Cross-Platform Java Sandbox Exploit
DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.
I think this tries to highlight another reason why allowing a third party to review your code is a good thing.
Generally, the most cost-effective way can be an open source model (there are others!).
[ Monday is a terrible way to spend one seventh of your life. ]
It's the browser-based sandbox that's the culprit here, not Java. Saying it's a problem with Java is like saying an IE exploit is a problem with HTML.
And it's a Java plugin vulnerability, so a website running Java on the server side is not affected.
while (!asleep()) sheep++
From the Sun website:
"...through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet."
A Unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
The "patch before admitting the problem" thing DOES happen on Windows.
But when it happens on Windows it is Microsoft "covering up their vulnerabilities".
Apparently, for you, when someone else does it they are doing something good...
Security by Obscurity, no matter who does it, it is still bad. Just because the WHOLE WORLD didn't know about it, doesn't mean some virus writer didn't; it just meant everyone continued to use un-patched Java installs in blissful ignorance of the risk.
There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform. However, this is a single bug. With ActiveX, you are in problems if there is a bug in *any* ActiveX component that is safe for scripting. So the target is way smaller with Java. Obviously that also makes it possible to vigourously (no spell check available - dang) test that part, so no excuse for Sun for not doing that.
Note that there are very few security notifications with Java. I can remember a few buffer exploits in the VM (not in the Java applications itself, that's impossible, unlike ActiveX). Java makes it much easier to write secure code. So the chance of serious bugs occurring is smaller (bugs tend to be in the design, not so much in the implementation). But it is definitely not a holy grail, mistakes can be made as you can see.
So is it a serious bug: answer YES. Does that make Java (/.NET managed code) a bad idea: NO. Do you need to upgrade: certainly. Is Java as bad as ActiveX in the browser: definitely not.
"There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform."
What you should have really noted was that this is a bug in the security implementation of Java. Which is bad.
ActiveX, on the other hand, doesn't HAVE a security implementation in which to get such a bug, which is terminally bad.
A virus writer's dream!
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
"Write once, infect everywhere."
> > hasn't to date been a single Java virus.
>
> ...that we know about...

True, and it's worth noting that the quote I offered above came from Jonathan Schwartz, who - just possibly - might be biased. I'm still more inclined to trust a platform with no visible viruses than platforms with very obvious viruses. Put another way, I'm in no hurry to locate a browser that supports ActiveX.
This is where the serious fun begins.
The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.
When Java first came out, people found lots of security problems with its sandbox; there were both fundamental flaws in Java's type system and problems in Sun's implementation. That aspect of Java was subject to intense scrutiny back then because Sun had positioned Java as a new way of delivering client applications, which depended critically on sandboxing. The vision was that Java would replace heavy desktop apps.
These days, it doesn't matter much anymore: Java has failed to achieve its goals on the client; you can browse perfectly fine with applets disabled and never even notice. And for Java's current server side uses, sandboxing isn't really that important. So, people stopped finding flaws in Java's sandbox because they stopped looking--it just doesn't matter to anyone anymore.
I think Java's original vision of a thin client platform for high-quality applications delivered through the Internet is still relevant, but Java won't be able to fulfill it anymore: it has become too bloated and too complex. More likely, that niche will be filled by an updated version of Flash (yuck), XUL, or, perhaps, something entirely new.
Would you care to post more information? (It's not that I don't believe you, it's just that I don't see anything about it anywhere)
Open source, although a wonderful thing which should be given away at school bake sales, church meetings, and NASCAR rallies, is not a silver bullet. Case in point - the Firefox browser (which I use and love) has already had several security flaws (e.g. the same JPG flaw as IE) for which exploits have been released. The major reason we don't see more is *not* because it's so much more robust - it's because it still doesn't have the visibility and marketshare of IE, not to mention the raw hatred of ubergeeks around the world. I know, I know - the marketshare is going up, and as a faithful user I'm honestly torn. I'd love for it to be successful, and for Microsoft to have some kind of competition, but for now, Firefox is pretty safe. Give it the marketshare, and watch all those 2600-loving eyes start reappraising their goals.
daniel
Browsers aren't responsible for sandboxing plugins--in fact, they couldn't do it if they wanted to. Sandboxing is exclusively a function of the language and its runtime, in this case Java. If Sun's Java plugin allows the execution of dangerous code by untrusted code, it is Sun's fault. Note also that this is not the first time that this has happened.
Fortunately, the solution is simple: just turn off Java applets in your browser. These days, you won't be missing anything important on the web by doing so.
The nice thing is that if you are using Linux, Java is most likely not running as root, and therefore less likely to mess around with your OS, or files which that user does not have access to. Therefore, it's probably hard to get something into a startup script, and to create a virus that would be around after you rebooted the computer.
End of Line.
Who the hell moderates stuff like this as "insightful"? I don't have any exact numbers in front of me (nor will I spend the time to find them), but I can safely tell you that over their respective lifetimes, ActiveX has suffered many orders of magnitude more exploits than Java ever will. The only meaningful caveat I can think of to this statement is the "default" Java runtime environment (that used to be) packaged with Internet Explorer that is written by Microsoft. Of course, you can hardly attribute any problems with that to Java because Microsoft built it on top of ActiveX and took very little interest in security when doing so.
