Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dangerous Java Flaw Threatens 'Virtually Everything'

Posted by Zonk on from the let-it-cool-down-first dept.

Marc Nathoni writes with a ZDet article about a critically dangerous hole in the Java Runtime Environment. Due to the ubiquitousness of Java, this could prove a serious security problem. "Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk. 'Delivery of exploits in this manner is attractive to attackers because even though the browser may be fully patched, some people neglect to also patch programs invoked by browsers to render specific types of content,' said Lowe."

50 of 323 comments (clear)

  1. And people called me paranoid by nimr0d · · Score: 4, Insightful

    When I told them NoScript was a great plugin.

    --
    SmartBox
    1. Re:And people called me paranoid by nimr0d · · Score: 5, Informative

      Except NoScript blocks Java from any unapproved pages, effectively making it have everything to do with this article ;)

      --
      SmartBox
    2. Re:And people called me paranoid by 3p1ph4ny · · Score: 4, Informative

      you're right, except it has little to do with java ;)
      Actually, NoScript has an option to block Java, Flash, and all other plugins. So it does, in fact, have something to do with Java.
  2. How...useful. :/ by Kintar1900 · · Score: 5, Insightful

    Also, this exploit is browser independent, as long as it invokes a vulnerable Java Runtime Environment

    Okay, so which versions are vulnerable?

    1. Re:How...useful. :/ by radarjd · · Score: 3, Funny

      Okay, so which versions are vulnerable?

      The article sadly has little more information than the summary. It doesn't say which VMs, only that "exploit is browser independent, as long as it invokes a vulnerable Java Runtime Environment". In other words, the vulnerable VMs are vulnerable.

    2. Re:How...useful. :/ by shawnce · · Score: 5, Informative

      According to CVE-2007-2788 and CVE-2007-2789 any version of Java before "1.5.0_11-b03" and "1.6.x before 1.6.0_01-b06".

  3. 'Virtually Everything' or 'Everything Virtual'? by Anonymous Coward · · Score: 5, Funny
    I think that

    Dangerous Java Flaw Threatens 'Virtually Everything' Should read

    Dangerous Java Flaw Threatens 'Everything Virtual' I mean, Java is just a freaking virtual machine, not the underpinnings of all laws of physics. I'm pretty sure my shoes and coffee mug are going to make it through this ordeal.
    1. Re:'Virtually Everything' or 'Everything Virtual'? by Vulva+R.+Thompson,+P · · Score: 5, Funny

      I'm pretty sure my shoes and coffee mug are going to make it through this ordeal.

      Speak for yourself, some of us use Java in our coffee mugs. The upcoming patch is supposed to correct a number of leaks.

  4. Extraordinary claims require extraordinary proof by AKAImBatman · · Score: 5, Insightful

    Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk. "Java runs on everything: cell phones, PDAs, and PCs. This is the problem when you have a vulnerability in something so modular--it affects so many different devices.," said Gatford.

    No offsense, but that's a rather incredible claim. They're saying that no matter if you're running a JVM on the server, cell phone, applet, desktop, or just about any other environment, you're vulnerable? I'm sorry, I can't accept that without extraordinary proof to back up such extraordinary claims.

    Java was designed from the beginning with security in mind. Its security infrastructure has been tested for over a decade now. Any and all exploits have always been a flaw in the specific JVM or interface between the JVM and the OS. (Something which has been plauging browsers and other network-aware applications.) Now some security expert is saying that it doesn't matter what you're doing because Java as a whole is flawed?

    It seems more likely to me that they're blowing the whole thing out of proportion and thereby spreading FUD. It's more likely that it's yet another security hole in specific JVMs and someone here is expanding that to all of Java. I'll happily look at the evidence to the contrary as soon as it becomes available.

    Oh, and upgrades for Desktops is not too big of a deal. Java currently includes an autoupdater that should take care of the issue. All that's left is to deploy updates to servers, should these fellows actually prove that the language you're using somehow conveys a serious security through port 80. :-/
    --
    Javascript + Nintendo DSi = DSiCade
  5. TFA is extremely vague by Aefix · · Score: 5, Insightful

    I'd say borderlining FUD. What help is it to tell us that there's some huge security bug without telling us what it is?

  6. You forget... by greenreaper · · Score: 4, Funny

    What about the people using it to run nuclear reactors?

