Another Java Exploit For Sale 150
tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."
Doesn't Oracle have a bug bounty program for Java? (Score:5, Interesting)
Surely the bad publicity from a root exploit is worth more to Oracle than $5000? $5000 is peanuts in this context. Why doesn't Oracle have a bug bounty program to avoid problems like this?
Re:Doesn't Oracle have a bug bounty program for Ja (Score:4, Interesting)
Actually, this sounds off to me. $5K for an exploitable Java vulnerability? That's waaaaaay too cheap for the exploit market...white, grey or black. I think this guy is selling a crock of shit, but he knows that the big-money purchasers would be able to tell. So he's offering it for chump change, which is exactly what a chump happens to have on hand to pay.
Re:Kill it with FIRE (Score:1, Interesting)
Except that there are still a good chunk of websites that still use Java. For example, Minecraft and RuneScape to name two.
Both applications that should be completely client side
And sure you -can- have it be fully client side but it doesn't always work. Many schools and workplaces will filter out .exe file extensions but will let you run in-browser applications just fine.
So the Java browser plugin deserves to exist because... otherwise kiddies can't get around Sonicwall? Really?
Furthermore, that's a terrible argument because an institution that can prevent non-whitelisted applications from launching can also trivially block whatever website hosts the .jar for the program you want to run. And if they do, it's their damn equipment anyway, stop screwing around on it.
The web is not just things developed in 2013, but also for things developed back in 1997. And as such, it needs to be at least partially backwards compatible with older technologies.
This is completely true, but people have pretty much given up on Flash. I doubt you pine for ActiveX.
The real issue here isn't about browser plugins but it is the terrible management of Java by Oracle. There is nothing that inherently should make Java more unsafe than a generic web browser
Java is a plugin, not a web browser
, the problem is unlike most web browsers
Java is a plugin, not a web browser
, Oracle has time and time again proven to be unable or unwilling to fix gaping holes in their programs. Even when they do create a fix they still try to bundle in crapware such as the "Ask" toolbar and switch my default search engine to Ask. A slimeball tactic that should be reserved for those making keygens and the like.
Agreed. Oracle is terrible.
There is nothing that makes Java any more insecure than JavaScript
Yes, there most definitely is. Javascript cannot access the filesystem. Java can. Javascript cannot spawn processes. Java can. The difference is that the Java plugin takes something that is fundamentally unsafe and attempts to bottle it up, where Javascript simply doesn't have the dangerous parts that malware gains access to.
except for Oracle. Rather than simply dropping a useful element of the web, we should pressure Oracle to do what a software firm should do: fix the bugs!
Why? As a user, what reason is there for you, personally, to have the Java browser plugin installed? So you can play minecraft? Use the standalone client instead. You'll get a better framerate without the browser, ffs. For the mathematical applets that I was linked to once? Please. Those are trivial to write in Javascript.
Comment removed (Score:5, Interesting)
Re:This is insane (Score:4, Interesting)
It's so weird. This betrayal at acquisition seems to play out over and over. A great team is disbanded by the heavy-handed and mouth-breathing attitude of the new boss.
I'm reminded of the Easter egg in Amiga OS 1.2, which was a secret message accessible by an obscure sequence of keystrokes, UI mouse clicks, and floppy disk ejection/insertion.