Slashdot Mirror
Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch
An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."
What happened? Most of these exploits seem to rely on rewriting methods / accessing byte code ... how about disabling that access for applets as a temporary measure?
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
This might seriously impede the Year of Java on the Desktop
It looks like he randomly pulled a time frame. I cannot find an explanation for the two year estimate.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
The solution is to stop running untrusted code in your browser. If you are using a browser's default configuration, then any time you go to a website, the browser will automatically download and execute software from the website, in the form of Flash, Java applets, javascript, and Silverlight, if you have it installed.
And you think there aren't any vulnerabilities in any of those sandboxes?
That's not specific to Java, it applies to all software that's downloaded from an outside source and run on your local machine. That means Adobe Reader (PDF is simply a wrapper for a program written in Postscript), Flash (ditto, written in a special programming language) and even Javascript. It even includes downloaded TrueType fonts (the font hinting program they can include is just that, an executable program). Don't dismiss them just because they're sandboxed. Java was sandboxed, that didn't stop this vulnerability. Sandboxes are software and software has bugs in it, always. The only question is the number and severity of the bugs. The simpler the software, the fewer bugs there tend to be because there's fewer places for them to hide. Their favorite hiding place is in unexpected interactions between different parts of a piece of software, or between the software and the system it runs in, and simpler software has fewer and simpler interactions that're easier to get right.
This even applies to software you buy from a vendor. The difference is that with bought software you tend to download it only a few times and always directly from the source. Contrast this with the Web, where you're downloading multiple pieces of software on virtually every Web page you hit with no idea where they're coming from (and, in the case of advertising networks, the place you download them from may not even know who or where they're coming from).
Running programs from untrusted sources has always been unadvisable. I run java every day, and I'm not worried at all about getting compromised. Apps like ImageJ or UGENE, if they weren't written in Java would be written in a native language which would be just as dangerous to install. So don't be an idiot and run programs from random websites and you'll be fine.
Give me Classic Slashdot or give me death!
HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.
How is Mr. Moore computing this interval? Nothing is offered in these stories about why it would take Oracle "two years" to "fix" the "security bugs".
It didn't take two years to write JDK in the first place...
Just because you're paranoid doesn't mean they aren't out to get you
Sure, Java will be dead in 5 years.. just like COBOL.
This also applies to every desktop OS - ESPECIALLY Windows. How many years has Microsoft been attempting to secure Windows? Obviously if you care about national security, you will unplug your PC today.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
The idea is that you are at the same time providing a full language and a sandbox. Together. Java is not inherently more or less secure than any other language (well, mostly), but the above premise is extremely hard to pull off correctly. Think of an applet as some piece of code you download and execute. Would you trust doing that in any special language? Think of Flash, how many flash issues have we seen? And Flash is "less complex" than Java.
Are those security flaws also affecting OpenJDK 6 and/or 7?
"Over theÂhistory of programming, the number of exploits in softwareÂdoubles approximately every two years."
KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
This guy isn't a security expert. He doesn't even know that Java is a programming language, and that Oracle's JVM is not "a version of Java used to surf the web". No self respecting expert would misuse terms the way he is, and he should be sued for doing it. It leads to ridiculous situations, where people think Java is inherently bad. I mean, isn't Android based on Java? OMFG ... don't get one of those! Haven't you heard. Java is vulnerable to attack! If the writer got what this guy said correct then his guy is either shilling for Apple or Microsoft against Google/Android, hates Oracle, or is phenomenally incompetent.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Why exactly do we need applets on joe smoe's machine? If your a corporation enable it.
It would be great if all browser had a whitelist of domains that you tag a site for any of this stuff. Yes youtube can play flash, other sites not. Advertisers will just use animated gif\javascript or whatever.
Sure there is this plugin and that to accomplish this...time for FF, Chrome, and IE to build this stuff in and make it off by default and super simple to address. Of course you've got grandma on IE 6/7/8, but even then MS could put out a patch that just turns off applets. The next time IE starts up it ask the user. Group policy would override.
