Another Java Exploit For Sale

tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."

The Right Thing (TM)

So then do like Google and pay the guy for the bug.

Kill it with FIRE

[Billly+Gates]

Oracle needs to give up on browser plugins. I realize there are some mission critical business apps and a few cases where it is needed just like IE 6. We need to start pressuring the vendors to stop distributing it like we did with obsolete browsers.

With javascript and HTML 5 and CSS 3 there is no reason to keep such 20th century technology on the modern web. Consumer sites no longer even use it anymore.

With IE 6 and IE 7 gone by 2014 our eyes should focus on Java as the next technology that threatens the security of our networks that needs to bye bye. We need to do our part as IT professionals and inform PHB it is bad security just like IE 6 and demand app vendors to drop it.

Re:Kill it with FIRE

[Darkness404]

Except that there are still a good chunk of websites that still use Java. For example, Minecraft and RuneScape to name two.

And sure you -can- have it be fully client side but it doesn't always work. Many schools and workplaces will filter out .exe file extensions but will let you run in-browser applications just fine.

The web is not just things developed in 2013, but also for things developed back in 1997. And as such, it needs to be at least partially backwards compatible with older technologies.

The real issue here isn't about browser plugins but it is the terrible management of Java by Oracle. There is nothing that inherently should make Java more unsafe than a generic web browser, the problem is unlike most web browsers, Oracle has time and time again proven to be unable or unwilling to fix gaping holes in their programs. Even when they do create a fix they still try to bundle in crapware such as the "Ask" toolbar and switch my default search engine to Ask. A slimeball tactic that should be reserved for those making keygens and the like.

There is nothing that makes Java any more insecure than JavaScript except for Oracle. Rather than simply dropping a useful element of the web, we should pressure Oracle to do what a software firm should do: fix the bugs!

Re:Kill it with FIRE

[Lennie]

So how many people run Minecraft in the browser ? I thought most run it outside of the browser, right ?

Re:Kill it with FIRE

[Runaway1956]

"fix it once and for all."

Please name some softwares that have been fixed, once and for all. I'm not aware of any. It seems that everything is evolving as threats evolve. You could start with the kernels. Microsoft seems to change theirs, Linux changes theirs, etc.

You might join the chorus, and complain that Oracle evolves to slowly, or that it is incapable of evolving fast enough to remain relevant, but there is no chance in hell that it can be fixed once and for all.

Re:Kill it with FIRE

[afgam28]

While I don't disagree with you completely, I think it's sad that JavaScript and HTML have "beaten" Java applets as the standard way to build network applications. Sun really dropped the ball in terms of the UX for desktop Java, and Oracle's security mismanagement has put the final nail in the coffin of Java on the desktop. But despite all of its flaws, the Java platform provides a much nicer programming model compared to "modern" web technologies.

HTML was originally designed as a way to display static, hyperlinked documents, and JavaScript was originally just a toy scripting language to do simple things like form validation. They've both evolved to support the creation of rich client interfaces, but creating rich clients using HTML5/JavaScript is not pretty. There's a web server, which spits out dynamically generated client code. Embedded in that client code is a mix of content, markup, JavaScript source code and maybe even inline stylesheets. It runs in one of a number of possible virtual machines (or "web browsers") which are all slightly incompatible, not to mention slow compared to a JIT bytecode interpreter (ironically, one of the early complains about Java applets was performance). Standardizing it all is a nightmare that takes years of political infighting and compromising on things like video formats. And you have to learn at least 3 different languages to even do anything!

It would've great if, instead of HTML/JavaScript evolving up into a full-blown rich client platform, Java just "devolved" a little bit so that it provided a stricter sandbox for applets. None of this "signed code" bullshit - everyone just clicks through on that, leading to all sorts of security problems. Just restrict all applets under same sandbox (like JavaScript does). Give it a more native UX (e.g. through SWT instead of AWT/Swing) and an App Store, and it would be great!

There's nothing really inherently wrong with the Java platform, and nothing inherent in its design that makes it less secure than JavaScript. The only problem is Oracle's lack of support, and some small implementation flaws. HTML5/JavaScript on the other hand is just a giant hack. But a standard one.

