Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious New Java Flaw Affects All Browsers

Posted by Soulskill on from the at-least-it's-consistent dept.

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

9 of 164 comments (clear)

  1. All browsers? by K.+S.+Kyosuke · · Score: 4, Funny

    Oh come, on. Shall I try it in Links? I've told you a million times that you're not supposed to overuse hyperboles.

    --
    Ezekiel 23:20
  2. Article Contents by Oxford_Comma_Lover · · Score: 4, Insightful

    Yes, the summary's misleading; but the article at least is a bit clearer: it refers to windows-based browsers.

    "In his advisory, Ormandy said that he notified Sun about the vulnerability but that the vendor didn't believe it was serious enough to warrant an emergency patch," sayeth the article.

    Now that it's on slashdot, of course, that is clearly no longer the case, if indeed it was.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    1. Re:Article Contents by binarylarry · · Score: 5, Informative

      Actually it affected Linux browsers too.

      However, it was fixed a few updates ago: http://java.sun.com/javase/6/webnotes/6u17.html

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:Article Contents by hairyfeet · · Score: 5, Insightful

      Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!

      So can we please let this little fact DIAF already? Because frankly it doesn't matter if the malware is running with user or admin rights because in the end it HAS YOUR STUFF which is all anybody gives a shit about. I have never in my nearly 15 years of PC repair had anybody go "but is the system okay?". All anybody has ever ever cared about, even when I tell them I'm gonna have to nuke it, is "can you give me back my stuff please?". So let us just let this little "malware at root VS user" crud die already. If you have malware running at either level it has access to your stuff, which depending on how religiously you back up (which guess what? 99.995% of users in my experience don't have recent backups, if they have backups at all) can be a PITA at best and a true tragedy if you use irreplaceable memories.

      So in conclusion: If the malware can run, whether on Linux or Windows, it can get to your stuff, which is WAY more important than whether or not your system gets hosed. After all any geek here at /. can get a system fully running and tweaked nicely in a couple of hours, how long would it take to replace that only copy of your vacation photos, or that only copy of your late grandmother's last Xmas here on earth?

      --
      ACs don't waste your time replying, your posts are never seen by me.
  3. Re:New? by binarylarry · · Score: 4, Insightful

    Compared to what? Java has a pretty fantastic security track record.

    Also this isn't an exploit in the Java runtime, it's an exploit in the way the web start native launcher parses arguments before using them to launch the Java virtual machine.

    --
    Mod me down, my New Earth Global Warmingist friends!
  4. Re:Guess it's time to uncheck that box by AchilleTalon · · Score: 4, Funny

    Well, I am mainly writing Web client applications in Java to gain unauthorized access to your desktop.

    --
    Achille Talon
    Hop!
  5. Some precisions.... by ls671 · · Score: 5, Informative

    Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file.

    Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code.

    I thought this should be made clearer... ;-))

    --
    Everything I write is lies, read between the lines.
  6. Java has had a built-in backdoor by Animats · · Score: 5, Insightful

    This isn't a bug. This is a backdoor inserted by someone at Sun.

    The article says there is an "undocumented parameter" which allows specifying, on the command line, which run-time system to load. That allows loading arbitrary executable code. It's a built-in backdoor.

    1. Re:Java has had a built-in backdoor by petermgreen · · Score: 5, Interesting

      Personally I doubt this was deliberate.

      The ability to load a different version of the jvm dll sounds like a debugging feature and normally someone running java from the command line would have the ability to run anything else anyway so it wouldn't really seem like a security flaw.

      Processing untrusted stuff to allow it to be passed to an interface designed to take trusted stuff is known to be something that is easy to fuck up. Just look at all the sql injection attacks over the years.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register