New Java 0-Day Vulnerability Being Exploited In the Wild

An anonymous reader writes "Here we go again. A new Java 0-day vulnerability is being exploited in the wild. If you use Java, you can either uninstall/disable the plugin to protect your computer or set your security settings to 'High' and attempt to avoid executing malicious applets. This latest flaw was first discovered by security firm FireEye, which says it has already been used 'to attack multiple customers.' The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed, the latest versions of Oracle's plugin."

JAVA - Stands For

[blarkon]

JAVA - Just Another Vulnerability Alert

Re:JAVA - Stands For

Friends don't let friends do "JAVA" (Just Another Viral Affliction)!

Re:JAVA - Stands For

[rmdingler]

Gee, Oracles Sun language is news 'gain.

Re:JAVA - Stands For

Java and Acrobat are two applications black hat hackers and espionage agents everywhere love!

Meanwhile, Larry Ellison

...is busy colonizing Hawaii.

Time to kill Java

When is Oracle finally going to throw in the towel with Java? They have no control over it anymore and they just can't seem to make it secure. What a joke.

Re: Time to kill Java

[jadv]

i am going to fucking kill java! I destroyed l do it again! (throws chair across room)rry ellison before and i willd

Re: Time to kill Java

[jadv]

I am going to fucking kill Java! I destroyed Larry Ellison before and I will do it again! (throws chair across room) Posting again because I messed up the previous post, sent from a smartphone (my first /. post ever from one).

Re: Time to kill Java

[RaceProUK]

I am going to fucking kill Java! I destroyed Larry Ellison before and I will do it again! (throws chair across room) Posting again because I messed up the previous post, sent from a smartphone (my first /. post ever from one).

Ballmer? Is that you? :P

Re: Time to kill Java

[jadv]

That was a joke, not a troll, you insensitive clod! It's funny! Laugh! Seems like everybody misunderstood my shameless bid for a "+5 Funny."

Re: Time to kill Java

[RaceProUK]

I know it's a joke, hence I made one of my own :P

ORACLE

One Rich Asshole Called Larry Ellison

Re:ORACLE

One Raging Asshole Called Larry Ellison

FTFY

why they don't

[etash]

just set a team of 10-15 experienced programmers to review the code in a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat ?

p.s. I have disabled java in my browser since ages. the only reason i keep still installed is because of ps3mediaserver. I wish it wasn't written in java so I could say goodbye to java once and forever.

Re:why they don't

just set a team of 10-15 experienced programmers to review the code in a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat ?

That would be the closed source model. ESR's motto is "given enough eyeballs, all bugs are shallow". Unfortunately, in terms of security, the bugs are shallow for the bad guys as well as the good guys. And the bad guys are better motivated.

Re:why they don't

just set a team of 10-15 experienced programmers to review the code in a period of 3-4 months instead of just-wait-to-see-the-next-exploit-and-fix-just-that-rinse-and-repeat ?

They've probably invested considerably more man-months into the problem than that. The problem is that such a procedure will not find all the bugs in a complicated code base. Another way of saying that is, every time you do this, you'll probably find at least one more bug and the same thing happens when the bad guys do it. Welcome to the world of an impossible task that is never the less very important.

Re:why they don't

They've probably invested considerably more man-months into the problem than that. The problem is that such a procedure will not find all the bugs in a complicated code base.

Really?

The JRE installer is 16 megabytes. That really, really isn't a big complicated code base.

The real problems are:

1. Java is a steaming pile of shit.
2. Oracle doesn't care.

Re:why they don't

[hairyfeet]

What sucks is after years of watching Java disappear from the consumer desktop its fucking making a comeback, ARGH! Why is it coming back? Damned Java games like fricking Minecraft that's why. Why oh why did the game designers suddenly decide to start using Java again,is it because of Android? if so the person who came up with Android needs to be shot because this is a fricking nightmare! To give geeks a better understanding imagine if after all these years suddenly IE 6 made a major comeback, wouldn't you want to scream? For the love of God it was almost dead on the desktop! /walks away muttering and sobbing/

Re:why they don't

[Almost-Retired]

Because that would cost (gasp) money, and Larry would have to put off buying the rest of Hawaii for another 3 weeks.

Seriously, from the vantage point of having first coded in assembly back in '78, (also my age now) on an RCA 1802 MPU, one of the things I learned early on was to write a small executable that called the program piece I was working on, feeding it data up to the size of the cpu's registers, and let it run long enough its all been tried, without any crashing or incorrect output.

You can't do that to the whole thing where its tied to machinery you might cause to break or injure people, but you can damned sure stick some leds on the output bus, both as an activity indicator, and as a correctness verification. That means the guy writing the code must also be capable of picking up a soldering iron and fabricating his own test tool hardware, and I don't believe for a millisecond that a coder can call himself a coder or programmer if he can't do that. The hands MUST fit the tools IOW.

Engineering at a tv station was my paycheck for 48 years, and I have played cowboys and electrons for a living since the tail end of the 40's, quitting school to go fix tv's for cigarette money at the end of the 8th grade & still do the hot soldering iron scene but more as an aid to my hobbies, one of which is cnc controlled machining tools.

Some of the code I wrote, to run on hardware I also built, has lasted as long as the technology that required it, in 2 cases in excess of a decade, and one of those 2, the decade was after I had gone on down the road to a greener pasture. Neither ever crashed except when the battery ran down because the power failure was longer than the battery's holdup time.

Yes, dependable code seems like its also secure, but that is achieved by testing that data for validity BEFORE using it to for something so mundane as detecting when someone has gotten up from the shitter and is putting himself back together, at which point you close a switch and effectively pull the flush handle.

What is so difficult about understanding that? Just because your prof in CS101 was a pompous ass and didn't do it, I mean how dare you question MY judgement?, didn't do it, what makes you think you don't need to? I have done things in a higher level language quite a few times, but AFAIAC, that higher level language just makes it that much easier to shoot your code in its one tenuous space connected to reality, aka its foot.

My 2 cents for today.
Cheers, Gene

Re:why they don't

[GodfatherofSoul]

Because Oracle don't give a shit about Java. They snagged Sun probably thinking they'd get Google by the balls. No doubt, the board at Sun had some hand in convincing them of that.

Re:why they don't

[semi-extrinsic]

It's simple. Java was teh hawtness roughly ten years ago. It took four years for university CS departments to catch on, then four years for the first Java-loving graduates to start "entrepreneuring", and then two years for this to significantly influence Java usage. It's a basic convolution-type feedback.

Re:why they don't

[hjf]

I'm a hobby microcontroller programmer. I've made stuff with PICs that runs flawlessly. Written in C and assembly. One is a fan controller (switches 5 different relays and shows the output on a 7-segment display), and it's been running for probably 8 years non stop (well, the fan stops but the controller never does).
Another project was a simple "street block counter" for taxis, which I sold to a friend and he's made hundreds if not thousands of them (i should have asked more money!).

And tens of little projects that more or less work as supposed.

For all those projects, it's easy to validate all inputs and outputs, and follow all code. Since they're simple to understand. Right now my project is a weather station with ethernet and data logging. It's simple on the outside but it's so hard when you realize how much sanitizing you need for all values, and when you test it for different values of VDD and start getting weird readings, and when you deal with a memory chip which can (and will) be interrupted mid-write with a power outage and your data will be corrupted. It's really incredibly hard how you find more and more potential flaws after just a few hundred lines of code (and reasoning).

So while i understand your point, comparing java to a few small systems isn't really fair. Java is a huge monster with a target painted on its back. No system is really secure, and even Mac OS (which was claimed "secure") was proved to be as flawed as anything else. Mac OS used to be something no one cared about, but now that it's gaining a user base, it's being targeted more and more. It's the same with java. And it could be the same with any other language, tool (PDF), OS, SCADA, PLC, anything.

Any system that accepts uncontrolled (by the user) inputs is subject to exploiting.

Re:why they don't

[Almost-Retired]

I'm a hobby microcontroller programmer. I've made stuff with PICs that runs flawlessly. Written in C and assembly. One is a fan controller (switches 5 different relays and shows the output on a 7-segment display), and it's been running for probably 8 years non stop (well, the fan stops but the controller never does).
Another project was a simple "street block counter" for taxis, which I sold to a friend and he's made hundreds if not thousands of them (i should have asked more money!).

And tens of little projects that more or less work as supposed.

For all those projects, it's easy to validate all inputs and outputs, and follow all code. Since they're simple to understand. Right now my project is a weather station with ethernet and data logging. It's simple on the outside but it's so hard when you realize how much sanitizing you need for all values, and when you test it for different values of VDD and start getting weird readings, and when you deal with a memory chip which can (and will) be interrupted mid-write with a power outage and your data will be corrupted. It's really incredibly hard how you find more and more potential flaws after just a few hundred lines of code (and reasoning).