    1. Re:You forget... by Azar · · Score: 5, Funny

      Well, as long as they aren't using the nuclear reactor to browse warez sites, I think we will be fine.

    2. Re:You forget... by Anonymous Coward · · Score: 5, Interesting
      I'm pretty sure that Java's license explicitly states that it should not be used to run nuclear reactors. You might think I'm joking but from here:

      You acknowledge that Licensed Software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility. I'm not certain but I once heard someone say that languages like Lisp are used in nuclear facilities because they are quick, stable and can be analyzed mathematically to be proved 'correct.' The garbage collector causes Java to be none of these. Also, I think that since Lisp is interpreted, you can switch a program with another modified program without losing execution or control. Not too sure on the details of that though.
    3. Re:You forget... by Ambitwistor · · Score: 4, Insightful

      Lisp is traditionally garbage collected. I suppose you could modify a Lisp to operate without a GC, but you could probably modify Java the same way. Perhaps you're thinking of another language?

    4. Re:You forget... by wol · · Score: 3, Informative

      While Lisp might be used for nuclear facilities, it is not because of lack garbage collection or because it is only interpreted. Lisp has garbage collection and while development typically takes place using the interpreter, the production program is typically compiled. I don't know Java, so I can't start a rational flamewar over why Lisp is better. (Irrational flamewars, on the other hand...)

      --
      If you think deeply enough, you will have no single direction for your outrage.
    5. Re:You forget... by JesseMcDonald · · Score: 5, Informative

      I'm not certain but I once heard someone say that languages like Lisp are used in nuclear facilities because they are quick, stable and can be analyzed mathematically to be proved 'correct.' The garbage collector causes Java to be none of these. Also, I think that since Lisp is interpreted, you can switch a program with another modified program without losing execution or control. Not too sure on the details of that though.

      1. Lisp also makes extensive use of garbage collection, although there are real-time garbage collection algorithms for it.
      2. Most variants of Lisp are compiled, not interpreted.
      3. Despite being compiled, you can indeed update a Lisp program on-the-fly. This is accomplished through partial recompilation and dynamic linking.
      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    6. Re:You forget... by timster · · Score: 5, Insightful

      Commercial nuclear reactors, at least in the US, are controlled via relays, not integrated circuits. The control room for a nuclear plant looks a lot like the array of switches and dials on the spacecraft in the movie Apollo 13, scaled up to fill a large room. You might see some more modern technology used for recording or monitoring purposes, but the fundamental operations are not based on anything as unreliable as software.

      --
      I have seen the future, and it is inconvenient.
    7. Re:You forget... by MenTaLguY · · Score: 4, Insightful

      There is no single standard behavior for Lisp garbage collection, nor even really is "Lisp" a single language. It's a wild forest of various implementations and dialects, some of them confederated under the Common Lisp specification.

      --

      DNA just wants to be free...
    8. Re:You forget... by computational+super · · Score: 5, Funny
      I don't know Java, so I can't start a rational flamewar over why Lisp is better.

      Lisp is preferred in high-security installations (such as nuclear generators) because it's an extra layer of security. Even if a hacker can breach the outer defences, no actual human being can comprehend a Lisp program, so there's no danger of the hacker doing any damage.

      --
      Proud neuron in the Slashdot hivemind since 2002.
    9. Re:You forget... by jason8 · · Score: 3, Funny

      Have you heard of the major Lisp nuclear controller hack of a few years ago? Apparently, hackers somehow managed to get into a nuclear reactor site and make a copy of the top-secret Lisp program used to control the reactor. I can't post the entire program for security reasons, but I will post the last page:

      (Imagine a page full of right-parens)

    10. Re:You forget... by kabdib · · Score: 4, Funny

      Low tech is better.

      Those relays are powered by *steam*, and serve only to control arms in the corridor outside the control room which raise and lower colored flags. Mesopotamian runner-slaves note the configuration of the flags and carry messages to more slaves stationed near the reactor core who in turn are responsible for raising and lowering the control rods, who man the coolant pumps, and in a pinch, who sacrifice goats to the altar of O'krap, the God of Reactor Meltdowns.

      Speaking tubes were tried once ("Ahoy! More coolant on the starboard pile, and hoist up control rod three!") but finding reactor operators who knew Urdu was too difficult.

