Slashdot Mirror


Java Update Implements Whitelists To Combat 0-Day Hacks

kylus writes "The Register is reporting that Oracle's new Java 7 update 40 release comes complete with a new 'Deployment Rule Set' capability which allows administrators to define which particular applets and Java Web Start applications ('Rich Internet Applications') are permitted to run on a given machine. Not a complete solution for the recent trend of Java hacks that have cropped up, but good news for enterprises that have to run this in their environment." Update: 09/19 20:08 GMT by U L : There's an introduction to deploying rule sets on the Java platform group weblog too.
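A minimal rule set of the kind the summary describes, added here as an illustration; it is not taken from the article, from Oracle's documentation, or from any commenter. The hostname, path and certificate fingerprint are placeholders, and the rule-set element names follow the Deployment Rule Set format of Java 7 update 40 as documented by Oracle (a `ruleset.xml` packaged into `DeploymentRuleSet.jar`).

```xml
<!-- ruleset.xml: added example of a Java 7u40 Deployment Rule Set.
     Rules are evaluated top to bottom and the first matching rule wins,
     so the catch-all block rule must come last.
     intranet.example.com, the path and the hash below are placeholders. -->
<ruleset version="1.0+">

  <!-- The one line-of-business application this site actually needs.
       Binding the rule to the signer certificate (SHA-256 fingerprint of the
       signing certificate, hex-encoded) as well as the URL means a rogue JAR
       served from the same host or a spoofed DNS answer still does not match. -->
  <rule>
    <id location="https://intranet.example.com/wage-reporting/">
      <certificate hash="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" />
    </id>
    <action permission="run" />
  </rule>

  <!-- Everything else: block, and tell the user why so the help desk
       gets a whitelist request instead of a "Java is broken" ticket. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java applets and Web Start applications are blocked by policy. Contact the help desk to have an application added to the whitelist.</message>
    </action>
  </rule>
</ruleset>
```

Two practitioner caveats. First, the rule set only takes effect if `DeploymentRuleSet.jar` is signed with a certificate the client JRE trusts (a commercial CA in the JRE's cacerts, or an internal CA you import there) and is installed at the fixed per-machine location Oracle documents for the platform (on Windows, `C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar`); an unsigned or untrusted rule-set JAR is ignored, and the Java console reports why. Second, a `run` action suppresses the security prompts for the matched application, so every whitelist entry is an explicit decision to trust that code; as the discussion below notes, the rule set blocks unapproved applets but does nothing about a vulnerability in an applet you approved.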

14 of 55 comments

  1. Good by Anonymous Coward · · Score: 4, Informative

    This is a good thing for my company. We need java web start for only one application: the social security wage reporting "AccuWage" software. So whitelisting that is easy.

  2. About time by benjfowler · · Score: 5, Insightful

    Like it or not, a lot of crap line-of-business/enterprise software still uses old, hacked-together garbage applets, and they need to be supported.

    There's quite a few games out there written as applets too (e.g. Minecraft, the Jin Chess Client), and speaking for myself, I want to run one or two of them without feeling like I'm holidaying in Baghdad.

    1. Re:About time by Anonymous Coward · · Score: 2, Interesting

      DotNet/NGWS is better, but still a layer of pointlessness originally created for no other reason than MS didn't like Sun - if you're going to write platform-specific code, might as well use Win32 - then write your own cross-platform layers if needed so absolutely everything looks *native* and integrates beautifully on each target, something that every existing cross-platform library fails fucking hard at.

      Creating line of business applications whose purpose is to automate previously manual processes is much faster when utilizing Java or .NET. Entire frameworks are already at your disposal without having to reinvent something as simple as sorting an array. Suggesting that everyone just use Win32 because Windows Forms or WPF or Swing doesn't "look nice" with the rest of the OS windowing system is rather shortsighted. Things cost money to create. Time is expensive. Look and feel is not always the most important thing that those with money care about.

      Once again, this is where Apple got it right: fuck web apps, because you want people to take advantage of your own platform. Hence the iOS SDK. And Android followed.

      Apple certainly didn't invent mobile frameworks and development kits, so I'm not sure where you're going with this point.

      This is why phones and tablets are succeeding while PCs are dying - because people are actually developing for the former, but they've given up on the latter in favour of "the web", where everything is third rate.

      Succeeding at what? Consumer sales? Enterprise sales? Games? Applications? PCs are hardly dead and most of the decline can be attributed to the fact that people have no need to upgrade their PC every couple of years. I have boxes going strong after 7-8 years without any real need to upgrade. As for your final point, I don't even know what it means. You claim that people gave up on PCs and instead are developing web applications. Except...PCs can use web applications too! Web applications have a developer appeal because they can easily target a broad audience.

      And just as a tip, cussing doesn't help emphasize your point. It makes you look childish and uninformed.

  3. Re:Walked away from Applets long time ago by benjfowler · · Score: 2

    "Write once, test everywhere"

  4. Re:Whitelists mean nothing by Joining Yet Again · · Score: 4, Funny

    What if you're wearing a condom but your one night stand has a knife? Did you even think that through?

  5. Re:Whitelists mean nothing by kylus · · Score: 3, Insightful

    As I said at the end of the summary, this really isn't a complete solution and you're right about a whitelisted applet/RIA being vulnerable. However this is a good piece of 'defense in depth' to prevent random Java crap from executing without authorization if (when) another bug crops up and is somehow exploited. If the stuff you're whitelisting has problems, you need to revisit your coding quality checks, or talk to whatever vendor is supplying it to you.

    --
    --Kylus
    Idiot-proof something, and Life will build a better Idiot.
  6. Statement from Oracle by Anonymous Coward · · Score: 2, Insightful

    "We give up. We're too incompetent to fix the bugs, so we'll just foist a huge inconvenience on our customers who are locked in to our platform."

  7. Re:Whitelists mean nothing by JustOK · · Score: 3, Funny

    My night stand doesn't have a knife. Toe nail clippers, phone charger, box of kleenex, clock radio, lamp: those are the things my night stand has.

    --
    rewriting history since 2109
  8. Re:pointless by h4rr4r · · Score: 5, Insightful

    No everyone has not. There are a great many enterprise apps that companies rely on that need this. Normal users will not know to turn it on, nor to turn it off.

  9. Re:Oracle are fab by Joce640k · · Score: 3, Insightful

    Finally, an admission that they'll never be able to make it secure, that blacklisting everything by default is the only way forward.

    --
    No sig today...
  10. Blacklists and signing applets by Anonymous Brave Guy · · Score: 2

    blacklisting everything by default is the only way forward.

    That's fine as long as I, as the user and sometimes developer of applets, can change that default when I want to.

    Today I installed Java 7 update 40 and Firefox 24, and for the first time in several weeks I can test our web application running from a local disk without Firefox refusing to even load it, regardless of any lowering of security settings. I suspect this was actually Firefox's fault, because the same application worked fine, applet and all, in other browsers on the same system, but in any case it was a pain in the backside for testing.

    However, we don't sign our applications, and for a good reason: they will ultimately be running on embedded systems where there is no way to update them, and the signing certificates you can buy from established CAs are all prohibitively time-limited. I notice that with this release of Java, the scary warning message has been changed to say that in a future release this will be completely blocked.

    If that refers only to running from a local system without needing to fire up a web server, that will be an inconvenience for testing again, and helping no-one here. It's not as if an applet we just compiled from our own code is a security risk.

    However, if it refers to blocking any unsigned applets, it's going to instantly and permanently break numerous existing installations on embedded systems. Applets are used more than a lot of people realise, and one significant use case is web-based control panels for network-accessible devices. Those devices probably have a working lifetime of many years and if they all stop working overnight because Oracle broke Java, it's not going to go down well.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Blacklists and signing applets by Joce640k · · Score: 2

      However, if it refers to blocking any unsigned applets ....

      Let's hope so.

      it's not going to go down well.

      Why? Is clicking 'allow' the first time you visit a page too much effort for you?

      (assuming that's what it does)

      I imagine most people can just whitelist one or two domains then everything will be business as usual (except the entire world-wide-web won't be a minefield any more...)

      --
      No sig today...
    2. Re:Blacklists and signing applets by Anonymous Brave Guy · · Score: 2

      (assuming that's what it does)

      Unfortunately, it isn't.

      Recent Java updates, for around the past year or so, have been increasingly draconian in their security measures. We are now reaching the point where you can't run code that you know is perfectly safe, in ways that have worked for years, even if you are willing to turn down the security settings and accept any associated risk. Much of this is Java's fault, although well-intentioned but buggy browser updates have also broken essential functionality at various points within that time frame.

      Security that actually stops you doing your job isn't an improvement, it's just broken.

      Also, the idea that merely signing an applet significantly improves the safety of running it is rather strange. Which is really safer to run, an applet I just compiled right there on my own system from our own code using a tried-and-tested build process, or an applet downloaded from a web site I never visited before that could be anything but is signed with a certificate that anyone with a bit of cash and a bit of time can easily obtain?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  11. Re:Why only applets? by swilver · · Score: 3, Insightful

    I'd recommend installing a better firewall instead.