New Java 0-Day Vulnerability Being Exploited In the Wild
An anonymous reader writes "Here we go again. A new Java 0-day vulnerability is being exploited in the wild. If you use Java, you can either uninstall/disable the plugin to protect your computer or set your security settings to 'High' and attempt to avoid executing malicious applets. This latest flaw was first discovered by security firm FireEye, which says it has already been used 'to attack multiple customers.' The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed, the latest versions of Oracle's plugin."
JAVA - Just Another Vulnerability Alert
...is busy colonizing Hawaii.
One Rich Asshole Called Larry Ellison
Just set a team of 10-15 experienced programmers to review the code over a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat?
P.S. I have had Java disabled in my browser for ages. The only reason I still keep it installed is ps3mediaserver. I wish it wasn't written in Java so I could say goodbye to Java once and for all.
C is "secure" now? ...
Surprise, surprise indeed
Aberrations have appeared in my destiny prognostication engine!
Coincidence? Or has Java always had these problems. I don't remember them occurring five years ago.
You must be trolling or you are clueless. C is secure? You guys serious?
Sure, it's as secure as you want it to be. Java, on the other hand, proves time and time again to be insecure whether you want it to be or not :/
Executing random C code from somewhere on the net in a Browser is even dumber than doing the same with Java. Java at least has a security model, even if it's broken anew every week, and has more holes than a sieve. C on the other hand has nothing. It really is more or less like a portable Assembly Language as it was developed for.
Oh the hipsters have long moved to python. To quote CERN "Thanks to python we're no longer IO bound"
Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.
c++;
He probably means that you actually have to have a little knowledge to exploit C while Java is just one big sieve.
Java fails yet again, and really, who is surprised? Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C: it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wannabes use Java.
What do you think the JVM is written in?
Yeah, C and probably C++.
Grow a brain, you twerp.
So why has Java been in the news so much lately with vulnerabilities? I don't remember this being as big a deal 10 years ago when Java applets were a "thing" on the web, so why now all of a sudden? Has Oracle done something to screw the pooch on security, or has some sort of tipping point of interest in Java exploit research been reached?
Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.
Nowhere near as secure as Assembler
I think the people exploiting Java have a LONG list of vulnerabilities in the queue. With each update of Java, fixing the last known holes, they just update their exploit code to utilize the next vulnerability in their queue. This could go on for a long, long time.
And where I work, we have to use Documentum Webtop which requires Java. Now they have us pushing Java updates all the time.
Oracle needs to pay out a bounty for Java vulnerabilities to collect as many as possible so the next fix(es) will be better.
Unfortunately there is no "stupid" moderation. The issue is the Java sandbox, which has the goal of letting you run untrusted code (e.g. applets) on your system without any worries. Unfortunately the attack surface of the sandbox is huge because there are so many different APIs that are usable, and all it takes is a bug in one of them to give you an exploit.
Turn off Java in your browser and you'll be a happy camper. Stop spreading FUD. The Linux kernel still has exploits (http://www.zdnet.com/linux-kernel-exploit-gets-patched-7000011844/).
Oh, and I spent 10 years as a kernel developer in C and another 10 years as a Java developer so I guess I'm a Real Hipster Programmer.
Dude, Python was like eight years ago. Then it was RoR and then Scala. Don't know about today.... Go maybe.
It's like nightclubs in the big city. The place to be seen is always going to change every few years.
Well, then you would both be wrong. C doesn't have a security model to exploit. The security model for loading untrusted code into your C application is "Don't do that", which isn't such a bad idea, really. However, if you remove the stupid idea of trying to run untrusted code in a sandbox within your application, Java is quite secure, which is why people write server code in Java. No buffer overflows to start with (a classic exploit of server code written in C).
I agree, but I'm a little confused whether you're agreeing or disagreeing with me. C gives you the power to do what you want; Java, on the other hand, assumes.
I think what he means is that C security is solely dependent on your code, while Java security is dependent on JVM security in addition to your code's security. And the developer has no control over JVM security.
Nice post :-)
Does this affect the IcedTea Java plugins too?
Java fails yet again, and really, who is surprised? Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C: it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wannabes use Java.
The only failure I see here is your rather ignorant attitude that every language cannot be made just as vulnerable in the hands of the inexperienced.
Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.
The JVM is actually written in C++. Just sayin'
"Little does he know, but there is no 'I' in 'Idiot'!"
"Mutual of Omaha's Wild Security Exploits"?
With a gray haired host that will have "Jim" go out and tackle these security beasts with his bare hands ... on his keyboard?
Nevermind.
Yeah, I'm old.
No, go ahead and stay on my lawn.
And how frelling dare anyone out there make fun of Java after all she's been through!
Leave Java Alone!
Please...
Privacy is terrorism.
Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.
OK, explain why a simple string can buffer overflow? Maybe the latest GNU C libraries have fixed that now, but damn, that is bad, as 10 years ago you could! The APIs had to be practically rewritten to watch for things like these, which explains why it is littered with secure versions of standard function calls.
The problem is you can't really write securely in C unless you know assembly. My simple "give me 2 numbers and I will add them" 10-line program will not look insecure, but it is underneath after being compiled (this was 13 years ago when I tried this). I know Theo from OpenBSD tried making secure versions of standard ANSI C functions to prevent this. Java at least tries and manages it. I can make the same argument that Java is secure. It is only the programmers who are not, etc.
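The thread keeps circling the claim that "a simple string can buffer overflow" in C and the counter-claim that strings "don't overflow unless you use them wrong". The block below is an added example, not code posted by anyone in the thread, that shows both sides concretely: the unchecked `strcpy()` pattern, which writes however many bytes the input has, next to a bounded copy that takes the destination size and refuses input that will not fit (the "seat belt" a later post mentions). The function names, the 16-byte `NAME_LEN` buffer and the sample inputs are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed destination buffer used throughout (constructed value). */
#define NAME_LEN 16

/* The defect the thread argues about: strcpy() writes strlen(src)+1 bytes
 * into dst and has no way of knowing that dst only holds NAME_LEN of them.
 * Called with an input of 16 or more characters this overruns the buffer,
 * which is undefined behaviour and the classic memory-corruption primitive. */
void copy_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded version: the caller passes the destination size, the input is
 * rejected if it (plus its NUL terminator) would not fit, and dst is always
 * left NUL-terminated. Returns 0 on success, -1 on rejection. */
int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n + 1 > dstsz) {
        dst[0] = '\0';          /* never leave an unterminated buffer behind */
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n bytes of text plus the terminator */
    return 0;
}

/* Pure predicate: would src overflow a NAME_LEN-byte buffer? */
int would_overflow(const char *src)
{
    return strlen(src) + 1 > NAME_LEN;
}

/* Exercises the checked copier against a stack buffer of NAME_LEN bytes.
 * Returns 1 if the input was copied and reads back intact, 0 if rejected. */
int try_checked_copy(const char *src)
{
    char buf[NAME_LEN];
    if (copy_name_checked(buf, sizeof buf, src) != 0)
        return 0;
    return strcmp(buf, src) == 0;
}

int main(void)
{
    /* Constructed inputs: 5 bytes fits, 15 bytes is the largest that fits,
     * 16 and 24 bytes do not. */
    const char *inputs[] = {
        "alice",
        "0123456789abcde",
        "0123456789abcdef",
        "AAAAAAAAAAAAAAAAAAAAAAAA",
    };
    char safe[NAME_LEN];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%2zu-byte input: checked copy %s, unchecked copy %s\n",
               strlen(inputs[i]),
               try_checked_copy(inputs[i]) ? "ok" : "rejected",
               would_overflow(inputs[i]) ? "would overrun" : "would fit");
    }

    /* The unchecked copier is only ever called here with input that fits;
     * with the longer inputs above it would write past the end of `safe`. */
    copy_name_unchecked(safe, inputs[0]);
    printf("unchecked copy of \"%s\" -> \"%s\"\n", inputs[0], safe);
    return 0;
}
```

The point the example makes is the one the thread is circling: the language does not stop the overrun, so the protection has to be a discipline the programmer applies on every copy (pass the size, check it, terminate), and any single place where that discipline slips is enough.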
http://saveie6.com/
N.O.T. All software has vulnerabilities. No system is safe from hacking and attack, especially spear-phishing. So, it's news every time some dipswitch downloads pr0n and gets infected? Or opens an unsolicited email attachment and installs malware? Please ... post something that's actually news and stop the "bashing every company just because" merry-go-round. Who's next to be bashed incessantly?
Firefox now turns off the plug-in and you have to enable it when you visit a site that uses it. Each time BTW, it asks me every site, every time I open the browser.
Android doesn't permit Java in webpages at all, even though it uses Dalvik itself (a Java engine) internally.
In the wild, is that the same as in cyberspace?
Java fails yet again, and really, who is surprised? Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C: it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wannabes use Java.
What do you think the JVM is written in?
Yeah, C and probably C++.
Grow a brain, you twerp.
I've heard it argued that Java is insecure because too much of it is written in C++, poor quality code no doubt. It would have been more secure if a core of commands was written in C++, and the rest was written in Java. Then, more effort could be put into making the core secure.
This and no other is the root from which a tyrant springs; when first he appears as a protector - Plato (423 to 327 BC)
I'm not a Java developer, but I do have a strong interest in engineering and reliability, and the reason for all these Java faults puzzles me. Could an experienced Java developer please explain (or at least suggest) why this particular virtual machine has suffered so many vulnerabilities?
In principle, a virtual machine is just the implementation of a specific FSM, very tightly constrained and therefore fairly easy to program for total correctness, unlike most other applications. Such correctness has clearly eluded the JVM. How come?
Apparently it requires browsing as an administrator to exploit this leak.
Just don't do that.
Also it is always a good idea to block execution of programs from user-writable directories, using AppLocker or Software Restriction policies.
I agree, but I'm a little confused whether you're agreeing or disagreeing with me. C gives you the power to do what you want; Java, on the other hand, assumes.
He's not exactly disagreeing or agreeing with you, as you're so thoroughly confused that you manage to say things that aren't cleanly true or false.
C has no security model. At all. This lets you write things that are totally unsafe. For example, you couldn't have browser exploits with either Flash or Java or any other plugin if it wasn't for the NPAPI, which is a C interface! O! M! G!
Java does have a security model; it tries to segregate untrusted code away from trusted code and ensure that the untrusted code can only do very limited operations. This is hard to get right. (Doubly hard when you've got the plugin glue code in the mix; that just makes everything much more complex.) For most applications, this actually doesn't matter very much as they don't load code from untrusted sources at all; Java is doing just great at powering web application servers, and there are some wonderful libraries to help with this. Browser plugins though are a different beast; their whole point is to load untrusted code and execute it, and any mistake is a problem.
Right now, I recommend disabling the Java plugin in all browsers that you use, or even better removing the plugin entirely. If you must have it enabled (for some horrible corporate web application) then only turn it on when strictly necessary. As a bonus, you won't have to suffer from nasty slow Java-implemented ads. (That was why I originally turned it off in my systems; being defended against hacking was a side benefit.) Also, Java tends to look like ass in a browser these days.
What do you expect from a bunch of idiots that spend all of their time supporting ONE product - their DB, and it's one that is going down in its ability to do what it is supposed to do. Most customers are moving to Open Source products since they are just better... I have Java totally disabled - it was once a great language, now it's just crap... Simple...
Turn off Java in your browser and you'll be a happy camper.
It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.
It happened after Oracle took over Java. These big companies just can't understand the product. They just have money to buy it and kill it.
Because badly written & maintained software should cease to exist.
Guys, you are really funny. I hope all those complaining now - and demanding the death of Java - used Linux or FreeBSD when we had Windows-Open-For-Everyone-Alert-Weeks.
MS Blaster - remember? Anyone?!
When you put those arguments in the right perspective, the "funny people above me" should have stopped using Windows along with sendmail ;) and Linux, yes:
there were some local privilege exploits, and unboxing the Java sandbox is nothing else, because if you use the right browser (Opera) or addon (AdBlock) then these Java applets aren't executed without your express will (click+unblock).
Yes, software is - if no quality assurance is applied (a quality-aware developer also counts) - unsafe by default because of the complexity and the human factor, usage of many third-party libs, time pressure.
But what I see in the last years is that I suspect Oracle of not applying a quality regime, and of supplying Java with adware (yes, Google Chrome or whatever is adware when it is installed without the consent of the user).
"Kill Flash, Kill Java, HTML5 the new king"
Have you ever imagined what killing Flash and those applet feature boxes means?
The predominant inability to use ad blockers, because when a site heavily relies on JavaScript/HTML5, filtering proxies need time to catch up.
And when you filter all script tags, interwoven JS apps can stop working and cripple your browsing experience. I hunt for ads, 1px images, popups a.s.o. with Privoxy and it gets harder to cope with JavaScript/HTML5 because your website isn't that modular anymore; it's interwoven. To be more specific: if you HTTP GET a website, this isn't the website that will be displayed to you, because of AJAX (server side) and dynamic on-the-fly HTML generation on the other side.
Also, selective activation/allowing a JS/HTML5 applet to use certain features of your browser (sound/storage/new window) is partly unrestricted.
Flash isn't. You can select not loading an applet! Instead of "please delete line 10 of the JavaScript tag .. oh well, this kills the dropdown menus necessary to navigate the site."
Flash did a great job and I am sure many Flash haters have used YouTube without an additional movie downloader (jdownloader).
Btw.
Yes, this is a flaimbait on flamers flaiming flamingos!
I would say discussion of whether a Turing-complete language is secure or not is off base. You can express any computable algorithm, and if you get it wrong it may or may not behave in undesired ways when presented with input you did not anticipate.
Now, if you want to discuss whether interpreters (byte code or otherwise) that enforce certain memory management contracts, so you don't have to express them as part of your program, ultimately offer better security or just move the problems, that might be a valid topic.
Java is not insecure; security is not even an attribute you could put a value on with regard to Java. The browser plugins that ship with the most popular interpreter and runtime implementation might be insecure. There may be bugs in the interpreter where it does not properly enforce contracts, making otherwise correct programs under it vulnerable. One little mistake in a C/C++ program might result in the same thing, though. The traditional argument is what's more likely to result in the best outcome: every programmer out there writes good code, or a team of skilled programmers writes a universal memory manager and a set of libraries that are solid so other programmers don't have to get some of that hard stuff right?
I guess the issue is we are finding out, more often than not, that even teams of very skilled developers are bound to slip here and there with something as large and complex as the Java runtime.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
For fuck's sake, can people please specify that the APPLET has vulnerabilities?
> Yes, C is secure.
The comment is nonsensical. Security is about vectors. The language itself is really not "secure" because it has to operate within an environment. By integration, it's no more or less secure than the environment AND the program the language was used to write. You really don't understand the implications of the discussion if you think that comment was "excellent".
> A good language should NEVER apply safety's for the programmer
Yeah, fuck type systems!
Every comment you make is a joke. I laugh.
Please show your work eg: int foo(int x,y){ return x+y};
Hey KID! Yeah you, get the fuck off my lawn!
But these things aren't its fault. This is a problem of bad OS design. It is they that should be patched, or better, redesigned from scratch.
You know that just tells me that javac isn't self-hosting and they never bothered to bootstrap their own compiler. I wouldn't blame C for that.
Cwm, fjord-bank glyphs vext quiz
It is a poor worker who blames his tools. The language is not the problem, it is what you do with it but still...
YOUR PROGRAMMING TASK: To shoot yourself in the foot.
C: You shoot yourself in the foot.
C++: You accidentally create a dozen instances of yourself and shoot them all in the foot. Providing emergency medical assistance is impossible since you can't tell which are bitwise copies and which are just pointing at others and saying, "That's me, over there."
Perl: You grep through a list of your body parts, shooting the bits that look like feet. On the first try, you don't shoot anything, and realize that you're matching hashrefs instead of scalars. On the second try, you shoot off your big toe instead of the whole foot (shouldn't have used greedy matching in the regex). Finally, you shoot yourself in the foot, generalize your code to allow it to shoot anyone anywhere, and post it on CPAN as SUICIDE::LITE.
Python: You want to shoot the toes off your foot. You ask your foot to tell you about all of your toes, but to please pause for a while after each one so you can shoot it. After you shoot, your foot begins where it left off.
FORTRAN: You shoot yourself in each toe, iteratively, until you run out of toes, then you read in the next foot and repeat. If you run out of bullets, you continue with the attempts to shoot anyways because you have no exception-handling capability.
Pascal: The compiler won't let you shoot yourself in the foot.
Ada: After correctly packing your foot, you attempt to concurrently load the gun, pull the trigger, scream, and shoot yourself in the foot. When you try, however, you discover you can't because your foot is of the wrong type.
COBOL: Using a COLT 45 HANDGUN, AIM gun at LEG.FOOT, THEN place ARM.HAND.FINGER on HANDGUN.TRIGGER and SQUEEZE. THEN return HANDGUN to HOLSTER. CHECK whether shoelace needs to be re-tied.
LISP: You shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds...
FORTH: Foot in yourself shoot.
BASIC: Shoot yourself in the foot with a water pistol. On large systems, continue until entire lower body is waterlogged.
Java: You find that Microsoft and Oracle have released incompatible class libraries both implementing Gun objects. You then find that although there are plenty of feet objects implemented in the past, you cannot get access to one. But seeing as Java is so cool, you don't care and go around shooting anything else you can find.
I'm pretty sure the semicolon should come before the closing curly brace...
C is neither secure nor insecure. Well, it's secure just like a hammer is secure (if you're building a house).
A good language should NEVER apply safeties for the programmer. It should never perform memory cleaning for you and it should never manage your code.
Fuck you. Not all of us want to spend the time rigging nets, managing memory and the like. Some of us just want to get shit done and not reinvent the wheel every time. Most of us aren't writing drivers or embedded code. A language being good is dependent on the domain and the needs of the programmer. C is good for what it was intended for, which is systems programming. It's not so good for a lot of other kinds of programming.
A good language should NEVER apply safety's for the programmer, It should never perform memory cleaning for you and it should never manage your code.
Safey's what? You put an apostrophe before the "s", so surely it must be a possessive... but safety's what?
The main difference between C and Java is that in C you code the bugs personally - in Java, that functionality is baked into the JVM.
Comes down to whose programmers you trust more - your own, or Oracle's?
EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
Your Java code is almost certainly running in a JVM written in C or C++, running on an OS written almost exclusively in C. Buffer overflows are caused by poor code; they are not forced by the language.
No, honestly, writing evil code in C is easy. You can open files without restrictions, modify them without restrictions, and so on, all with the power of the running user. Executing untrusted C code is NOT SECURE.
These days it's about using as many different languages as possible, ideally in the wrong place. Big desktop application? JavaScript hosted on a remote server sounds ideal! Website to display a list of your mobile phone apps? Show off your 1337 Java skillz by making the whole thing a plugin! A quick script to verify the format of an email address? To the Assembler!
Please consider this account deleted, I just can't be bothered with the spam anymore.
Most of us aren't writing drivers or embedded code.
You're doin' it wrong, brother.
The main difference between C and Java is that in C you code the bugs personally - in Java, that functionality is baked into the JVM.
Comes down to whose programmers you trust more - your own, or Oracle's?
What happens if your C program uses external libraries? Can you GUARANTEE that they don't do something nefarious? Unless your programming stops at hello-world-complexity programs, you're going to have vulnerabilities whether you want them or not. The JVM is a C++ program and it has vulnerabilities.
So in the end, languages that enforce a security model are good. Unfortunately for us, neither C nor C++ do. They are archaic languages that still do damage to this day. And to be clear, I'm not a Java programmer, but to say that C or C++ are safe languages is pure idiocy.
Strings don't overflow in C, unless you use them wrong.
And you never know, there might be a vuln in the Java string library. Unless you've audited it, I wouldn't say there isn't, since it seems there are vulnerabilities everywhere else.
"First they came for the slanderers and i said nothing."
Hot Dog - a return to the good old days!!!
I remember when, wayyy back when, the argument against C was that when using machine code (PDP-11 | VAX-11/780 in my case) the programmer was responsible for all of those tasks that C worked to solve, and the machine code programmes were better for it.
HA HA HA - ROTFLMAO wiping tears from my senile old eyes!
All the major browsers have click-to-play for plug-ins now, so even if you have it installed you should be safe from drive-by infections if you have it enabled.
Actually I don't know if IE10 supports click-to-play, but surfing the net with IE is like licking the toilet seat down the pub - inadvisable at best.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
It's a shame there isn't a really good open source alternative to Oracle's JVM that people could switch to. At least with the endless stream of Adobe Reader vulnerabilities you can just switch to Sumatra PDF or one of the many other free viewer applications.
As far as I can tell, most of the free JVMs are either abandoned or don't run on Windows.
And sadly this means I have to defend Oracle even though I think Larry is a douchebag... whose fault is that? The answer is NOT Oracle, it is SUN that is to blame! Let's face it, Sun never did release decent programs; just look at how long it's taking the ODF to modularize LibreOffice and clean out the cruft.
Now if you want to blame Oracle for not shitcanning a good chunk of Java and starting over? that I might agree with you about but even then it would take time to come up with new code that would allow the JVM to run older programs written for it without having the gaping security issues but considering how buggy Java was under Sun I really don't think oracle deserves the blame here, they just got the mess when they bought the company, like buying a piece of property only to find out it was built on a garbage dump.
ACs don't waste your time replying, your posts are never seen by me.
It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.
After this horrible sequence of 0-day exploits, I've finally disabled the Java plugin in ALL my browsers. There you are, instructions for removal of the Sun (or IBM) Java browser plugin on Windows, without removing the JRE. :)
Because the HotSpot JVM is the BEST virtual machine currently in existence. Period. And no, these vulnerabilities have nothing to do with it.
Stop spreading bullshit.
And who writes their whole program in using just their own code? We have massive C libraries because we cannot reinvent the wheel every time. And it isn't possible to exhaustively check the code in those libraries due to time constraints and sheer complexity.
Okay, now I am really pissed off.
Just compare the number of exploits ever discovered for a given time period for Apache http server or Apache Tomcat. It seems to me that there are less exploits baked in the JVM than people put personally in their C code.
Sheesh, I love C, love Assembly, even Verilog, and I love the JVM (various languages), but I hate these one-bit idiots like you.
I totally agree with it. Using plain C does not solve anything, does not make life easier, and does not provide anything to replace for example Java applet functionality.
The security setting for Java defaults to High anyway. You would have to either A) change your security settings specifically lower or B) specifically allow an untrusted applet to run for this to (sometimes) work. I'm starting to get tired of the anti-Java FUD; there are vulnerabilities found all the time in other languages/frameworks, so how come all we seem to hear about is lame Java applet sandboxing issues?
The JVM might be wonderful but, empirically, the browser plugin is a pile of junk, at least in terms of code quality.
Could somebody, e.g. Apache, incubate a project to replace the Oracle Java web plugin? I don't use Windows but imagine if each company was willing to pay $2/user/year for a better plugin for their mission critical apps. The IcedTea plugin on Linux seems to be in a decent state these days, after quite a rough start - perhaps it could be a basis for a new Windows Java plugin.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
That's it. I'm done with Java. For good.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Linus, is that you?
"Strings don't overflow in C, unless you use them wrong. "
Unless you are a proven-correct computer program generating the C code, you WILL write serious exploitable bugs in C. Especially when your boss is sitting in your neck and asks for status updates every 4 hours.
I've kept Java turned OFF on all of our computers for a long, long time. It's a pig. It hogs computer resource units. I have not once run into anything that requires it. Just say no to Java.
Yeah, I noticed that right AFTER I hit submit. Yet another /. non-feature, even though I do understand why.
Fuck this. Fuck plugins, fuck JS and fuck them. I realize they're in the minority, but these asshats are ruining anything web-related. Perhaps they're all luddites trying to get people back to using Lynx or perhaps they all smoke crack - I don't know - I don't care - all I do know is that I run browsers inside a vm with everything disabled with no shares to the host.
Welcome to the futures.
The point is that buffer overflows are an easy mistake to make. Using languages that prevent it is like using a seat belt.
You must be trolling or you are clueless. C is secure? You guys serious?
The Linux kernel is written in C. I believe the BSDs are written in C. How much more secure can you get?
With C, the vulnerability of your program to exploits or other bugs (an exploit is just a bug, after all) is exactly what you wrote into it, nothing more, nothing less.
However, in Java land (and others) you are depending on a huge pile of abstractions underneath your code which may or may not be vulnerable/buggy. How would you know?
Do rethink your statement.
You can do the same in Java, Python, hell, any other language. If I, as a user, have permission to write to a file then so does any program I run. This is not any fault of C as such. Running untrusted code is the problem. But then, if you don't trust it, why are you running it?
>If you want a good secure system / language just look to C
The stupidity is palpable.
As others have pointed out, every major piece of software, including the Linux Kernel is full of vulnerabilities. Java is not any more vulnerable than these other packages and implying otherwise reeks of subjective politics, not facts.
The JVM is actually written in C++. Just sayin'
That explains a lot...
Do you grasp how ignorant you really are? I'm guessing a post secondary education wasn't in the cards for you. I'm also doubting whether you completed high school.
The difference is that C CAN be secure if you code it right. In Java, even the most trivial thing you write remains dependent on the JVM to be actually secure.
That doesn't mean your C code WILL be secure, but if it's not it is your fault and entirely up to you to fix it.
Cars don't crash unless you drive them wrong...
with the COBOL plugin.
Except that but for trivial software, writing secure C code is nearly inhumanly difficult.
is IcedTea affected as well?
I don't know that I'd say inhumanly difficult, but it's fair to say it is challenging and failures are plenty.
I am going to fucking kill Java! I destroyed Larry Ellison before and I will do it again! (throws chair across room) Posting again because I messed up the previous post, sent from a smartphone (my first /. post ever from one).
Hum... No, a simple string can not buffer overflow. You a word here or what?
Also, of course you must know how computers work to program in C. It's a shame that people think they don't need to learn that for coding in other languages (they do, but they'll build a lot of rope before they discover they are just hanging themselves).
Rethinking email
No computer is as restricted as a Turing machine. For one thing, a Turing machine doesn't do IO.
In fact, information security has no relevance for Turing machines, as they can't compromise any kind of information.
This is just a pissing match on a "my language is better" argument, which is dumb. Who modded the grandparent to +5?
Whether your compiler is a VM like Java or converts it to assembly, the fact is that the programmer is not in control. It is not the programmer's fault if he or she uses an API that does not handle safety of data types. Historically Java has been years ahead of C until the last decade, where Theo had to write secure versions of simple data handling functions, as a string or data type can easily overflow by default and run malicious code. Even a hello world program can run malicious code when I did this 12 years ago! Why should this have been my fault?
That should be a strike against C and C++. I am not a professional programmer in these languages, so I surely hope that is no longer the case. It is why Unix and Windows were so insecure against MacOS classic and VMS. Every datatype can overflow with stack smashes inside it. The ANSI standard functions are not secure by default and each implementation had to rewrite these same things to securely check each data type at compile time.
http://saveie6.com/
The designers of the seat belt are expected to have a degree of skill as engineers and it should pass some form of quality control. This is where Java fails.
Unfortunately, the users of a seat belt are not expected to have any degree of skill or knowledge, and frequently wrap it around their own neck. This is where those writing in languages like Java often fail.
IBM J9 is 10% faster on any workload, on mine it is more like 30%
Yes, yes. Panic! There's a Java 0day! Dear Lord forfend! Of course, as you read this you are probably running Windows, with tons of extensions and software. You're probably using Flash. You probably have a web browser - heck, obviously you have a web browser. Well, not to worry: After disabling Java you will be completely safe.
"No sane man will dance." -- Marcus Tullius Cicero
I was entertained that Larry Ellison attached crapware to their security updates, which have to be specifically turned off in the installation, and their stupid toolbar turns off popup windows, but that disables Oracle's Discoverer product, and it works differently than the IE popup blocker, by not looking for user configurable exceptions. So for pennies per user, Oracle collects from the toolbar makers for every installation. And they're alienating IT departments. I hate working with them-- they're more mafia-like every year. End of complaint.
Everything I've ever learned the hard way was based on a statistically invalid sample.
You're still relying on the C library to be secure. Many/most are not.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
A lot more secure. Linux and the BSDs have holes found in them all the time, along with everything else. Pascal would be a lot more secure than C.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Your C code still relies on the standard library and your compiler to be secure.
Not a sentence!
It CAN (and usually does) rely on libc, but doesn't have to. The compiler mis-compiling the code is quite a different class of problem, but since you have the source, you can validate the results.
In the bad old days, I actually debugged a case where the compiler mis-compiled the code.
I have done projects that did NOT include libc.
The obvious question is how are you using your strings that makes it so difficult to avoid overflows? It's not hard once you know how to do it.
"First they came for the slanderers and i said nothing."
It is perfectly possible to use strings safely in C, but at the same time, there are functions in libc that invite disaster, in some cases with an engraved invitation and a bottle of champagne. Gets, for example, needs to go. So much so that I wouldn't mind its use being promoted from warning to error unless you use the switch --goatse-me.
Even if you use the right functions but screw up passing the allocated size to the functions, you can get in trouble, just like if you fiddle with the radio when you should be watching the road.
I never mentioned about the Linux kernel being non exploitable, but if it was written in Java it would be much more exploitable.
All this statement proves is that you aren't qualified to have an opinion on this subject. I brought up Linux kernel exploits because the Linux kernel is coded in C. The Java exploits that I have seen are all related to breakouts from the sandbox. The kernel and the Java sandbox are equivalent because both are supposed to be able to run untrusted code and keep that untrusted code from doing things it is not supposed to. If you wrote a POSIX compliant kernel using Java you would not use the sandbox to keep untrusted code from doing bad things and it would be about as likely to have exploits as a kernel coded in C. The problem with the sandbox is that the attack surface is just too large to be secured effectively.
Some languages, like PHP, have features that actively work against security. Other than the sandbox (don't use the sandbox to contain untrusted code) Java doesn't have many features like that. C does have features that have to be applied carefully or used carefully (unchecked array bounds, int->pointer conversions).
So I'll admit you're probably not a hipster; that wasn't fair to say, but in the end I just find a good C programmer an invaluable addition to a team over any Java programmer.
You may as well say "good programmer" because lousy C programmers can make a mess incredibly quickly.
Unfortunately, the car in which the seat belt is placed is a piece of rust. Sure, the seat belt might look impressive, but it's not really secured to anything.
Sometimes, the "anti-windows" stuff notes it (Linux = secure / Windows != secure b.s. especially) - nowadays, that crap doesn't "wash" here OR anyplace else...
Thus, in fact?
Heh - I often TRULY SUSPECT that it's the folks that RUN THIS PLACE doing it (vs. plain idiot trolls - even THEY are NOT THAT STUPID nowadays, @ least, I hope not...)!
Merely "spurring debate", thus pageviews, by doing what you dislike, and rightfully so on YOUR part (& yes, mine too because I can't STAND spreading "fud", which you and I have seen for YEARS here on this particular site), simply since it's spouting utter falsehoods, doing it!
(Which again, of course, means more pageviews/hits = MONEY for them)
It ends up getting reactions like yours that lead to more views of this site!
On disliking it? Hey - I'm not much better!
Lately though - I have been thinking it over per my subject-line & what I wrote you in email about it and am restating now, on it being the folks that run this place doing it, rather than mere trolls (even THEY are NOT THAT STUPID), & simply for the reasons I just reiterated here now...
(The "main motivator" = "The Holy Dollar"!).
Why? Easy - oldest motivator there is: "playing folks" for the LOVE of money!
* Think about it - "Food 4 Thought"...
Sometimes I have even said to myself "How on EARTH could anyone be THAT STUPID nowadays to keep that stale disproven crap going online, since it's EASY to disprove with facts + common sense?"!
The answer is, they're not stupid:
It's ALL about the "benjamins" man, & taking advantage of your psyche + character to be 'the clever boy'...
(Clever boy = noted in detail below!).
APK
P.S.=> Seriously - DO think it over: I mean, I agree here - Especially on the account of NOBODY, especially nowadays (imo @ least) is as DUMB as some of the statements of pure "FUD" b.s. I see spouted around here @ times!
(E.G.-> Especially the "Pro-*NIX" &/or "Pro-'Open SORES'" crap you see regularly along with "Anti-Microsoft" &/or "Anti-Windows" b.s. too)...
I.E.-> So, once more: It makes sense the owners or forums admins do those idiotic replies!
(Just to get YOU 'worked up' & replying IF NOT going into a "mile long" debate over it - which again, = money in their pockets! NOT MINE, of course - you know why (hosts))
"The clever boy gets others to make him money instead of having to work for it..." & by doing almost a Sun Tzu method of using YOUR TENDENCIES & those of others, even myself, against you!
Doing so, thinking they're "clever" in pulling b.s. like I allude to above (and yes, I think THAT is the cause of it, as well as the motivator)
... apk
"Band Aids on bullet wounds friend, Band Aids on bullet wounds." - by hairyfeet (841228) > on Saturday March 02, @06:50PM (#43057145)
You're "biting off my style", lol, by "pinching" that turn of a phrase (from yours truly)... admit it (lol)!
* :)
("Imitation is the sincerest form of flattery")
APK
P.S.=> Going to send you an email on this too, kind of important & just helping you out on it!
(It's something I stumbled on regarding the YouTube "lag" you noted lately when we had our recent email exchanges... It *may* even "cure" it... it actually sounds reasonable, & is EASY TO "UNDO" if you need to & it doesn't work for you!)
See - my "lag" with it's gone, long gone in fact, but IF you're still seeing it? So - This MAY help you with that YouTube "lag" you complained of -> http://mitchribar.com/2013/02/time-warner-cable-sucks-for-youtube-twitchtv/
Good luck - hope it helps!
&
Do check this out too, another reply of mine to you (since it frustrated you & has MYSELF also @ times, more than a FEW TIMES, lol, as you know)
AND
I stated it, since I do HONESTLY suspect that is the case here -> http://developers.slashdot.org/comments.pl?sid=3509641&cid=43060679
... apk
I never said a C programmer can't make a mess of code; I also still never mentioned anything about the Java sandbox or the Linux kernel. I've also done enough Java programming to know I'm never going back to it. However, you do bring up an interesting concept about writing a fully POSIX compliant kernel in Java; it would be interesting to see it actually being done. It would have to be Java from the very base of the system, including IDT and GDT table init. It would be interesting to benchmark against.
Yes, but how often do you screw up passing the allocated size? I'm not sure that happens often.
If it's something you are really having trouble with, you can declare a struct with the size and buffer together, then create wrapper functions around the standard library functions that use your struct. Then you only have to verify that your passing is correct within those wrapper functions, and not mess with the size anywhere else.
"First they came for the slanderers and i said nothing."
...I have always had high hopes for Java, but it seems that it's turning into a security risk that almost equals Windoze. Anyone know why? Is Oracle doing the kind of sloppy ass stuff that Micro$oft has made into an industry standard?
Really, I don't have a problem with it; however, the most common source of problems in general is probably the off by 1 thinko, like forgetting to count the terminating null. Next up is probably cases where the programmer forgets that there are circumstances where the trailing null might NOT get written.
Next up is probably cases where the programmer forgets that there are circumstances where the trailing null might NOT get written.
Yeah, that one's really annoying. strcat() has a lot of special cases that are annoying as well. I usually encapsulate that one into a custom function where I only have to deal with all that once because it's so bad. Although it's not the most commonly used function.
"First they came for the slanderers and i said nothing."
I have always thought that in cases where n is exceeded, [n-1] should get the null terminator. I usually do that explicitly just to be safe. I don't like unterminated strings.
agreed
"First they came for the slanderers and i said nothing."
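The counted-buffer approach sketched in the posts above (size and storage kept together so the size is never passed separately, wrapper functions around the libc calls, gets() replaced, strcat()'s special cases handled once, and the terminator forced into [n-1] when n is exceeded) as an added example written for this page; it is not code from any poster or from Java/libc. The `sbuf` type and all function names are my own, and `strncpy_terminates` exists only to show the "trailing null might NOT get written" pitfall the thread mentions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counted buffer: capacity travels with the storage, so callers never pass
 * a size separately and cannot pass the wrong one. Invariant: data is always
 * NUL-terminated and len < cap. (Hypothetical type, written for this page.) */
typedef struct {
    char  *data;  /* heap storage, NUL-terminated */
    size_t cap;   /* bytes allocated, including the terminator */
    size_t len;   /* bytes in use, excluding the terminator */
} sbuf;

int sbuf_init(sbuf *b, size_t cap) {
    if (cap == 0) return -1;                /* no room even for the terminator */
    b->data = malloc(cap);
    if (!b->data) return -1;
    b->cap = cap;
    b->len = 0;
    b->data[0] = '\0';
    return 0;
}

void sbuf_free(sbuf *b) {
    free(b->data);
    b->data = NULL;
    b->cap = b->len = 0;
}

/* Copy src into the buffer. Returns 1 if src had to be truncated, 0 otherwise.
 * In the truncated case the terminator lands in data[cap-1], as suggested above. */
int sbuf_copy(sbuf *b, const char *src) {
    size_t n = strlen(src);
    int truncated = n >= b->cap;
    if (truncated) n = b->cap - 1;
    memcpy(b->data, src, n);
    b->data[n] = '\0';
    b->len = n;
    return truncated;
}

/* Append src: the strcat() replacement. Never writes past cap, and the
 * "buffer already full" case is handled here once instead of at every call site. */
int sbuf_append(sbuf *b, const char *src) {
    size_t room = b->cap - 1 - b->len;      /* bytes we may still add */
    size_t n = strlen(src);
    int truncated = n > room;
    if (truncated) n = room;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return truncated;
}

/* Read one line: the gets() replacement. fgets() stops at cap-1 and always
 * terminates, but it leaves the newline in place and, for an over-long line,
 * leaves the tail in the stream where the next call would read it as a fresh
 * line. Returns 1 if the line was truncated, 0 if read whole, -1 on EOF/error. */
int sbuf_getline(sbuf *b, FILE *in) {
    if (!fgets(b->data, (int)b->cap, in)) {
        b->data[0] = '\0';
        b->len = 0;
        return -1;
    }
    b->len = strlen(b->data);
    int truncated = 0;
    if (b->len > 0 && b->data[b->len - 1] == '\n') {
        b->data[--b->len] = '\0';           /* strip the newline we don't want */
    } else {
        /* No newline: either EOF or the line was longer than the buffer.
         * Drain the rest so it does not masquerade as the next line. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    }
    return truncated;
}

/* The pitfall from the thread: strncpy() writes no terminator at all when the
 * source does not fit in n bytes. Returns 1 if a NUL ended up within n bytes. */
int strncpy_terminates(const char *src, size_t n) {
    char dst[8];
    if (n > sizeof dst) n = sizeof dst;
    memset(dst, 'X', sizeof dst);           /* poison so a missing NUL is visible */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Echo stdin line by line, flagging lines that did not fit in 16 bytes. */
int main(void) {
    sbuf line;
    if (sbuf_init(&line, 16) != 0) return 1;
    for (;;) {
        int r = sbuf_getline(&line, stdin);
        if (r < 0) break;
        printf("%s%s\n", line.data, r ? " [truncated]" : "");
    }
    sbuf_free(&line);
    return 0;
}
```

The point is not that these wrappers are clever but that the size check lives in exactly one place per operation, which is what the "struct with the size and buffer together" suggestion buys you. `sbuf_copy("0123456789")` into an 8-byte buffer yields `"0123456"` with the NUL in `data[7]`; `strncpy_terminates("abcdefgh", 8)` returns 0, which is the unterminated-string case the thread warns about.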
Hey APK, your posts are as bad as Windows is insecure. Keep doing the good job of associating yourself to M$ products.
Java is simply too complex by now to be secure.
And the reason these things are written in C instead of Pascal is much the same reason as why most martial arts do not involve the use of mittens.
Just Another Viral Anus
Just Another Vaginal Anus
Just Anal Vaginal Anomalies
I can answer this one: Back in my rock and roll days a girl I lived with was a tall blonde "party girl" type, y'know, the kind that likes to "play blonde".. and you'd never quite know if she was acting or not. One particularly hot set, one of the folks I was playing with had one of those headstock-less Steinberg guitars, where the tuning pegs are down by the body of the guitar.. She apparently did not notice, or at least claimed not to notice, and after the set, said for all to hear "Wow! The music was so good the top of the guitar fell off!!" ;-) ;-) ;-) The press folks just stared at each other, and so did anyone else, with this weird look like I've never seen before.. more than your typical "here we go again".. Nobody's really sure if it was a blonde moment or a remark of pure genius.. as everybody STILL remembers that gig!!
"Hey APK, your posts are as bad as Windows is insecure." - by Anonymous Coward on Sunday March 03, @04:54PM (#43063595)
See my subject-line above, this data below, & "eat your words":
---
Vulnerability Report: Microsoft Windows Server 2012:
http://secunia.com/advisories/product/42761/
Unpatched = 0% (0 of 18 Secunia advisories)
---
Vulnerability Report: Microsoft SQL Server 2012:
http://secunia.com/advisories/product/40664/
Unpatched = 0% (0 of 1 Secunia advisories)
---
Vulnerability Report: Microsoft Exchange Server 2010:
http://secunia.com/advisories/product/28234/
Unpatched = 0% (0 of 3 Secunia advisories)
---
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x:
Unpatched = 0% (0 of 7 Secunia advisories)
---
Vulnerability Report: Microsoft .NET Framework 4.x:
http://secunia.com/advisories/product/29592/
Unpatched = 0% (0 of 18 Secunia advisories)
---
Vulnerability Report: Microsoft DirectX 10.x:
http://secunia.com/advisories/product/16896/
Unpatched = 0% (0 of 3 Secunia advisories)
---
Vulnerability Report: Microsoft Visual Studio 2012:
http://secunia.com/advisories/product/42480/
Unpatched = 0% (0 of 0 Secunia advisories)
---
Vulnerability Report: Microsoft Internet Explorer 10.x:
http://secunia.com/advisories/product/43073/
Unpatched = 0% (0 of 3 Secunia advisories)
---
Vulnerability Report: Microsoft Office 2013:
http://secunia.com/advisories/product/43263/
Unpatched = 0% (0 of 0 Secunia advisories)
---
Vulnerability Report: Microsoft SharePoint Server 2010:
http://secunia.com/advisories/product/29809/
Unpatched = 0% (0 of 8 Secunia advisories)
---
Vulnerability Report: Microsoft Forefront Unified Access Gateway (UAG) 2010:
http://secunia.com/advisories/product/32977/
Unpatched = 0% (0 of 3 Secunia advisories)
---
* Would you like more, OR, will THAT do to make you "eat your words" from Microsoft's "top of the line" product offerings for business development?
(Oh, I am SURE it will be enough to "silence you" easily, troll, so thus, I suppose you can ignore that question since it made my point easily vs. yours, blowing yours clean away with facts!)
APK
P.S.=>
" Keep doing the good job of associating yourself to M$ products." - by Anonymous Coward on Sunday March 03, @04:54PM (#43063595)
Thank-You - I absolutely will!
Especially since this still "holds true" -> http://stats.kwsn.net/team.php?proj=sah&teamid=26482&sort_order=name&sort_direction=ASC (see "#9"/AlecStaar there since that's my SETI 'handle/nickname' & has been since 1999, & also see the team description above it - might explain a few things for you!).
---
Hey - MS is #1 worldwide overall on PC desktops + Servers combined... + their stuff is "bulletproof & bugfree" as you can see above from a reputable enough source for security vulnerability data also!
(Especially based on the above securit
Missed posting this link in my last post I am replying to now correcting that minor omission on my part -> http://developers.slashdot.org/comments.pl?sid=3509641&cid=43064117
---
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x:
http://secunia.com/advisories/product/17543/
Unpatched = 0% (0 of 7 Secunia advisories)
---
* There, all done...
APK
P.S.=> One MUST be thorough in one's "dusting" of trolls, as I am completely NOW, & with exacting data, in response to the AC troll that came in here 'ribbing on' my posts & yes, Microsoft too, here -> http://developers.slashdot.org/comments.pl?sid=3509641&cid=43063595
... apk
I never said a C programmer can't make a mess of code; I also still never mentioned anything about the Java sandbox or the Linux kernel.
No, what you said is:
I never mentioned about the Linux kernel being non exploitable, but if it was written in Java it would be much more exploitable.
The reason I mention the sandbox is because that is where the exploits are. Would you care to bring up another Java language feature that's a security hole?
I've also done enough Java programming to know I'm never going back to it.
You're welcome to use the tools you like. And you're welcome to criticize the tools I like, if your criticism is based on facts. All I ask is that you not spread falsehoods.
Recent builds (since around about JRE 1.7u11) add a checkbox in the Security tab in the Control Panel applet (control.exe C:\Windows\System32\javacpl.cpl) titled, "Enable web content in browser". Uncheck that and never see another Java applet again.
about:plugins in your browser's location bar will verify Java isn't there.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
This is an exceedingly small percentage of development.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I am going to fucking kill Java! I destroyed Larry Ellison before and I will do it again! (throws chair across room) Posting again because I messed up the previous post, sent from a smartphone (my first /. post ever from one).
Ballmer? Is that you? :P
No colour or religion ever stopped the bullet from a gun
That was a joke, not a troll, you insensitive clod! It's funny! Laugh! Seems like everybody misunderstood my shameless bid for a "+5 Funny."
I know it's a joke, hence I made one of my own :P
No colour or religion ever stopped the bullet from a gun
Oh come on, Pascal has always had full ability to code right down to the bit level, with even better inline assembler capabilities in many implementations. Parent's point was that Pascal has always used counted-length strings (which in addition to being more secure, avoids many expensive calls to strlen()). Lack of popularity does not equate to lack of ability.