      The Nuclear Safety Council is considering a move to systems based on "electrics," but the committee responsible for this investigation has been unable to locate the inventors B. Franklin and T. Edison.

      --
      Any sufficiently advanced technology is insufficiently documented.
  7. And how? by khasim · · Score: 3, Interesting
    I'm not seeing ANYTHING there aside from melodramatic hyperbole.

    "It would be an extremely difficult and laborious process for an organization trying to patch Java Runtime across the enterprise," he said.

    WARNING! WARNING! WARNING! WARNING! WARNING!

    Wouldn't you just roll it out the same as with any other patch?

    Without any more information and judging from comments such as that, I'm going to say that this "threat" will soon be found to be nothing. Just more Internet hype from someone trying to make a name for himself.
    1. Re:And how? by ajs · · Score: 3, Informative

      Wouldn't you just roll it out the same as with any other patch? Yes you would. Which means, a full release cycle. Most enterprises (a catch-all phrase that usually maps to the largest corporate environments, involving thousands of employees) support a range of in-house and 3rd party applications, utilities and infrastructure tools. QA on a release cycle for desktops can cost hundreds of thousands of dollars in employee time and delayed projects, but to perform the release any more cavalierly can result in even more damage.

      Most folks who've worked in small-to-medium businesses or less critical environments (such as education) simply can't comprehend the hell that is trying to coordinate a release to such a large community.
  8. here is the security flaw by Anonymous Coward · · Score: 3, Interesting

    I'm pretty sure this is it:

    http://groups.google.com/group/ph4nt0m/msg/05b1131 63fb0cc55

  9. One Huge Problem by Anonymous Coward · · Score: 3, Insightful

    One huge problem I see with this is that not only are users generally unaware of what JRE/JDK they're using, they may not even know that they're using one at all. Some software like to install their own JRE version, so a user might have three or more different versions spread around the system, which needs rooting out (I suggest "c:\>dir rt.jar /S" on windows machines)

  10. Ubiquitousness? by iBod · · Score: 3, Funny

    >>Due to the ubiquitousness of Java, this could prove a serious security problem.

    Ah! That would be 'ubiquity' then?

    FFS editors!

  11. Original AusCERT by didiken · · Score: 5, Informative

    It looks like AusCERT has published on their page about this:

    Quoted from
    AL-2007.0071 -- [Win][Linux][Solaris] -- Sun Java Runtime Environment vulnerability allows remote compromise

          1. Impact

          A buffer overflow vulnerability in the image parsing code in the Java
          Runtime Environment may allow an untrusted applet or application to
          elevate its privileges. For example, an applet may grant itself
          permissions to read and write local files or execute local
          applications that are accessible to the user running the untrusted
          applet.

          A second vulnerability may allow an untrusted applet or application to
          cause the Java Virtual Machine to hang.

          Sun acknowledges, with thanks, Chris Evans of the Google Security
          Team, for bringing these issues to our attention.

          These issues are also referenced in the following documents:

          CVE-2007-2788 at
          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2007-2788

          CVE-2007-2789 at
          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2007-2789

    1. Re:Original AusCERT by AKAImBatman · · Score: 5, Informative

      Oh good grief, is that all it is? A buffer overflow in images that only affects desktops and servers supporting image uploads that are not running the latest version of a given JVM? What happened to the spreading to PDAs and cell phones, the problem for all users worldwide, the end of things and mankind himself!?!

      Bunch of FUD-spreading fear-mongers. Hrumph.

      Oh, and Sun wouldn't have had this problem if they'd used pure Java code rather than relying on an existing library.

      --
      Javascript + Nintendo DSi = DSiCade
    2. Re:Original AusCERT by AKAImBatman · · Score: 5, Informative

      Looks to me like the major problem is for embedded devices, where the update isn't easy.

      No, it doesn't. First off, I guarantee you that J2ME implementations do NOT use the same parsing library as the desktop JVM. It's far too heavyweight. Add to that fact that the embedded implementations are written by the phone vendor, significantly decreasing the risk.

      Secondly, J2ME does not support JPEGs or BMPs. The standard only supports PNGs. If you want to open JPEGs, you have to use a pure-Java decoder. (Which would not be vulnerable.)

