Slashdot Mirror

← Back to Stories (view on slashdot.org)

Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

Posted by Soulskill on from the it-just-goes-on-and-on-my-friends dept.

msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."

29 of 223 comments (clear)

  1. Enough Already by Anonymous Coward · · Score: 5, Insightful

    Someone, please put Java in the browser out of our misery.

    1. Re:Enough Already by CodeReign · · Score: 3, Informative

      That's not how java works. Java has a very small memory footprint by default. This is why running minecraft requires you to run java -Xmx6G minecraft_server.jar so you can use upto 6GB

    2. Re:Enough Already by Anonymous Coward · · Score: 3, Interesting

      Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".

      Well, I uninstalled Adobe Reader and Flash many years ago and nothing of interest was lost.
      As for Java, I just disable the browser plugin and that's it. Desktop java applications (yes yes they do exist, for instance jdownloader) continue to work wonderfully.

    3. Re:Enough Already by Above · · Score: 3, Informative

      I would love to banish Java from all of my machines never to see it again. Most of the uses for Java are well, useless to me, HOWEVER....

      There are a few things I do that require Java and even if I wanted to badger my vendors to do them in some other cross platform way I'm not sure how they could. The two I regularly use are access to IPMI cards and Cisco WebEx. Both do things that as far as I can tell can't simply be done in a browser with HTML5 and JavaScript.

      If someone had a good solution for those sorts of things I would dump Java in a heartbeat.

    4. Re:Enough Already by datavirtue · · Score: 3, Funny

      Why, after all this it will be unbreakable. Look at Windows and how it has improved. Hold on, Windows Store, locked down application environment....uh.

      --
      I object to power without constructive purpose. --Spock
    5. Re:Enough Already by Anonymous Coward · · Score: 4, Informative

      in defense of both sysad and java, there are developers which just tink that garbage collection is magic and create a memory problem where there is none

    6. Re:Enough Already by Anonymous Coward · · Score: 3, Insightful

      From a user-experience point of view, doing that work to enable Java to work properly for Minecraft is an abortion.

    7. Re:Enough Already by robmv · · Score: 3, Insightful

      Already done, the previous u10 added options on the Java control panel (Windows) to disable all Java feature on the browser, so if you need Java for desktop applications, you don't need expose it to the browser.

      Note: The Java plugin code was never open sourced to OpenJDK, people from IcedTea project developed a new plugin and JNLP engine for Linux. I am starting to think that Sun already knew the bad security quality of the plugin and they decided to never release that code

    8. Re:Enough Already by kbg · · Score: 5, Insightful

      This is one of the very stupid things Java has. The user has to set memory limits for the application, either using to much memory or too little, and the memory used is based on the usage for the application so that it is always a possibility to run out of memory for a Java application even if you have enough memory on your machine. This is a major usability and design flaw in Java.

    9. Re:Enough Already by hairyfeet · · Score: 3, Informative

      Well as I posted when the band aid patch that is now busted was put out it could take 2 years to fix the actual problem because the underlying code is "broken" and pretty much needs a full rewrite. We can't really blame Oracle for this as Java was a mess when Sun had it, Oracle merely got stuck with the mess when they bought out Sun.

      The thing I WILL blame Oracle for is the fact that if you update the damned software with the patch it RE-ENABLES the browser plug in unless you know to disable it, along with the usual crapware that comes with everything. Oh and I also blame the jerk that made Minecraft for bringing shitty Java back to the home users, for a good while there I had all but wiped Java out on home users systems, then that damned game came up and here we go again.

      Personally I think Homeland Security should order Oracle to put out a patch that disables the browser plug in and bar them from re-enabling it when they patch as those that actually NEED Java can find out how to turn on the plug in easy enough but those that don't won't know to disable it every. single. time. they have an update.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:Enough Already by TopSpin · · Score: 3, Informative

      Java has a very small memory footprint by default.

