Dangerous Java Flaw Threatens 'Virtually Everything'

← Back to Stories (view on slashdot.org)

Dangerous Java Flaw Threatens 'Virtually Everything'

Posted by Zonk on Friday July 13, 2007 @03:02AM from the let-it-cool-down-first dept.

Marc Nathoni writes with a ZDet article about a critically dangerous hole in the Java Runtime Environment. Due to the ubiquitousness of Java, this could prove a serious security problem. "Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk. 'Delivery of exploits in this manner is attractive to attackers because even though the browser may be fully patched, some people neglect to also patch programs invoked by browsers to render specific types of content,' said Lowe."

4 of 323 comments (clear)

Min score:

Reason:

Sort:

How...useful. :/ by Kintar1900 · 2007-07-13 03:05 · Score: 5, Insightful

Also, this exploit is browser independent, as long as it invokes a vulnerable Java Runtime Environment
Okay, so which versions are vulnerable?
Extraordinary claims require extraordinary proof by AKAImBatman · 2007-07-13 03:08 · Score: 5, Insightful

Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk. "Java runs on everything: cell phones, PDAs, and PCs. This is the problem when you have a vulnerability in something so modular--it affects so many different devices.," said Gatford.

No offsense, but that's a rather incredible claim. They're saying that no matter if you're running a JVM on the server, cell phone, applet, desktop, or just about any other environment, you're vulnerable? I'm sorry, I can't accept that without extraordinary proof to back up such extraordinary claims.

Java was designed from the beginning with security in mind. Its security infrastructure has been tested for over a decade now. Any and all exploits have always been a flaw in the specific JVM or interface between the JVM and the OS. (Something which has been plauging browsers and other network-aware applications.) Now some security expert is saying that it doesn't matter what you're doing because Java as a whole is flawed?

It seems more likely to me that they're blowing the whole thing out of proportion and thereby spreading FUD. It's more likely that it's yet another security hole in specific JVMs and someone here is expanding that to all of Java. I'll happily look at the evidence to the contrary as soon as it becomes available.

Oh, and upgrades for Desktops is not too big of a deal. Java currently includes an autoupdater that should take care of the issue. All that's left is to deploy updates to servers, should these fellows actually prove that the language you're using somehow conveys a serious security through port 80. :-/

--
Javascript + Nintendo DSi = DSiCade
TFA is extremely vague by Aefix · 2007-07-13 03:09 · Score: 5, Insightful

I'd say borderlining FUD. What help is it to tell us that there's some huge security bug without telling us what it is?
Re:You forget... by timster · 2007-07-13 03:45 · Score: 5, Insightful

Commercial nuclear reactors, at least in the US, are controlled via relays, not integrated circuits. The control room for a nuclear plant looks a lot like the array of switches and dials on the spacecraft in the movie Apollo 13, scaled up to fill a large room. You might see some more modern technology used for recording or monitoring purposes, but the fundamental operations are not based on anything as unreliable as software.

--
I have seen the future, and it is inconvenient.