Java/Script Alert: Cross-Platform Browser Vulnerability
Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are vulnerable to remote command execution. This has been tested on Microsoft, and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected."
Update: 06/08 23:56 GMT by H: The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability.
Update: 06/09 00:56 GMT by T: According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)
I'm going to stick my neck out here and say, What.In.The.Hell? Who's the editor on-duty here, an Onion stand in?
First of all, the example made is JavaScript, not Java. Second, the example shows how to bring up a page 23000 seconds after they left the page. Not good, but not new either. So what's the big deal?
A programmer is a machine for converting coffee into code.
Java is NOT THE SAME THING as JavaScript.
Come on slashdot editors, it's not hard to know the difference (this is in reference to the article title).
</rant>
- tristan
that this is a troll by the bugtraq poster to confuse people on the Java JavaScript issue?
if you turn off JavaScript, you turn off the vulnerability.
Man, talk about a one-liner to give the anti-Java folks.
The coolest voice ever.
" The user base for these two browsers combined is infinitesimal compared to IE. It thus stands to reason that all of the bugs and vulnerabilities of these browsers lay dormant, "
It would seem to me that the opposite is true. Mozilla goes out of their way to make it easy to report bugs and problems, while with MSIE all there is is a feedback thing buried in the Help menu that is likely a black hole resulting in nothing but spam.
Microsoft has a habit of leaving bugs and problems in place for years, while the Mozilla guys appear to be much more responsive. After all, they killed popups for their browser.
In other words, it seems to me that Mozilla has a much better and much more developed "improve the product and get rid of bugs" system going than Microsoft does for MSIE.
(I'm still waiting for MS to turn on the "bottom of the browser line that shows links, progress, etc" that they removed.)
"You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers"
The Mozilla guys are much more accountable: look at the forums they have for dealing with problems. Also, they have to be accountable or people will choose "No Mo' !". In contrast, Microsoft does not have to be accountable with MSIE: whether or not anyone likes it, they give it away as the default browser on just about all PC's.
Don't blame Durga. I voted for Centauri.
At first blush this seems plain wrong.
There's not really enough evidence in the post to go on, but the example exploit is pure nuisance java script, which has nothing to do with java.
Reference is made in the text to ancient *java* bugs, but no detail is given as to how they might be related to the current, claimed bug.
If there's more here than meets the eye I'd like to see it, but there doesn't seem to be any meat in this announcement, it seems to be just a historical retrospective and an annoying-but-not-dangerous-or-new snippet of javascript.
Am I missing something here?
He who fights with monsters should see to it that he does not become a monster in the process.
It's pretty clear that IE's problems are slowly but surely being squashed. When you have a user base as large as IE's, it is inevitable that these problems will be found quickly and exploited and then fixed. We can take this as an indication that the larger the user base of a software product, the faster bugs will be found and eliminated.
..Not to mention it flies entirely in the face of the fact that IE has the most piss-poor standards support of any modern browser. (CSS in particular).
It's pretty clear, judging by this and some of your former posts, that you work for Microsoft or at least enjoy spreading their nonsense FUD. Your assumptive argument--that a smaller user base means that OSS has more undiscovered bugs--is entirely illogical.
Now take Mozilla and Opera as opposing examples. The user base for these two browsers combined is infinitesimal compared to IE. It thus stands to reason that all of the bugs and vulnerabilities of these browsers lay dormant, waiting for someone to come along and exploit them. But without a serious user base hammering away at the product all of these problems lie wide open for any hacker to come along and abuse.
There you go again. You seem to miss the point entirely that having code open for review allows "hackers" to find security holes much faster and easier. So if a problem exists, it gets fixed much sooner than a closed source program which requires a lot more prodding and guesswork to discover the vulnerabilities. And yet IE still has historically had far more security issues than Mozilla.
Just because you don't use Microsoft products doesn't mean that you aren't vulnerable. You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers.
Yet another patently untrue statement. Microsoft products have a far worse history of vulnerabilities than Open Source alternatives. Again your comment about "lack of users" is irrelevant. And your statement that OSS developers lack accountability is entirely baseless.
The M$ dominated world is quickly coming to an end and there's absolutely nothing you can do about it. For your own sake, wake up before you become entirely obsolete.
No, what would be ironic is if an entire website full of know-nothing blowhards constantly touted any and all browsers except one because that one "had security vulnerabilities" and then a security vulnerability came along that worked in every browser except the one the jackwits hated. That would be ironic.
This message seems very strange.
Take, for example, the commentary:
There are many, many more issues than I have discussed. The minimal release is for giving the blackhats time to play.
Furthermore, the language used is like nothing I have ever seen before.
The poster states that this is a Java problem, but then states that any browser with Javascript is vulnerable to remote command execution. He/she then goes on to give an exploit which has nothing to do with either Java or remote command execution.
The first exploit doesn't seem like much of an exploit either. Instead, it seems that the script opens a popup, and then at some later time, changes its content. What is wrong with that?
As for the other exploits, they don't seem to have anything to do with the first exploit. They seem to be old Java exploits.
At the end, the poster recommends everyone turn off Java. But at the beginning, the poster said that everything with Javascript enabled is vulnerable, and the first exploit has nothing to do with Java.
Overall, I think it is easy to see that this poster was a troll. The general statements that are made, the lack of any specific information, and the mixing of unrelated exploits seem to make this quite obvious.
(Apologies if you did write the original yourself, but I didn't get the feeling that is the case.)
I guess it was some scriptkiddie looking for five years for a bug in the javascript implementation, so he can tell his l33t friends how evil javascript is and everybody should disable it RIGHT NOW* and how l33t html 1.0 is and why everybody should use animated gifs instead of the hr tag. this must be the most exciting day for him... finally he can post something to bugtraq and get r33l l33t and even make it to the slashdot frontpage. His exquisite choice of various l33t wordZ speaks for his skillz. * (Note that he actually suggests to switch off Java)
lack of accountability of the OSS project developers.
1) Many OSS developers are employed by companies (AOL/Time, RedHat, IBM, etc.) that they must be accountable to, and 2) Unlike proprietary products, when an OSS app does something wrong, people point and go "This is the schmuck that did it." There is a lot of accountability when everyone can see what you code.
And a larger codebase doesn't help much when the vast majority of that codebase does the same exact thing online. You tell me how many old ladies checking their MSN mail and ordering E-greeting cards it would take to find this vulnerability.
I'm not saying everyone using IE is dumb, or that everyone using Linux is smart. What I am saying is that thousands of users just like me wouldn't have made this problem any more visible. I would never have stumbled upon this. Moreover, I can guarantee you that many more Linux/Mozilla users are tech-savvy and fill out their bug reports compared to Windows users. Besides, it "stands to reason" that Mozilla could fix bugs faster. IE users trust a small few people to their security; if they don't fix it no one will. In the OSS world, it only takes a couple frustrated coders tired of a vulnerability to have it fixed.
We're a community, Windows users are consumers.