So while i understand your point, comparing java to a few small systems isn't really fair. Java is a huge monster with a target painted on its back. No system is really secure, and even Mac OS (which was claimed "secure") was proved to be as flawed as anything else. Mac OS used to be something no one cared about, but now that it's gaining a user base, it's being targeted more and more. It's the same with java. And it could be the same with any other language, tool (PDF), OS, SCADA, PLC, anything.

Any system that accepts uncontrolled (by the user) inputs is subject to exploiting.

I can't make a serious argument that disagrees with that. The major point being that the individual programmer is at the library's author(s) mercy, and in spite of his best efforts, 95% or more of his 10 megabyte masterpiece written in Java, will be spent, not in his code, but in the interpreter which he has no control over.

All they can do, after exercising due diligence, is go ahead and wear the Java T-shirt, the one with the target rings on the back. They have managed to have a working app in 25% of the time it would have taken it to be written in C, or perhaps 10% of the time it would have taken in HLA dialect for that cpu.

It just, to me, confirms that old saw about getting what you pay for, where time to market is the holy grail the payment is judged by. :)

Cheers, Gene

Re:why they don't

[Desler]

The size of the installer says next to nothing about the amount of code. Especially since files in instaers are routinely compressed to save size.

Re:why they don't

A shit stain making shit accusations.

Re:why they don't

Another dumb shit that cannot discern the difference between Java the language and a browser plugin. Shit's like you probably also think Javascript is Java. amirite?

Re:why they don't

[hairyfeet]

Does ANYBODY know how to block ACs without blocking legit users? Anybody? Because frankly all the AC posts here are about THIS level of stupid. Hey moron you DO know that every damned time Oracle puts out an update to java it TURNS THE PLUGIN BACK ON don't you? And that if you don't install Java you don't have Oracle jamming that plugin and crapware down your damned throat?

If the ACs are indicative of the future populace we need another world war like yesterday just to thin the stupid out of the damned herd.

Re:why they don't

I've always posted AC for precisely the opposite reason. That is to say that I've never had an interest in creating a Slashdot account and becoming damned by association with the torrent of complete and utter drivel that gets slopped out by the average poster on a daily basis.

It does make it a lot harder to be heard, but really does instill a sense of accomplishment when a post becomes recognised as insightful despite the obvious prejudices against AC here. If there's any moral to the story it's that you should be debating the message, not the messenger.

Finally, once swearing exceeds emphasis and starts replacing the message, it never indicates an intelligent argument. I'd put your own house in order before condemning others.

Re:why they don't

Actually, there is a way, but you're too dumb of shit to figure it out. One more thing, you stupid twat, if you don't want to use Java in the browser then there's a setting under the Security panel to disable it. And it stays persisted even when you upgrade, you fucking stupid POS.

Re:why they don't

[zixxt]

What sucks is after years of watching Java disappear from the consumer desktop its fucking making a comeback, ARGH! Why is it coming back? Damned Java games like fricking Minecraft that's why. Why oh why did the game designers suddenly decide to start using Java again,is it because of Android? if so the person who came up with Android needs to be shot because this is a fricking nightmare! To give geeks a better understanding imagine if after all these years suddenly IE 6 made a major comeback, wouldn't you want to scream? For the love of God it was almost dead on the desktop! /walks away muttering and sobbing/

Troll much?

Java is the best cross platform language in the world. Billions more devices and computer run Java than Windows. Java is making a comeback because it never went anywhere. If I want my application to reach as many people as possible I use Java.

Re:why they don't

[marcosdumay]

Try the offline installer next time. The default one doesn't come with the JRE, it downloads it at installation time.

Re:why they don't

Hehehe!

Right on, could not agree more.

I have felt the same way for a loooooong time. Everywhere I look, the rise of stupid is around us.

Re:why they don't

[DMUTPeregrine]

Firefox 19. Tools -> Options -> Security:
Warn me when sites try to install add-ons checkbox. Exceptions button.
Block reported attack sites checkbox.
Block reported web forgeries checkbox.
Passwords section.

Nothing to allow disabling Java.
Chrome has no "Security" panel or section of its options.
So, which browser are you using, or are you too much of a "stupid twat" to know that two of the top three browsers (at least, I don't have IE installed) don't have the option you're describing in the location you're describing?

Re:why they don't

[slaingod]

The decline of Flash also has something to do with Java's resurgence.

Re:why they don't

No system is really secure, and even Mac OS (which was claimed "secure") was proved to be as flawed as anything else.

They still are secure when you don't install malware like Java and Flash.

Re:why they don't

[antdude]

I uninstalled Java from all of my machines. I don't use it (e.g., don't play Minecraft). If I do need it, then I will just install it. Then, uninstall it when done. :P

Re:why they don't

Browser? You stupid idiot. Go to the Java control panel. Fucking amateurs. There should be a licence for using the Internet.

Re:why they don't

Some of us comment anonymously because we don't believe in online reputation schemes, my friend.

Re:why they don't

"Java is the best cross platform language in the world"

If you had a clue, you knew that C++ and cross-platform libraries such as WxWidgets, Qt, STL, boost and so on are the "best" cross-platform stuff. Because they are efficient, snappy and effectively incur the same security risks as the current Java implementations.

There are certainly many, many more platforms with a C++ compiler (most of the time it is gcc) than platforms with a Java runtime. Plus, 90% of deployed Java runtimes will brick the entire device, because the phone vendor never bothered to actually make it anywhere near useful.

In the hands of a highly skilled and educated professional engineer, of course. Not a self-trained idiot with two years of work experience.

Re:why they don't

[RaceProUK]

The JRE installer is 16 megabytes. That really, really isn't a big complicated code base.

1. The offline installer is at least twice that

2. Compiled size is not a reliable predictor of codebase size/complexity - a 'Hello World' in a managed language will compile to more code than it would in C, and that's before you start talking about libraries.

Re:why they don't

[RaceProUK]

"Java is the best cross platform language in the world"

If you had a clue, you knew that C++ and cross-platform libraries such as WxWidgets, Qt, STL, boost and so on are the "best" cross-platform stuff.

Depends on the application. If it's a line-of-business app (stock tracking, payroll, etc), Java's probably better, as it abstracts away enough details that you just get on with developing a useful program. However, if you're making something that requires heavy lifting (CAD/CAM, games, 3D modelling etc), then C++ is better, as you can squeeze more performance out of it at the expense of some ease-of-development.

Re:why they don't

[gradinaruvasile]

Go to the plugins page? There you have the plugins and disable what you want. This works probably in any browser. Better yet, use click-to-play. Every worthwile browser has it.

Surprise Surprise

[Murdoch5]

Java fails yet again, and really who is surprised. Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wantabe's use Java.

Re:Surprise Surprise

[bargainsale]

C is "secure" now?
Surprise, surprise indeed ...

Re:Surprise Surprise

[etash]

you must be trolling or you are clueless. C is secure ? you guy serious ?

Re:Surprise Surprise

Sure, it's as secure as you want it to be. Java on the other hand, proves time and time again to be insecure wether you want it to be or not :/

Re:Surprise Surprise

[cbreak]

Executing random C code from somewhere on the net in a Browser is even dumber than doing the same with Java. Java at least has a security model, even if it's broken anew every week, and has more holes than a sieve. C on the other hand has nothing. It really is more or less like a portable Assembly Language as it was developed for.

Re:Surprise Surprise

Oh the hipsters have long moved to python. To quote CERN "Thanks to python we're no longer IO bound"

Re:Surprise Surprise

[pipatron]

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

Re:Surprise Surprise

[amiga3D]

He probably means that you actually have to have a little knowledge to exploit C while Java is just one big sieve.

Re:Surprise Surprise

Java fails yet again, and really who is surprised. Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wantabe's use Java.

What do you think the JVM is written in?

Yeah, C and probably C++.

Grow a brain, you twerp.

Re:Surprise Surprise

[Murdoch5]

Just to quote the EXCELLENT comment below, it really is the most true statement I've heard in a while.

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

Re:Surprise Surprise

Nowhere near as secure as Assembler

Re:Surprise Surprise

[erroneus]

I think the people exploiting Java has a LONG list of vulternabilities in queue. With each update of Java, fixing the last known holes, they just update their exploit code to utilize the next vulnerability in their queue. This could go on for a long, long time.

And where I work, we have to use Documentum Webtop which requires Java. Now they have us pushing Java updates all the time.

Oracle needs to pay out a bounty for Java vulnerabilities so collect as many as possible so the next fix(es) will be better.

Re:Surprise Surprise

[putaro]

Unfortunately there is no "stupid" moderation. The issue is the Java sandbox which has the goal of letting you run untrusted code (e.g. applets) on your system without any worries. Unfortunately the attack surface of the sandbox is huge because there are so many different API's that are usable and all it takes is a bug in one of them to give you an exploit.

