Slashdot Mirror
Latest Java Update Broken; Two New Sandbox Bypass Flaws Found
msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."
Someone, please put Java in the browser out of our misery.
Whoops!
I wonder how many of these vulnerabilities will be found and identified before the top brass at Oracle starts questioning the logic in buying Sun. Could Oracle realistically just come out and say "you know what.. we're done with Java"? Is Oracle really this inept at making stuff secure?
I mean, fixing security vulnerabilities is never good for business.. at all. You spend money fixing something that doesn't affect you directly but definitely affects your customers(which indirectly affects you). It's developer time that could have been spent on the next version's new shiny feature. Not to mention you aren't going to sell your product by saying 'We fixed XYZ vulnerabilities in the last 2 years". Anytime a company name is used in the same sentence with "new vulnerabilities discovered" is also not good for said company.
When the last topic about these vulnerabilites was posted I mentioned how I don't trust companies with my security any more than I have to and mentioned that my firewall is now pfsense since Linksys, Netgear, and Dlink don't seem to be interested in security without buying a new router every 2 years. Naturally I got modded down. Let's see how this goes this time...
I still find it odd how Java suddenly caught all the attention regarding security.
Considering that reflection is basically injecting code at runtime
That's pretty narrow, isn't it? Reflection is reification of program's state (and possibly code, which should be a subset of it) in form of (possibly mutable) metaobjects. The interface doesn't necessarily have to allow the program to do things that are inherently unsafe (although some applications need to do precisely that, e.g., Smalltalk IDEs when creating or modifying classes and methods). If Java's reflection features violate Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such. It's not like this is Java's only design flaw anyway. :-)
Ezekiel 23:20
Unless you have a robot with poking capabilities inside the bag with you, of course.
Everything is better with chainsaws.
Of your corp must need ot then downgrade to Java6 which is not effected by the latest exploits and disable it in your browser except for whitelisted sites in your intranet zone in IE .
Run that by me, again?
Oracle need to be called out on what appears to be an open-and-shut case of negligence.
Only a complete idiot would take on Java and it's 600 million users without making some kind of plan for supporting it. Their approach so far has been unbelievably reckless.
I certainly hope they don't take that attitude to Oracle Database, which is very expensive indeed, and running inside companies with lots of well paid lawyers.
While admittedly this could reasonably qualify as news for nerds, the exploits that are being discovered in Java these days are happening with such rapidity now that it truly seems like a complete waste of time and effort to report them all individually. They are so frequent now as to border on spam.
File under 'M' for 'Manic ranting'
Sorry to say: if you haven't seen reflection used in C# you must not have been looking very hard...
Reflection is extremely useful given a language that considers it a first class feature rather than a bolt-on. Duck typing, for example,is a specific application of reflection. In turn, duck typing can actually fulfill the promise of reusable code that OOP promises but rarely delivers.
It's the screwy way Windows does network trust. The "Internet Options" from the control panel is actually IE's preferences. This is also the place you set up trusted zones, allowing network applications or applications downloaded from external sources to run on the OS.
Like I said, it's screwy.
If Java's reflection features violate Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such.
Java is a progamming language, like C. It has access to the filesystem and can fork processes. Security is handled by the operating system, just like C. Any permission that the executing user has, the language has. That is as designed.
The Java browser plugin, on the other hand, has a sandbox which is supposed to make it safe to run untrusted code. Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code. The security hole is in the Java sandbox, and in the notion of executing untrusted code in a language that has system access, not in the Java language.
Stop-Prism.org: Opt Out of Surveillance
Reflection in C# is used all the time. If you have written anything more complicated than hello world you have definitely used it. Not directly but the APIs you call use it.
Its major use is to avoid busy work for the programmer. An example is ORM where the program can analyze what fields a class has and figure out what data types those fields are and build sql querries from it. Another example is xml/json parsing, where you can pass in a json string and a class definition and have it match all of the fields in the json to members in the class. You can spend 15 minutes writing annoying boilerplate code or 15 seconds making 1 method call.