Doesn't Oracle have a bug bounty program for Java?

[thue]

Surely the bad publicity from a root exploit is worth more to Oracle than $5000? $5000 is peanuts in this context. Why doesn't Oracle have a bug bounty program to avoid problems like this?

Java Sandbox Exploit, Not Java Exploit

[Bob9113]

This is not a bug in Java. It is a bug in the Java browser plugin, called a sandbox exploit.

The Java Virtual Machine (JVM) has access to the filesystem and can fork processes. In an attempt to make this safe to use in a browser, Sun wrote a sandbox, that is supposed to block access to the filesystem and to process execution. The sandbox doesn't work, and may never work. Disabling the Java plugin in your browser is a good thing. It might have been nice if the sandbox worked, but it doesn't. Don't run untrusted code in the JVM, whether in a browser or otherwise -- just like not running untrusted C code.

You can Java on a server, open a port, expose that port to the Internet, and as long as you haven't written a hole, nothing bad will happen. That is because this is not a Java exploit. It is a Java sandbox exploit.

Re:Java Sandbox Exploit, Not Java Exploit

[afgam28]

Well, that depends on what kind of "consumer" they are. If they're a user who only has the Java plugin installed, then yeah, you're right.

But for people who are running non-browser-based desktop apps like Vuze, PHBs who oversee server-side Java projects, and the poor bastards who have to work under them, the advice that "Java is unsafe!!" is misleading and sensationalist.

I'd wager that most Java applications are not applets, and so they are safe from this exploit and similar ones. So the distinction between the Java platform in general and the browser plugin is a valid one.

Re:Java Sandbox Exploit, Not Java Exploit

[ChunderDownunder]

I wouldn't be too keen to blame the plugin per se anyway.

The whole Java library (rt.jar and others) relies on a security model. Each class invoked has checks to see if a security manager is running and if yes then possibly deny a request based on permissions.

Poor development practices in not vetting the codebase for security checks have caused this. Specifically, this security breach is via new functionality included in JRE 1.7, where any assumptions of security requirements have been invalidated.

An audit of every class included in the JRE needs to occur with unit tests for expected behaviour inside a sandbox and outside.

Applets in a browser are the most common usage of a SecurityManager but pointing a finger at the plugin itself won't fix the underlying library code...

Re:Doesn't Oracle have a bug bounty program for Ja

[Shoten]

Actually, this sounds off to me. $5K for an exploitable Java vulnerability? That's waaaaaay too cheap for the exploit market...white, grey or black. I think this guy is selling a crock of shit, but he knows that the big-money purchasers would be able to tell. So he's offering it for chump change, which is exactly what a chump happens to have on hand to pay.

Re:Oracle owns Java now?

[SIR_Taco]

You mean the redundancy issues?

Re:That's right!

[Shoten]

You haven't noticed how they handle patches and vulnerability management for their database products, have you...

"This is the Critical Patch Update for , which fixes a whole lot of stuff we aren't going to tell you about. It's nearly a gig in size and changes all kinds of things...but we aren't going to tell you about any of that, either. Good luck deploying this on your mission-critical applications. You can thank us for doing this in 3-month cycles instead of twice a year (like we used to do) later."

You are fricking mad!

[tjstork]

Can you really think you can compare a jack of all trades master of none half witted rendering engine that is html 5, coupled with a dull language that isn't even type safe and costs a comparitive fortune to debug, vs well, a -modern- language. I agree plugins can be hokey but html5 sucks.

Actually, the opposite

Java applets are billion times more appropriate for running an application in a browser than a combination of
- markup language created to structure text,
- stylesheet language created to format it,
- and some alien abomination to make it all 'dynamic'.

I do see value in web apps, it is for example extremely useful to have access to Google Drive with it's text editor, regardless of where i am... But I cannot disregard that it has just a big pile of ugly hacks underneath to make it what it is. At least Java has been created exactly for writing applications and it does the job better than whole "HTML5, CSS3" stack.

