Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dangerous Java Flaw Threatens 'Virtually Everything'

Posted by Zonk on from the let-it-cool-down-first dept.

Marc Nathoni writes with a ZDet article about a critically dangerous hole in the Java Runtime Environment. Due to the ubiquitousness of Java, this could prove a serious security problem. "Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk. 'Delivery of exploits in this manner is attractive to attackers because even though the browser may be fully patched, some people neglect to also patch programs invoked by browsers to render specific types of content,' said Lowe."

4 of 323 comments (clear)

  1. Re:You forget... by Anonymous Coward · · Score: 5, Interesting
    I'm pretty sure that Java's license explicitly states that it should not be used to run nuclear reactors. You might think I'm joking but from here:

    You acknowledge that Licensed Software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility. I'm not certain but I once heard someone say that languages like Lisp are used in nuclear facilities because they are quick, stable and can be analyzed mathematically to be proved 'correct.' The garbage collector causes Java to be none of these. Also, I think that since Lisp is interpreted, you can switch a program with another modified program without losing execution or control. Not too sure on the details of that though.
  2. And how? by khasim · · Score: 3, Interesting
    I'm not seeing ANYTHING there aside from melodramatic hyperbole.

    "It would be an extremely difficult and laborious process for an organization trying to patch Java Runtime across the enterprise," he said.

    WARNING! WARNING! WARNING! WARNING! WARNING!

    Wouldn't you just roll it out the same as with any other patch?

    Without any more information and judging from comments such as that, I'm going to say that this "threat" will soon be found to be nothing. Just more Internet hype from someone trying to make a name for himself.
  3. here is the security flaw by Anonymous Coward · · Score: 3, Interesting

    I'm pretty sure this is it:

    http://groups.google.com/group/ph4nt0m/msg/05b1131 63fb0cc55

  4. Re:not FUD by AKAImBatman · · Score: 3, Interesting

    If applets are vulnerable, that's not FUD, it's serious.

    Of course it's serious. That doesn't mean that it affects everything from mobile devices to servers! That was just plain FUD on the part of the article. They made it sound like every implementation of Java ever was now vulnerable and there is nothing we can do about it. In reality, it's a serious problem, but far less so than advertised. In fact, nearly all desktops should be updated by now thanks to the Java autoupdater.

    Unfortunately, Java sucks for writing that kind of code.

    Oh, don't start. I've written plenty of image and datafile loading routines in Java. You don't get nice "struct" features* for memory management, but that doesn't materially impact the ability to load and parse the data. The biggest thing to remember is that some formats use endians in something other than network order. (I'm looking at you Ronald Rivest! Do you know how much it would have saved me if MD5 used the same byte order as every other RFC under the sun? Grr...)

    * I did write a proof-of-concept "struct" pre-processor once in an attempt to make a colleague happier. It basically added a new form of class type other than "class" and "interface". When parsed, it would be transformed into a ByteBuffer object with getX()/setX() accessors/mutators that accessed the correct locations of the buffer.
    --
    Javascript + Nintendo DSi = DSiCade