I find it strange that I can install a flash blocker that allows me to whitelist certain websites but that similar functionality seems to be missing for Java... the easy answer is to not allow java to run unless the site or even specific URL is in a whitelist.
The java engine should check whether the code it is about to execute is from a whitelisted location before it executes it. If the code is not, it should warn the user, perhaps prompting to add the site.
That way your banking and ecommerce sites would still work easily while the "bad guys" would at least have to successfully social-engineer you into adding their site, a situation much better than what we currently see where all you have to do is inadvertently browse to a web page with compromized java applets embedded.
Like who?
remove java, solved!
Nuke it. From space. Sharks, lasers, etc. Only way to be sure.
Some guy has the source code, examined it long enough and carefully enough to come up with an estimate of the time required to fix it... and didn't fix it? Didn't document the problems? Didn't bother to tell us what is wrong and where it is wrong? Sounds fishy. I don't think I believe it.
The guy invented Metasploit. He's not lying.
That, to me, seems so obvious as a basic security measure, it amazes me that software as old as Java would still have such vulnerabilities.
I can see absolutely no reason to start with an unprivileged app that can somehow give itself privilege it did not start with. In reality, such actions should be up to the user to decide *before* they run the app (although that may still be quite vulnerable to social engineering, it would at least remove the technical aspects of the vulnerability).
File under 'M' for 'Manic ranting'
Running programs from untrusted sources has always been unadvisable. I run java every day, and I'm not worried at all about getting compromised. Apps like ImageJ or UGENE, if they weren't written in Java would be written in a native language which would be just as dangerous to install. So don't be an idiot and run programs from random websites and you'll be fine.
The problem is, the default Java runtime install includes a browser plugin that allows Java applets embedded in a webpage to run automatically. Code delivered this way is supposed to run inside a strict sandbox, but that sandbox has been repeatedly shown to be full of holes.
(Desktop apps written in Java, including UGENE and ImageJ [and Eclipse, and the mostly-not-Java LibreOffice] do not use the browser plugin and will run fine even if the browser plugin is disabled or deleted completely. Your standard don't-be-an-idiot advice does indeed apply to these kinds of apps. But the JRE you installed to run ImageJ will install the browser plugin you never asked for and don't need.)
Oracle really should consider making the browser plugin a separate, optional, non-default installation.
This is like opening an email attachment form the same domain name; don't do that because somehow that PDF file, Excel file, Word document or whatever is harboring some evil code.
But does any of that mean you should remove Excel or PDF readers or Word or Libre Office or anything else from your own machine? Of course not. Java apps are totally safe on your machine and removing Java from your machine makes exactly zero sense.
The only people (mis) representing this situation are people who have an economic stake in "competing " languages and runtimes and language warriors , so that would include M$, consultants who want to be able to bill to rewrite Java apps (for no reason) , authors and evangelists from competing languages etc etc etc . You should all be ashamed of yourselves. C# is a great language , Java is a great language , Perl is a great language , C is a great language, Scala is a great language, Lisp is a great language.. so just GTFU.
They all have undiscovered holes. What makes Java any riskier than IE? What makes it any riskier than Chrome or Firefox? Is it the lack of any update strategy on Oracle's part?
Need a Python, C++, Unix, Linux develop
The only way that number is within an order of magnitude of being correct is if it is a reference server-side Java, which isn't the issue. In-browser Java is the issue, and very few common websites require in-browser Java to function correctly (in-browser JavaScript, perhaps, but aside from artifacts of early-90s marketing in the naming, the two have nothing in common.)
Java vulnerability can be fixed in a few seconds:
apt-get remove java
There. Vulnerability fixed.
But we have javascript, which probably no more secure than java, especially now that we are now adding more features to it, canvas, websockets.
The thing is I see no need for more attack vectors so we might as well limit them not use java/flash on the web browser.
I run executable all the time, All apps should run in a vm by default, and only get access to real stuff if I explicitly say so, otherwise all data is faked to the app.
