Slashdot Mirror


Java Exploit Patched? Not So Fast

PCM2 writes "The Register reports that Security Explorations' Adam Gowdiak says there is still an exploitable vulnerability in the Java SE 7 Update 7 that Oracle shipped as an emergency patch yesterday. 'As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.'"

16 of 87 comments

  1. Arrrrrg by Haawkeye · · Score: 5, Insightful

    Come on, really! That's it, Java is coming off my machines!

    1. Re:Arrrrrg by cbhacking · · Score: 4, Insightful

      Using what, a VM? That's probably the easiest and most cross-platform, but that hardly makes it easy (especially since VMs that are designed for easy use make extremely poor sandboxes). AppArmor or SELinux or some such? Well beyond the capabilities of most users. A dedicated low-privilege user account? That's possible on pretty much any platform, but will still leave a mess that you'll have to clean up afterward.

      Besides, I'd really rather stop before the attacker gets arbitrary code execution on my machine. Java is disabled or simply not present on my machines, thank you.

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Arrrrrg by Jeremiah+Cornelius · · Score: 4, Funny

      Oracle should be "patched" by Anonymous.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:Arrrrrg by Nerdfest · · Score: 5, Informative

      I may have this wrong, but isn't this exploit only possible if you have Java enabled in your browser, which you only need to run Java applets? When was the last time you saw a Java applet? Disable it. I'm surprised it's still enabled by default (I think it's actually disabled in Chrome).
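Checking whether the Java browser plugin is actually present, and removing it without uninstalling the JRE, is the practical form of the "disable it" advice above. The following is an added example and not part of the thread: on Linux, Oracle's JRE provides the NPAPI plugin for Firefox-family browsers as libnpjp2.so, normally symlinked into a Mozilla plugins directory; the directory list and the file-name pattern are assumptions to adjust for your own distribution.

```shell
#!/bin/sh
# Added example (not from the thread). Locate the Java NPAPI browser plugin
# (libnpjp2.so, as shipped with Oracle's JRE on Linux) in the given plugin
# directories and, if wanted, remove the symlink so applets cannot run while
# the JRE itself stays installed for desktop Java applications.
# Directory list and file names are assumptions; verify them on your system.

# Usual plugin directories (assumed; add your browser's own paths as needed).
default_dirs() {
    echo "$HOME/.mozilla/plugins /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins"
}

# find_java_plugin DIR...
# Prints every Java plugin file found in the directories given.
# Exit status 0 if at least one was found, 1 otherwise (grep-style).
find_java_plugin() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/libnpjp2.so "$dir"/libjavaplugin*.so; do
            # An unmatched glob is left as a literal; -e/-L skip it.
            [ -e "$f" ] || [ -L "$f" ] || continue
            echo "$f"
            found=1
        done
    done
    [ "$found" -eq 1 ]
}

# disable_java_plugin DIR...
# Removes only symlinks (the normal way the plugin is registered), so the
# JRE's own copy of the library is left untouched. Real files are reported
# and left for the administrator to handle.
disable_java_plugin() {
    for f in $(find_java_plugin "$@"); do
        if [ -L "$f" ]; then
            rm -f "$f" && echo "removed $f"
        else
            echo "skip $f (not a symlink; remove by hand)"
        fi
    done
}

# Usage:
#   . ./java-plugin.sh
#   find_java_plugin $(default_dirs) && echo "Java browser plugin is enabled"
#   disable_java_plugin $(default_dirs)
```

The check only tells you about the plugin path Firefox-style browsers load from; a browser that keeps its own plugin list (as Chrome does) needs its own setting reviewed separately, and the plugin can be re-registered by a later JRE update, so the check is worth repeating after one.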

    4. Re:Arrrrrg by whoever57 · · Score: 4, Insightful

      When was the last time you saw a Java applet?

      Try using Webex without Java enabled in your browser.

      --
      The real "Libtards" are the Libertarians!
    5. Re:Arrrrrg by Nerdfest · · Score: 3, Informative

      That product is pretty much a security exploit by its very nature.

    6. Re:Arrrrrg by LordLimecat · · Score: 5, Funny

      Sandbox [Java VM] externally

      Using what, a VM?

      Yo dawg, I heard you liked virtual machines...

  2. Not surprising by cbhacking · · Score: 4, Interesting

    They've patched 6 of the 19 vulns that were reported back in April. Three were patched a couple months back as part of their usual 4-month patch cycle. As far as I know, those were never used in the wild. Three more were patched just recently, in response to rampant in-the-wild use and inclusion in exploit kits, etc.

    Of course, that leaves 13 still unpatched, and while apparently quite a few of them are defense-in-depth (insufficient, on their own, for full compromise), when you've got that many unpatched vulns it is totally unsurprising that somebody can chain a few of them together into a working exploit.

    --
    There's no place I could be, since I've found Serenity...
  3. WORE by tobiasly · · Score: 5, Funny

    Oracle should be commended for finally bringing their "Write Once, Run Everywhere(tm)" vision to the exploit community.

    1. Re:WORE by sjames · · Score: 3, Funny

      Honest to God, when I glanced at the subject, I read it as "WHORE" which seems somewhat apt for Java these days.

    2. Re:WORE by cbhacking · · Score: 5, Interesting

      Normally I'd agree with you, but the exact same thing is true of JavaScript and yet very, very few people are calling for a universal end to that. Now, a handful of people (relative to the global computer userbase) use NoScript, but even among NoScript users most realize that it's either too complex or too difficult for most people to use correctly all the time.

      As it happens, I do block plug-ins (especially Flash and Java) by default, permitting them only on a case-by-case basis, except where I can remove them entirely. However, even to my (highly technical; he's been coding since he was in high school) father, that's too much of a hassle. He expects (rightly, if not wisely) that software vendors will keep their software as secure as possible, and respond quickly to any threats. That's the standard to which I'm holding Oracle here, and they're failing to meet it.

      --
      There's no place I could be, since I've found Serenity...
    3. Re:WORE by SplashMyBandit · · Score: 4, Informative

      > With Java, you can exploit OS X, Linux, BSD, any ...
      I know you say "Java applets" later on, but it is important to qualify this at every stage (since even the techie Slashdot readers appear to be horribly ignorant that there are differences between JavaScript, Java applets and Java applications).

      Readers should take note:

      1) In general Java applications and web services are secure (in fact, more secure than C++ etc)
      2) It is malicious Java applets that pose a potential risk to users (just like malicious buffer-overrun inducing JPEG images do).

      Now cue the hundreds of Java-hating posts that don't know the difference between JavaScript, Java applets and Java applications/servlets but still think that some other technology is more secure (hint: it is not - every tech out there has holes that get discovered from time to time - including your operating system).

  4. Not so fast by MobileTatsu-NJG · · Score: 5, Funny

    Not so fast.

    Isn't that Java's mission statement?

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  5. Re:about:addons by Runaway1956 · · Score: 3, Insightful

    Protip, your ass.

    The real protip? If your bank requires you to enable java or flash to use their site, you're banking in the wrong place.

    Now, pull your head out of your ass, and think "security" instead of "convenience".

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  6. OpenJDK vs. Oracle Java? by someones · · Score: 3, Interesting

    I switched to OpenJDK a while back.
    In its early days it was bugged and crashed all the time, but that time seems like a long-forgotten past.

    Is there a reason to favor Oracle's Java over OpenJDK?

  7. Re:about:addons by BlackThorne_DK · · Score: 3, Interesting

    Oh well, welcome to my world. In Denmark, not only does the bank require Java. The _state_ requires you to use the same braindead Java-infested login (NemID), not only on all banks, but also on every publicly accessible site (pensions, healthcare, unemployment benefits, student benefits...).
    No matter what I do, and which bank I choose, I need to use NemID, and Java.

    I just disabled Java on my work machine. Now I need to make a virtual machine or something, if I actually want to pay my bills. :-(