Turn off Java in your browser and you'll be a happy camper. Stop spreading FUD. The Linux kernel still has exploits (http://www.zdnet.com/linux-kernel-exploit-gets-patched-7000011844/).

Oh, and I spent 10 years as a kernel developer in C and another 10 years as a Java developer so I guess I'm a Real Hipster Programmer.

Re:Surprise Surprise

Dude, Python was like eight years ago. Then it was RoR and then Scala. Don't know about today.... Go maybe.

It's like nightclubs in the big city. The place to be seen is always going to change every few years.

Re:Surprise Surprise

[Murdoch5]

In C you can write secure code, in Java you can only write exploitable code. Even trying to write secure java is a joke, every step of the way there are major issues leading to insecurities. C on the other hand gives you as much control as you want, if you want to write an insecure program do it, if you know how to program properly and securly then you can do that to.

Re:Surprise Surprise

[putaro]

Well, then you would both be wrong. C doesn't have a security model to exploit. The security model for loading untrusted code into your C application is "Don't do that" which isn't such a bad idea, really. However, if you remove the stupid idea of trying to run untrusted code in a sandbox within your application, Java is quite secure which is why people write server code in Java. No buffer overflows to start with (a classic exploit of server code written in C)

Re:Surprise Surprise

[Murdoch5]

I agree but I'm a little confused if your agreeing or disagreeing with me. C gives you the power to do what you want, Java on the other hand assumes.

Re:Surprise Surprise

[egr]

I think what he means is that C-security is solely dependent on your code, while Java-security is depended on JVM security in addition to your code security. And the developer has no control over JVM security.

Re:Surprise Surprise

[Murdoch5]

Nice post :-)

Re:Surprise Surprise

[geekmux]

Java fails yet again, and really who is surprised. Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wantabe's use Java.

The only failure I see here is your rather ignorant attitude that every language cannot be made just as vulnerable in the hands of the inexperienced.

Re:Surprise Surprise

[dkf]

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

The JVM is actually written in C++. Just sayin'

Re:Surprise Surprise

[Murdoch5]

Okay granted not every Java programmer is a hipster, I will take that back, just most Java programmers I know are complete fools who have no clue about secure programming. I never mentioned about the Linux kernel being non exploitable, but if it was writen in Java it would be much more exploitable. A good language should NEVER apply safety's for the programmer, It should never preform memory cleaning for you and it should never manage your code. All of these things are really annoying features of Java. If I write a program I want to know it's secure because I took the time to make it secure, I don't want the language to have holes because somewhere in the model it's broken.

So I'll admit your probably not a hipster, that wasn't fair to say but in the end I just find a good C programmer an invaluable addition to a team over any Java programmer.

Re:Surprise Surprise

[Billly+Gates]

Yes, C is secure. You can however use C to write buggy software, for example a java virtual machine.

Ok explain why a simple string can buffer overflow? Maybe the latest Gnu C libraries have fixed that now, but damn that is bad as 10 years ago you could! The apis had to be practically rewritten to watch for these like these which explains why it is litered in secure versions of standard function calls.

The problem is you can't really write secure in C unless you know assembly. My simple "give me 2 numbers and I will add them" 10 line program will not look insecure but it is underneath after being compiled (this was 13 years ago I tried this). I know Theo from the OpenBSD tried making secure versions of standard ansi C functions to prevent this. Java at least tries and manages it. I can make the same argument that Java is secure. It is only the programmers who are not etc.

Re:Surprise Surprise

[catchblue22]

Java fails yet again, and really who is surprised. Java was and is a flawed language from the ground up and all of these exploits just help prove it. If you want a good secure system / language just look to C, it does everything you can think of or want, has little to no overhead and runs on almost every device in the world. Real programmers use C, hipster wantabe's use Java.

What do you think the JVM is written in?

Yeah, C and probably C++.

Grow a brain, you twerp.

I've heard it argued that Java is insecure because too much of it is written in C++, poor quality code no doubt. It would have been more secure if a core of commands was written in C++, and the rest was written in Java. Then, more effort could be put into making the core secure.

Re:Surprise Surprise

[dkf]

I agree but I'm a little confused if your agreeing or disagreeing with me. C gives you the power to do what you want, Java on the other hand assumes.

He's not exactly disagreeing or agreeing with you, as you're so thoroughly confused that you manage to say things that aren't cleanly true or false.

C has no security model. At all. This lets you write things that are totally unsafe. For example, you couldn't have browser exploits with either Flash or Java or any other plugin if it wasn't for the NPAPI, which is a C interface! O! M! G!

Java does have a security model; it tries to segregate untrusted code away from trusted code and ensure that the untrusted code can only do very limited operations. This is hard to get right. (Doubly hard when you've got the plugin glue code in the mix; that just makes everything much more complex.) For most applications, this actually doesn't matter very much as they don't load code from untrusted sources at all; Java is doing just great at powering web application servers, and there are some wonderful libraries to help with this. Browser plugins though are a different beast; their whole point is to load untrusted code and execute it, and any mistake is a problem.

Right now, I recommend disabling the Java plugin in all browsers that you use, or even better removing the plugin entirely. If you must have it enabled (for some horrible corporate web application) then only turn it on when strictly necessary. As a bonus, you won't have to suffer from nasty slow Java-implemented ads. (That was why I originally turned it off in my systems; being defended against hacking was a side benefit.) Also, Java tends to look like ass in a browser these days.

Re:Surprise Surprise

[dkf]

Turn off Java in your browser and you'll be a happy camper.

It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.

Re:Surprise Surprise

You are stupid. That's all I can say because you're beyond help.

Re:Surprise Surprise

[DarkOx]

I would say discussion of if a Turing complete is secure or not is off base. You can express any computable algorithm and if you get it wrong it may or may not behave in undesired ways when presented with input you did not anticipate.

Now if you want to discuss topics if interpreters (byte code or otherwise) that enforce certain memory management contracts, so you don't have to express them as part of your program ultimately offer better security or just move the problems that might be a valid topic.

Java is not insecure; security is not even an attribute you could put a value on with regard to Java. The browser plugins that ship with the most popular interpreter and runtime implementation might be insecure. There may be bugs in the interpreter where it does not properly enforce contracts making otherwise correct programs under it vulnerable. One little mistake in a C/C++ programs might result in the same thing though. The traditional argument is whats more likely to result in the best outcome: every programmer our there writes good code or a team of skilled programs writes a universal memory manager, and set of libraries that are solid so other programers don't have to get some of that hard stuff right?

I guess the issue is we are finding out more often than not even teams of very skilled developers are bound to slip here and there with something as large and complex as the Java runtime.

Re:Surprise Surprise

> Yes, C is secure.

The comment is nonsensical. Security is about vectors. The language itself, is really not "secure" because it has to operate within an environment. By integration, it's no more or less secure than the environment AND the program the language was used to write. You really don't understand the implications of the discussion if you think that comment was "excellent".

Re:Surprise Surprise

> A good language should NEVER apply safety's for the programmer

Yeah, fuck type systems!
Every comment you make is a joke. I laugh.

Re:Surprise Surprise

[FlyingGuy]

Please show your work eg: int foo(int x,y){ return x+y};

Re:Surprise Surprise

[Murdoch5]

A language shouldn't have a security model, at least in my opinon it shouldn't. The security model should be the programmer, they're entitled to make a program as secure or insecure as they like. I know a lot of programmers, books, industry professionals, engineers and house wifes are going to disagree with me but I don't care.

If you were a tight rope walker and trusted that someone hung a net under the rope then what happens the one time you fall and the net isn't there or malfunctions? Who do you blame and who is left looking like an idiot? Well the answer is the tight rope walker because he trusted someone else to protect him. Programming should work the same way, don't trust that just beacuse a net should be there it is, and don't trust that just because a net should work it will. Believe everything can fail and write accordingly, there is nothing more foolish then seeing an exploit in a language or system which is caused because a net should of been there. I see it a lot and it makes the programmer look like a child.

Take responsiblity for what you work on, put the net up your self and check it. That way when you fall your should be fine and at least if the net does give out you know exactly why and can jump in and fix it before it's a huge issue. This to me is the difference between languages like C and Java, in Java you trust your assistent to have the net setup and ready, in C you better fucking rig that net yourself because it's a long way to the ground. You only have to fall once in C to learn that trusting anyone is a bad idea.

Re:Surprise Surprise

[CODiNE]

You know that just tells me that javac isn't self-hosting and they never bothered to bootstrap their own compiler. I wouldn't blame C for that.

Re:Surprise Surprise

[mt1955]

It is a poor worker who blames his tools. The language is not the problem, it is what you do with it but still...

YOUR PROGRAMMING TASK: To shoot yourself in the foot.

C: You shoot yourself in the foot.

C++: You accidentally create a dozen instances of yourself and shoot them all in the foot. Providing emergency medical assistance is impossible since you can't tell which are bitwise copies and which are just pointing at others and saying, "That's me, over there."

