Slashdot Mirror


Serious New Java Flaw Affects All Browsers

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

5 of 164 comments

  1. Re:Guess it's time to uncheck that box by thsths · · Score: 2, Interesting

    > Sun botched the first applet plugin (which sucked). They rewrote it last year, which was recently released in an update.

    Can you tell me where I get a Java plugin that doesn't suck? Because mine still does - it takes seconds to load, blocks the browser in the meantime, it always looks ugly (something wrong with the fonts?), and it often interferes with the web page. Plus the update mechanism is terrible - certainly if you have a normal user account for normal use.

    Actually even the Flash plugin is a lot better, plus Flash graphics just look excellent.

  2. Re:All browsers? by WrongSizeGlass · · Score: 2, Interesting

    I guess this is also the one good thing for iPhone and iPod Touch users...since they can't run Java anyways, they are also immune.

    FTFA: "Browsers running on Apple's Mac OS X are not vulnerable." That includes iPhone, iPod Touch & iPad .... oh, and Macs, too.

  3. Re:All browsers? by TheRaven64 · · Score: 2, Interesting

    I went to disable Java as soon as I saw the headline (before getting to the part that said my platform was not affected). When I got to the preferences dialog, I found that it was already disabled. I turned it off last time there was a high-profile Java vulnerability - about two years ago, as I recall - and had completely forgotten. I guess that means that Java Applets are pretty much dead. I can't remember the last time that I saw one, and I've certainly not seen any sites failing because I had Java disabled.

    --
    I am TheRaven on Soylent News

  4. Re:Java has had a built-in backdoor by petermgreen · · Score: 5, Interesting

    Personally I doubt this was deliberate.

    The ability to load a different version of the JVM DLL sounds like a debugging feature, and normally someone running Java from the command line would have the ability to run anything else anyway, so it wouldn't really seem like a security flaw.

    Processing untrusted stuff to allow it to be passed to an interface designed to take trusted stuff is known to be something that is easy to fuck up. Just look at all the SQL injection attacks over the years.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register

  5. Re:Article Contents by GigaplexNZ · · Score: 2, Interesting

    Unless your username has the string "user" in it, that won't do a heck of a lot. Why do so many people try to create a way to suggest "replace with current user's home directory" when a syntactically correct one exists already? The added bonus is that it works even if the user's home directory is set up in a different location to the normal convention.

    rm -rf ~