Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Java Exploit For Sale

Posted by samzenpus on from the a-new-flavor dept.

tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."

3 of 150 comments (clear)

  1. Kill it with FIRE by Billly+Gates · · Score: 5, Insightful

    Oracle needs to give up on browser plugins. I realize there are some mission critical business apps and a few cases where it is needed just like IE 6. We need to start pressuring the vendors to stop distributing it like we did with obsolete browsers.

    With javascript and HTML 5 and CSS 3 there is no reason to keep such 20th century technology on the modern web. Consumer sites no longer even use it anymore.

    With IE 6 and IE 7 gone by 2014 our eyes should focus on Java as the next technology that threatens the security of our networks that needs to bye bye. We need to do our part as IT professionals and inform PHB it is bad security just like IE 6 and demand app vendors to drop it.

    --
    http://saveie6.com/
  2. Java Sandbox Exploit, Not Java Exploit by Bob9113 · · Score: 5, Informative

    This is not a bug in Java. It is a bug in the Java browser plugin, called a sandbox exploit.

    The Java Virtual Machine (JVM) has access to the filesystem and can fork processes. In an attempt to make this safe to use in a browser, Sun wrote a sandbox, that is supposed to block access to the filesystem and to process execution. The sandbox doesn't work, and may never work. Disabling the Java plugin in your browser is a good thing. It might have been nice if the sandbox worked, but it doesn't. Don't run untrusted code in the JVM, whether in a browser or otherwise -- just like not running untrusted C code.

    You can Java on a server, open a port, expose that port to the Internet, and as long as you haven't written a hole, nothing bad will happen. That is because this is not a Java exploit. It is a Java sandbox exploit.

    --
    Stop-Prism.org: Opt Out of Surveillance
  3. Re:Actually, the opposite by Billly+Gates · · Score: 5, Insightful

    You are looking at it as a developer. Not a user nor IT support professional.
    Java is:
    -butt ugly
    -take 30 seconds to a minute to load
    -can't run on mobile platforms
    - fonts and widgets are not native and look weird. Are LCD fonts in yet? Ubuntu and debian have the old school non font hinting which is a horrible eye sore
    - Security risk
    - Not every computer has it and those that do have different versions
    - No one uses it that much

    Users hate it and think they are ugly and look like something from the 1980s while Flash is all pretty and fancy and loads instantly. People do not want applications in browsers. They use applets for that on their phones or tablet operating systems hence why Windows 8 was made whether you hate it or not. The browser is for simple logic and a gui platform.

    You may feel the web is horribly wrong but I.T. loves it via the cloud and salesforce.com apps. No need to install software on 5,000 computers anymore.

    --
    http://saveie6.com/