      Thirdly, Java applet support is extremely limited in Symbian devices; the only devices I'm aware of that support applets. It's basically Java ME + a few extra APIs to bring it up to Java 1.1 standards. It's doubtful that these VMs even contain the APIs that are being exploited here.

      First of all, thanks to the OP for the link to AusCERT. Very, very helpful!

      Oh dear, where are my manners? I'd also like to thank the poster for finding the relevant AusCERT article. Without it, we'd still be at the FUD level. :-)
      --
      Javascript + Nintendo DSi = DSiCade
    3. Re:Original AusCERT by AKAImBatman · · Score: 4, Insightful

      No, it's not hype. Problems like this actually highlight Java's features all that much more.

      The problem in this case is that Sun used a native library to do the image parsing rather than writing a pure-Java equivalent. This shortcut ended up being a costly mistake that has resulted in a variety of holes caused by that library. If Sun simply rewrote the code in Java (which wouldn't be hard; only time consuming), the problems would go away.

      --
      Javascript + Nintendo DSi = DSiCade
    4. Re:Original AusCERT by smittyoneeach · · Score: 3, Funny

      Well, if y'all goin' for the pure-Java solution, y'all obviously do the BIOS and bootleg^Wbootloader in Java, too.
      I mean, C is just portable Assembler, right? If C is the source of all them evil buffer overflows, I reckon that means Assembler's got 'em, too?
      Heck: me an' Jethro wuz wonderin' how these here computers ever got far enough along for the Sun to 'shine and the Java to perk.
      Yep. I reckon only them city slickers with all their fancy talk do anything but Java anymore, buncha used car salesmen.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    5. Re:Original AusCERT by burner · · Score: 3, Informative

      Native methods are there to allow a Java program to call code that has not been written in Java, providing access to things such as platform specific functionality. It does not necessarily make your program run faster and should generally not be used to improve performance.

      --
      MRSH-Recording device, corned beef sandwich with kraut, seafaring bird, and the foamy top of a beverage.
  12. Re:Extraordinary claims require extraordinary proo by AKAImBatman · · Score: 4, Informative

    That last line should read, "serious security risk through port 80."

    I find it interesting that this team is supposedly reporting a major flaw, yet manually running the Java updater finds no new JVM versions to download. Didn't they contact Sun first? Shouldn't there be a patch already? Meh. The whole thing stinks.

    If you want to run the updater yourself, you can either right-click on the Java icon in your taskbar and select "Control Panel", or you can run the "javacpl.exe" file in the "c:\Program Files\Java\jre\bin" directory. Look under the "Update" tab to see the update schedule. Click "Update Now" to check for the lastest release.

    Mac users do not need to access a separate updater. Java updates are pushed through the standard system updates, accessible through the control panel. These are also scheduled to run on a regular basis. Only Linux/Unix users should need to manually update their JVMs if and when a patch becomes available. Some of these OSes do have a Java updater, but I don't know the current details about these.

    --
    Javascript + Nintendo DSi = DSiCade
  13. Well, since this impacts Java... by pw700z · · Score: 5, Funny

    ...at least we can be assured whatever disaster happens, it will happen slowly. Just kidding!

  14. I know. by greenreaper · · Score: 3, Insightful

    That's what makes it a joke, for all those who've actually read the license agreement. :-)

  15. This isn't new by radish · · Score: 4, Informative

    This issue (I'll provide a link to the AusCERT page as the summary neglected to) was first publically announced on June 4 and fully patched by June 29th. All that's happened recently is some minor updates to the ticket. Yes it's serious, but anyone paying attention to such things will have patched already.

    --

    ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

  16. Re:Fixed in JRE 5 Update 12? by Mr.+Sketch · · Score: 5, Informative

    It's fixed in:
    * JDK and JRE 6 Update 1 or later
    * JDK and JRE 5.0 Update 11 or later
    * SDK and JRE 1.4.2_15 and later

    From:
    http://www.auscert.org.au/render.html?it=7664

    --
    Things you think are in the Constitution, but are not.
  17. Re:The sky is falling by dgun · · Score: 5, Informative

    Google Security Team

    I see at the top where they mention the Google security team. But the article quotes only someone named Chris Gatford from "penetration testing firm Pure Hacking" and someone from "Australia's Computer Emergency Response Team"

    AUSCERT ^ has issued something on this, but there is not many details. They claim the exploit is the ability for applets to escalate privileges.