These vulnerabilities affect java applets right? How many java applets are "in the wild"? 10? Most java applets are in-house businesses task specific apps from what I've seen. Meaning if you're casually browsing the web and the JVM is on... turn it off you don't need it... wants to come on and you don't trust it, block it... standard web practices here.
I think he meant Kobol, the originating planet of the thirteen tribes.... Took a lot longer than 5 years to die but then again, the Galactica found it in ruin and didn't stay for archeological studies...
Javascript is sandboxed in most browsers and in Firefox most of it is neutered in terms of access to local resources.
Java is untrusted and just runs without a user doing anything! That is the difference. Flash is now trusted and signed and Chrome auto updates it as does Windows Update now if you use IE 9. Mozilla it turns click to play now to prevent exploits.
http://saveie6.com/
I have a jar of molasses that seems to be equivalent to this concept.
Javascript has NOTHING to do with java.
Doesn't this mean the same problem is present in C#, as it is really just a clone of Java
I don't know the meaning of the word 'don't' - J
So after following the rabbit hole, the article links here (see PDF) and here (same site, just "codes" for the issues) while exclaiming about 50 issues in Java! If you cut out the fluff, the only issue is the Reflection API. C# will and does have the same exact vulnerabilities. And after looking through it, it wouldn't take 2 years to apply these "fixes"; however, some "fixes" remove Java functionality, so it will never be "fixed" because why remove functionality. Any language can do bad things. We can only hope that the general public doesn't read this shill crap.
/endrant
However, I admit that this is also a good thing to hopefully encourage Oracle to provider quicker updates/patches/etc.
I still don't see a mass migration to other languages happening. JAXB (and annotations in general) is one of the best things Java ever invented. I have yet to find a language with features that make XML reading/writing as easy as JAXB. Unicode, i18n, and l10n were well-done from the beginning. Even though people laugh at the notion of byte code and the cross-platformness of Java, I still have yet to see another language do this better. Java will die when either a better solution emerges or enough corporate shill kills it.
And I still don't understand why Linux is being bogged down with C# mono programs such as Banshee, TomBoy, etc. Don't get me wrong, these are great programs, but why not write them in a language that is more open? It would have been just as easy to do these in Java with GTK+.
The G
To paraphrase a well known saying, I think it's time for the internet to start seeing oracle as damage and route around it.
One really simple thing that seems needed, and that should be extremely simple to do, would be a whitelist/blacklist plugin for java applets in firefox. The vast majority of java applet users are probably people who work in a bank, a law practice, or a medical office and only ever need to use a single applet. They need an option where they can blacklist all java applets by default, but allow applets from medicalrecords.com or whatever. These folks can't just disable the java plugin completely. Setting plugins.click_to_play to true is also a solution, but it breaks sites that use flash, and it doesn't protect the business against an office worker who clicks on stuff without thinking. (I tried setting this flag on my desktop box at home, and was too much of a nuisance. This is what I have flashblock for, and flashblock does the job better.)
Another helpful step would be to make it easier for people to find out which versions of java they have on their computers and easier for them to avoid unsafe versions. On my ubuntu box, managing this is a total mess. If I do "java -version", it tells me I'm running java 1.6, which would be immune to this vulnerability. But if I check inside the directory /usr/lib/jvm , it turns out I actually have 1.5, 1.6, and 1.7 all installed. Well, which one is firefox using? I get zero results from dpkg --get-selections icedtea . In firefox, doing tools:add-ons:plugins tells me I have IcedTea-Web 1.2, which tells me nothing about the java version. Typing about:plugins in the url bar shows me literally two dozen version numbers. Googling turns up somebody's test app at http://javatester.org/version.html , but (a) how do I know this guy isn't a black hat, and (b) even if that showed I was currently running 1.6, what happens if a future apt-get upgrade bumps me into 1.7?
The final thing that should really happen IMO is that the OSS community should get off the java upgrade treadmill. The IcedTea project should designate some version such as 1.6 as a high-security, stable version and focus some real effort on making that version secure. Distros should stop packaging 1.7+ until the dust settles -- and if that take a couple of years, who the heck cares? Hell, I wouldn't care if it took a decade, or forever.
