42583527) Journal

    ... why, exactly, a java application that starts with the security manager turned on should *EVER* somehow need legitimate permission to turn the security manager off?

    That, to me, seems so obvious as a basic security measure, it amazes me that software as old as Java would still have such vulnerabilities.

    I can see absolutely no reason to start with an unprivileged app that can somehow give itself privilege it did not start with. In reality, such actions should be up to the user to decide *before* they run the app (although that may still be quite vulnerable to social engineering, it would at least remove the technical aspects of the vulnerability).

  • by WOOFYGOOFY ( 1334993 ) on Monday January 14, 2013 @01:11PM (#42583607)
    Get real. People running Java based apps on their computers are in no danger of anything. What is being talked about is Applets, where arbitrary code is injected and run in the browser-hosted sandbox. So you surf to some website We-R-Malware and it asks you to let it run their applet (written in Java) in your browser and you say "sure, great idea".

    This is like opening an email attachment form the same domain name; don't do that because somehow that PDF file, Excel file, Word document or whatever is harboring some evil code.

    But does any of that mean you should remove Excel or PDF readers or Word or Libre Office or anything else from your own machine? Of course not. Java apps are totally safe on your machine and removing Java from your machine makes exactly zero sense.

    The only people (mis) representing this situation are people who have an economic stake in "competing " languages and runtimes and language warriors , so that would include M$, consultants who want to be able to bill to rewrite Java apps (for no reason) , authors and evangelists from competing languages etc etc etc . You should all be ashamed of yourselves. C# is a great language , Java is a great language , Perl is a great language , C is a great language, Scala is a great language, Lisp is a great language.. so just GTFU.

  • They all have undiscovered holes. What makes Java any riskier than IE? What makes it any riskier than Chrome or Firefox? Is it the lack of any update strategy on Oracle's part?

  • These vulnerabilities affect java applets right? How many java applets are "in the wild"? 10? Most java applets are in-house businesses task specific apps from what I've seen. Meaning if you're casually browsing the web and the JVM is on... turn it off you don't need it... wants to come on and you don't trust it, block it... standard web practices here.
  • Doesn't this mean the same problem is present in C#, as it is really just a clone of Java

  • Reflection API (Score:3, Interesting)

    by RedHackTea ( 2779623 ) on Monday January 14, 2013 @01:49PM (#42584033)
    So after following the rabbit hole, the article links here [security-e...ations.com] (see PDF) and here [security-e...ations.com] (same site, just "codes" for the issues) while exclaiming about 50 issues in Java! If you cut out the fluff, the only issue is the Reflection API. C# will and does have the same exact vulnerabilities. And after looking through it, it wouldn't take 2 years to apply these "fixes"; however, some "fixes" remove Java functionality, so it will never be "fixed" because why remove functionality. Any language can do bad things. We can only hope that the general public doesn't read this shill crap.

    However, I admit that this is also a good thing to hopefully encourage Oracle to provider quicker updates/patches/etc.

    I still don't see a mass migration to other languages happening. JAXB (and annotations in general) is one of the best things Java ever invented. I have yet to find a language with features that make XML reading/writing as easy as JAXB. Unicode, i18n, and l10n were well-done from the beginning. Even though people laugh at the notion of byte code and the cross-platformness of Java, I still have yet to see another language do this better. Java will die when either a better solution emerges or enough corporate shill kills it.

    And I still don't understand why Linux is being bogged down with C# mono programs such as Banshee, TomBoy, etc. Don't get me wrong, these are great programs, but why not write them in a language that is more open? It would have been just as easy to do these in Java with GTK+.

    /endrant
  • by bcrowell ( 177657 ) on Monday January 14, 2013 @01:53PM (#42584065) Homepage

    To paraphrase a well known saying, I think it's time for the internet to start seeing oracle as damage and route around it.

    One really simple thing that seems needed, and that should be extremely simple to do, would be a whitelist/blacklist plugin for java applets in firefox. The vast majority of java applet users are probably people who work in a bank, a law practice, or a medical office and only ever need to use a single applet. They need an option where they can blacklist all java applets by default, but allow applets from medicalrecords.com or whatever. These folks can't just disable the java plugin completely. Setting plugins.click_to_play to true is also a solution, but it breaks sites that use flash, and it doesn't protect the business against an office worker who clicks on stuff without thinking. (I tried setting this flag on my desktop box at home, and was too much of a nuisance. This is what I have flashblock for, and flashblock does the job better.)

    Another helpful step would be to make it easier for people to find out which versions of java they have on their computers and easier for them to avoid unsafe versions. On my ubuntu box, managing this is a total mess. If I do "java -version", it tells me I'm running java 1.6, which would be immune to this vulnerability. But if I check inside the directory /usr/lib/jvm , it turns out I actually have 1.5, 1.6, and 1.7 all installed. Well, which one is firefox using? I get zero results from dpkg --get-selections icedtea . In firefox, doing tools:add-ons:plugins tells me I have IcedTea-Web 1.2, which tells me nothing about the java version. Typing about:plugins in the url bar shows me literally two dozen version numbers. Googling turns up somebody's test app at http://javatester.org/version.html [javatester.org] , but (a) how do I know this guy isn't a black hat, and (b) even if that showed I was currently running 1.6, what happens if a future apt-get upgrade bumps me into 1.7?

    The final thing that should really happen IMO is that the OSS community should get off the java upgrade treadmill. The IcedTea [wikipedia.org] project should designate some version such as 1.6 as a high-security, stable version and focus some real effort on making that version secure. Distros should stop packaging 1.7+ until the dust settles -- and if that take a couple of years, who the heck cares? Hell, I wouldn't care if it took a decade, or forever.

Single tasking: Just Say No.

Working...