    Also, someone asked, but here are the versions they claim are vulnerable, for windows and solaris.

    First vulnerability:
    * JDK and JRE 6
    * JDK and JRE 5.0 Update 10 and earlier
    * SDK and JRE 1.4.2_14 and earlier
    * SDK and JRE 1.3.1_20 and earlier

    Second vulnerability:
    * JDK and JRE 6
    * JDK and JRE 5.0 Update 10 and earlier
    * SDK and JRE 1.4.2_14 and earlier
    * SDK and JRE 1.3.1_19 and earlier

    And a link to the Aussie security alert

    --
    FAQs are evil.
  18. To quote Harry Dresden... by Anonymous Coward · · Score: 5, Funny

    Just because you are paranoid doesn't mean there isn't an invisible demon out to eat your face.

  19. Re:Anyone have details? by Geek+of+Tech · · Score: 4, Funny

    Among other things, it has been confirmed that cellphones, computers, handhelds, iPods, small children, toasters, garage door openers and SUV owners are all vulnerable to this flaw.

    The only device that isn't vulnerable to this is the Nintendo Wii. The theory is that the swinging of Wiimotes manages to sling the problematic code away from your device.

    If you think that your computer might be at risk, pick it up and start spinning in big circles. This might create enough force to dislodge any vicious code.

    --
    Stop the Slashdot effect! Don't read the articles!
  20. Re:Extraordinary claims require extraordinary proo by AKAImBatman · · Score: 4, Informative

    It appears to be referring to the GIF exploit, which was patched a couple of months ago.

    No, as others have pointed out it's a flaw in JPEGs and BMP files. PNGs (pretty much the only format used in J2ME in cell phones and PDAs) are safe. Here are the advisories:

    http://www.auscert.org.au/render.html?it=7664
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2007-2788
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2007-2789

    The biggest concern is that arbitrary applets could be pushed to user's machines. This is mitigated by the fact that the latest JVM's have already been repaired. Thanks to the Java autoupdater, there should not be many desktops at risk.

    A secondary concern is servers that accept image uploads. BMPs are usually not accepted anyway, but JPEGs could be a concern. So it is best to upgrade these. Which brings us around to your concern...

    The problem is that most Java enterprise software winds up becoming tightly coupled with a specific JVM. (In Oracle's case, a good half-dozen *different* JVMs!) You can't upgrade the JVM without breaking the enterprise app (trust me, I tried, they really work only with the specific JVM shipped), so you're left with vulnerable JVMs and no way to upgrade them. I don't have a solution to that problem.

    For one, it is possible to upgrade these JVMs. It's a bit trickier than a standard install, but it can be done, at least inside the same VM version. (e.g. Java 1.4 apps will usually not suffer from an upgrade to 1.4.1, but a Java 5 upgrade would be disasterous.)

    Secondly, I *DO* have a solution. Yell at the vendor! If they're going to stupidly integrate the JVM for no reason other than to make your life difficult (ostensibly to make it easier, yeah right) then they can take the burden of getting you a patch. Don't let the vendor off the hook until they get the problem fixed! That's just good practice, nothing to do with Java.

    (Of course, a better practice is to find a vendor who doesn't stupidly integrate JVMs, but I digress.)

    BTW, are you talking about Oracle AS or Oracle Database? Oracle AS would need to be patched for situations like this just in case you handle or will handle image uploads. Oracle Database would not be at risk since there is almost no chance of the database being made to parse images in its procedural code. Desktop applications are similarly unaffected unless they download arbitrary images from the internet.
    --
    Javascript + Nintendo DSi = DSiCade
  21. Re:Are you sure? by joshv · · Score: 4, Funny

    That's probably because the bug inside had failed and the battery started corroding causing it to expand and crack the mug.

  22. Just my luck... by bensafrickingenius · · Score: 3, Funny

    I just got done installing Java in 3 computer labs, and took the extra step of turning off that damn annoying autoupdate feature in the Java Control Panel on every machine. Crap, there goes my weekend...

    --
    I am not left-handed, either!
  23. Lava Flow by Kinthelt · · Score: 3, Funny

    Am I the only one who originally read this as: Dangerous Lava Flow Threatens 'Virtually Everything'?