      Erm. No. Just no.

      class Main { public static void main(String[] args) { while (true); } }

      (jdk 1.7.0.6 x86_64 linux)

      17M resident for that. 0.5G of virtual address space. The only other class referenced is java.lang.String.

      The equivalent Perl is 1.7M. Node.js is 9M. Python is 4M. TCL is 1.9M.

      EVERYTHING uses less RAM than bleeping Java. A lot less. And this isn't some fail test where Java gets better as applications scale. Go look over here and observe how almost every other language consumes less memory across a wide variety of algorithms. Anecdotal evidence from any app server admin will corroborate this.

      Java is a RAM pig and it always has been. The problem, at least regarding initial memory footprint (and start-up time), is excessive class loading. This is not opinion. There has been a project to correct it on the books for almost four years.

      Like everything else with Java, it has been neglected. Supposedly the results will appear in JDK 9..... sometime in 2015.

      And don't cite Android as some exception. Dalvik isn't JRE.

      --
      Lurking at the bottom of the gravity well, getting old
    11. Re:Enough Already by gweihir · · Score: 3, Interesting

      Indeed. Java was intended for firmware in smaller embedded devices, like washing machines. It was never intended to be connected to a network. It was never intended for large software. It was never intended to go into the mainstream either. All security is patched on later (hint: that approach is sure to fail).

      Put that together with Oracle engineering quality (which sucks badly, I am surprised their database products ever made it to any prominence), and you have a fine disaster. What I do not get is that people think this technological lemon is any good.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Interesting by jones_supa · · Score: 4, Interesting

    I still find it odd how Java suddenly caught all the attention regarding security.

    1. Re:Interesting by dalias · · Score: 5, Insightful

      Yes, in some ways I agree it is a "smear campaign", but I don't think it's an unjustified one. When a product has had vulns this serious this many times, yet maintains huge deployment due to market dominance and user lock-in, a huge smear campaign is needed to destroy it. This was the case in the past with products like BIND, Sendmail, WU-FTPD, IIS, IE, etc. and Java is just the latest necessary target.

  3. Re:The same old story by K.+S.+Kyosuke · · Score: 4, Interesting

    Considering that reflection is basically injecting code at runtime

    That's pretty narrow, isn't it? Reflection is reification of program's state (and possibly code, which should be a subset of it) in form of (possibly mutable) metaobjects. The interface doesn't necessarily have to allow the program to do things that are inherently unsafe (although some applications need to do precisely that, e.g., Smalltalk IDEs when creating or modifying classes and methods). If Java's reflection features violate Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such. It's not like this is Java's only design flaw anyway. :-)

    --
    Ezekiel 23:20
  4. Re:Just let it die already by Antipater · · Score: 5, Funny
    To be fair, coding your way out of a paper bag sounds pretty difficult.

    Unless you have a robot with poking capabilities inside the bag with you, of course.

    --
    Everything is better with chainsaws.
  5. Bad stewardship of Java by benjfowler · · Score: 4, Insightful

    Oracle need to be called out on what appears to be an open-and-shut case of negligence.

    Only a complete idiot would take on Java and it's 600 million users without making some kind of plan for supporting it. Their approach so far has been unbelievably reckless.

    I certainly hope they don't take that attitude to Oracle Database, which is very expensive indeed, and running inside companies with lots of well paid lawyers.

  6. Enough already by mark-t · · Score: 3, Funny

    While admittedly this could reasonably qualify as news for nerds, the exploits that are being discovered in Java these days are happening with such rapidity now that it truly seems like a complete waste of time and effort to report them all individually. They are so frequent now as to border on spam.

    --
    File under 'M' for 'Manic ranting'
  7. Re:The same old story by Anonymous Coward · · Score: 3, Insightful

    Sorry to say: if you haven't seen reflection used in C# you must not have been looking very hard...

  8. Re:The same old story by sjames · · Score: 4, Informative

    Reflection is extremely useful given a language that considers it a first class feature rather than a bolt-on. Duck typing, for example,is a specific application of reflection. In turn, duck typing can actually fulfill the promise of reusable code that OOP promises but rarely delivers.