Perl: You grep through a list of your body parts, shooting the bits that look like feet. On the first try, you don't shoot anything, and realize that you're matching hashrefs instead of scalars. On the second try, you shoot off your big toe instead of the whole foot (shouldn't have used greedy matching in the regex). Finally, you shoot yourself in the foot, generalize your code to allow it to shoot anyone anywhere, and post it on CPAN as SUICIDE::LITE.

Python: You want to shoot the toes off your foot. You ask your foot to tell you about all of your toes, but to please pause for a while after each one so you can shoot it. After you shoot, your foot begins where it left off.

FORTRAN: You shoot yourself in each toe, iteratively, until you run out of toes, then you read in the next foot and repeat. If you run out of bullets, you continue with the attempts to shoot anyways because you have no exception-handling capability.

Pascal: The compiler won't let you shoot yourself in the foot.

Ada: After correctly packing your foot, you attempt to concurrently load the gun, pull the trigger, scream, and shoot yourself in the foot. When you try, however, you discover you can't because your foot is of the wrong type.

COBOL: Using a COLT 45 HANDGUN, AIM gun at LEG.FOOT, THEN place ARM.HAND.FINGER on HANDGUN.TRIGGER and SQUEEZE. THEN return HANDGUN to HOLSTER. CHECK whether shoelace needs to be re-tied.

LISP: You shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds the gun with which you shoot yourself in the appendage which holds...

FORTH: Foot in yourself shoot.

BASIC: Shoot yourself in the foot with a water pistol. On large systems, continue until entire lower body is waterlogged.

Java: You find that Microsoft and Oracle have released incompatible class libraries both implementing Gun objects. You then find that although there are plenty of feet objects implemented in the past, you cannot get access to one. But seeing as Java is so cool, you don't care and go around shooting anything else you can find.

Re:Surprise Surprise

[ByteSlicer]

I'm pretty sure the semicolon should come before the closing curly brace...

Re:Surprise Surprise

God. You are missing the point entirely. How fucking stupid are you? The JVM security model is because I don't trust YOUR code not to fuck up everything. This isn't a case of writing code that does something bad by accident. This is a case of a user running malicious code and the malicious code executing, you stupid twat. If I wrote a c program that installs a key logger and your dumb ass was stupid enough to run it, it instals. Java's security model is designed to try to make sure it doesn't install, or is limited to that one java app. It's not a crutch for the programmer, it's an attempt to let an end user do something without having to hand verify every goddamn app on the planet.

Fuck. Ignorance like yours is inexcusable.

Re:Surprise Surprise

C is neither secure nor insecure. Well, it's secure just like a hammer is secure (if you're building a house).

Re:Surprise Surprise

A good language should NEVER apply safety's for the programmer, It should never preform memory cleaning for you and it should never manage your code.

Fuck you. Not all of us want spend the time rigging nets, managing memory and the like. Some of us just want to get shit done and not reinvent the wheel every time. Most of us aren't writing drivers or embedded code. A language being good is dependent on the domain and the needs of the programmer. C is good for what it was intended for, which is systems programming. It's not so good for a lot of other kinds of programming.

Re:Surprise Surprise

A good language should NEVER apply safety's for the programmer, It should never preform memory cleaning for you and it should never manage your code.

Safey's what? You put an apostrophe before the "s", so surely it must be a possessive... but safety's what?

Re:Surprise Surprise

[craznar]

The main difference between C and Java, is that in C you code the bugs personally - in Java, that functionality is baked into to the JVM.

Comes down to who's programmers you trust more - your own, or Oracle's ?

Re:Surprise Surprise

Your java code is almost certainly running in a jvm written in c or c++, running on an OS written almost exclusively in c. Buffer overflows are caused by poor code, they are not forced by the language.

Re:Surprise Surprise

[cbreak]

No, honestly, writing evil code in C is easy. You can open files without restrictions, modify them without restrictions, and so on, all with the power of the running user. Executing untrusted C code is NOT SECURE.

Re:Surprise Surprise

[History's+Coming+To]

These days it's about using as many different languages as possible, ideally in the wrong place. Big desktop application? JavaScript hosted on a remote server sounds ideal! Website to display a list of your mobile phone apps? Show off your 1337 Java skillz by making the whole thing a plugin! A quick script to verify the format of an email address? To the Assembler!

Re:Surprise Surprise

Most of us aren't writing drivers or embedded code.

You're doin' it wrong, brother.

Re:Surprise Surprise

The main difference between C and Java, is that in C you code the bugs personally - in Java, that functionality is baked into to the JVM.

Comes down to who's programmers you trust more - your own, or Oracle's ?

What happens if your C program uses external libraries ? Can you GUARANTEE that they don't do something nefarious ? Unless your programming stops at hello world complexity programs, you're going to have vulnerabilities wether you want them or not. The JVM is a C++ program and it has vulnerabilites.
So in the end languages that enforce a security model are good. Unfortunately for us, neither C nor C++ do. They are archaic languages that still do damage to this day. And to be clear I'm not a Java programer, but to say that C or C++ safe languages is pure idiocy.

Re:Surprise Surprise

[phantomfive]

Strings don't overflow in C, unless you use them wrong.

And you never know, there might be a vuln in the Java string library. Unless you've audited it, I wouldn't say there isn't, since it seems there are vulnerabilities everywhere else.

Re:Surprise Surprise

Hot Dog - a return to the good old days!!!
I remember when, wayyy back when, the arguement against C was that
when using machine code (pdp/11 | vax11/780 in my case) the programmer was
responsible for all of those tasks that C worked to solve and the machine
code programmes were better for it.
HA HA HA - ROTFLMAO wiping tears from my senile old eyes!

Re:Surprise Surprise

[AmiMoJo]

All the major browsers have click-to-play for plug-ins now, so even if you have it installed you should be safe from drive-by infections if you have it enabled.

Actually I don't know if IE10 supports click-to-play, but surfing the net with IE is like licking the toilet seat down the pub - inadvisable at best.

Re:Surprise Surprise

[AmiMoJo]

It's a shame there isn't a really good open source alternative to Oracle's JVM that people could switch to. At least with the endless stream of Adobe Reader vulnerabilities you can just witch to Sumatra PDF or one of the many other free viewer applications.

As far as I can can tell most of the free JVMs are either abandoned or don't run on Windows.

Re:Surprise Surprise

[hairyfeet]

And sadly this means I have to defend oracle even though I think Larry is a douchebag...whose fault is that? the answer is NOT oracle, it is SUN that is to blame! lets face it Sun never did release decent programs, just look at how long its taking the ODF to modularize Libre office and clean out the cruft.

Now if you want to blame Oracle for not shitcanning a good chunk of Java and starting over? that I might agree with you about but even then it would take time to come up with new code that would allow the JVM to run older programs written for it without having the gaping security issues but considering how buggy Java was under Sun I really don't think oracle deserves the blame here, they just got the mess when they bought the company, like buying a piece of property only to find out it was built on a garbage dump.

Re:Surprise Surprise

[Curupira]

It would be nice if we could have the JRE as a completely separate product from the plugin. I could happily live without the plugin (and do!) but the JRE itself is useful for other apps.

After this horrible sequence of 0-day exploits, I've finally disabled the Java plugin in ALL my browsers. There you are, instructions for removal of the Sun (or IBM) Java browser plugin on Windows, without removing the JRE. :)

Re:Surprise Surprise

Because the hotspot JVM is the BEST virtual machine currently in existence. Period. And no, these vulnerabilities has nothing to do with it.

Stop spreading bullshit.

Re:Surprise Surprise

[gtall]

And who writes their whole program in using just their own code? We have massive C libraries because we cannot reinvent the wheel every time. And it isn't possible to exhaustively check the code in those libraries due to time constraints and sheer complexity.

Re:Surprise Surprise

Okay, now I am really pissed off.

Just compare the number of exploits ever discovered for a given time period for Apache http server or Apache Tomcat. It seems to me that there are less exploits baked in the JVM than people put personally in their C code.

Sheesh, I love C, love Assembly, even Verilog, and I love the JVM (various languages), but I hate these one-bit idiots like you.

Re:Surprise Surprise

[egr]

I totally agree with it. Using plain C does not solve anything, does not make life easier, and does not provide anything to replace for example Java applet functionality.

Re:Surprise Surprise

No, it Just Doesn't Work(tm). The premise that the you can constrain abusive or malicious code inside the JVM is, itself, flawed and always hasn't. And we are never going to *catch up* with all the Java vulnerabilities because it's being used to provide "enhanced features" which have no business running locally without actually getting explicit permission, rather than being a ubiquitous and generally permitted behavior for web applications.