Also, I should point out that any of the theoretical exploits will do more damage on Windows than on other platforms because Windows is insecure. It seems that any code running on a Windows box has, one way or another, unbridled access to resources that should be above the user's privileges, but that's an entirely different situation altogether...
Why bother.
> But sandboxing is not a function of the language - it is solely a function of the runtime.
Pedant alert. In this case, ignorant pedant alert. The runtime is the Sun(R) Java(tm) Runtime Environment(tm), and Sun has lawyers who will do bad things to you if you claim the Java moniker does not apply to the JRE (which includes plugins for several popular browsers). Cue "Java is a platform" blather from Sun execs.
In this case, they are simply being hoisted on their own petard. It is a bug in Java. The Platform (or, if you prefer, the thingamajig they sell/give away). Period.
Go somewhere random
while (!asleep()) sheep++
Security by Obscurity, no matter who does it, it is still bad. Just because the WHOLE WORLD didn't know about it, doesn't mean some virus writer didn't; it just meant everyone continued to use un-patched Java installs in blissful ignorance of the risk.
You're saying that vulnerability details should be announced before patches are completed? I'm afraid I disagree. There's a fair bit of evidence (see stories here and here) that black hats are using vulnerability announcements and patches to find exploits rather than finding them themselves. If that's the case, keeping vulnerabilities quiet until the software company's had a chance to patch them is a good idea, even if security through obscurity is in general a bad idea.
You sir are reacting like an idiot. You list applications that do not work and then blame the language. Blame the application writers, not the language. This is like saying "C++ sucks, look how buggy and insecure Windows is, C++ must be to blame, not the developers." Thanks then post.
so in Linux it can "only" trash the user's home directory.
I think a lot of Linux zealots tend to downplay the importance of the home directory. After all, if you're a smart user and don't run as root, all your important data is going to be in the home directory (and possibly other directories where your user has permissions). I could care less if the OS install gets wiped out -- that can easily be replaced. The data in my home directory can't. In that regard, losing your home directory is just as bad as losing the entire system.
All of what you say is true, but you omit the possibility of a multi-user system. If a single user has non-root permissions he can only destroy his own data, not those of others.
Why is anything anything?
"There are already proof of concept viri that work on both linux and windows."
This has been covered ad-infinitum, and is a non-issue. If you can write to an executable file, you can potentially create a virus for the host system. This has always been a big problem for Microsoft based systems because such systems have no file protections. Anything on Microsoft systems can write to any executable file, hence viruses flourished this way.
Microsoft then must have decided that virus writers had to work too hard to destroy Windows based systems, because Microsoft then coupled automatically-executed scripting languages with all its major products.
Linux systems have files with both an owner and access rights. By default, all executables found on non-developer machines are owned by the administrator and are unwriteable by regular users. Hence the difficulty of Linux viruses propagating.
Adding to that, no one has been brain damaged enough to create a Linux based email program that includes a scripting language that automatically executes attachments. If Microsoft -really- wanted to harm Linux, it would port all its products over to Linux. Nothing destroys security faster than Microsoft. Further yet, no one has been brain damaged enough to write a Linux based email program that sets the execution bit on a downloaded file.
All known supposed "proof of concept" viruses for Linux are nothing of the sort, since they don't work. No one has yet figured out how to make a virus propagate on a typical Linux system without the express permission of the administrator.
The best anyone has been able to do to Linux is to manually exploit buffer overflows in specific server software on specific sites. Linux users will still be safe from viruses for the foreseeable future. It will require ineptitude of Microsoftian proportions to change that.
I think this tries to highlight another reason why allowing a third party review your code is a good thing
How?
Haven't exploits been found in third party reviewed code?
Certainly some people get overly smug about free software being more secure. More users means more people finding normal bugs. Security holes, however, aren't usually found by casual users trying to use the software as intended. Security is achieved not by exposing the source to many eyeballs, but to the right eyeballs.
The source for Java is downloadable, feel free to review it...
When was the last time you reviewed any OSS project's code?
I think this tries to highlight another reason why allowing a third party review your code is a good thing
How many bugs like this have been found in the plug in? How many have been found in Apache and Sendmail?
open source does not prevent security bugs. why don't you go google for mozilla or firefox security problems. they existed. they were quickly patched, as was the issue you're ragging on sun about. for a platform that is as widely used as java, there have been amazingly few security issues. huh? i guess that proves that open source is not the way to go right?
slashdot reminds me of right-wing radio more and more. it's a place where people come to have their beliefs re-affirmed and not for real discourse and facts.
now, this thread, like many others, is just a bait to get
the last thread i read about sun had some guy stating that sun was crap because they didn't include enough tools, and he cited the lack of gzip. solaris has bundled gzip for many, many years. you know what also? when i installed linux back in 1994 on my 80386, 66Mhz PC, linux didn't include gzip either. huh! linux sucks!
The parent is right, client-side Java is dead.
Client side Java is not dead. Applets may be, but client side GUI applications are still being written. Ask the Eclipse people if they think it is dead.
Bitter and proud of it.