I still have more fans than freaks. WTF is wrong with you people?
Oracle appearently cant code their way out of a paperbag but Sun wrote Java 6. Not to say that release is secure but at least less flaky and doesnt have the same flaw as 7.
I think it is starting to look suspiciously like there is some unfair dealing going on in the "security researcher" world.
The fix was released last Sunday and two new security flaw turn up today which, according to the summary and TFA "are apparently not related to the previous security issues."
First, that is very short period of time to find these new flaws, and write a proof of concept.
Were these flaws in the prior release, or introduced by the Sunday release?
Did these guys have them in hand prior to the work on sunday's release and hold them back?
Were they using "research" methods that they refused to share? Fuzzers, code inspection?
If the researchers didn't find these new flaws until after sunday, why not?
Just sayin....
Sig Battery depleted. Reverting to safe mode.
Adobe is gonna get jealous.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
I understand how a sandbox vulnerability could lead to malware being installed on the machine. But that malware still has to then exploit an OS-level security hole, right? The reports make it out that somehow the Java vulnerability allow complete take over of the machine. So I'm confused why the Win7, OSX, etc Access Control mechanism doesn't prevent the potential damage. Or is this specifically targeting users who for example are logged in as admin on a Win box and have explicit approval of system changes via ACL disabled?
So sick of these headlines. Java is fine, it's the barely-used-these-days plugin that's the problem. I expect non-techy sites to omit that detail, but come on /.
For those preaching that Java should be donated to Apache, give me a break. It's at the core of all "Enterprise Applications'" tech stack. Never gonna happen, nor should it. Best solution would be to decouple the plugin from the Java install and no longer shove it down people's throats.
I've said time and time again that Oracle doesn't get security, they just don't. They have been pulling things like this for a very long time. I never could have imagined saying this 10 years ago or so, but Oracle, you need to look at Microsoft for some pointers on handling security. Since you probably not willing to do that, I'll spell it out for you:
When you find out about a notable security flaw you need to have a patch ready to go within 60 days.
Meaningful notification. The everyday hacks that run IT need to have reasonable notification of security flaws.
Workarounds. If you can't fix it, that's fine, but give me a workaround or I'm going to start uninstalling your product.
How does it the flaw work? If you can't tell me how it works it means I have to reverse engineer it myself and this annoys me.
The difference between theoretical flaws and something that is broken beyond saving is typically 8-10 years.
The bad guys make a lot of money by counting on you dismissing security concerns.
You need to make it easier to administer updates to your products.
You need to make it easier to limit updates to your products. Why does Java 6 automatically update to 7? This is a bad, bad thing.
From a security standpoint I can't think of anything I would wish for more than the death of Java. Every chance I have to get rid of Java I put in my two cents to do exactly that.
The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.
0x or or snor perron?!
In the first generation of OOP, the focus was on the 'type' of an object, often involving an 'isa' method. For example, A.isa(file) might return true. The problem is that it is far too easy to get a case where something very file like isa(MyVerySpecialFileThing) but returns false for isa(file) because it has no truncate method (even though we don't want or need to truncate).
Duck typing is the idea that the type of an object and where it inherits from is largely irrelevant. We don't care if A isa file, we care if A has a method called read that returns data. We might further care if it can close(), or seek().
In other words, if it swims like a duck, and quacks like a duck, and walks like a duck, it's a duck as far as we care.
See also Wikipedia. To see the difference between 1st class vs. bolt-on, compare the Python and Java examples.
I would omit the "sub-class" part of your post. This is about substitutability, and that is all about subtyping, whereas subclassing is about representation and implementaiton. You can have a subclass that is not a subtype (per LSP, at least, although most OO languages like to pretend in their type systems that subclasses are always subtypes), and a subtype that is not a subclass (which is typical with interfaces).
Ezekiel 23:20
No, not video conferencing, you can't. Not until WebRTC is ready.