2 Years Later, Java Security Still Broken By Faulty Oracle Patch

An anonymous reader writes: A faulty security patch has left Java users vulnerable to attacks for the past two years, researchers from Polish security firm Security Explorations are claiming. The issue in question is CVE-2013-5838, which was discovered and patched in October 2013. Two years later, going back over their research, the same security researchers have now discovered that Oracle had not only misclassified its impact but also botched the fix. In a Full Disclosure exposé, the researchers say that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch.
  • Again? (Score:4, Interesting)

    by jbmartin6 ( 1232050 ) on Friday March 11, 2016 @11:42PM (#51682941)
    I can't find the details, but I vaguely recall Oracle doing this with other 'patches' as well, simply blacklisting the exploit instead of fixing the vulnerability.
    • Hi,

      This vulnerability only applies to Applets or Java Web Start- SANDBOXED environments. It doesn't matter for any real-world scenario- server apps or desktop apps or Android apps.

      Thing is, sandboxed java is insecure, and by this point it's obvious it's pretty much impossible to secure. So applets or JWS will remain insecure, but they should not be used in the first place and they are barely used in real world anyway these days. Today java is used in BigData/backend/server-side/web-server apps, or in
      • by ls671 ( 1122017 )

        Just consider that running Applets/JWS is just like running a desktop application. Forget about the security manager and its setting in Applets/JWS. Just assume an "allow all" configuration.

        Then, there is still a use for Applets/JWS when you trust the provider as you would trust him to install a desktop application coming from him. Code signing and signature verification is available in both cases. From that perspective, you can still deploy your desktop application through JWS if you wish without any addit
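As an added example (written for this page, not Oracle's tooling and not the checks Java Web Start itself performs): if you follow the advice above and treat a JWS or applet JAR exactly like a desktop installer from a vendor, the thing you actually want to verify before running it is that every entry is signed and that each signer chains to a CA you chose to trust, not merely to something in the JRE's default cacerts. The file names, the separate truststore and the disabled revocation checking are assumptions of the example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * JarTrustCheck: verify that every class/resource in a JAR is signed and that
 * each signer chains to a CA in a truststore *we* chose.
 *
 * Illustrative code written for this page; not Oracle's tooling and not the
 * same checks Java Web Start performs. Usage (file names are placeholders):
 *
 *   java JarTrustCheck app.jar my-truststore.jks [truststore-password]
 */
public class JarTrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: JarTrustCheck <jar> <truststore> [password]");
            System.exit(2);
        }
        File jar = new File(args[0]);
        char[] password = args.length > 2 ? args[2].toCharArray() : null;

        // Truststore holding only the CA certs we accept as code-signing roots
        // (TrustedCertificateEntry entries). Deliberately NOT the JRE's cacerts:
        // "signed by somebody" is not the same as "signed by someone we trust".
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, password);
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // assumption: offline demo; enable OCSP/CRL in production
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        Set<X509Certificate> signers = new LinkedHashSet<>();
        int unsigned = 0, checked = 0;
        byte[] buf = new byte[8192];

        // verify=true makes the JDK compare each entry against the digest recorded in
        // the signed manifest as the entry is read; a tampered entry throws SecurityException.
        try (JarFile jf = new JarFile(jar, true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed content
                }
                checked++;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain: the digest is checked at EOF */ }
                }
                // getCodeSigners() is only populated once the entry has been fully read.
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) {
                    unsigned++;
                    System.out.println("UNSIGNED  " + e.getName());
                    continue;
                }
                for (CodeSigner s : cs) {
                    CertPath path = s.getSignerCertPath();
                    // Throws CertPathValidatorException if the chain does not end at one of
                    // our trust anchors (or is expired, has the wrong key usage, etc.).
                    validator.validate(path, params);
                    signers.add((X509Certificate) path.getCertificates().get(0));
                }
            }
        }

        for (X509Certificate c : signers) {
            System.out.println("SIGNER    " + c.getSubjectX500Principal());
        }
        System.out.println(checked + " entries checked, " + unsigned + " unsigned");
        // Treat the JAR like an installer: reject it outright if anything is unsigned.
        System.exit(unsigned == 0 && !signers.isEmpty() ? 0 : 1);
    }
}
```

Two caveats a practitioner would want: a partially signed JAR (some entries signed, others not) is exactly the case the unsigned counter catches, and a signature that was timestamped but whose certificate has since expired will fail here unless you set the validation date from `CodeSigner.getTimestamp()`. `jarsigner -verify -verbose -certs app.jar` prints the same signer information, but deciding whether those signers are ones you trust is still on you; a valid signature only tells you who shipped the code, not that the code is safe to run with "allow all".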

  • by Anonymous Coward on Friday March 11, 2016 @11:48PM (#51682955)

    FTA "... a sandbox exploit for Java Web Start applications and Java applets."
    Great, just label it all "Java", shall we?
    Never mind that neither the JREs nor server JDKs running countless web applications around the world are vulnerable. Never mind that Android is not vulnerable just for using Java. Ignore the existence of OpenJDK entirely.
    Just say it's a critical flaw in "Java" security. FFS.

    PS Don't use Java Web Start or Applets.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      PS Don't use Java Web Start or Applets.

      Yeah, but that shit was installed and enabled by default for the longest time with what we call "Java", and being that the exploit targets the web facing Java code, it's all the more exploitable and dangerous.

BTW, are you an Oracle shill? Java is shit, shit. Triple shit, has always been shit, the register VM design bogus and less efficient than even old ass VMS. Eat dick Sun / Oracle. Java is dead. Android converts Java code into Dalvik, and compiles on install into [mostly] machine code (not to menti

      • by Anonymous Coward

        , the register VM design bogus

Shit, I meant Java's STACK-based VM is bogus. Register VM, as in Dalvik et al., is god-tier.

by DamonHD ( 794830 ) on Saturday March 12, 2016 @03:57AM (#51683571)

        With regard to your "Java is shit, shit" you are talking nonsense and should take some deep breaths. Really, grow up. And the rude words don't add gravitas either.

        I use and have used many languages over the last 40 years, 30 professionally, and while Java is not perfect *NOR IS ANYTHING ELSE*. I'm having to use C/C++/ASM again at the moment and would much prefer the inherent safety against, for example, buffer overflows from coding errors of Java, but the run-time is too expensive for my current main application.



      • Re: (Score:2, Troll)

        by gnupun ( 752725 )

Java is shit, shit. Triple shit, has always been shit... Android converts Java code into Dalvik

        BS! Dalvik is just another implementation of Java VM. Android apps are Java -- java language, java API, java VM concepts/features. Just having a different VM implementation does not negate the fact that it's java code. Stop appropriating other people's technology, making small changes, relabeling it and calling it new and novel.

      • by Anonymous Coward

        Wow, where to begin.

        Dalvik has been discontinued. Womp womp.

        RISC architectures can certainly have their stacks smashed. You don't understand (a) what a stack-based architecture (e.g. x86) is versus a load-store architecture (e.g. SPARC) is and (b) what stack-smashing actually is.

        If you had a good understanding about these topics, you wouldn't say such stupid things.

        Java (the language) is fairly good, if not quite as expressive as some of the more recent, trendy languages. The JVM itself is actually VERY wel

        • by Megol ( 3135005 )

          X86 isn't a stack-based architecture, those architectures are called stack machines which - again - the x86 isn't an example of.

Very few computers don't have stack support, either in hardware or as a software convention, as it helps make things like re-entrant calls possible.

  • by Lisandro ( 799651 ) on Friday March 11, 2016 @11:56PM (#51682987)

    It runs in a virtual machine and my Oracle rep tells me those are bulletproof!

  • by Anonymous Coward

    is the single worst human being on the entire face of the earth.

    I don't use his software, and neither should anyone else.

    CAPTCHA: Opulent. You can't make this shit up....

  • by Anonymous Coward

    I wish Sun Microsystems hadn't been sold to Oracle. It was necessary, but still it's a pity.

    A lot of smart people were at Sun. James Gosling, Jon Bosak, ... I hate to see collections of really smart people get broken up.

    • by HiThere ( 15173 )

      Maybe. But I still wish Java had non-object structs. I like being able to save binary images to disk without a bunch of serialization...and pull them back without a bunch of deserialization.

      For that matter, if they're going to add so many features into the language, why don't they add a persistent storage B+Tree. I rarely need or want SQL, but a built in B+Tree would be immensely useful. And I don't mean one elaborated the way libdb (SleepyCat) is...more like the way it was, only built into the languag

by roman_mir ( 125474 ) on Saturday March 12, 2016 @12:36AM (#51683121)

    18 years later and /. still allows nonsensical titles on its front page.

    Java is a bloody language, not a thing that breaks your computer.


    Unspecified vulnerability in Oracle Java SE 7u25 and earlier, and Java SE Embedded 7u25 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

    Per [] 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.'

    Java is mostly used as a language and runs on server side JVMs, not in people's browsers.

    Oracle, however, is a piece of shit company and its incompetence is legendary, it is a truly sad situation and as I wrote years ago, I bet the likes of IBM and Google are sorry now that they didn't manage to buy out SUN's assets before Oracle did.

You didn't read the article, did you?

Oct 2013 indicated that Issue 69 could "be exploited only through sandboxed Java Web Start applications and sandboxed Java applets". This is not true. We verified that it could be successfully exploited in a server environment as well such as Google App Engine for Java [4].

      Thank you.

    • 18 years later and /. still allows nonsensical titles on its front page.

      People don't like change.

  • big deal (Score:2, Flamebait)

    by ooloorie ( 4394035 )
    Java security has pretty much always been broken in one way or another anyway, so who cares?