The Web turned horribly, horribly wrong way.

Re:Actually, the opposite

[Billly+Gates]

You are looking at it as a developer. Not a user nor IT support professional.
Java is:
-butt ugly
-take 30 seconds to a minute to load
-can't run on mobile platforms
- fonts and widgets are not native and look weird. Are LCD fonts in yet? Ubuntu and debian have the old school non font hinting which is a horrible eye sore
- Security risk
- Not every computer has it and those that do have different versions
- No one uses it that much

Users hate it and think they are ugly and look like something from the 1980s while Flash is all pretty and fancy and loads instantly. People do not want applications in browsers. They use applets for that on their phones or tablet operating systems hence why Windows 8 was made whether you hate it or not. The browser is for simple logic and a gui platform.

You may feel the web is horribly wrong but I.T. loves it via the cloud and salesforce.com apps. No need to install software on 5,000 computers anymore.

Re:This is insane

[thoth]

Well, the obvious conspiracy theory is that disgruntled former Sun engineers, people with extremely deep knowledge about Java, are angry at Oracle and venting their frustrations by poking holes in their former product. ;)

Re:This is insane

[trims]

Simple:

• Oracle completely screwed up the acquisition, and made major changes to the Java division. Management was completely redone, and the release/bug process was made much worse (not that it was great under Sun).
• All the old Sun personnel got pissed off at Oracle, for a variety of reasons. Less than 25% of those there in 2008 are still in the Java division; and, that's from an organization where people averaged 10+ years of work at Sun. Oracle hasn't been able to replace this brain drain, and is unlikely to ever succeed in restaffing to an acceptable level. The JDK codebase is incredibly complex - far worse than practically anything else I can think of, including the Linux kernel. The number of people on the planet who are good VM coders numbers maybe a hundred or two. That's it. And the rest of the organization has been decimated, too.

I worked at Sun for 6 years in the JVM group before the acquisition. I stayed on for another 1.5 years before I left. I only know a handful of people there anymore, and they're staying simply to ride it out to retirement (all are in their 50s). Over three dozen people I used to work with are gone, and there's no decent replacements.

Basically, people used to working "the Sun Way" detested the new "Oracle Way" and decamped en masse between 2009 and 2011. The whole Java division is a shadow of itself, and won't ever recover.

Re:Oracle owns Java now?

[hairyfeet]

The problem is that 2 different security groups have been analyzing the flaws that the malware guys used for the last exploit and say it could be 2 years before a proper fix is in place because the underlying code is "a mess".

Of course any of us who had to deal with Sun's products in the past could have told them this, Sun was pretty piss poor when it came to code and security, this is why I've been saying give the LO guys at least 3 years before we start bitching simply because it'll probably take that long to clean up the mess Sun left.

The monkey in the wrench though, the fly in the ointment, the pain in the ass, is that Java usage was waaay down among consumers....until that fucking game showed up. I hope the guy who wrote Minecraft is happy because just when we had weened a lot of home users away from the tripe that is Java he had to build a hit game on it and drag us all back into the mess. I don't know which is worse, Micecraft bringing shitty Java back to the consumer desktop or that fact Java will add the browser plugin (along with crapware) every time you update the damned thing. But in any case the malware writers are gonna have a field day as all those Minecraft installs are a botnet waiting to happen and if those security researchers are right all Oracle can do is slap band aids on the mess that is Java..

Re:Oracle owns Java now?

Aww. Did a creeper explode your house?

Re:This is insane

[idontgno]

It's so weird. This betrayal at acquisition seems to play out over and over. A great team is disbanded by the heavy-handed and mouth-breathing attitude of the new boss.

I'm reminded of the Easter egg in Amiga OS 1.2, which was a secret message accessible by an obscure sequence of keystrokes, UI mouse clicks, and floppy disk ejection/insertion.

Now press both Alts, both shifts, press F1 and eject DF0: all at once and you'll see:

The Amiga, Born a Champion

Whilst holding this click the left mouse button on the "screen to back" gadget and re-insert the disk. You'll see:

We made Amiga, They fucked it up