Slashdot Mirror


Serious New Java Flaw Affects All Browsers

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

164 comments

  1. All browsers? by K.+S.+Kyosuke · · Score: 4, Funny

    Oh come on. Shall I try it in Links? I've told you a million times that you're not supposed to overuse hyperboles.

    --
    Ezekiel 23:20
    1. Re:All browsers? by Anonymous Coward · · Score: 2, Funny

      Perhaps, but if people have been getting bad java, they're going to need some ceramic parabolas right quick.

    2. Re:All browsers? by irreverant · · Score: 1

      Don't tell Starbucks about this.

      --
      Of all the things I've lost; I miss my mind the most. - Mark Twain
    3. Re:All browsers? by Stumbles · · Score: 1

      Ceramic parabolas? I prefer wired mesh, that way I can put more on my head.

      --
      My karma is not a Chameleon.
    4. Re:All browsers? by Peach+Rings · · Score: 2, Insightful

      Any sane browser is immune. Browsers shouldn't allow execution of Java code any time you simply click on a link. You should use NoScript or, better yet, just disable the Java plugin altogether except in the rare cases when you need it.

    5. Re:All browsers? by pcolaman · · Score: 1

      I guess this is also the one good thing for iPhone and iPod Touch users...since they can't run Java anyways, they are also immune.

    6. Re:All browsers? by Anonymous Coward · · Score: 0

      *Whoosh*

    7. Re:All browsers? by Anonymous Coward · · Score: 0

      Really? I'm pretty sure my favorite browser is immune.

      You are kidding right?

    8. Re:All browsers? by NatasRevol · · Score: 2, Informative

      From the first link:

      "Because the JavaWS technology is included in the Java Runtime Environment, which is used by all of the major browsers, the vulnerability affects all of these applications, including Firefox, Internet Explorer and Chrome, on all versions of Windows from 2000 through Windows 7, Santamarta said. Browsers running on Apple's Mac OS X are not vulnerable."

      --
      There are two types of people in the world: Those who crave closure
    9. Re:All browsers? by WrongSizeGlass · · Score: 2, Interesting

      I guess this is also the one good thing for iPhone and iPod Touch users...since they can't run Java anyways, they are also immune.

      FTFA: "Browsers running on Apple's Mac OS X are not vulnerable." That includes iPhone, iPod Touch & iPad .... oh, and Macs, too.

    10. Re:All browsers? by ChefInnocent · · Score: 1

      When do we need Java? I uninstalled it from my "new" computer about 2 years ago. I only notice its absence when I'm at another machine and it asks me to update the JVM.

    11. Re:All browsers? by TheRaven64 · · Score: 2, Interesting

      I went to disable Java as soon as I saw the headline (before getting to the part that said my platform was not affected). When I got to the preferences dialog, I found that it was already disabled. I turned it off last time there was a high-profile Java vulnerability - about two years ago, as I recall - and had completely forgotten. I guess that means that Java Applets are pretty much dead. I can't remember the last time that I saw one, and I've certainly not seen any sites failing because I had Java disabled.

      --
      I am TheRaven on Soylent News
    12. Re:All browsers? by pcolaman · · Score: 1

      Oh good, so they won't get any Java in their iPads too. That helps when that time of the month rolls around as it's already a mess down there as is.

    13. Re:All browsers? by Bill_the_Engineer · · Score: 1

      Browsers running on Apple's Mac OS X are not vulnerable.

      Of course not, Apple distributes their own version of the JVM for OS X, not Sun. So this is a fine example of how not incorporating every "neat" bleeding edge idea into the JVM is a feature, not a handicap.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    14. Re:All browsers? by treeves · · Score: 3, Funny

      Stick it in your latus rectum.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    15. Re:All browsers? by TrancePhreak · · Score: 1

      They are very rare. If it weren't for Android dev I wouldn't have installed Java at all.

      --

      -]Phreak Out[-
    16. Re:All browsers? by dgatwood · · Score: 1

      Yes. My favorite browser is actually telnet hostname 80. No pop-up ads, no slow-loading graphics. Bliss. :-D

      *sigh* Only on Slashdot is a post modded to -1 redundant for being posted just a few seconds after another similar post (within the same minute). *sigh*

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    17. Re:All browsers? by afidel · · Score: 1

      Tons of apps still use it, ADP payroll time system is one that's pretty popular.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    18. Re:All browsers? by RockDoctor · · Score: 1

      I guess this is also the one good thing for iPhone and iPod Touch users...since they can't run Java anyways, they are also immune.

      Isn't that rather like saying that Antony and Cleopatra were immune to Swine Flu by dint of being dead at the time?

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    19. Re:All browsers? by VulpesFoxnik · · Score: 1

      I have to use Java Applets for my online college, but that's about it. A few online games still use Java over Flash (thank god). They are getting rarer, I must agree. I don't think it is because Java is bad. It's just that the market Java was targeted to is more diluted with other 'easier' solutions like Flash.

      --
      RES PUBLICA NON DOMINETUR
  2. For years?! by irreverant · · Score: 2, Insightful

    That's great, no one knew about it until now? I don't believe that.

    --
    Of all the things I've lost; I miss my mind the most. - Mark Twain
    1. Re:For years?! by postbigbang · · Score: 3, Insightful

      You didn't notice we've been watching you?

      java -start -mykeylogger_to_ru -get_passwords_for_everything & -send_to_nsa_listening_post

      wasn't that link you clicked?

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:For years?! by irreverant · · Score: 1

      no it was i think it was yuminstall nsawatch.tar.gz sudo - *^%$^&*(*hkla7d7s8 (md5 encryption) java -start -nsakeylogger_to_ru -get_passwords_for_pron_everything & -send_to_nsa_proncenter

      --
      Of all the things I've lost; I miss my mind the most. - Mark Twain
    3. Re:For years?! by abigor · · Score: 1, Troll

      I do - who the heck writes applets anymore? Java is a totally pervasive server-side thing these days. I guess JWS was a last kick at the can.

    4. Re:For years?! by toriver · · Score: 1

      Er, JWS is NOT the same as applets, but means desktop apps that are loaded via the web.

    5. Re:For years?! by leenks · · Score: 2, Insightful

      Troll. Client side java applications are still very popular in enterprises where something richer than a typical webapp is required (though this may change as browser tech matures), and JWS is a convenient medium for deploying them. Hell, even Eclipse RCP applications can be deployed with webstart.

    6. Re:For years?! by Bill_the_Engineer · · Score: 2, Insightful

      Agree. I use Java because it's the easiest way to write cross platform client applications without having to experience DLL hell or dependency issues.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    7. Re:For years?! by buchner.johannes · · Score: 1

      Java Webstart is also awesome (if your browser works) to try out java programs, e.g. http://jabref.sourceforge.net/

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  3. Guess it's time to uncheck that box by Ma8thew · · Score: 3, Informative

    Can't recall the last time I even used a Java applet. Just uncheck the box in preferences and forget about it.

    1. Re:Guess it's time to uncheck that box by sznupi · · Score: 1

      hmm.../me checking in Quick Preferences...yup, "Enable Java" unticked.

      Wait, I don't even have Java installed on this machine. Seriously, apart from very few webpages and applications (taking into account what is typically used), Java is hardly needed nowadays.

      --
      One that hath name thou can not otter
    2. Re:Guess it's time to uncheck that box by Blue+Stone · · Score: 1

      I just checked - I don't even have Java installed on my machine anymore. Never come across something that I need it for.

      What do people use it for these days?

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    3. Re:Guess it's time to uncheck that box by binarylarry · · Score: 1

      Java is used primarily on the server. Sun botched the first applet plugin (which sucked). They rewrote it last year, which was recently released in an update. Although the technical suckage is out of the way, exploits like this sure don't help its popularity.

      Java has a >90% install base though.

      --
      Mod me down, my New Earth Global Warmingist friends!
    4. Re:Guess it's time to uncheck that box by Ma8thew · · Score: 1

      Oh wait, despite what the hyperbole of the summary may suggest this doesn't affect browsers on the Mac anyway.

    5. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 0

      What alternative client do you wish to see in your browser?
      MS silverlight?
      Flash?

      I can't understand comments like "just disable java" from people in this forum.

    6. Re:Guess it's time to uncheck that box by pjt33 · · Score: 2, Informative

      Java Webstart, not applet. Basically you download a .jnlp file, which is an XML config file telling it where to download an application to then execute. It's supposed to be sandboxed. But what matters is how your browser handles .jnlp files (or the corresponding mimetype), not how it handles applet tags (or the corresponding object tag).

    7. Re:Guess it's time to uncheck that box by TwoUtes · · Score: 1

      Surprisingly enough, it is required to run training videos through a web site run by a major US government space agency who shall remain nameless.

    8. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 1, Insightful

      OK, I'm not trolling (seriously), but, honestly, I have to ask:

      Does anyone here actually use Java for anything? And I don't mean "I write Java Enterprise Beans," I mean for client applications, since this flaw affects launching Java client apps. Presumably you can keep on running your favorite J2EE XML-based Spring Hibernate Ultimate whatever without worrying about Java applets or Java Web Start or any of that Java client technology.

      If you do use client Java, what are you using it for? The only thing I can think of that I've ever seen anyone run a client Java app for was writing server-side Java code.

      I guess what I'm asking is, why would I install Java in the first place?

    9. Re:Guess it's time to uncheck that box by abigor · · Score: 1

      Well, except for all those webapp-type sites you visit. You "use" Java every single time you browse the web, just indirectly.

    10. Re:Guess it's time to uncheck that box by AchilleTalon · · Score: 4, Funny

      Well, I am mainly writing Web client applications in Java to gain unauthorized access to your desktop.

      --
      Achille Talon
      Hop!
    11. Re:Guess it's time to uncheck that box by thsths · · Score: 2, Interesting

      > Sun botched the first applet plugin (which sucked). They rewrote it last year, which was recently released in an update.

      Can you tell me where I get a Java plugin that doesn't suck? Because mine still does - it takes seconds to load, blocks the browser in the mean time, it always looks ugly (something wrong with the fonts?), and it often interferes with the web page. Plus the update mechanism is terrible - certainly if you have a normal user account for normal use.

      Actually even the Flash plugin is a lot better, plus Flash graphics just look excellent.

    12. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 1, Informative

      I work for a reasonably large multi-national corporation, and we distribute a suite of server management tools as java applets. I don't ask why Java was chosen, and I don't know how well received the suite is by customers, but I know my job would be impossible without a JRE on my office workstation.

    13. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 0

      >>Does anyone here actually use Java for anything?

      Yes, a large part of the population in Norway at least, and some other countries use it for BankID. (Site is in Norwegian)

      BankID is required as a logon method for online banking at many banks and it is approved for use as legally binding electronic signatures. It is usually implemented as a Java applet, not with JWS though.

      Some more info here at DnB Nor.
      (DnB Nor is just a normal bank that uses BankID, however I was unable to find any other page in English describing it with a fast Google)

    14. Re:Guess it's time to uncheck that box by GIL_Dude · · Score: 2, Insightful

      http://runescape.com/ is a Java site my son uses all the time. AT&T Connect web conferencing service is one I use at work all the time. There are certainly folks that need it for a bunch of different things, but I will certainly stipulate that it isn't used on the desktop (thankfully!) as much as it was. That said, at work, every time we send out a Java security patch we get calls from users of all kinds of vertical market apps about how the patch broke their app and we have to get the vendor to get a new version out really quick. Quite annoying how it always breaks stuff as it moves forward.

    15. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 0

      Quite a bold claim. Do you have evidence that he visits at least one Java-based site per browser session?

    16. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 2, Insightful

      And what webapp sites would these be??? Really, there are not too many mainstream sites that require a JRE to function properly. I remember a short period where Java was used similar to Flash (I remember perverse cases where individual animated buttons were Java applets), and I occasionally stumble upon some of these broken down and burnt out sites.

      There are specific sites that tend to use Java, like online tutorials for math and science subjects, or somebody's hack, or just a browser integrated version of some Java app for something like an interactive simulator, but these are fairly niche.

      Or are you yet another fool that thinks that Java and Javascript are closely related?

    17. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 0

      Well I guess if I would give this the benefit of the doubt, you are implying that Java is still used quite a bit on the server side by a lot of widely used sites. But it is really a stretch to find any relevance between server side implementation and client side execution.

      Like many people have pointed out, often one isn't even aware that they don't have any JRE installed on their system until they happen upon that one pesky website to do some specific thing.

      Big (often crappy) Java "apps" (not applets) for enterprisey stuff are often deployed with their own JRE.

      (And yes I am aware that this whole issue is with WebStart deployment and not browser applets... just commenting on the parent's comments)

    18. Re:Guess it's time to uncheck that box by drerwk · · Score: 1

      I'm working on a $20M DARPA project. Client is in Swing, and server computation engine is in Java. It has no browser component.

    19. Re:Guess it's time to uncheck that box by Threni · · Score: 1

      An alternative to ActiveX for some webapps, for example Portwise.

    20. Re:Guess it's time to uncheck that box by tomhudson · · Score: 1

      Shhh. ... there are four ... and don't ask. They'll have to kill you BEFORE they tell you.

    21. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 0

      You're either confusing Java with JavaScript, or you're talking about server-side Java. Either way, no need to leave that box checked in your browser.

    22. Re:Guess it's time to uncheck that box by daem0n1x · · Score: 1

      I use a Java applet to file my taxes every year.

      My company sells some desktop solutions based in Java. You wouldn't even know they're made in Java if you used them.

    23. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 0

      I haven't used Java in 4-something years. I only notice its requirement for an occasional web game, and when that happens, I don't play it.

      I would rate Silverlight ahead of Java, though, but that's my opinion. Being MS touted is irrelevant - it's simply better. I see all 3 as sucking, but from best to worst, Silverlight > Java > Flash. I hope they all die.

    24. Re:Guess it's time to uncheck that box by Nadaka · · Score: 1

      He said "just indirectly", indicating he was probably referring to the common use of Java in some form on the backend. Many web servers are written in Java, then there are the web apps using JSP, servlets or Cocoon and several other Java based web app frameworks.

    25. Re:Guess it's time to uncheck that box by Nadaka · · Score: 1

      I helped write a P2P live video streaming server in an applet.

    26. Re:Guess it's time to uncheck that box by tonywestonuk · · Score: 1

        You wouldn't even know they're made in Java if you used them.

      I think this is part of the problem - Crap java apps, make Java look bad. Good Java apps, go unnoticed.

    27. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 0

      ResoMail is a secure mail application which is client side Java.

    28. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 0

      You "use" Java every single time you browse the web

      Yeah, but we don't have to like it.

    29. Re:Guess it's time to uncheck that box by TheTurtlesMoves · · Score: 1

      One app the company I worked for delivered to the client (on time and on budget--but that was just luck!). After the acceptance testing we were told that they are really happy we didn't use "slow" Java. It was fast and responsive etc. They loved it. It was 100% pure Java...

      Bad Java apps are not like bad C apps. Because everyone seems to think it is "Java's" fault. But how many crappy, bloated and insecure C/C++ apps are out there? A lot, yet the language doesn't get blamed.

      --
      The Grey Goo disaster happened 3 billion years ago. This rock is covered in self replicating machines!
    30. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 0

      This isn't true unless I'm missing something in the thread.

      You probably use Javascript, but you definitely don't use Java every single time. They are not the same.

  4. This is javocalypse by Anonymous Coward · · Score: 2, Informative
  5. New? by Anonymous Coward · · Score: 0

    This isn't New. Java is a sea of vulnerabilities.

    1. Re:New? by binarylarry · · Score: 4, Insightful

      Compared to what? Java has a pretty fantastic security track record.

      Also this isn't an exploit in the Java runtime, it's an exploit in the way the web start native launcher parses arguments before using them to launch the Java virtual machine.

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:New? by Yvan256 · · Score: 3, Insightful

      Compared to
      [_] Enable Java

    3. Re:New? by binarylarry · · Score: 3, Insightful

      It gets even safer with:

      [_] Enable teh interwebs

      oh oh! and this one:

      [_] Enable computer power

      The ultimate in security, I've done it!

      --
      Mod me down, my New Earth Global Warmingist friends!
    4. Re:New? by shutdown+-p+now · · Score: 3, Informative

      Offtopic, but you really should remove or replace that link in your sig if you want to be taken seriously on any topic related to Java (or .NET). It's so out of date it's not even funny - a lot of points are at best misleading, and at worst blatantly wrong - and you've been called out on that on /. several times already.

      Actually, come to think of it, quite a few bullet points there were lies in 2004, as well, which makes me wonder if you're just ignorant, or deliberately spreading FUD.

    5. Re:New? by Culture20 · · Score: 2, Funny

      [_] Enable computer power

      The ultimate in security, I've done it!

      I didn't see a "*($^#@$@^$&&&... NO CARRIER". I call shenanigans!

    6. Re:New? by washu_k · · Score: 1

      Java has security bugs just like everything else. I don't know if it has more or less than average. The problem is that so many Java apps require specific JVM versions so you are stuck with buggy versions.

      I'm a desktop admin who has to support running many different Java apps, most provided by our clients. While a few will work with whatever JVM as long as it's new enough, most require a specific version. It's not just dumb apps that have a hard coded version check. Some don't check yet still fail with the wrong JVM version, often in odd ways. For example we have one app that if run on the wrong version, even one patch release different, will no longer have working cut and paste. I can run the apps just fine across Windows or Linux, but the JVM must be the right version.

      The problem is now the most common infection on our machines, despite many still running IE6, is Vundo variants that get in through the JVM.

    7. Re:New? by suomynonAyletamitlU · · Score: 1

      I'm just waiting for someone to

      [_] Enable evil in the world

      I don't even know why that was compiled in, much less on by default.

    8. Re:New? by jcoy42 · · Score: 1

      You forgot "dig hole, put computer in hole, fill hole with concrete".

      --
      Never trust an atom. They make up everything.
    9. Re:New? by petermgreen · · Score: 1

      Afaict it is possible to set up a "private" jvm and use it for just one app. Doing this for any apps that need it and either having no jvm installed where the browser can find it at all or keeping the one used by the browser up to date is probably a sensible approach to reducing exposure.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    10. Re:New? by washu_k · · Score: 1

      We looked into this, but the problem is that most of the apps are launched from client web sites that we have no control over. If the specific buggy JVM is hidden from the browser then any apps that need it fail. As it stands now malware has several buggy JVMs to choose from as almost no apps use the same version as any of the others.

      The best we can do is lock down the machines as much as possible so any malware that gets launched doesn't have rights to infect anything other than the user's profile. A reboot and a profile delete usually clears them up.

    11. Re:New? by jpmorgan · · Score: 1

      Except for breaking DEP/noexec heap protections by leaving a lot of writable and executable memory in predictable locations. It may not have had a lot of security flaws itself over the years, but it's been one hell of an enabler.

    12. Re:New? by fluffy99 · · Score: 1

      Afaict it is possible to set up a "private" jvm and use it for just one app. Doing this for any apps that need it and either having no jvm installed where the browser can find it at all or keeping the one used by the browser up to date is probably a sensible approach to reducing exposure.

      From the perspective of someone who does security scanning and updates, these 'private' instances of java, mozilla, apache, etc are a pain in the arse. They simply never get any security updates. While it's debatable whether that represents a real vulnerability, it still gets red flagged by most security scanning software and has to get updated manually which often breaks that app.

    13. Re:New? by thePowerOfGrayskull · · Score: 1

      Not to mention that every supporting link in the posting is broken...

  6. People have Java enabled in their browser? by WindSword · · Score: 3, Funny

    Wow! I never knew.

  7. Howcum? by gmfeier · · Score: 0, Troll

    Just asking: "Browsers running on Apple's Mac OS X are not vulnerable. "

    1. Re:Howcum? by binarylarry · · Score: 3, Informative

      Because it's not an exploit in Java, it's an exploit in the way parameters are provided to Java, when it is launched by the web start native executable.

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:Howcum? by gmfeier · · Score: 0

      Thanks. Way beyond my level of competence, such as it is.

    3. Re:Howcum? by Anonymous Coward · · Score: 1, Interesting

      Because it's not an exploit in Java, it's an exploit in the way parameters are provided to Java, when it is launched by the web start native executable.
      what? in other news Adobe said "it's not an exploit in Acrobat, it's an exploit in the way parameters are provided to Acrobat, when it displays a PDF document"

      remind me again, if I don't install Java do I have this "web start native executable" ?

    4. Re:Howcum? by robmv · · Score: 1

      I think it is a Java bug and not a browser bug. The researchers created an embed/object tag with parameters. They are adding a codebase parameter. embed/object parameters could be arbitrarily named, that is defined by the plugin to be used (Note the real standard object tag has a codebase attribute but they are not using it, they are using a param tag)

      There is no way a browser will know how the plugin handles the arbitrarily named parameters, unless they specifically add it for the Java plugin, the browser sends them to the plugin, in this case the Java plugin is the one that gets that codebase and starts javaws, so I think the Mac OS X plugin has checks that the standard Sun implementation or they are not starting javaws directly as another process
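      The check pjt33 and robmv describe above (a codebase handed to the Java plugin as an object/embed attribute or as a nested param, then passed on to javaws) can be applied on the receiving side. The Python scanner below is an added example, not code from the thread, from Sun or from any browser; it assumes the plugin is identified by the MIME types listed in JAVA_TYPES, walks a constructed HTML sample, and rejects any Java codebase that is not an absolute http(s) URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: MIME types under which a page invokes the Java plugin (constructed list).
JAVA_TYPES = {"application/x-java-applet", "application/x-java-vm",
              "application/x-java-bean"}


def codebase_is_valid(value):
    """The validation a launcher should apply before using a page-supplied
    codebase: an absolute http or https URL with a host and no whitespace.
    A bare path, another scheme, an empty string or anything else fails."""
    if not value or any(ch.isspace() for ch in value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class JavaCodebaseScanner(HTMLParser):
    """Collects every codebase value handed to a Java object/embed, whether it
    arrives as a tag attribute or as a nested <param name="codebase">."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (where it was found, value, passes check?)
        self._stack = []     # one entry per open <object>: True if it targets Java

    @staticmethod
    def _targets_java(attrs):
        return attrs.get("type", "").lower() in JAVA_TYPES

    def _record(self, where, value):
        self.findings.append((where, value, codebase_is_valid(value)))

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; a valueless attribute is None.
        a = {name: (val or "") for name, val in attrs}
        if tag == "object":
            java = self._targets_java(a)
            self._stack.append(java)
            if java and "codebase" in a:
                self._record("object@codebase", a["codebase"])
        elif tag == "embed":
            if self._targets_java(a) and "codebase" in a:
                self._record("embed@codebase", a["codebase"])
        elif tag == "param" and self._stack and self._stack[-1]:
            # A <param> only matters inside an <object> aimed at the Java plugin.
            if a.get("name", "").lower() == "codebase":
                self._record("param[codebase]", a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "object" and self._stack:
            self._stack.pop()


def scan_html(html):
    """Return every Java codebase found in the page with its verdict."""
    scanner = JavaCodebaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suspicious(html):
    """Only the findings worth a look: Java codebase values that fail the check."""
    return [f for f in scan_html(html) if not f[2]]


# Constructed sample page: one well-formed Java codebase, two that a validating
# launcher should refuse, and a non-Java object whose codebase is irrelevant here.
SAMPLE = """<html><body>
<object type="application/x-java-applet" width="1" height="1">
  <param name="codebase" value="http://example.invalid/app/">
  <param name="code" value="Main.class">
</object>
<object type="application/x-java-applet">
  <param name="codebase" value="file:///tmp/x">
</object>
<embed type="application/x-java-applet" codebase="relative/dir/" />
<object type="application/x-shockwave-flash" codebase="relative/flash/"></object>
</body></html>"""

if __name__ == "__main__":
    for where, value, ok in scan_html(SAMPLE):
        print(f"{'ok     ' if ok else 'REJECT '} {where:16} {value}")
```

      Run over the sample, the scanner reports three Java codebase values and flags the file: URL and the relative path; the Flash object is not inspected at all.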

  8. Article Contents by Oxford_Comma_Lover · · Score: 4, Insightful

    Yes, the summary's misleading; but the article at least is a bit clearer: it refers to Windows-based browsers.

    "In his advisory, Ormandy said that he notified Sun about the vulnerability but that the vendor didn't believe it was serious enough to warrant an emergency patch," sayeth the article.

    Now that it's on slashdot, of course, that is clearly no longer the case, if indeed it was.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    1. Re:Article Contents by binarylarry · · Score: 5, Informative

      Actually it affected Linux browsers too.

      However, it was fixed a few updates ago: http://java.sun.com/javase/6/webnotes/6u17.html

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:Article Contents by Anonymous Coward · · Score: 0

      The difference is, in Windows you seem to get admin privs pretty easily, whereas Linux/BSD exploits at best may give you local user.

    3. Re:Article Contents by Trepidity · · Score: 1

      At least with the official Sun JRE, it never affected 64-bit Linux, because they don't support Java Web Start on the 64-bit distribution. (The 64-bit Linux OpenJDK does support JWS, though.)

    4. Re:Article Contents by hairyfeet · · Score: 5, Insightful

      Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!

      So can we please let this little fact DIAF already? Because frankly it doesn't matter if the malware is running with user or admin rights because in the end it HAS YOUR STUFF which is all anybody gives a shit about. I have never in my nearly 15 years of PC repair had anybody go "but is the system okay?". All anybody has ever ever cared about, even when I tell them I'm gonna have to nuke it, is "can you give me back my stuff please?". So let us just let this little "malware at root VS user" crud die already. If you have malware running at either level it has access to your stuff, which depending on how religiously you back up (which guess what? 99.995% of users in my experience don't have recent backups, if they have backups at all) can be a PITA at best and a true tragedy if you use irreplaceable memories.

      So in conclusion: If the malware can run, whether on Linux or Windows, it can get to your stuff, which is WAY more important than whether or not your system gets hosed. After all any geek here at /. can get a system fully running and tweaked nicely in a couple of hours, how long would it take to replace that only copy of your vacation photos, or that only copy of your late grandmother's last Xmas here on earth?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Article Contents by petermgreen · · Score: 1

      meh

      Given access to a user's profile it's pretty trivial to set a trap such that next time they use su/sudo*/a menu entry that asks for a password to become root/etc the malware gets root.

      Though frankly running as a normal user is enough to send spam, perform ddos etc anyway.

      *assuming a sudo config that allows general root access, e.g. the default on ubuntu.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    6. Re:Article Contents by John+Hasler · · Score: 1

      > Actually it affected Linux browsers too.

      Only ones with Java enabled, something I've never needed.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    7. Re:Article Contents by GameboyRMH · · Score: 1

      That's right, a Linux virus could try to trick dumb users into giving root access using gksudo, kdesu, or even plain ol' su/sudo.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    8. Re:Article Contents by petermgreen · · Score: 2, Insightful

      Don't even need to trick them, just put wrappers in place so that next time they try to use one of those tools it runs the malware. For bonus points design the malware so it takes what the user was originally trying to do as a command line parameter and runs that as well so the user isn't any the wiser.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    9. Re:Article Contents by ChunderDownunder · · Score: 1

      Only those using the 'official' Sun binary too.

      These days, most distributions package the OpenJDK. This doesn't include the offending source but rather IcedTea replacements written by some clever Canadians at Red Hat.

    10. Re:Article Contents by Anonymous Coward · · Score: 0

      "plain ol' su/sudo."

      What about su-su-sudio?

    11. Re:Article Contents by Anonymous Coward · · Score: 0

      >> Yes, the summary's misleading; but the article at least is a bit clearer

      As always.

    12. Re:Article Contents by jabberw0k · · Score: 3, Informative

      If you are going to make a cogent argument, you should omit the profanity; by resorting to vulgarities you torpedo yourself. What a shame, you probably had a valid point.

    13. Re:Article Contents by jc42 · · Score: 1

      Only ones with Java enabled, something I've never needed.

      Yeah, but somehow, people never seem to pick up on the idea that it's never a good idea to allow your software to automatically run code downloaded from some outside machine. Even linux systems' browsers come with java and javascript enabled, and the user has to know enough to turn them off. We geeks know that this is a good idea, but the other 99.99% of humanity generally doesn't.

      It is sorta stupid. We knew very well by 1980 that accepting code from strangers and blindly executing it just wasn't a very good idea. This has been quite well publicised by all the security "experts" (and it doesn't really take much expertise to understand the concept ;-). It's a bit of a disappointment that computer software is still being produced (and accepted by users) that gets this really simple security concept wrong.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    14. Re:Article Contents by blackraven14250 · · Score: 1

      Hey, guess what?

      rm -r /home/*user* will work to destroy all of your shit before you know "something weird" is happening.

    15. Re:Article Contents by Confusador · · Score: 3, Informative

      Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!

      Spoken like someone who hasn't had to administer antivirus in a while. The antivirus cares if the bot can affect it, and it's awfully difficult to install a rootkit without root access. So restricting it to user level access means that you're likely to catch it before it wipes out your stuff. And that's all I care about.

    16. Re:Article Contents by GigaplexNZ · · Score: 2, Interesting

      Unless your username has the string "user" in it, that won't do a heck of a lot. Why do so many people try to create a way to suggest "replace with current user's home directory" when a syntactically correct one exists already? The added bonus is that it works even if the user's home directory is set up in a different location to the normal convention.

      rm -rf ~

    17. Re:Article Contents by Anonymous Coward · · Score: 1, Interesting

      Because frankly it doesn't matter if the malware is running with user or admin rights because in the end it HAS YOUR STUFF which is all anybody gives a shit about. I have never in my nearly 15 years of PC repair had anybody go "but is the system okay?".

      Obviously most of your clients would be people who don't really understand what happened, what caused it and how to prevent it. Getting your security design and configuration guidance from the opinions (or lack thereof) of people who need to pay to have their system cleaned isn't really how good engineering or administration is done. If you set up non-privileged accounts you can back up configuration and user data to another account without exec permissions. If the user's account gets compromised but without root privileges, the data is safe and the system can be cleaned in a couple of minutes instead of a couple of hours. That could be done cheaper for the customer, yet with a bigger profit margin to you. Most users who use a service like yours would still want you to handle it. I presume you charge enough for your time that your saved time would leave them enough money to spend on some storage space, so they wouldn't be using reduced space due to backups.

      Among Windows users I know who manage their own boxes, there seems to be an acceptance of reinstalling the OS quite often just to get it to a usable state. I haven't had to do that for years, only reinstalling for upgrades. Why would you put yourself through that? You're supposed to be the expert; the users lack the knowledge they are paying you to supply. The feature of permission restrictions is in the OS for a reason. I'd suggest you look for ways your job can be done more efficiently by scripting or otherwise automating backup and restore functions, and by preventing system damage. Sure, they care more about the data, but damage is damage and more is worse, even if the user doesn't understand. This will give you a competitive advantage over techs who do not supply such service.

    18. Re:Article Contents by buchner.johannes · · Score: 1

      You do realise ~ is replaced by the shell (try $ echo rm -rf ~)? rm will probably not understand it. You want the environment variable HOME.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    19. Re:Article Contents by Galactic+Dominator · · Score: 1

      Ah, that would be tricking them.

      --
      brandelf -t FreeBSD /brain
    20. Re:Article Contents by Anonymous Coward · · Score: 0

      One reason God invented backups.

    21. Re:Article Contents by GigaplexNZ · · Score: 2, Informative

      Yes, I realise that.

      (try $ echo rm -rf ~)? rm will probably not understand it

      test@localhost:~$ echo rm -rf ~
      rm -rf /home/test

      test@localhost:~$ ls -a ~
      . .. .bashrc

      test@localhost:~$ rm -rf ~
      rm: cannot remove directory `/home/test': Permission denied

      test@localhost:~$ ls -a ~
      . ..

      Aside from my test user not having permission to remove the directory itself, "rm -rf ~" does work and is devastating.

    22. Re:Article Contents by jesset77 · · Score: 1

      Given access to a user's profile it's pretty trivial to set a trap such that next time they use su/sudo*/a menu entry that asks for a password to become root/etc the malware gets root.

      While you are absolutely correct in this point, it is also true that most non-power users (assuming you get them into Linux at all to begin with) rarely ever need to sudo; they're too busy playing Farmville in Konqueror, or Nautilus or whatever.

      Malware that hangs around all ninja-like waiting for you to press the magic button is rare compared to malware that fscks your computer up so bad you bring it in for "being all slow and weird and stuff".

      And besides, KGB level secret squirrel malware poses little risk to your in-laws, as they are not strategic to gaining access to Chinese dissident Gmail accounts. ;3

      --
      People willing to trade their freedom of expression for temporary entertainment deserve neither and will lose both.
    23. Re:Article Contents by Anonymous Coward · · Score: 0

      Why do so many people try to create a way to suggest "replace with current user's home directory" when a syntactically correct one exists already?

      It's the worms. The brain eating worms. They crawl out from Windows computers and slowly eat away the user's soft organs...

    24. Re:Article Contents by Anonymous Coward · · Score: 1, Funny

      After all any geek here at /. can get a system fully running and tweaked nicely in a couple of hours, how long would it take to replace that only copy of your vacation photos, or that only copy of your late grandmother's last Xmas here on earth?

      Backups.
      Wanna hear something amazing? If your root/admin account is safe you can store those on the same computer!

    25. Re:Article Contents by patiodragon · · Score: 1

      "The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!"

      This is just plain wrong. Of the people's computers I've gone to repair (reinstall Windows), half of them have said "nothing" when I ask them if there is anything on it they need to save. So, while I can't say 100% don't care, your quote about 100% caring about "their stuff" is just plain bullshit. Half the people just want to surf the web and check their web mail.

    26. Re:Article Contents by Anonymous Coward · · Score: 0

      Actually I believe I have the latest install of Java (19) and this was still susceptible to this under the latest Firefox (3.6.3). It took me a while to even figure out how to disable Java in Firefox.

    27. Re:Article Contents by Anonymous Coward · · Score: 0

      you should try rm -rf '~'

    28. Re:Article Contents by Anonymous Coward · · Score: 0

      You're an idiot.
      You should have tried
      $ rm -r '~'
      it would tell you that rm doesn't understand ~ because only the shell understands ~.
      Granted, rm doesn't resolve environment variables either, so GP's point is somewhat misdirected. But if you want to make a portable tool, you should use the environment variable and not ~, because ~ is just a hint for the shell to read $HOME, and not a concept built into Unix.
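The distinction the last few comments circle around (the shell expands ~ before rm ever sees it, and a portable tool should read HOME itself) is easy to get wrong in scripts. Added example, not from the thread: a small POSIX sh script that resolves a literal ~ from $HOME and refuses to build a path under an unset or empty HOME, which is the case where "$HOME/cache" silently becomes "/cache". The function names and sample paths are my own assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): resolving a user's home directory in a
# script without relying on the interactive shell's tilde expansion.
#
# Two points from the discussion above:
#   1. "~" is expanded by the shell before a command runs. A program that is
#      handed a literal "~" (from a config file, a quoted argument, a cron job
#      with no shell) must resolve it itself, and the portable way is $HOME.
#   2. "$HOME/cache" with HOME unset or empty is just "/cache", so a script
#      that goes on to delete that path must refuse to run instead.

# resolve_home_path PATH
# Replaces a leading literal "~" or "~/" with $HOME; other paths (including
# "~user/..." forms) are returned unchanged. Returns 1 and prints nothing if
# HOME is unset or empty.
resolve_home_path() {
    path=$1
    case $path in
        '~'|'~/'*)
            if [ -z "${HOME-}" ]; then
                printf 'resolve_home_path: HOME is unset or empty\n' >&2
                return 1
            fi
            ;;
    esac
    case $path in
        '~')   printf '%s\n' "$HOME" ;;
        '~/'*) printf '%s/%s\n' "$HOME" "${path#??}" ;;   # strip the "~/"
        *)     printf '%s\n' "$path" ;;
    esac
}

# home_subdir NAME
# Builds "$HOME/NAME" for a tool that keeps per-user state. Refuses an empty
# HOME, and a NAME that is empty, ".", ".." or contains a slash, so that a
# later "rm -rf" on the result can only reach one directory directly below
# the user's home.
home_subdir() {
    name=$1
    if [ -z "${HOME-}" ]; then
        printf 'home_subdir: HOME is unset or empty\n' >&2
        return 1
    fi
    case $name in
        ''|.|..|*/*)
            printf 'home_subdir: refusing name "%s"\n' "$name" >&2
            return 1
            ;;
    esac
    printf '%s/%s\n' "$HOME" "$name"
}

# Demonstration with a constructed HOME inside a scratch directory, run in a
# subshell so the caller's environment is untouched.
(
    scratch=$(mktemp -d)
    HOME=$scratch
    export HOME
    resolve_home_path '~/.cache/tool'     # prints $scratch/.cache/tool
    home_subdir '.cache'                  # prints $scratch/.cache
    unset HOME
    home_subdir '.cache' || echo "refused as expected"
    rm -rf "$scratch"
)
```

The second function is the guard that matters when the script later deletes what it built: a cleanup written as rm -rf "$(home_subdir .cache)" fails closed instead of running against "/.cache" on a host where HOME was never exported.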

    29. Re:Article Contents by Fred_A · · Score: 1

      You do realise ~ is replaced by the shell (try $ echo rm -rf ~)? rm will probably not understand it.

      It's because it's replaced by the shell that rm doesn't have to understand it. That's why the DOS design was stupid.

      --
      May contain traces of nut.
      Made from the freshest electrons.
    30. Re:Article Contents by supssa · · Score: 1

      You've worked in PC repair for 15 years? I'm very sorry you never had any aspirations beyond a high school level career. PC repair wasn't even tough or cool in 1995-1996 dude.

      --
      Hatin' on products I don't like and getting modded up talking about tech I totally don't understand like it was 2005!
  9. How to disable Java? by mtxf · · Score: 2, Informative

    In recent times firefox seems to have removed the little "[ ] Enable Java" checkbox from the Options > Content page, however I've found if you go into Tools > Add-ons > Plugins you can disable the Java(TM) Platform SE 6 Uxx plugin from there, which seems like it does the trick.

    1. Re:How to disable Java? by The+MAZZTer · · Score: 2, Informative

      That's probably why they removed it. Java is less and less popular so it makes sense to not make it as prominent. Plus it's not even built into the browser, it's a plugin, and now you can disable any plugin.

    2. Re:How to disable Java? by Anonymous Coward · · Score: 0

      That's probably why they removed it. Java is less and less popular so it makes sense to not make it as prominent. Plus it's not even built into the browser, it's a plugin, and now you can disable any plugin.

      What's this "Java" that everyone is talking about?

    3. Re:How to disable Java? by mtxf · · Score: 2, Informative

      Replying to myself, I know. I also just read TFA (!) and disabling the Java Platform plugin alone isn't enough!

      --------------------
      Affected Software
      ------------------------

      All versions since Java SE 6 update 10 for Microsoft Windows are believed to be
      affected by this vulnerability. Disabling the java plugin is not sufficient to
      prevent exploitation, as the toolkit is installed independently.

      There's a separate plugin called something like Java Deployment Toolkit which you also need to kill.

      To check if you're vulnerable, PoC is here: http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

    4. Re:How to disable Java? by binarylarry · · Score: 0

      This was fixed in a really old update: http://java.sun.com/javase/6/webnotes/6u17.html

      --
      Mod me down, my New Earth Global Warmingist friends!
  10. Already fixed a long time ago in jdk 6 r 17 by Anonymous Coward · · Score: 0, Informative

    yawn. old news.
    http://java.sun.com/javase/6/webnotes/6u17.html
    6872824 javawebstart general arbitary code execution using java web start
    this has long since been fixed.

  11. This is Javocalypse by Anonymous Coward · · Score: 1, Funny
  12. Yet another reason to use NoScript. by SomeGuyFromCA · · Score: 0

    I've never been a fan of Flash/Java/Javascript/ActiveX.

    Let random webpages run arbitrary code on my computer? Sounds like a great idea!

    Some marketeer must have come up with that one.

    --
    if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    1. Re:Yet another reason to use NoScript. by Anonymous Coward · · Score: 0

      Running your web browser without any plugins is not any safer than running Java applets. I've seen far more browser exploits in the past years than Java exploits. Java has a far better security record.

  13. felonious 'bankers' euphoric/orgasmic over our.. by Anonymous Coward · · Score: 0

    apathy, lack of ability to concentrate/believe we have any abilities to hold anyone responsible for their unconscionable behaviors.

    that's costing US big, & not just in the total permanent debt we're being held hostage by.

    must be our children deserve nothing better. we only feel sad for them now. lemming sea.

  14. options may include stopping their cash flow by Anonymous Coward · · Score: 0

    hasn't been raised yet, quite the opposite in fact.

    or, they could be arrested for grand larceny, fraud, misrepresentation etc..., as any one of us would be were we committing similar crimes.

    that would make way too much sense &/or could possibly result in some improved behaviors by their replacements.

  15. I use it by XanC · · Score: 1

    It's pretty much the only option for printing from a browser without requiring a prompt. (And printing in text mode, too.)

    This part of the project isn't for general consumption, though; it's only for customers who need this particular functionality.

  16. the FF plugin I use to avoid this by Tumbleweed · · Score: 1

    'QuickJava'. That 'J' icon is always disabled.

  17. Is it really that bad? by ZipprHead · · Score: 1

    From the article:

    "Java.exe and javaw.exe support an undocumented-hidden command-line parameter "-XXaltjvm" and curiously also "-J-XXaltjvm" (see -J switch in javaws.exe). This instructs Java to load an alternative JavaVM library (jvm.dll or libjvm.so) from the desired path. Game over."

    But you would have to get that DLL or SO there in the first place no?

    1. Re:Is it really that bad? by John+Hasler · · Score: 1

      > But you would have to get that DLL or SO there in the first place no?

      Yes, but this is on Windows. The bot that controls your machine will already have installed all the standard malware libraries and utilities.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Is it really that bad? by fluffy99 · · Score: 1

      But you would have to get that DLL or SO there in the first place no?

      There are methods of ensuring a given file is in the temp/cache directory. This just provides a method of executing it. The file name can be specified as a UNC? Which means it can download it from \\server\share\exploit.jar if you don't have netbios blocked at the firewall.

    3. Re:Is it really that bad? by Anonymous Coward · · Score: 0

      I'm sorry, but that's a hilarious oversight. Jebus, I can't even imagine myself having programmed that in 1995. Didn't anyone at SUN know how filepaths work?!

  18. Some precisions.... by ls671 · · Score: 5, Informative

    Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file.

    Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code.

    I thought this should be made clearer... ;-))

    --
    Everything I write is lies, read between the lines.
    1. Re:Some precisions.... by ls671 · · Score: 1

      This is worse than I thought; further research reveals that: ;-)

      In their default configurations:

      1) Firefox prompts you with a dialog similar to "open file abc.exe". ;-))

      2) IE8 opens the unsigned application right away without prompting. ;-((

      http://java.sun.com/javase/technologies/desktop/javawebstart/demos.html

      Also Web Start uses some sandboxing, but I have trusted it since I have never looked it up ;-))

      --
      Everything I write is lies, read between the lines.
    2. Re:Some precisions.... by essinger · · Score: 1

      Yeah, when I saw Web Start I knew it was nothing serious. Just another anti-Java Slashdot article.

    3. Re:Some precisions.... by essinger · · Score: 1

      Alright, a little worse than I thought. More just annoying really, unless you don't keep your software up-to-date.

    4. Re:Some precisions.... by fluffy99 · · Score: 1

      IE8 opens the unsigned application right away without prompting. ;-((

      http://java.sun.com/javase/technologies/desktop/javawebstart/demos.html

      Those apps ARE signed. If you look in the java control panel you'll see that there is a certificate for Sun installed. Remove that certificate and those apps behave just like all the other unsigned apps, and you'll get prompted first.

      Of course this is unrelated to the current flaw.

    5. Re:Some precisions.... by Anonymous Coward · · Score: 0

      That's plain wrong. Java Webstart applications run sandboxed (just like applets) unless you explicitly grant them extra permissions (a window pops up asking you for permission).

    6. Re:Some precisions.... by jrumney · · Score: 1

      Java Web Start runs apps in a sandbox by default. To obtain extra privileges, apps have to be signed and the user is presented with a confirmation dialog, the same as for Java applets.

    7. Re:Some precisions.... by Anonymous Coward · · Score: 0

      It's still sandboxed. Developers need to specify what permissions their application uses and the user gets a prompt that an application needs those permissions. There are a lot of lazy developers who specify that their application needs "all permissions" and a lot of users who click on the "yes" button without reading though...

    8. Re:Some precisions.... by tsotha · · Score: 1

      My friend, you have no idea what you're talking about. An application run under Java Webstart is very much like an applet - it runs in the sandbox unless you specifically, deliberately give it more access.

    9. Re:Some precisions.... by caluml · · Score: 1

      Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file.

      What the hell?

      Java has a very finely grained security permissions model, and although I don't know, I would expect javaws to honour it.
      E.g.

      grant codeBase "file:{jnlpx.home}/javaws.jar" {
      permission java.net.SocketPermission "1.2.3.4:313", "connect,resolve";
      }

  19. Re: mod parent down. RTFA. Affects 1.6.0_19. by Anonymous Coward · · Score: 0

    RTFA http://seclists.org/fulldisclosure/2010/Apr/119 says:

    $ java -version
    java version "1.6.0_19"
    Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
    Java HotSpot(TM) Client VM (build 16.2-b04, mixed mode, sharing)

  20. On the positive side.... by ishmalius · · Score: 1

    This means that there will be a JDK 1.6u20 out soon.

  21. Somebody please mod parent up! by KGBear · · Score: 1

    Thank you, SomeGuy! I wish more people saw that.

    1. Re:Somebody please mod parent up! by Anonymous Coward · · Score: 0

      Isn't it ironic the parent post was modded up more than its parent?

  22. And yet it ISN'T fixed by Wee · · Score: 3, Informative

    The article says that version 1.6.0_19 is affected.

    So no, not old news. Not "long since" fixed.

    -B

    --
    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

    1. Re:And yet it ISN'T fixed by Anonymous Coward · · Score: 0

      I tried to run their simple exploit demo, but it failed to load.

    2. Re:And yet it ISN'T fixed by fluffy99 · · Score: 3, Informative

      I tried to run their simple exploit demo, but it failed to load.

      I just tested 1.6.0_18 and 1.6.0_19. Under IE8, both popped up an error that it couldn't download the exploit file. Firefox loaded Java, but nothing happened and no error was posted. So I would say, yes they are still vulnerable. It's just that the demo exploit file was not reachable.

  23. Java role-playing game tools by Zan+Lynx · · Score: 1

    There are some pretty useful tools for playing RPGs like GURPS, D&D, etc. I use GURPS Character Sheet and I've used a couple of different Java shared map programs to make it easy to play pen and paper games over the Internet.

  24. Java has had a built-in backdoor by Animats · · Score: 5, Insightful

    This isn't a bug. This is a backdoor inserted by someone at Sun.

    The article says there is an "undocumented parameter" which allows specifying, on the command line, which run-time system to load. That allows loading arbitrary executable code. It's a built-in backdoor.

    1. Re:Java has had a built-in backdoor by petermgreen · · Score: 5, Interesting

      Personally I doubt this was deliberate.

      The ability to load a different version of the jvm dll sounds like a debugging feature and normally someone running java from the command line would have the ability to run anything else anyway so it wouldn't really seem like a security flaw.

      Processing untrusted stuff to allow it to be passed to an interface designed to take trusted stuff is known to be something that is easy to fuck up. Just look at all the sql injection attacks over the years.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    2. Re:Java has had a built-in backdoor by jrumney · · Score: 1

      The Java applet plugin has a documented parameter to specify the version of JVM to run, so including such a parameter in Java Web Start is unlikely to be a malicious back door. The workaround for both vulnerabilities is to uninstall old vulnerable JVMs from your system so they are not available to exploit.

  25. HURRY!!! by Anonymous Coward · · Score: 2, Funny

    Both users of Java Web Start need to be contacted immediately!

  26. As compared to what? by Anonymous Coward · · Score: 0

    As compared to what?

  27. This is why I use NoScript by Anonymous Coward · · Score: 0

    Java isn't really doing any good for anybody nowadays, is it?

    1. Re:This is why I use NoScript by Anonymous Coward · · Score: 0

      Java is good for plenty nowadays. In particular, it is more useful in one day than you will ever be in your entire life.

  28. Sounds like FUD to me... by mswhippingboy · · Score: 2, Insightful

    This is not a flaw in java. This is (possibly) a flaw in JavaWS, which is nothing more than a technology for launching applications from a web page. It does not affect java applets, or java applications launched from the command line or desktop.
    If you RTFA, you'll see that the problem is that a link can redirect the executable that gets launched so that INSTEAD of java launching, something nefarious gets launched.

    While the whole scenario described is a bit contrived, it is something that should definitely be corrected. It is not, however, a flaw in Java.
    Calling this a flaw in java is equivalent to claiming that .Net has a serious security flaw because a link can be created that claims to launch a .Net application when in reality it points to a spyware executable.

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    1. Re:Sounds like FUD to me... by trancemission · · Score: 0

      how does said exe/dll get on host?

    2. Re:Sounds like FUD to me... by trancemission · · Score: 0

      does it really allow it to be loaded from a url

    3. Re:Sounds like FUD to me... by mswhippingboy · · Score: 1

      When an app is launched using JavaWS, the JVM that resides on your workstation is what gets launched - not one from the host (that's why you have to have Java installed to launch using JavaWS - aka JNLP). The Java code itself (i.e. the Java application you are intending to launch) is downloaded from the host. The problem above is that the JavaWS code on the server can specify via a parameter what JVM to use when launching the application, and therein lies the vulnerability. If the JavaWS code specifies a trojan horse DLL disguised as a JVM previously loaded on your machine, there is a chance it could launch a virus or malware. Of course, this would require that the virus/malware be already present on your machine and the parameter would have to know where it is located (which is why I feel the scenario is a bit contrived), but nonetheless, the possibility exists.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
  29. not really by Anonymous Coward · · Score: 0

    Oh come on. That's not really a problem. Do you know what Java Web Start is? A way to download a native Java application onto your PC. This native application has full control of your PC.

    So Java Web Start says: hey, do you want to run this application on your PC? Are you sure about it? Really, really sure?

    If you say yes, it is more plausible that the problem came from an application with a simple:

    Runtime.getRuntime().exec("c:\\evil.exe")

    than from an obscure option in javaws....

  30. Wire mesh by Jim+Efaw · · Score: 1

    Ceramic parabolas? I prefer wired mesh, that way I can put more on my head.

    *Whoosh*

    Maybe it's not the kind of "whoosh" you think it is. Maybe he just likes that sort of nasty.

  31. Using Java Web Start by Anonymous Coward · · Score: 0

    Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file. Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code. I thought this should be made clearer... ;-))