Think I'm kidding? Take a good look at the Java based remote console software software built into IP based KVM's. It's all Java based VNC under the hood, and it should have been an X server. But *no-o-o-o", the authors of VNC thought they could be smarter than the authors of X and stuff it in a pointless Java wrapper to "enhance" it. The result is complete craziness.

Re:Surprise Surprise

[bill_mcgonigle]

The JVM might be wonderful but, empirically, the browser plugin is a pile of junk, at least in terms of code quality.

Could somebody, e.g. Apache, incubate a project to replace the Oracle Java web plugin? I don't use Windows but imagine if each company was willing to pay $2/user/year for a better plugin for their mission critical apps. The IcedTea plugin on Linux seems to be in a decent state these days, after quite a rough start - perhaps it could be a basis for a new Windows Java plugin.

Re:Surprise Surprise

Linus, is that you?

Re:Surprise Surprise

"Strings don't overflow in C, unless you use them wrong. "

Unless you are a proven-correct computer program generating the C code, you WILL write serious exploitable bugs in C. Especially when your boss is sitting in your neck and asks for status updates every 4 hours.

Re:Surprise Surprise

[FlyingGuy]

Yeah I noticed that right AFTER I hit submit. Yet another /. non-feature, even though I do understand why.

Re:Surprise Surprise

[sourcerror]

The point is that buffer overflows are an easy mistake to make. Using languages that prevent it is like using a seat belt.

Re:Surprise Surprise

you must be trolling or you are clueless. C is secure ? you guy serious ?

The Linux kernel is written in C. I believe the BSDs are written n C. How much more secure can you get?

With C the vulnerability of you program to expliots or other bugs (an exploit is just a bug after all) is exactly what you wrote into it, nothing more nothing less.

However in Java land (and others) you are depending on a huge pile of abstractions underneath your code which may or may not be vulnerable/buggy. How would you know?

Do rethink your statement.

 

Re:Surprise Surprise

You can do the same in Java, Python, hell any other language. If I, as a user have permission to write to a file then so does any program I run. This is not any fault of C as such. Running untrusted code is the problem. But then, if you don't trust it why are you running it?

Re:Surprise Surprise

>If you want a good secure system / language just look to C

The stupidity is palpable.

Re:Surprise Surprise

[sjames]

The JVM is actually written in C++. Just sayin'

That explains a lot...

Re:Surprise Surprise

Do you grasp how ignorant you really are? I'm guessing a post secondary education wasn't in the cards for you. I'm also doubting whether you completed high school.

Re:Surprise Surprise

[sjames]

The difference is that C CAN be secure if you code it right. In Java, even the most trivial thing you write remains dependent on the JVM to be actually secure.

That doesn't mean your C code WILL be secure, but if it's not it is your fault and entirely up to you to fix it.

Re:Surprise Surprise

[sjames]

Cars don't crash unless you drive them wrong...

Re:Surprise Surprise

Except that but for trivial software, writing secure C code is nearly inhumanly difficult.

Re:Surprise Surprise

[sjames]

I don't know that I'd say inhumanly difficult, but it's fair to say it is challenging and failures are plenty.

Re:Surprise Surprise

[marcosdumay]

Hum... No, a simple string can not buffer overflow. You a word here or what?

Also, of course you must know how computers work to program in C. It's a shame that people think they don't need to learn that for coding in other languages (they do, but they'll build a lot of rope before they discover they are just hanging themselves).

Re:Surprise Surprise

[marcosdumay]

I would say discussion of if a Turing complete is secure or not is off base. You can express any computable algorithm and if you get it wrong it may or may not behave in undesired ways when presented with input you did not anticipate.

No computer is as restricted as a turing machine. For one thing, a turing machine doesn't do IO.

In fact, information security has no relevance for turing machines, as they can't compromisse any kind of information.

Re:Surprise Surprise

[Billly+Gates]

This is just a pissing match on my language is better argument which is dumb. WHo modded the grandparent to +5?

Whether your compiler is VM like Java or converts it to assembly is the fact that the programmer is not in control. It is not the programmers fault if he or she uses an api that does not handle safety of data types. Historically Java has been years ahead of C until the last decade where Theo had to write secure versions of simple data handling functions as a strong or data type can easily overlfow by default and run malicious code. Even a hello world program can run malicious code when I did this 12 years ago! Why should this have been my fault?

That should be a strike against C and C++. I am not a professional programmer in these languages so I surely hope that is no longer the case. It is why Unix and Windows were so insecure agaisnt MacOS classic and VMS. Every datatype can overflow with stack smashes inside it. The ansi standard functions are not secure by default and each implementation had to rewrite these same things to securely check each data type at compile time.

Re:Surprise Surprise

The designers of the seat belt are expected to have a degree of skill as engineers and it should pass some form of quality control. This is where Java fails.

Unfortunately, the users of a seat belt are not expected to have any degree of skill or knowledge, and frequently wrap it around their own neck. This is where those writing in languages like Java often fail.

Re:Surprise Surprise

IBM J9 is 10% faster on any workload, on mine it is more like 30%

Re:Surprise Surprise

[smash]

You're still relying on the C library to be secure. Many/most are not.

Re:Surprise Surprise

[smash]

A lot more secure. Linux and the BSDs have holes found in them all the time, along with everything else. Pascal would be a lot more secure than C.

Re:Surprise Surprise

[DMUTPeregrine]

Your C code still relies on the standard library and your compiler to be secure.

Re:Surprise Surprise

[sjames]

It CAN (and usually does) rely on libc, but doesn't have to. The compiler mis-compiling the code is quite a different class of problem, but since you have the source, you can validate the results.

In the bad old days, I actually debugged a case where the compiler mis-compiled the code.

Re:Surprise Surprise

[sjames]

I have done projects that did NOT include libc.

Re:Surprise Surprise

[phantomfive]

The obvious question is how are you using your strings that makes it so difficult to avoid overflows? It's not hard once you know how to do it.

Re:Surprise Surprise

[sjames]

It is perfectly possible to use strings safely in C, but at the same time, there are functions in libc that invite disaster, in some cases with an engraved invitation and a bottle of champagne. Gets, for example, needs to go. So much so that I wouldn't mind it's use being promoted from warning to error unless you use the switch --goatse-me.

Even if you use the right functions but screw up passing the allocated size to the functions, you can get in trouble, just like if you fiddle with the radio when you should be watching the road.

Re:Surprise Surprise

[putaro]

I never mentioned about the Linux kernel being non exploitable, but if it was writen in Java it would be much more exploitable.

All this statement proves is that you aren't qualified to have a opinion on this subject. I brought up Linux kernel exploits because the Linux kernel is coded in C. The Java exploits that I have seen are all related to breakouts from the sandbox. The kernel and the Java sandbox are equivalent because both are supposed to be able to run untrusted code and keep that untrusted code from doing things it is not supposed to. If you wrote a POSIX compliant kernel using Java you would not use the sandbox to keep untrusted code from doing bad things and it would be about as likely to have exploits as a kernel coded in C. The problem with the sandbox is that the attack surface is just too large to be secured effectively.

Some languages, like PHP, have features that actively work against security. Other than the sandbox (don't use the sandbox to contain untrusted code) Java doesn't have many features like that. C does have features that have to be applied carefully or used carefully (unchecked array bounds, int->pointer conversions).

So I'll admit your probably not a hipster, that wasn't fair to say but in the end I just find a good C programmer an invaluable addition to a team over any Java programmer.

You may as well say "good programmer" because lousy C programmers can make a mess incredibly quickly.

Re:Surprise Surprise

Unfortunately, the car in which the seat belt is placed is a piece of rust. Sure, the seat belt might look impressive, but it's not really secured to anything.

Re:Surprise Surprise

[Murdoch5]

I never said a C programmer can't make a mess of code, I also never still never mentioned anything about the Java sandbox or the Linux kernel. I've also done enough Java programming to know I'm never going back to it. However you do bring up an interest concept about writing a fully posix complient kernel in Java, it would be interesting to see it actually being done. It would have to be Java from the very base of the system, including IDT and GDT table init. It would be interesting to benchmark against.

Re:Surprise Surprise

[phantomfive]

Yes, but how often do you screw up passing the allocated size? I'm not sure that happens often.

If it's something you are really having trouble with, you can declare a struct with the size and buffer together, then create wrapper functions around the standard library functions that use your struct. Then you only have to verify that your passing is correct within those wrapper functions, and not mess with the size anywhere else.

Re:Surprise Surprise

[sjames]

Really, I don't have a problem with it, however, the most common source of problems in general is probably the off by 1 thinko. Like forgetting to count the terminating null. Next up is probabvly cases where the programmer forgets that there are circumstances where the trailing null might NOT get written.

Re:Surprise Surprise

[phantomfive]

Next up is probabvly cases where the programmer forgets that there are circumstances where the trailing null might NOT get written.