Find free books.
"It's been in MY jar of molasses since 199x!"
Does COBOL have as many security issues as Java?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Yes, but Java is a completely different language from JavaScript.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Of course there are hundreds or thousands of native API calls made by the Java stack.
Sooner or later you have to talk to the OS.
I do not fail; I succeed at finding out what does not work.
in soviet Russia, nobody expects the Spanish inquisition!
Perhaps the time is right for a COBOL browser plugin?
I was thinking this when I started reading his post, but then I actually read and comprehended what the poster said. He was talking about javascipt because we download javascript code and execute it without any warnings and that isn't a problem.
Stop yelling about javascript and java being unrelated. We all know it, and it doesn't help any discussions. The people that don't know they are different probably won't have a lot of insightful comments on threads about languages.
Perhaps it's time to rethink the whole "execute in user space" thing and go back to HTML/CSS rendering and server-side CGI.
Near as I can tell, the whole user-space execution thing has been a security and compatibility clusterfark since day one. The "cloud" is a user data loss / privacy nightmare by design, too.
Honestly, it seems to me that outside of the usual HTML uses - reading a blog or a news site, shopping, that sort of thing - most people I know actually use the web to ship video and audio back and forth. Personally, I've done less surfing, emailing and other usual net activities this year than ever before; I have dedicated appliances that stream music from Internet radio stations, deal with video, e-books...
Guess I'm just a desktop kinda guy. Get off my lawn?
I've fallen off your lawn, and I can't get up.
no, COBOL was written by actual programmers, long before software engineers infected earth.
Javascript has NOTHING to do with java.
Actually, they're both rather mediocre programming languages in their own miserable ways. They have that in common.
Please, provide your examples of which are good languages in your opinion.
I, for one, think that Java is good enough for the job.
"I think this line is mostly filler"
I think he meant Kobol, the originating planet of the thirteen tribes.... Took a lot longer than 5 years to die but then again, the Galactica found it in ruin and didn't stay for archeological studies...
Remember, if you use Kobol in a project the gods will punish you.
"I think this line is mostly filler"
ups.com
Needed to print thermal labels from the website interface. For some reason it uninstalled itsaelf or i got away without it for a year. But had to install java to get it to work again, pretty much on the day all this started but noone there had a clue. sigh....custom driver, activeX control, java all needed to be install to print the damned label.
It is not even in the damn instructions...it is just ASSUMED to be on the machine these days. That machine does nothing but UPS labels so the usual browsing baggage was not installed.
Wrong answer!
no, COBOL was written before software security was invented.
"I think this line is mostly filler"
Hmmm... would someone mind again explaining how to robustly disable the Java plugin from Internet Explorer, Firefox, and Chrome...
* WITHOUT uninstalling the JRE or JDK,
* WITHOUT globally disabling plugins (like Flash) in general,
* ROBUSTLY, in a way that can't be subverted by Oracle's installer or brain-damaged update logic, and
* in a way that allows you to permanently or temporarily re-enable the Java plugin for a domain, specific host, or wildcard/regex-matched URL... and allows you to do it retroactively, AFTER the page has loaded, without resubmitting a form (if that's how you got to the page in the first place) or restart the browser after re-enabling Java. Few things suck more than completing an online purchase for Java-delivered premium content, or going through some extended login process involving hardware tokens and one-time passwords, only to have to repeat the whole thing from scratch (or try to get a refund) because you forgot (or didn't notice) that Java has to be enabled before you start?
COBOL has a better solution.
Java has a bad history. I disabled it on all of our machines years ago due to problems like this and the fact that so much poorly written Java code sucks CRU wasting computer resources and slowing down machines. I would recommend never using Java. I don't run into any situations that require it so there is no point in bothering to risk it.
You are entirely incorrect on so many fronts, it's funny. I think you should just stop posting on Java since we've probably seen every error you can make already in this story. To finish it off, Javascript is not only sandboxed within each browser's implementation, it is also severely restricted in those implementations in what it can do. Want to edit a local file... can't do it in Javascript in a browser - those capabilities do not exist there. Want to call a new server? Again, can't do it in a browser. Etc etc etc.
