Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Java Vulnerability Found Affecting Java 5, 6, and 7 SE

Posted by Unknown on from the everything-is-compromised dept.

jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."

15 of 121 comments (clear)

  1. Java runtime vs. .NET runtime by Nsks · · Score: 5, Funny

    What is with Java and all these exploits? It's the most exploited piece of software on planet. I think they should learn something from Microsoft's .NET runtime. It's installed on pretty much every Windows computer out there. Still there are no exploits against it! Microsoft seems to know what they're doing much better than Oracle

    1. Re:Java runtime vs. .NET runtime by sgrover · · Score: 4, Funny

      Dude!!! You almost made pop come out my nose! I laughed so hard!

    2. Re:Java runtime vs. .NET runtime by gagol · · Score: 4, Informative

      You mean like this?

      --
      Tomorrow is another day...
    3. Re:Java runtime vs. .NET runtime by scorp1us · · Score: 4, Interesting

      Nah, I'd say Flash is the most exploited runtime.

      I never liked Java, but .NET is even worse for a web platform as it only supports a fraction of the platforms. Java was invented to be portable, .NET was invented to be less portable Java.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  2. Report exploits to Debian and Red Hat too by David+Gerard · · Score: 4, Insightful

    The OpenJDK teams at Debian (who also do Ubuntu) and Red Hat are good people to notify as well. Unlike Oracle, they won't sit on bugs.

    --
    http://rocknerd.co.uk
  3. "Wow, thanks a lot Oracle." by Anonymous Coward · · Score: 5, Insightful

    Release of Java 5: September 30, 2004
    Oracle's acquisition of Sun: January 27, 2010

    I know it's fun to hate on Oracle (commencing Ellison yacht joke in 5, 4, 3...), but it makes you look a little imbalanced to blame them for a vulnerability that exists in a product created by a different company almost 5+ years before Oracle even bought them.

    Shouldn't we at least wait until after we find out that Oracle knew all about this for months on end, chose to tell no one, and then ported it forward into Java 7 before we lambaste them?

    1. Re:"Wow, thanks a lot Oracle." by Nimey · · Score: 4, Informative

      Java 5 was even EOL'd well before Oracle bought Sun.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:"Wow, thanks a lot Oracle." by Cid+Highwind · · Score: 4, Insightful

      Number of fscks Larry Ellison has given about Java since finding out owning it doesn't mean Google owes him a ton of money for Dalvik: 0

      --
      0 1 - just my two bits
    3. Re:"Wow, thanks a lot Oracle." by Trepidity · · Score: 4, Insightful

      They've owned the product for almost three years now, so I'd say that bugs in current versions are their fault for not doing sufficient QA to find/fix, regardless of where they originated. When you own something, you own the responsibility too.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
  4. Is Java the new Flash? by blahbooboo · · Score: 4, Funny

    Please discuss.

    1. Re:Is Java the new Flash? by Anonymous Coward · · Score: 3, Funny

      No, Java is the old Flash.

  5. If you have an IT job you might need it. by Anonymous Coward · · Score: 4, Interesting

    Java plugins won't help you flip burgers, but if you work in a large corporation you will find about fifty mission-critical apps you definitely will need that plug-in for.

    And the sysadmins hate EVERY SINGLE ONE OF THEM.

    Because they SUCK to admin... end users who don't have to use or admin the codebase love them, because they are pretty and sound like coffee.

  6. Re:the java plugin? by codealot · · Score: 3, Informative

    I just RTFA, from what I can tell this affects anyone who needs to run untrusted code in a JVM with a SecurityManager, not just applets.

    That said, I can't think of any reason to do that besides applets, so most vulnerable users are those with browser plugins. Virtually everyone I know who runs Java deploys it within a servlet container where untrusted code is not normally a concern. Given that, the story seems a bit overblown.

  7. Wowzers by Billly+Gates · · Score: 5, Funny

    Good thing we use Java 1.4.2 at work. Looks like I am safe

    --
    http://saveie6.com/
  8. Oracle, did you learn from last time? by onyxruby · · Score: 4, Insightful

    Oracle, did you learn from last time?

    1. Have you publicly acknowledged the exploit?
    2. Have you given at least some idea of how it works?
    3. Have you given any mitigation instructions or will people simply have to uninstall your product since your not saying how to mitigate this?
    4. Have you given any type of public communication along the lines of "were working on it"?
    5. Are you giving any type of eta for a hot fix?
    6. Have you learned that saying, we'll fix a critical exploit on one billion machines at the regular quarterly update schedule is not acceptable?

    Home sick today or I would have been neck deep in this all bloody day. Haven't had a chance to look and see if they learned from their last royal clusterfuck or not.