Slashdot Mirror


Serious New Java Flaw Affects All Browsers

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

18 of 164 comments

  1. Guess it's time to uncheck that box by Ma8thew · · Score: 3, Informative

    Can't recall the last time I even used a Java applet. Just uncheck the box in preferences and forget about it.

    1. Re:Guess it's time to uncheck that box by pjt33 · · Score: 2, Informative

      Java Webstart, not applet. Basically you download a .jnlp file, which is an xml config file telling it where to download an application to then execute. It's supposed to be sandboxed. But what matters is how your browser handles .jnlp files (or the corresponding mimetype), not how it handles applet tags (or the corresponding object tag).

    2. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 1, Informative

      I work for a reasonably large multi-national corporation, and we distribute a suite of server management tools as java applets. I don't ask why Java was chosen, and I don't know how well received the suite is by customers, but I know my job would be impossible without a JRE on my office workstation.

  2. This is javocalypse by Anonymous Coward · · Score: 2, Informative
  3. How to disable Java? by mtxf · · Score: 2, Informative

    In recent times Firefox seems to have removed the little "[ ] Enable Java" checkbox from the Options > Content page, however I've found if you go into Tools > Add-ons > Plugins you can disable the Java(TM) Platform SE 6 Uxx plugin from there, which seems like it does the trick.

    1. Re:How to disable Java? by The MAZZTer · · Score: 2, Informative

      That's probably why they removed it. Java is less and less popular so it makes sense to not make it as prominent. Plus it's not even built into the browser, it's a plugin, and now you can disable any plugin.

    2. Re:How to disable Java? by mtxf · · Score: 2, Informative

      Replying to myself, I know. I also just read TFA (!) and disabling the Java Platform plugin alone isn't enough!

      --------------------
      Affected Software
      ------------------------

      All versions since Java SE 6 update 10 for Microsoft Windows are believed to be
      affected by this vulnerability. Disabling the java plugin is not sufficient to
      prevent exploitation, as the toolkit is installed independently.

      There's a separate plugin called something like Java Deployment Toolkit which you also need to kill.

      To check if you're vulnerable, PoC is here: http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

  4. Re:Howcum? by binarylarry · · Score: 3, Informative

    Because it's not an exploit in Java, it's an exploit in the way parameters are provided to Java, when it is launched by the web start native executable.

    --
    Mod me down, my New Earth Global Warmingist friends!
  5. Already fixed a long time ago in jdk 6 r 17 by Anonymous Coward · · Score: 0, Informative

    yawn. old news.
    http://java.sun.com/javase/6/webnotes/6u17.html
    6872824 javawebstart general arbitary code execution using java web start
    this has long since been fixed.

  6. Re:Article Contents by binarylarry · · Score: 5, Informative

    Actually it affected Linux browsers too.

    However, it was fixed a few updates ago: http://java.sun.com/javase/6/webnotes/6u17.html

    --
    Mod me down, my New Earth Global Warmingist friends!
  7. Re:New? by shutdown -p now · · Score: 3, Informative

    Offtopic, but you really should remove or replace that link in your sig if you want to be taken seriously on any topic related to Java (or .NET). It's so out of date it's not even funny - a lot of points are at best misleading, at worst blatantly wrong - and you've been called out on that on /. several times already.

    Actually, come to think of it, quite a few bullet points there were lies in 2004, as well, which makes me wonder if you're just ignorant, or deliberately spreading FUD.

  8. Some precisions.... by ls671 · · Score: 5, Informative

    Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file.

    Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code.

    I thought this should be made clearer... ;-))

    --
    Everything I write is lies, read between the lines.
  9. Re:All browsers? by NatasRevol · · Score: 2, Informative

    From the first link:

    "Because the JavaWS technology is included in the Java Runtime Environment, which is used by all of the major browsers, the vulnerability affects all of these applications, including Firefox, Internet Explorer and Chrome, on all versions of Windows from 2000 through Windows 7, Santamarta said. Browsers running on Apple's Mac OS X are not vulnerable."

    --
    There are two types of people in the world: Those who crave closure
  10. And yet it ISN'T fixed by Wee · · Score: 3, Informative

    The article says that version 1.6.0_19 is affected.

    So no, not old news. Not "long since" fixed.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

    1. Re:And yet it ISN'T fixed by fluffy99 · · Score: 3, Informative

      I tried to run their simple exploit demo, but it failed to load.

      I just tested 1.6.0_18 and 1.6.0_19. Under IE8, both popped up an error that it couldn't download the exploit file. Firefox loaded Java, but nothing happened and no error was posted. So I would say, yes they are still vulnerable. It's just that the demo exploit file was not reachable.

  11. Re:Article Contents by jabberw0k · · Score: 3, Informative

    If you are going to make a cogent argument, you should omit the profanity; by resorting to vulgarities you torpedo yourself. What a shame, you probably had a valid point.

  12. Re:Article Contents by Confusador · · Score: 3, Informative

    Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!

    Spoken like someone who hasn't had to administer antivirus in a while. The antivirus cares if the bot can affect it, and it's awfully difficult to install a rootkit without root access. So restricting it to user level access means that you're likely to catch it before it wipes out your stuff. And that's all I care about.

  13. Re:Article Contents by GigaplexNZ · · Score: 2, Informative

    Yes, I realise that.

    (try $ echo rm -rf ~)? rm will probably not understand it

    test@localhost:~$ echo rm -rf ~
    rm -rf /home/test

    test@localhost:~$ ls -a ~
    . .. .bashrc

    test@localhost:~$ rm -rf ~
    rm: cannot remove directory `/home/test': Permission denied

    test@localhost:~$ ls -a ~
    . ..

    Aside from my test user not having permission to remove the directory itself, "rm -rf ~" does work and is devastating.