Java does have the capability to be signed and sealed, which is about as close to trusted code as you can get. But that's "too hard" for most to deal with, apparently. If applets required signed/sealed jars to run to begin with or pop up a warning, you'd still have a mess of stupid people trained by years of clicking through annoying confirmation boxes in Windows that would still run unsafe applets. So I doubt it would help in any meaningful way.
I don't have java plugins in my browsers, and run noscript in Firefox for non work sites. That's about as safe as you can get.
The cesspool just got a check and balance.
If you are running a website targeting engineers and designers actively integrating products into new designs, take my parent post into consideration before considering all sorts of fancy window-dressing programming which requires java, javascript, pop-ups, etc to be enabled before content is displayed.
Businesses having lack of foresight who hire webmasters who implement finicky programming techniques isolate themselves from engineers trying to research products to be designed into other products. How many times has one tried to obtain product info only to be met with all sorts of script programming demanding java be enabled? Some business types will still pay a good salary to have prospective customers abandon their site because it is so difficult to use.
I do a lot of research for businesses in the design phase, and often this research is quite confidential. That is why they have me involved. I am not supposed to reveal the company name or even what it is they have me researching.
Business question: How much would you pay to have a script written that discouraged the engineer from your site, so your product was never considered in the design phase? How much would you pay for someone who would hire someone that writes this stuff? The answers to these questions will have a large influence on your future sales.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Where have you been?
Oracle has owned Java since April, 2009, when they bought out Sun.
File under 'M' for 'Manic ranting'
Who will out live the earth? Roaches or COBOL code?
MOVE 'FUNNY' TO WS-MODERATION-CODE.
to fix that stuck accelerator problem?
The government would fine them big time, if not possible keep them from making the cars that are affected.
Time to start handing out fines to Oracle I would think. See if that might change the 2 years to something a bit more realistic, like 6 months.
Be seeing you...
Java was designed with the intention of providing a secure sandbox. The reality is instructive about the consequences of using a complex and many-featured product. Simple is no guarantee of security, but complexity is definitely an enemy of security.
Exactly! This is why DJBDNS runs its parts in separate, simple processes: to reduce complexity.
Yes, the idea of zone transfers, secondary, and forwarding servers all break with this model, but fixing that is an exercise left to the student.
PS: I always handled complexity while maintaining security through abstraction + avoiding API layering violations, you know, like starting to interpret the meaning of MIME dat before verifying the validity of the MIME container object, which is what caused so many OutLook security vulnerabilities. But I now realize after reading your post that that was just my silly API design class talking.
Java may have it's security-problems, but it's not like it's the only framework/language that has it's problems.. You must be very naive to think that other languages/frameworks don't have the same kind of security-problems as java does. There is no such thing as complete secure, and there never will be...
Who will out live the earth? Roaches or COBOL code?
There are only two constants in the Universe: death and COBOL.
No colour or religion ever stopped the bullet from a gun
Javascript has NOTHING to do with java.
Well, historically they share a past. JavaScript was named JavaScript because of Java. Before that it was called Livescript.
I read it on /. :)
Defining Statistics and Social Research
Three times a year.
Not when they are needed, or when they are wanted, or when they are actually ready... but rather, three times a year.
All you need to know about Oracle is contained in the parent post. They think "three times a year" is taking "security exploits incredibly seriously".
Reminds me of the sewer worker who's proud to take a bath every year, whether he needs it or not, because he's incredibly serious about hygiene.
I find this entire issue to be rather odd. I was under the impression that when Sun Microsystems was developing Java that its code was heavily looked at to make sure holes of the type found could not be there. Yet now that Oracle has it, "we should disable Java" because the Department of Homeland Security's US-CERT says so. If that is the case, then why isn't a warning issued so that people stop using Windows? After all, it too is full of holes that allows hackers to target it constantly. And Microsoft has been constantly fixing it and yet more holes appear.
Agrisea Tsunami - Epyc Servers... https://agrisea.net/products