    --

    "Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)

  24. Re:It's a C/C++ flaw in the Java environment. by ClassMyAss · · Score: 4, Insightful

    You're right, it's not a tool's fault if people don't know how to use it. But C has been around a hell of a long time, and people have been making buffer overrun mistakes for the entire history of its existence, even those who should (and do!) know better, simply because unless it's the main thing on your mind when you're coding C it's an easy mistake to make. So I don't think it's likely that people will ever stop making these mistakes, regardless of education, because the language allows them (and to some extent encourages them).

    Would you really suggest that it's better to train people to not cut their fingers off using table saws than to get them to switch to table saws with some sort of finger guard? Yeah, it's not that the unprotected ones are at fault if you slip up and slice your pinky off, but it seems perfectly reasonable to avoid the problem altogether with a little prior consideration at the tool level, especially if the extra safety modifications are easy. Though to be fair, in this case I don't know what the "best" alternative to C is, since most of the real popular languages these days are interpreted either entirely or at a byte-code level, so are somewhat slow.

  25. JVM in Java by CustomDesigned · · Score: 3, Informative
    IBM produced a working demonstration system called "Jalapeno" that codes the entire JVM in Java. If you're wondering how it bootstraps, it is a JIT. So in operation the JVM either interprets bytecode or translates it to native machine code. The JIT has hooks to let a utility translate the bytecode of the JVM itself and package it as a loadable module. The demonstration system supports i386 only. The most interesting part of the project was creating a minimal number of privileged bytecodes to support things like memory management and IO.

    So if your JVM includes a JIT, it is not so farfetched for it to be "pure" Java. (The privileged bytecodes are an extension to the Java standard.) Such a design eliminates whole classes of common bugs. Unfortunately, there are infinitely many additional classes of bugs to take their place. One reason why production JVMs are still coded in C is that the code generation of mature C compilers is so much better than a first generation JIT.

  26. Java version used by your broswer by AtomicJake · · Score: 3, Informative

    If you have multiple Java versions on your computer and/or you do not know which version is used by your browser, try this page:
    http://www.javatester.org/version.html

    According to AusCERT, http://www.auscert.org.au/render.html?it=7664
    you are vulnerable, if your JRE is:
    - Sun Java Runtime Environment (JRE) 6
    - Sun Java Runtime Environment (JRE) 5.0 Update 10 and prior
    - Sun Java Runtime Environment (JRE) 1.4.2_14 and prior
    - Sun Java Runtime Environment (JRE) 1.3.1_20 and prior

  27. Re:Is Apple affected? by Oswald · · Score: 3, Funny

    You know it is. Java is Write Once, Run Anywhere, remember?

  28. Naming and installer by pe1chl · · Score: 3, Informative

    Can anyone explain why Sun changes the name of the package with every minor version?

    J2SE Runtime Environment 5.0 Update 11
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) 6 Update 2

    What will the next update be called? J2SE Runtime Environment 6.0 Update 3?

    Installer changes every time, too. It is just inconvenient for those that want to do unattended installs.

  29. Re:not FUD by AKAImBatman · · Score: 3, Interesting

    If applets are vulnerable, that's not FUD, it's serious.

    Of course it's serious. That doesn't mean that it affects everything from mobile devices to servers! That was just plain FUD on the part of the article. They made it sound like every implementation of Java ever was now vulnerable and there is nothing we can do about it. In reality, it's a serious problem, but far less so than advertised. In fact, nearly all desktops should be updated by now thanks to the Java autoupdater.

    Unfortunately, Java sucks for writing that kind of code.

    Oh, don't start. I've written plenty of image and datafile loading routines in Java. You don't get nice "struct" features* for memory management, but that doesn't materially impact the ability to load and parse the data. The biggest thing to remember is that some formats use endians in something other than network order. (I'm looking at you Ronald Rivest! Do you know how much it would have saved me if MD5 used the same byte order as every other RFC under the sun? Grr...)

    * I did write a proof-of-concept "struct" pre-processor once in an attempt to make a colleague happier. It basically added a new form of class type other than "class" and "interface". When parsed, it would be transformed into a ByteBuffer object with getX()/setX() accessors/mutators that accessed the correct locations of the buffer.
    --
    Javascript + Nintendo DSi = DSiCade