Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dangerous Java Flaw Threatens 'Virtually Everything'

Posted by Zonk on from the let-it-cool-down-first dept.

Marc Nathoni writes with a ZDet article about a critically dangerous hole in the Java Runtime Environment. Due to the ubiquitousness of Java, this could prove a serious security problem. "Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk. 'Delivery of exploits in this manner is attractive to attackers because even though the browser may be fully patched, some people neglect to also patch programs invoked by browsers to render specific types of content,' said Lowe."

25 of 323 comments (clear)

  1. 'Virtually Everything' or 'Everything Virtual'? by Anonymous Coward · · Score: 5, Funny
    I think that

    Dangerous Java Flaw Threatens 'Virtually Everything' Should read

    Dangerous Java Flaw Threatens 'Everything Virtual' I mean, Java is just a freaking virtual machine, not the underpinnings of all laws of physics. I'm pretty sure my shoes and coffee mug are going to make it through this ordeal.
    1. Re:'Virtually Everything' or 'Everything Virtual'? by Vulva+R.+Thompson,+P · · Score: 5, Funny

      I'm pretty sure my shoes and coffee mug are going to make it through this ordeal.

      Speak for yourself, some of us use Java in our coffee mugs. The upcoming patch is supposed to correct a number of leaks.

  2. You forget... by greenreaper · · Score: 4, Funny

    What about the people using it to run nuclear reactors?

    1. Re:You forget... by Azar · · Score: 5, Funny

      Well, as long as they aren't using the nuclear reactor to browse warez sites, I think we will be fine.

    2. Re:You forget... by computational+super · · Score: 5, Funny
      I don't know Java, so I can't start a rational flamewar over why Lisp is better.

      Lisp is preferred in high-security installations (such as nuclear generators) because it's an extra layer of security. Even if a hacker can breach the outer defences, no actual human being can comprehend a Lisp program, so there's no danger of the hacker doing any damage.

      --
      Proud neuron in the Slashdot hivemind since 2002.
    3. Re:You forget... by jason8 · · Score: 3, Funny

      Have you heard of the major Lisp nuclear controller hack of a few years ago? Apparently, hackers somehow managed to get into a nuclear reactor site and make a copy of the top-secret Lisp program used to control the reactor. I can't post the entire program for security reasons, but I will post the last page:

      (Imagine a page full of right-parens)

    4. Re:You forget... by kabdib · · Score: 4, Funny

      Low tech is better.

      Those relays are powered by *steam*, and serve only to control arms in the corridor outside the control room which raise and lower colored flags. Mesopotamian runner-slaves note the configuration of the flags and carry messages to more slaves stationed near the reactor core who in turn are responsible for raising and lowering the control rods, who man the coolant pumps, and in a pinch, who sacrifice goats to the altar of O'krap, the God of Reactor Meltdowns.

      Speaking tubes were tried once ("Ahoy! More coolant on the starboard pile, and hoist up control rod three!") but finding reactor operators who knew Urdu was too difficult.

      The Nuclear Safety Council is considering a move to systems based on "electrics," but the committee responsible for this investigation has been unable to locate the inventors B. Franklin and T. Edison.

      --
      Any sufficiently advanced technology is insufficiently documented.
  3. Re:How...useful. :/ by radarjd · · Score: 3, Funny

    Okay, so which versions are vulnerable?

    The article sadly has little more information than the summary. It doesn't say which VMs, only that "exploit is browser independent, as long as it invokes a vulnerable Java Runtime Environment". In other words, the vulnerable VMs are vulnerable.

  4. For the Very Low Price of .... by slas6654 · · Score: 2, Funny

    ...Pure Hacking will provide a complete explanation of the vulnerability.

    For an additional undetermined sum, Pure Hacking will offer an ambiguous and nefarious fix for the vulnerability.

  5. Ubiquitousness? by iBod · · Score: 3, Funny

    >>Due to the ubiquitousness of Java, this could prove a serious security problem.

    Ah! That would be 'ubiquity' then?

    FFS editors!

  6. Doh, ignore the above :-) by greenreaper · · Score: 2, Funny

    That was yet another serious Java bug. Unless they've decided to review a story from January, which I guess is always possible.

  7. SOD - Superstition Obfuscation Demagoguery by kippa · · Score: 2, Funny

    Friday the 13th is the new April Fool's Day!

  8. Well, since this impacts Java... by pw700z · · Score: 5, Funny

    ...at least we can be assured whatever disaster happens, it will happen slowly. Just kidding!