Yeah, that one's really annoying. strcat() has a lot of special cases that are annoying as well. I usually encapsulate that one into a custom function where I only have to deal with all that once because it's so bad. Although it's not the most commonly used function.

Re:Surprise Surprise

[sjames]

I have always thought that in cases where n is exceeded, [n-1] should get the null terminator. I usually do that explicitly just to be safe. I don't like unterminated strings.

Re:Surprise Surprise

[phantomfive]

agreed

Re:Surprise Surprise

And the reason these things are written in C instead of Pascal is much the same reason as why most martial arts do not involve the use of mittens.

Re:Surprise Surprise

[putaro]

I never said a C programmer can't make a mess of code, I also never still never mentioned anything about the Java sandbox or the Linux kernel.

No, what you said is:

I never mentioned about the Linux kernel being non exploitable, but if it was writen in Java it would be much more exploitable.

The reason I mention the sandbox is because that is where the exploits are. Would you care to bring up another Java language feature that's a security hole?

I've also done enough Java programming to know I'm never going back to it.

You're welcome to use the tools you like. And you're welcome to criticize the tools I like, if your criticism is based on facts. All I ask is that you not spread falsehoods.

Re:Surprise Surprise

[Trogre]

Recent builds (since around about JRE 1.7u11) add a checkbox in the Security tab in the Control Panel applet (control.exe C:\Windows\System32\javacpl.cpl) titled, "Enable web content in browser". Uncheck that and never see another Java applet again.

about:plugins in your browser's location bar will verify Java isn't there.

Re:Surprise Surprise

[smash]

This is an exceedingly small percentage of development.

Re: Surprise Surprise

Oh come on, Pascal has always had full ability to code right down to the bit level, with even better inline assembler capabilities in many implementations. Parent's point was that Pascal has always used counted-length strings (which in addition to being more secure, avoids many expensive calls to strlen()). Lack of popularity does not equate to lack of ability.

Is it just me ...

.. or has all these exploits come about following on from the Oracle takeover of Sun?

Coincidence? Or has Java always had these problems. I don't remember them occurring five years ago.

Re:Is it just me ...

[erroneus]

A few things are different:

1. People dislike Oracle as a company
2. The purposes/reasons for exploiting have shifted significantly
3. Sun was likely more friendly to people presenting information about bugs to be fixed.

Why in the news so often lately?

So why has Java been in the news so much lately with vulnerabilities? I don't remember this being as big a deal 10 years ago when Java applets were a "thing" on the web, so why now all of a sudden? Has Oracle done something to screw the pooch on security, or has some sort of tipping point of interest in Java exploit research been reached?

Re:Why in the news so often lately?

[aahzmandius]

The tipping point is the many, many, many devices that probably aren't running other anti-virus (smartphones and tablets).

Re:Why in the news so often lately?

No it isn't. Smartphones and Tablets don't support java anyways. Android can only run special java code, it doesn't run random java applets from the web. Neither does iOS. The tipping point was when Apple and Facebook got hacked through Java. They made a big deal about it.

Re:Why in the news so often lately?

[hairyfeet]

Nope its the damned games. Minecraft and Pogo and a shitload of other damned Java games have been released and become REAL popular which means a shitload of java installs that can be pwned. Its a damned shame, I saw Java practically disappear from the non corporate desktop only to see java all over the damned place now.

Re:Why in the news so often lately?

[sourcerror]

Some browsers now have a white-list regarding the Java plugin (Chrome does it, not sure about Firefox), as it always should have been. (And it should be that way with Flash too.)

Re:Why in the news so often lately?

[hairyfeet]

Band Aids on bullet wounds friend, Band Aids on bullet wounds. what we NEED is for Java to die on the consumer desktop until oracle has enough sense to rewrite the thing from the ground up, looking at the OO.o source you can see Sun seriously sucked when it came to code for the desktop and the trouble Java is having now goes back to Sun and the trouble THEY had and the simple fact is ITS NOT NEEDED as you can do the same damned thing in Visual C++ as far as games go and not force home users to get stuck with Java.

Java has its place and that is the enterprise backend NOT the consumer desktop. When practically everybody and their dog and their dog's chewtoy has C++ runtimes already sticking with Java which has so many zero days is irresponsible and bad practice, I don't see how anybody could argue different. in the enterprise Java is too deeply used for anybody to change and from what I've been told its ability to handle so many users at once reliably makes the risk bearable and hey, I get that, I really do. But forcing consumers to install Java just to play a video game? bad form game devs, bad form.

Iced-Tea affected?

Does this effect the iced-tea java plugins too?

Anybody else read the headline and think ...

"Mutual of Omaha's Wild Security Exploits"?

With a gray haired host that will have "Jim" go out and tackle these security beasts with his bare hands ... on his keyboard?

Nevermind.

Yeah, I'm old.

No, go ahead and stay on my lawn.

Boohoooooo

[Fuzzums]

And how frelling dare anyone out there make fun of Java after all she's been though!
Leave Java Alone!
Please...

And this matters ...

[stevez67]

N.O.T. All software has vulnerabilities. No system if safe from hacking and attack, especially spear-fishing. So, it's news every time some dipswitch downloads pr0n and gets infected? Or opens an unsolicited email attachment and installs malware? Please ... post something that's actually news and stop the "bashing every company just because" merry-go-round. Who's next to be bashed incessantly?

Firefox and Android not vulnerable

Firefox now turns off the plug-in and you have to enable it when you visit a site that uses it. Each time BTW, it asks me every site, every time I open the browser.

Android doesn't permit Java in webpages at all, even though it uses Davlik itself (a Java engine) internally.

In the wild

[arnodf]

In the wild, is that the same as in cyberspace?

Why does this VM have so many vulnerabilities?

I'm not a Java developer, but I do have a strong interest in engineering and reliability, and the reason for all these Java faults puzzles me. Could an experienced Java developer please explain (or at least suggest) why this particular virtual machine has suffered so many vulnerabilities?

In principle, a virtual machine is just the implementation of a specific FSM, very tightly constrained and therefore fairly easy to program for total correctness, unlike most other applications. Such correctness has clearly eluded the JVM. Home come?

Re:Why does this VM have so many vulnerabilities?

[Wookie+Monster]

Primary reason: Punching holes in the security sandbox. A lot of the code in the JVM itself needs to grant itself "privileged access", but upon doing so it may have accidentally done so for user code as well. This is the greatest flaw in the Java security architecture, not because it doesn't work, but because it's hard to use correctly.

Re:Why does this VM have so many vulnerabilities?

[tobia.conforto]

AFAIK all these issues are not in the VM.

The JVM has been stable for many years and is the foundation of countless information systems: websites, money exchange, traffic control, you name it they all run server-side software on the JVM, which by itself is rock-solid.

The issue is with the "sandboxing" feature of the Java browser plugin. The plugin was engineered to allow executing arbitrary, untrusted JVM bytecode, which would include outward calls to Java's extensive standard library, while still preserving some high-level definition of isolation between the untrusted code and the host OS. Given that Java's standard library is full of classes that do very insecure things by design (including running native code, opening network sockets, and so forth) this security model has proven to be a complete nightmare. They will keep finding sandbox-related bugs in the Java standard library for as long as it exists.

Oracle should do one of these things:

• – just dismiss the damned plugin altogether, or
• – severely restrict it to running signed code or some other kind of host-based whitelist, for the few companies that still need it, or
• – write a new standard library from scratch that does not include any unsafe code.

Re:Why does this VM have so many vulnerabilities?

Thank you, Wookie and Tobia. Very informative answers.

It seems then that the Java sandbox, while sounding plausable on paper, in practice cannot delivery what it seemed to promise.

Security by wishful thinking?

Re:Why does this VM have so many vulnerabilities?

[gtall]

Oracle cannot dismiss the damned plugin altogether, they have too much that relies on it, Oracle Forms for one. I'm unsure how that relates to their databases. Are they storing mobile code in their databases for use in their OF crap? OF seems particularly brain dead and I wouldn't mind them blowing it away and replacing it with native apps...but then they'd probably only produce them for MS's rinky-dink OS or Linux which doesn't have much use on the desktop.

Re:Why does this VM have so many vulnerabilities?

> Oracle cannot dismiss the damned plugin altogether

They can and they should.

Re:Why does this VM have so many vulnerabilities?

[_xeno_]

AFAIK all these issues are not in the VM.

If you read the article, this is a buffer overflow in the VM itself, overwriting internal VM structures. In previous cases you'd be correct, but this is an actual JVM flaw.

The issue is with the "sandboxing" feature of the Java browser plugin.

The sandboxing feature isn't unique to the Java plugin. It's a built-in part of the Java runtime. Any Java code can place other Java code into a security context and enable the Java sandbox for that code. It's just that about the only place you'll ever actually see this done is for applets.

Re:Why does this VM have so many vulnerabilities?

