Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious New Java Flaw Affects All Browsers

Posted by Soulskill on from the at-least-it's-consistent dept.

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

9 of 164 comments (clear)

  1. Guess it's time to uncheck that box by Ma8thew · · Score: 3, Informative

    Can't recall the last time I even used a Java applet. Just uncheck the box in preferences and forget about it.

  2. Re:Howcum? by binarylarry · · Score: 3, Informative

    Because it's not an exploit in Java, it's an exploit in the way parameter are provided to Java, when it is launched by the web start native executable.

    --
    Mod me down, my New Earth Global Warmingist friends!
  3. Re:Article Contents by binarylarry · · Score: 5, Informative

    Actually it affected Linux browsers too.

    However, it was fixed a few updates ago: http://java.sun.com/javase/6/webnotes/6u17.html

    --
    Mod me down, my New Earth Global Warmingist friends!
  4. Re:New? by shutdown+-p+now · · Score: 3, Informative

    Offtopic, but you really should remove or replace that link in your sig if you want to be taken seriously on any topic related to Java (or .NET). It's so out of date it's not even funny - a lot of points are at best misleading, at at worst blatantly wrong - and you've been called out on that on /. several times already.

    Actually, come to think of it, quite a few bullet points there were lies in 2004, as well, which makes me wonder if you're just ignorant, or deliberately spreading FUD.

  5. Some precisions.... by ls671 · · Score: 5, Informative

    Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file.

    Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code.

    I thought this should be made clearer... ;-))

    --
    Everything I write is lies, read between the lines.
  6. And yet it ISN'T fixed by Wee · · Score: 3, Informative

    The article says that version 1.6.0_19 is affected.

    So no, not old news. Not "long since" fixed.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

    1. Re:And yet it ISN'T fixed by fluffy99 · · Score: 3, Informative

      I tried to run their simple exploit demo, but it failed to load.

      I just tested 1.6.0_18 and 1.6.0_19. Under IE8, both popped up an error that it couldn't download the exploit file. Firefox loaded Java, but nothing happened and no error was posted. So I would say, yes they are still vulnerable. It's just that the demo exploit file was not reachable.

  7. Re:Article Contents by jabberw0k · · Score: 3, Informative

    If you are going to make a cogent argument, you should omit the profanity; by resorting to vulgarities you torpedo yourself. What a shame, you probably had a valid point.

  8. Re:Article Contents by Confusador · · Score: 3, Informative

    Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!

    Spoken like someone who hasn't had to administer antivirus in a while. The antivirus cares if the bot can affect it, and it's awfully difficult to install a rootkit without root access. So restricting it to user level access means that you're likely to catch it before it wipes out your stuff. And that's all I care about.