  9. To quote Harry Dresden... by Anonymous Coward · · Score: 5, Funny

    Just because you are paranoid doesn't mean there isn't an invisible demon out to eat your face.

  10. Re:Anyone have details? by Geek+of+Tech · · Score: 4, Funny

    Among other things, it has been confirmed that cellphones, computers, handhelds, iPods, small children, toasters, garage door openers and SUV owners are all vulnerable to this flaw.

    The only device that isn't vulnerable to this is the Nintendo Wii. The theory is that the swinging of Wiimotes manages to sling the problematic code away from your device.

    If you think that your computer might be at risk, pick it up and start spinning in big circles. This might create enough force to dislodge any vicious code.

    --
    Stop the Slashdot effect! Don't read the articles!
  11. Re:Are you sure? by networkBoy · · Score: 2, Funny

    And then there is a buffer overflow event, causing data packed collisions, next thing you know I've got your mocha executing in my late.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  12. Re:Original AusCERT by profplump · · Score: 1, Funny

    Oh, and Sun wouldn't have had this problem if they'd used pure Java code rather than relying on an existing library.

    Yes. If only Sun would toss out all the C and re-implement their JVM in Java. How you'd launch the Java-based JVM is not clear, but once you got it going you'd never have to worry about buffer overflows again.

  13. Re:Original AusCERT by smittyoneeach · · Score: 3, Funny

    Well, if y'all goin' for the pure-Java solution, y'all obviously do the BIOS and bootleg^Wbootloader in Java, too.
    I mean, C is just portable Assembler, right? If C is the source of all them evil buffer overflows, I reckon that means Assembler's got 'em, too?
    Heck: me an' Jethro wuz wonderin' how these here computers ever got far enough along for the Sun to 'shine and the Java to perk.
    Yep. I reckon only them city slickers with all their fancy talk do anything but Java anymore, buncha used car salesmen.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  14. Re:Are you sure? by joshv · · Score: 4, Funny

    That's probably because the bug inside had failed and the battery started corroding causing it to expand and crack the mug.

  15. Just my luck... by bensafrickingenius · · Score: 3, Funny

    I just got done installing Java in 3 computer labs, and took the extra step of turning off that damn annoying autoupdate feature in the Java Control Panel on every machine. Crap, there goes my weekend...

    --
    I am not left-handed, either!
  16. Lava Flow by Kinthelt · · Score: 3, Funny

    Am I the only one who originally read this as: Dangerous Lava Flow Threatens 'Virtually Everything'?

    --

    "Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)

  17. Re:Is Apple affected? by Oswald · · Score: 3, Funny

    You know it is. Java is Write Once, Run Anywhere, remember?

  18. java updater gives me nothing by nuzak · · Score: 2, Funny

    This hole might have been a bit easier for Sun to patch if they hadn't made the automatic updater, jusched.exe such an unstable and annoying piece of junk. Or if they made updates work at all. My JRE is still beta 2 and has never seen an update since.

    Screw it. I run Windows anyway, it's not like my system isn't already full of holes. What's one more?

    --
    Done with slashdot, done with nerds, getting a life.
  19. Re:Original AusCERT by Anonymous Coward · · Score: 1, Funny

    Bunch of FUD-spreading fear-mongers. Hrumph.

    Plus if anyone does write an exploit it will take so long to load and run the thing that everyone will be patched anyhow. Hell, machines capable of running a Java exploit must still be at least five years away. The last time I checked you need about 2G of ram to run "Hello World" (the source takes about 700MB), and you'd best have a big page file to back it up too.

    But Java is getting faster and less bloated. They are learning to profile the language using the same methods that geologists use to track the drift of continental plates.

    Why is it that an infinite number of monkeys at an infinite number of typewriters would reproduce all human knowledge instantly, but they would take about 12 times the age of the universe to generate the Java API? Oh yeah, I guess they would still have to load the thing.

    At least the language is object-oriented. It would be inexcusable to any non-object-oriented language to become so huge and rancid. Can you imagine generating anything so horrible in C, Python, Perl, GW Basic, Fortran, etc without having the benefits of containers with 40 levels of abstraction? I guess you could write several million noop commands for every particle in the universe, but the compiler might be able to optimise that out.

    Hey, maybe if they add another 40EB of rancid filth to the language then someone might be able to declare an unsigned integer. Or maybe not.

    I'm kidding, of course. I love the language. It's just fucking great.

  20. Re:And people called me paranoid by Anonymous Coward · · Score: 1, Funny

    Shoosh! Good job I switched to Vista then :-)