[amorsen]

If you read the article, this is a buffer overflow in the VM itself, overwriting internal VM structures. In previous cases you'd be correct, but this is an actual JVM flaw.

It is likely that there are similar vulnerabilities in other VMs. People generally do not worry about them, because they are not made for untrusted code. You can crash the Python VM with python -c "from ctypes import string_at; string_at(0xDEADBEEF)". That is fine, because Python does not have sandboxing.

Re:Why does this VM have so many vulnerabilities?

[putaro]

The sandbox was designed back in the mid '90's. I don't think anyone realized just how hard securing things really is. One of my friends worked with Ed Felten at CMU back then and that team showed a number of exploits for the sandbox. When he showed me how some of them worked I was impressed - because my mind doesn't bend into pretzels that way to figure out exploits.

The best thing Oracle could do at this point would be to just shoot applets in the head (probably not going to happen). Second place would go to running each applet in a separate process and it's own OS contained sandbox the same way everybody else is. The attack surface of the OS is smaller and better tested.

Re:Why does this VM have so many vulnerabilities?

The sandboxing function you attribute to the applet plugin is just using the core security features of the VM. The applet plugin is just the main user of it. Most application server vendors use several of these features to separate applications within the server.

Exploit

Apparently it requires browsing as an administrator to exploit this leak.
Just don't do that.

Also it is always a good idea to block execution of programs from user-writable directories, using AppLocker or Software Restriction policies.

Re:Exploit

[hairyfeet]

Or if you are on Vista or better just use any of the Chromium based browser or IE as those automatically run in low rights mode and not administrator. Why oh why can't Mozilla support low rights mode when its over 6 years old now is beyond me but the fact that FF runs with the same privilege as the user while the Chromium browsers don't was enough for me to replace Firefox with Comodo Dragon on all my installs, you should always use least privilege and FF just won't do that. Ironically the only "how to" on using LRM with FF actually undermines LRM until its worthless, so if you use Java don't use Firefox, use Chrome, Dragon, SWIron, any of the Chromium based will give you better security.

Re:Exploit

[smash]

Same reason Firefox doesn't support DHCP based WPAD despite having patches submitted for such support in 2006.

Typical of any Oracle Product

What do you expect from a bunch of idiots that spend all of their time supporting ONE product - their DB, and it's one that is going down in it's ability to do what it is supposed to do. Most customers are moving to Open Source products since they are just better... I have Java totally disabled - it was once a great language, now it's just crap... Simple...

oracle

it happened after oracle took over java. these big companies just cant understand the product. they just have money to buy and kill it.

Why is it time to kill java ?

[burni2]

Because badly written & maintained software should cease to exist.

Guys you are really funny, I hope all complaining now - and demanding the death of java - have used Linux or FreeBSD when we had Windows-Open-For-Everyone-Alert-Weeks.

MS Blaster - recalling ? Anyone ?!

When you put those arguments in the right perspective the "funny people above me" should have stopped using Windows along with sendmail ;) and Linux yes
there were some local privilige exploits, and unboxing the java sendbox is nothing else, because if you use the right browser(opera) or addon(addblock) then these java-applets aren't executed without your expressed will (click+unblock)

Yes, software is - if no quallity assurance is applied/also a quallity aware develloper counts - unsafe by default because of the complexity and the human factor, usage of many third party libs, time pressure.

But what I see in the last years is that I suspect Oracle of not applying a quallity regime, and supplying java with addware (yes google chrome or whatever is addware, when it is installed without the consent of the user).

"Kill Flash, Kill Java, HTML5 the new king"

Have you ever imagined what killing flash and those applet feature boxes means ?

The predominant inability to use addblockers, because when a site heavily relies on javascript/html5 filtering proxies need time to catch up.
And when you filter all script-tags interwoven js-apps can stop working and cripple your browsing experience. I hunt for adds, 1px images, popups a.s.o. with Privoxy and it get's harder to cope with javascript/html5 because your website isn't that modular anymore it's interwoven To be more specific if you HTTP/GET a website, this isn't the website that will displayed to you because of ajax(server side) and dynamic on the fly html generation on the other side.

Also selective activation/allowing a js/html5 applet to use certain features of your browser (sound/storage/new window) are partly unrestricted.

Flash isn't. You can select not loading an applet! instead of please delete Line 10 of the java script tag .. oh well this kills the dropdown menues necessary to navigate the site.

Flash did a great job and I am sure many flash haters have used youtube without an additional moviedownloader(jdownloader).

Btw.
Yes, this is a flaimbait on flamers flaiming flamingos!

Here we go

For fuck's sake, can people please specify that the APPLET has vulnerabilities?

Yes, JAVA is lame and should die

But these things aren't its fault. This is a problem of bad OS design. Is they that should be patched, or better, redesigned from scratch.

Security Setting

The security setting for Java defaults to High anyway. You would have to either A) change your security settings specifically lower or B) specifically allow an untrusted applet to run for this to (sometimes) work. I'm starting to get tired of the anti-Java FUD, there are a vulnerabilities found all the time in other languages/frameworks, how come all we seem to hear about is lame Java applet sandboxing issues?

Re:Security Setting

[gnomff]

The security setting for Java defaults to High anyway. You would have to either A) change your security settings specifically lower or B) specifically allow an untrusted applet to run for this to (sometimes) work. I'm starting to get tired of the anti-Java FUD, there are a vulnerabilities found all the time in other languages/frameworks, how come all we seem to hear about is lame Java applet sandboxing issues?

Didn't realize I wasn't logged in when I made that post

Enough

[zieroh]

That's it. I'm done with Java. For good.

Re:Enough

[notknown86]

If you apply that philosophy to all software that has had or will have more than one zero day vulnerability, your computer will end up being pretty useless.

Re:Enough

If you apply that philosophy to all software that has had or will have more than one zero day vulnerability per week, your computer will end up being pretty secure.

FIFY

Re:Enough

[smash]

FInd me something else that has had 65 vulnerabilities patched and a zero day in the wild within 30 days, AFTER several months of exploits in the wild, and I'll shit-can that software too.

Muhahaha

C is NOT memory-safe, as it is a kind of portable assembler. In the real world you have things like the HPUX "ping of death" from an "illegally" sized ping packet. Because the developers forgot to check the length of the packet for YEARS.

In the real world you have thousands if not tens of thousands of exploitable C and C++ related bugs in things like Windows, Acrobat Reader, Flash player and so on.

C++ can(!) be better if used diligently, but has the same general issues.

Here's a memory safe C++ variant:

http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/SAPPEUR.pdf

http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/manual.pdf

http://sourceforge.net/projects/sappeurcompiler/

And yeah, take it with some salt, I am the inventor of Sappeur.

Java? Isn't that a drink? Or a place?

[pubwvj]

I've kept Java turned OFF on all of our computers for a long, long time. It's a pig. It hogs computer resource units. I have not not once run into anything that requires it. Just say no to Java.

Re:Java? Isn't that a drink? Or a place?

[DMUTPeregrine]

I use Java for Wuala, Falstad's circuit simulator, Freenet, Minecraft, Minecraft Structure Planner, and Enigma's LoL Item Changer. 3 of those are games or related to games, so not totally necessary. Freenet I run out of a sense of patriotism/civic duty as a US citizen, Wuala could be replaced by Spideroak or similar, and Falstad's circuit sim is just for helping people learn about circuits without needing to teach them LTSPICE or similar first.

I use the Java plugin for absolutely nothing. I've not once run into anything useful that requires it. I've kept it disabled for a long, long time.

Ya know what

Fuck this. Fuck plugins, fuck JS and fuck them. I realize they're in the minority, but these asshats are ruining anything web-related. Perhaps they're all luddites trying to get people back to using Lynx or perhaps they all smoke crack - I don't know - I don't care - all I do know is that I run browsers inside a vm with everything disabled with no shares to the host.

Welcome to the futures.

This is all political

As others have pointed out, every major piece of software, including the Linux Kernel is full of vulnerabilities. Java is not any more vulnerable than these other packages and implying otherwise reeks of subjective politics, not facts.

This would never happen

[Lawrence_Bird]

with the COBOL plugin.

Is this Oracle's java only or

is IcedTea affected as well?

Vulnerability? In software?

[archatheist]

Yes, yes. Panic! There's a Java 0day! Dear Lord forfend! Of course, as you read this you are probably running Windows, with tons of extensions and software. You're probably using Flash. You probably have a web browser - heck, obviously you have a web browser. Well, not to worry: After disabling Java you will be completely safe.

Oracle is losing their class

[abirdman]

I was entertained that Larry Ellison attached crapware to their security updates, which have to be specifically turned off in the installation, and their stupid toolbar turns off popup windows, but that disables Oracle's Discoverer product, and it works differently than the IE popup blocker, by not looking for user configurable exceptions. So for pennies per user, Oracle collects from the toolbar makers for every installation. And they're alienating IT departments. I hate working with them-- they're more mafia-like every year. End of complaint.