  9. Re:Just let it die already by The+Moof · · Score: 3, Informative

    It's the screwy way Windows does network trust. The "Internet Options" from the control panel is actually IE's preferences. This is also the place you set up trusted zones, allowing network applications or applications downloaded from external sources to run on the OS.

    Like I said, it's screwy.

  10. Re:The same old story by Bob9113 · · Score: 5, Insightful

    If Java's reflection features violate Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such.

    Java is a progamming language, like C. It has access to the filesystem and can fork processes. Security is handled by the operating system, just like C. Any permission that the executing user has, the language has. That is as designed.

    The Java browser plugin, on the other hand, has a sandbox which is supposed to make it safe to run untrusted code. Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code. The security hole is in the Java sandbox, and in the notion of executing untrusted code in a language that has system access, not in the Java language.

    --
    Stop-Prism.org: Opt Out of Surveillance
  11. Re:The same old story by AuMatar · · Score: 3, Informative

    Its major use is to avoid busy work for the programmer. An example is ORM where the program can analyze what fields a class has and figure out what data types those fields are and build sql querries from it. Another example is xml/json parsing, where you can pass in a json string and a class definition and have it match all of the fields in the json to members in the class. You can spend 15 minutes writing annoying boilerplate code or 15 seconds making 1 method call.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  12. Re:Just let it die already by icebike · · Score: 4, Interesting

    Oracle appearently cant code their way out of a paperbag but Sun wrote Java 6. Not to say that release is secure but at least less flaky and doesnt have the same flaw as 7.

    I think it is starting to look suspiciously like there is some unfair dealing going on in the "security researcher" world.

    The fix was released last Sunday and two new security flaw turn up today which, according to the summary and TFA "are apparently not related to the previous security issues."

    First, that is very short period of time to find these new flaws, and write a proof of concept.
    Were these flaws in the prior release, or introduced by the Sunday release?
    Did these guys have them in hand prior to the work on sunday's release and hold them back?
    Were they using "research" methods that they refused to share? Fuzzers, code inspection?
    If the researchers didn't find these new flaws until after sunday, why not?

    Just sayin....

    --
    Sig Battery depleted. Reverting to safe mode.
  13. If they keep this up... by mandark1967 · · Score: 4, Funny

    Adobe is gonna get jealous.

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
  14. Shouldn't the OS prevent the worst of the damage? by overunder · · Score: 4, Interesting

    I understand how a sandbox vulnerability could lead to malware being installed on the machine. But that malware still has to then exploit an OS-level security hole, right? The reports make it out that somehow the Java vulnerability allow complete take over of the machine. So I'm confused why the Win7, OSX, etc Access Control mechanism doesn't prevent the potential damage. Or is this specifically targeting users who for example are logged in as admin on a Win box and have explicit approval of system changes via ACL disabled?

  15. For cripes sake... Java Plugin != Java by diarrhea-uh-uh · · Score: 5, Insightful

    So sick of these headlines. Java is fine, it's the barely-used-these-days plugin that's the problem. I expect non-techy sites to omit that detail, but come on /. For those preaching that Java should be donated to Apache, give me a break. It's at the core of all "Enterprise Applications'" tech stack. Never gonna happen, nor should it. Best solution would be to decouple the plugin from the Java install and no longer shove it down people's throats.

  16. Java is not broken by zmooc · · Score: 5, Interesting

    The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.

    --
    0x or or snor perron?!
  17. Re:The same old story by K.+S.+Kyosuke · · Score: 3, Informative

    I would omit the "sub-class" part of your post. This is about substitutability, and that is all about subtyping, whereas subclassing is about representation and implementaiton. You can have a subclass that is not a subtype (per LSP, at least, although most OO languages like to pretend in their type systems that subclasses are always subtypes), and a subtype that is not a subclass (which is typical with interfaces).

    --
    Ezekiel 23:20