Oracle Java Security

Oracle Fixes Java Vulnerability Used By Russian Cyberspies (itworld.com) 126

itwbennett writes: Oracle said that it has fixed 154 security flaws in Java and a wide range of its other products, including one that Russian cyberespionage group Pawn Storm used to launch stealthy attacks earlier this year. The vulnerability, tracked as CVE-2015-4902, was being used by the Pawn Storm attackers to enable the execution of a malicious Java application without user interaction.
  • by Nyder ( 754090 ) on Wednesday October 21, 2015 @11:51PM (#50778757) Journal

    I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?

    • by Anonymous Coward on Thursday October 22, 2015 @12:13AM (#50778819)

      Every software company would go out of business. How many non-embedded, non-life critical developers here check every mathematical operation for under or over flows? How many computer systems are hardened against a random bit flip? And how would the world react to the sudden and massive increase in unemployment as all employees of those companies lose their jobs.

      It'll never happen. Consumers don't care about buggy software and non-buggy software is too difficult to code. Perfect code can fail on bad hardware too.

      • It'll never happen. Consumers don't care about buggy software and non-buggy software is too difficult to code. Perfect code can fail on bad hardware too.

        It doesn't have to be perfect. The sad reality is our software could be drastically more secure without coming anywhere close to perfection.
        If a programmer is even thinking a little about security, or is even informed what typical security problems are, then they start writing better code. But most programmers don't think about security at all.

        • by Anonymous Coward on Thursday October 22, 2015 @04:27AM (#50779565)

          It is worse than that. I work for a 'security' startup that has many fortune 500s as customers. Developers ignore security reports and will mark most of the issues as false positive because they don't want to do defensive programming. They even will use years old outdated libraries, known to have security holes, to develop new features because they would have to learn the new APIs of the new versions and that would hinder their perceived development speed.

          • by RabidReindeer ( 2625839 ) on Thursday October 22, 2015 @06:26AM (#50779853)

            That's because we don't really hire software "engineers". We hire "hackers" in the literal sense of the term - people who hack and slash with crude brute force to just "Git 'R Dun!" as fast and as cheap as we can. It's like furnishing a house and all your furniture was made by the side of the road by a guy with a chain saw. No sanding, no gloss, no detail work, no mortise-and-tenon or complex joinery, just 10-penny nails and lots of splinters.

            Or maybe a better analogy is particle board. Stamp on a pretty faux-woodgrain facade and ship it. Just hope it doesn't get wet.

            We don't value polished quality work. As long as it's pretty and it's cheap, that's "good enough".

            • We hire "hackers" in the literal sense of the term - people who hack and slash with crude brute force to just "Git 'R Dun!" as fast and as cheap as we can

              These are the people Edsger Dijkstra was talking about when he said, "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration." Because BASIC is a hack-and-slash language. It takes a while to get out of that mindset.

              • We hire "hackers" in the literal sense of the term - people who hack and slash with crude brute force to just "Git 'R Dun!" as fast and as cheap as we can

                These are the people Edsger Dijkstra was talking about when he said, "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration." Because BASIC is a hack-and-slash language. It takes a while to get out of that mindset.

                I admire Dijkstra's wise words (in particular about this thought of software being usefully constructed.) With that said, that was a moronic thing to say (like, "never use goto".)

                God knows WTF Dijkstra meant to say with that saying, but the l33t hax0r echo chamber has been repeating that saying for years without even thinking what it means to the merits of said language or the malleability and adaptability of the human brain.

                Do not treat long-ago spouted tongue-in-cheek remarks as axioms.

                • God knows WTF Dijkstra meant to say with that saying, but the l33t hax0r echo chamber has been repeating that saying for years without even thinking what it means to the merits of said language or the malleability and adaptability of the human brain.

                  I've spent a long time reading through Dijkstra's works, trying to understand what he meant. I'm fairly confident my explanation is accurate.

                  • God knows WTF Dijkstra meant to say with that saying, but the l33t hax0r echo chamber has been repeating that saying for years without even thinking what it means to the merits of said language or the malleability and adaptability of the human brain.

                    I've spent a long time reading through Dijkstra's works, trying to understand what he meant. I'm fairly confident my explanation is accurate.

                    Accurate with respect to what? About what?

                    • When Dijkstra was talking about people whose mind had been 'mutilated' by BASIC, he was talking about people with the hack-and-get-er-done mindset, people who don't try to think of everything that can go wrong, people who just try to get it working in the case needed now, and don't worry about future proofing it (or even debugging it really, except in simple cases).
          • Developers ignore security reports and will mark most of the issues as false positive because they don't want to do defensive programming. They even will use years old outdated libraries, known to have security holes, to develop new features because they would have to learn the new APIs of the new versions and that would hinder their perceived development speed.

            You act as if the developer has a choice in 99.9% of the cases. You must live in a wonderful alternate universe from the one where most programmers work.

            • You act as if the developer has a choice in 99.9% of the cases.

              If you think you don't have a choice, you need to read this book [amazon.com]. It will teach you how to act professional and do the right thing, while keeping your job. There is no excuse for not using defensive programming.....those programmers should be fired.

              • There is no excuse for not using defensive programming.....

                "It's not a business goal that will drive sales."

                - Manager

                • There is no excuse for not using defensive programming.....

                  "It's not a business goal that will drive sales."
                  - Manager

                  You're stubborn holding on to your negative misconceptions of the world, but this book will teach you how to do defensive programming within your schedule.

                  • No, I'm merely pointing out reality. You live in fantasy land.

                    • No, I'm merely pointing out reality. You live in fantasy land.

                      This comment is meaningless. Plenty of people have told you how to solve your problems; books have been written about how to solve your problems.
                      I don't know why you refuse to try to fix your problems, but that does explain why you have so many problems in the first place. Your problems keep piling up because you don't fix them.

                • I messed up on the link in that previous comment sorry, this book [amazon.com] will help you do defensive programming within your schedule (and once you get the hang of it, probably faster than schedule because you'll have fewer bugs).
        • If a programmer is even thinking a little about security, or is even informed what typical security problems are, then they start writing better code. But most programmers don't think about security at all.

          And then the programmer wakes up into the reality of the fact that their manager demands that the product be done yesterday and far under budget leaving them next to no time to worry about such issues.

          • And then the programmer wakes up into the reality of the fact that their manager demands that the product be done yesterday and far under budget leaving them next to no time to worry about such issues.

            Next time you are standing in line at the checkout, start yelling and screaming, demanding that you be checked-out immediately, and you be given a 30% discount on everything.
            The reason your manager does that to you is because you are a pushover. Read this book [amazon.com] and it will tell you how to do better.

      • by darkain ( 749283 )

        On top of that, WHO would be responsible, considering the deep integration of technology today? Can you even name the number of libraries in use in an application like Chrome? Check chrome://credits/ at some point! Now, is the security flaw in the library? Or the application implementing the library? Or in some interaction between two particular libraries? Or only possible on certain hardware not present in the development studio? Many exploits in the wild today require a very sophisticated arrangement of v

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          It's not without precedent; software in safety-critical machinery deals with the responsibility issue when someone gets hurt.

          If libraries are used then it is up to the person that uses them to ensure that the library is safe to use.
          The responsibility can be shifted to the library developer by them providing a document claiming that it is safe to use, otherwise it is up to the developer of the safe machinery to ensure that the functions used are safe.
          Typically you don't just use a library, you use a library

        • Can you even name the number of libraries in use in an application like Chrome?

          Can you even name the number of (different) components in use in the Empire State Building?

          Quantity is no excuse.

      • How many non-embedded, non-life critical developers here check every mathematical operation for under or over flows?

        You don't need to check every operation for over/underflow. You do need to properly purge any data input that comes from the user (or other untrusted source), including sizes and numbers.
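
        As an added illustration of the point in the comment above (validate untrusted sizes at the boundary instead of checking every arithmetic operation), the following C example is not code from the article, from Oracle, or from any commenter. C is used because the size-times-count wrap it shows is a native-code problem (the thread itself attributes the plugin holes to C/C++ code). It assumes a hypothetical wire format chosen for the demonstration, a 4-byte big-endian record count followed by fixed 16-byte records, and the sample buffers are constructed for that format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format, assumed for this example only: a 4-byte
 * big-endian record count followed by that many fixed-size records. */
#define RECORD_SIZE 16u
#define MAX_RECORDS 4096u   /* policy limit the application decides on */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_MANY = 2, PARSE_NOMEM = 3 };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* The unsafe pattern: multiply the untrusted count straight into a 32-bit
 * length. For count = 0x10000000 the product is 0x100000000, which wraps
 * to 0, so a zero-sized buffer would be followed by a huge memcpy.
 * The value is returned (not used for allocation) so the wrap can be seen. */
uint32_t naive_total_bytes(uint32_t count) {
    return count * RECORD_SIZE;
}

/* Hardened parser: the count is checked against a policy limit and against
 * the bytes actually present, using division so no intermediate can
 * overflow; only then is the product formed. On success *out is a malloc'd
 * copy of the records (caller frees) and *out_count the validated count. */
enum parse_status parse_records(const uint8_t *buf, size_t len,
                                uint8_t **out, uint32_t *out_count) {
    *out = NULL;
    *out_count = 0;
    if (len < 4)
        return PARSE_TRUNCATED;
    uint32_t count = read_be32(buf);
    if (count > MAX_RECORDS)
        return PARSE_TOO_MANY;
    size_t avail = len - 4;
    if (count > avail / RECORD_SIZE)           /* compare, don't multiply */
        return PARSE_TRUNCATED;
    size_t need = (size_t)count * RECORD_SIZE; /* cannot overflow: count <= 4096 */
    uint8_t *copy = malloc(need ? need : 1);
    if (copy == NULL)
        return PARSE_NOMEM;
    memcpy(copy, buf + 4, need);
    *out = copy;
    *out_count = count;
    return PARSE_OK;
}

/* Convenience wrapper: record count on success, negative status on failure. */
int parse_and_count(const uint8_t *buf, size_t len) {
    uint8_t *records;
    uint32_t n;
    enum parse_status st = parse_records(buf, len, &records, &n);
    free(records);
    return st == PARSE_OK ? (int)n : -(int)st;
}

/* Constructed sample inputs (not captured traffic). Unlisted bytes are zero. */
static const uint8_t SAMPLE_OK[4 + 2 * RECORD_SIZE]    = { 0x00, 0x00, 0x00, 0x02 };
static const uint8_t SAMPLE_SHORT[4 + 2 * RECORD_SIZE] = { 0x00, 0x00, 0x00, 0x03 };
static const uint8_t SAMPLE_HUGE[8]                    = { 0x10, 0x00, 0x00, 0x00 };

int main(void) {
    printf("naive length for count 0x10000000: %u\n", naive_total_bytes(0x10000000u));
    printf("valid input:  %d\n", parse_and_count(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("short body:   %d\n", parse_and_count(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    printf("huge count:   %d\n", parse_and_count(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    return 0;
}
```

        The only arithmetic on the untrusted count in the hardened path is a comparison against `avail / RECORD_SIZE`, which can never wrap; the multiplication happens after the count has been bounded by both the policy limit and the buffer length, which is what "purging sizes at the input boundary" buys you without auditing every later operation.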

      • Re: (Score:2, Informative)

        Every software company would go out of business.

        There's a difference between "We found a bug in our software and are notifying our customers with an update" and Oracle's "Here's this month's bucketload of bugs, updating last month's bucketload of bugs, and the month before that, and the month before that, and the month before that, and the month... . Next month's bucketload of bugs will be delivered on schedule, and further bugs will be delivered every subsequent month until the Sun burns out".

        As everyone should have realised by now, JVM actually stands f

      • Not every company. Companies like Oracle/Microsoft/Apple/IBM would be able to afford it. But it would destroy basically almost all non-commercial open source software and most if not all small/medium software companies.

        Basically the GPs idea would leave us ONLY with companies like Oracle being able to afford to write software.

    • by Anonymous Coward

      If you made people legally liable for damages as a result of software bugs, no one would ever write software again. Bugs are inevitable, including security holes, and anyone writing code would go under in very short order.

      On the other hand, I'm in favor of holding companies responsible for data breaches. It's far more practical, and is a better target for protecting privacy and other assets. Your code doesn't have to be perfect to prevent it, your security practices just have to be good. And as an added bon

      • by Anonymous Coward

        Yet there is software in applications where the developers are legally liable for damages.

        People don't even realize that there is software in those applications because it just works and failures typically only happens when mechanical parts are worn out.

        I've seen people here claim that EEs can't code for shit. That is a pretty strange claim since they are the ones that have to write software that stands up to safety certification and has to prove that the software is incapable of causing danger, even in the case

      • If you made people legally liable for damages as a result of software bugs, no one would ever write software again. Bugs are inevitable, including security holes, and anyone writing code would go under in very short order.

        By that logic, there should be no automobile, construction, or medical device industries.

        Nothing is perfect and there's always something you can be held legally liable for. On the other hand, if you are making an honest effort and observe best practices, you can still produce something of sufficient quality that you can stand behind and still stay in business.

        But that's not what users demand. They demand cheap products and expect them to fail. Because, in the end, they're getting what they pay for.

        • By that logic, there should be no automobile, construction, or medical device industries.

          At least in the automobile and medical device industries, most of the players are huge megacorps who can afford the liability insurance and lawyers when it comes to lawsuits. Do you really want a software world where only the likes of companies like Oracle can play because they're the only ones who can afford the liability costs?

          • The automobile companies weren't always mega-corporations. They typically started out the size of Tesla. GM is the conglomeration of the Chevrolet, Buick, Pontiac, Cadillac companies plus probably a few names that used to be well-known before being bought out long ago.

            I think if you took inventory of a typical hospital you'd still find lots of specialty devices and products that aren't from GE, et. al. Not everything is a hulking big MRI machine that requires major resources to build.

            Architectural and engin

    • by phantomfive ( 622387 ) on Thursday October 22, 2015 @12:46AM (#50778951) Journal

      I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?

      A lot fewer. Oracle fixed 154 security issues here, which means they are going through their code looking for them.

      They should have done that a long time ago.

    • by ADRA ( 37398 )

      All OSS software would go belly up. Good job!

    • I dunno, ask Bobby Tables mom...

    • I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?

      All software has bugs. Companies should be made legally responsible for knowing of the existence of a bug and not disclosing / fixing it for whatever reasons.

    • None, because nobody would sell software.
    • All that corporate resource and yet, won't release a Java MSI installer without paying for a support contract. Of course, support contracts for anything touching Oracle involve sums of money usually reserved for oil-rich Middle Eastern nations.

      I know one can extract the hidden MSI inside the EXE file. However, frequency of updates and the non-trivial upgrade procedure in controlled/locked-down corporate environments means a lot of businesses are more exposed than they should be.

      Die Java, Die. (And I'm not

    • Probably none of them - however, we would see every software product instantly bereft of its internet stack, no connectivity to anything except the system it was run on.

      I agree we need to do more to protect systems, but we should do this with education and standardised connectivity libraries and similar systems rather than draconian penalties.

    • Have fun having most open source software disappear since no one will be able to afford the equivalent of malpractice insurance. The only thing you'll be left with is megacorps writing software that will be able to afford to shield themselves.

    • I wonder how many of these security flaw bugs would happen if we made companies actually legally responsible for the flaws in them?

      This only makes sense when 1) said software platforms are explicitly marketed for critical software development, and 2) client companies are, in good faith, using such platforms to build real critical systems.

      Java is specifically marketed with a very clear disclaimer to not be used for critical systems. Same with, oh, I dunno, 99.99999 (and a whole bunch of other 9's)% of the rest of software built on this planet.

      You would have to have a set of parameters by which bugs would be considered critical,

  • unless you have to run some business app, nobody should have Java installed. seriously, there is no need for bytecode language bullshit. Flash is almost gone, please, put a bullet in Java.

    • Re:remove Java (Score:5, Interesting)

      by Anonymous Coward on Thursday October 22, 2015 @12:39AM (#50778921)

      Bytecode language bullshit? The majority of languages these days compile down to bytecode. And while verbose, Java is one of the best statically typed, cross-platform languages out there. The core library is massive and well documented. Cross-platform threading, cross-platform GUI, cross-platform networking, etc... No need to worry about managing a bunch of dependencies and version upgrades for the collection of libraries you'd need to replace what you'd get from the main Java library, all consistently documented, updated, and supported for you for free. A lot of the Python documentation doesn't even tell you the structure or type of what is returned. The Java docs handle all parameters, return values, and most of the edge cases like what happens when you pass in a bad value. Many 'modern' languages leave that important info out.

      All these massive security holes in Java are actually in the C++ code. Part of the web start framework. Anyone bashing Java about its security vulnerabilities is actually bashing C++.

      We're going to be wishing for flash to come back. HTML5, canvas only websites will be much worse.

      • Do these same vulnerabilities exist in OpenJDK? If not, then the problems aren't with Java the programming language, but with Oracle's implementation of the JVM.

        It would be like saying that bugs in Visual Studio are "problems with C".
        • OpenJDK is Oracle's JDK, minus a few commercial features.

          Bear in mind that the 154 holes is for all Oracle products. They have a unified update release schedule which Java follows. There were actually "only" about 25 (I think) security holes fixed in the latest Java release. Of those, a lot were in components like CORBA or JAXRS, stuff that most code doesn't really need access to. And of course these only matter for sandboxing; I think only one affected server apps and that was a partial denial-of-service

      • All these massive security holes in Java are actually in the C++ code.

        If you read the article, you'll see that the bug described is actually in the Java code. But carry on.

        • by Gr8Apes ( 679165 )

          If you read the article, you'll see that the bug described is actually in the Java code. But carry on.

          Actually, if you read the article, you would have read that the bug is actually in the Java browser plugin.

          The Java vulnerability can be used to bypass the user confirmation requirement before a Web-based Java application is executed by the Java browser plug-in.

          No plug-in, no exploit. In fact, 99% of the CVEs are related to the browser plugins. But don't let that stop you.

          • No plug-in, no exploit. In fact, 99% of the CVEs are related to the browser plugins. But don't let that stop you.

            That's true, but I figured by this point everyone realized that already.

            • by Gr8Apes ( 679165 )

              That's true, but I figured by this point everyone realized that already.

              If you read some of the comments, you'll see that's not true. BTW, the java browser plugin is written in C code, AFAIK.

              • BTW, the java browser plugin is written in C code, AFAIK.

                Yeah, that's probably true.
                The problem was a design issue though, access granted where it shouldn't have been, not a language issue (it could have been done in any language).

  • by Billly Gates ( 198444 ) on Thursday October 22, 2015 @12:11AM (#50778815) Journal

    ... for those on Java 5/6 to get these updates.

    So wonderful our Cisco routers, SAP, and Kronos require +200 exploitable holes be on all corporate computers where I get blamed and writeups for cryptolocker infections.

    Needless to say our accounting department does not want to pay for an upgrade as they work fine.

    • Kronos is used at my workplace.
      We got the email today - "don't upgrade Java because it won't fucking work with Kronos trololo".

      It's absolute trash.

    • by Anonymous Coward

      Sounds like the issue is not with Oracle but either with the other products, which should be responsible for negotiating with Oracle to provide updates, or, if these products are end-of-life and thus no longer updated, with your company for employing end-of-life products for important critical business tasks.

  • Is that thing still around?

    • Re: (Score:2, Funny)

      by EmeraldBot ( 3513925 )
      Yes, but if I may say so, it's rather clear you haven't been...
    • Prepare for the wrath of the Oracle minions.

  • by Anonymous Coward

    ... get rid of that !@#$%^&* Ask Toolbar bug...

    When is there a bright hacker that can find a major bug in that thing in order to have it finally removed from the installation.

    • Install the open jdk if you want to avoid the nag of bundled software. It's curious to see how easily people complain about freely provided software when the advertising partnerships are part of how some people keep the lights on. You may not like the ask toolbar, nobody does, but would you rather pay for a license to use the JVM?
  • Java came out in 1991 and it's still being patched for security? Very lame indeed.
    • by MouseR ( 3264 )

      Let me get this straight...

      You're actually complaining about bug fixes?

      Disclaimer: I work for Oracle, but not in the Java group.

      • Well, everyone complains about Adobe Flash; they can't even get by for a week without someone outing a security bug they find, and Oracle manages to sit on 154 patches? For how long? Well over 6 months to my knowledge. MS releases fixes every month but Oracle... get my point? Why is Oracle getting a pass?
  • 99 little bugs in the code,
    99 little bugs in the code.
    Take one down, patch it around.

    127 little bugs in the code.