I think they're what I suspected in email to you

Sometimes, the "anti-windows" stuff notes it (Linux = secure / Windows != secure b.s. especially) - nowadays, that crap doesn't "wash" here OR anyplace else...

Thus, in fact?

Heh - I often TRULY SUSPECT that it's the folks that RUN THIS PLACE doing it (vs. plain idiot trolls - even THEY are NOT THAT STUPID nowadays, @ least, I hope not...)!

Merely "spurring debate", thus pageviews, by doing what you dislike, and rightfully so on YOUR part (& yes, mine too because I can't STAND spreading "fud", which you and I have seen for YEARS here on this particular site), simply since its spouting utter falsehoods, doing it!

(Which again, of course, means more pageviews/hits = MONEY for them)

It ends up getting reactions like yours that lead to more views of this site!

On disliking it? Hey - I'm not much better!

Lately though - I have been thinking it over per my subject-line & what I wrote you in email about it and am restating now, on it being the folks that run this place doing it, rather than mere trolls (even THEY are NOT THAT STUPID), & simply for the reasons I just reiterated here now...

(The "main motivator" = "The Holy Dollar"!).

Why? Easy - oldest motivator there is: "playing folks" for the LOVE of money!

* Think about it - "Food 4 Thought"...

Sometimes I have even said to myself "How on EARTH could anyone be THAT STUPID nowadays to keep that stale disproven crap going online, since it's EASY to disprove with facts + common sense?"!

The answer is, they're not stupid:

It's ALL about the "benjamins" man, & taking advantage of your psyche + character to be 'the clever boy'...

(Clever boy = noted in detail below!).

APK

P.S.=> Seriously - DO think it over: I mean, I agree here - Especially on the account of NOBODY, especially nowadays (imo @ least) is as DUMB as some of the statements of pure "FUD" b.s. I see spouted around here @ times!

(E.G.-> Especially the "Pro-*NIX" &/or "Pro-'Open SORES'" crap you see regularly along with "Anti-Microsoft" &/or "Anti-Windows" b.s. too)...

I.E.-> So, once more: It makes sense the owners or forums admins do those idiotic replies!

(Just to get YOU 'worked up' & replying IF NOT going into a "mile long" debate over it - which again, = money in their pockets! NOT MINE, of course - you know why (hosts))

"The clever boy gets others to make him money instead of having to work for it..." & by doing almost a Sun Tzu method of using YOUR TENDENCIES & those of others, even myself, against you!

Doing so, thinking they're "clever" in pulling b.s. like I allude to above (and yes, I think THAT is the cause of it, as well as the motivator)

... apk

Knew I had to "patent" that saying... lol! apk

"Band Aids on bullet wounds friend, Band Aids on bullet wounds." - by hairyfeet (841228) > on Saturday March 02, @06:50PM (#43057145)

You're "biting off my style", lol, by "pinching" that turn of a phrase (from yours truly)... admit it (lol)!

* :)

("Imitation is the sincerest form of flattery")

APK

P.S.=> Going to send you an email on this too, kind of important & just helping you out on it!

(It's something I stumbled on regarding the YouTube "lag" you noted lately when we had our recent email exchanges... It *may* even "cure" it... it actually sounds reasonable, & is EASY TO "UNDO" if you need to & it doesn't work for you!)

See - my "lag" with it's gone, long gone in fact, but IF you're still seeing it? So - This MAY help you with that YouTube "lag" you complained of -> http://mitchribar.com/2013/02/time-warner-cable-sucks-for-youtube-twitchtv/

Good luck - hope it helps!

&

Do check this out too, another reply of mine to you (since it frustrated you & has MYSELF also @ times, more than a FEW TIMES, lol, as you know)

AND

I stated it, since I do HONESTLY suspect that is the case here -> http://developers.slashdot.org/comments.pl?sid=3509641&cid=43060679

... apk

This is sad...

...i have always had high hope for Java, but it seems that it turning into a security risk that almost equals Windoze. Anyone know why? Is Oracle doing the kind of sloppy ass stuff that Micro$oft has make into an industry standard?

Re:I think they're what I suspected in email to yo

Hey APK, your posts are as bad as Windows is insecure. Keep doing the good job of associating yourself to M$ products.

Featureitis

Java is simply too complex by now to be secure.

Hmm backdoor or front? Both?

Just Another Viral Anus
Just Another Vaginal Anus
Just Anal Vaginal Anomolies

Re:I think they're what I suspected in email to yo

[doccus]

I can answer this one: : Back in my rock and roll days a girl I lived with, I was a tall blond "party girl" type, y'know, the kind that likes to "play blonde".. and you'd never quite know if she was acting or not. One particularly hot set, one of the folks I was playing with had one of those headstock-less Steinberg guitars , where the tuning pegs are down by the body of the guitar.. She apparently did not notice, or at least claimed not to notice, and after the set, said for all to hear "Wow! The music was so good the top of the guitar fell off!!" ;-) ;-) ;-) The press folks just stared at each other,and so did anyone else with this weird look like I've never seen before.. more than your typical "here we go again".. Nobody's really sure if it was a blonde moment or a remark of pure genius.. as everybody STILL remembers that gig!!

My posts must be pretty good then!

"Hey APK, your posts are as bad as Windows is insecure." - by Anonymous Coward on Sunday March 03, @04:54PM (#43063595)

See my subject-line above, this data below, & "eat your words":

---

Vulnerability Report: Microsoft Windows Server 2012:

http://secunia.com/advisories/product/42761/

Unpatched = 0% (0 of 18 Secunia advisories)

---

Vulnerability Report: Microsoft SQL Server 2012:

http://secunia.com/advisories/product/40664/

Unpatched = 0% (0 of 1 Secunia advisories)

---

Vulnerability Report: Microsoft Exchange Server 2010:

http://secunia.com/advisories/product/28234/

Unpatched = 0% (0 of 3 Secunia advisories)

---

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x:

Unpatched = 0% (0 of 7 Secunia advisories)

---

Vulnerability Report: Microsoft .NET Framework 4.x:

http://secunia.com/advisories/product/29592/

Unpatched = 0% (0 of 18 Secunia advisories)

---

Vulnerability Report: Microsoft DirectX 10.x:

http://secunia.com/advisories/product/16896/

Unpatched = 0% (0 of 3 Secunia advisories)

---

Vulnerability Report: Microsoft Visual Studio 2012:

http://secunia.com/advisories/product/42480/

Unpatched = 0% (0 of 0 Secunia advisories)

---

Vulnerability Report: Microsoft Internet Explorer 10.x:

http://secunia.com/advisories/product/43073/

Unpatched = 0% (0 of 3 Secunia advisories)

---

Vulnerability Report: Microsoft Office 2013:

http://secunia.com/advisories/product/43263/

Unpatched = 0% (0 of 0 Secunia advisories)

---

Vulnerability Report: Microsoft SharePoint Server 2010:

http://secunia.com/advisories/product/29809/

Unpatched = 0% (0 of 8 Secunia advisories)

---

Vulnerability Report: Microsoft Forefront Unified Access Gateway (UAG) 2010:

http://secunia.com/advisories/product/32977/

Unpatched = 0% (0 of 3 Secunia advisories)

---

* Would you like more, OR, will THAT do to make you "eat your words" from Microsoft's "top of the line" product offerings for business development?

(Oh, I am SURE it will be enough to "silence you" easily, troll, so thus, I suppose you can ignore that question since it made my point easily vs. yours, blowing yours clean away with facts!)

APK

P.S.=>

" Keep doing the good job of associating yourself to M$ products." - by Anonymous Coward on Sunday March 03, @04:54PM (#43063595)

Thank-You - I absolutely will!

Especially since this still "holds true" -> http://stats.kwsn.net/team.php?proj=sah&teamid=26482&sort_order=name&sort_direction=ASC (see "#9"/AlecStaar there since that's my SETI 'handle/nickname' & has been since 1999, & also see the team description above it - might explain a few things for you!).

---

Hey - MS is #1 worldwide overall on PC desktops + Servers combined... + their stuff is "bulletproof & bugfree" as you can see above from a reputable enough source for security vulnerability data also!

(Especially based on the above securit

Whoops, minor correction

Missed posting this link in my last post I am replying to now correcting that minor omission on my part -> http://developers.slashdot.org/comments.pl?sid=3509641&cid=43064117

---

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x:

http://secunia.com/advisories/product/17543/

Unpatched = 0% (0 of 7 Secunia advisories)

---

* There, all done...

APK

P.S.=> One MUST be thorough in one's "dusting" of trolls, as I am completely NOW, & with exacting data, in response to the AC troll that came in here 'ribbing on' my posts & yes, Microsoft too, here -> http://developers.slashdot.org/comments.pl?sid=3509641&cid=43063595

... apk