Slashdot Mirror


2 Years Later, Java Security Still Broken By Faulty Oracle Patch

An anonymous reader writes: A faulty security patch has left Java users vulnerable to attacks for the past two years, researchers from Polish security firm Security Explorations are claiming. The issue in question is CVE-2013-5838, which was discovered and patched in October 2013. Two years later, going back over their research, the same security researchers have now discovered that Oracle had not only misclassified its impact but also botched the fix. In a Full Disclosure exposé, the researchers say that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch.

41 comments

  1. Again? by jbmartin6 · · Score: 3, Interesting

    I can't find the details, but I vaguely recall Oracle doing this with other 'patches' as well, simply blacklisting the exploit instead of fixing the vulnerability.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  2. Java security is not broken! by Anonymous Coward · · Score: 5, Interesting

    FTA "... a sandbox exploit for Java Web Start applications and Java applets."
    Great, just label it all "Java", shall we?
    Never mind that neither the JREs nor server JDKs running countless web applications around the world are vulnerable. Never mind that Android is not vulnerable just for using Java. Ignore the existence of OpenJDK entirely.
    Just say it's a critical flaw in "Java" security. FFS.

    PS Don't use Java Web Start or Applets.

    1. Re:Java security is not broken! by Anonymous Coward · · Score: 1, Interesting

      PS Don't use Java Web Start or Applets.

      Yeah, but that shit was installed and enabled by default for the longest time with what we call "Java", and being that the exploit targets the web facing Java code, it's all the more exploitable and dangerous.

      BTW, are you an Oracle shill? Java is shit, shit. Triple shit, has always been shit, the register VM design bogus and less efficient than even old ass VMS. Eat dick Sun / Oracle. Java is dead. Android converts Java code into Dalvik, and compiles on install into [mostly] machine code (not to mention at-install-time linking, JUST ONCE, NOT EVERY TIME THE PROGRAM IS LOADED {like Java's JIT}, which includes proper byte order re-ordering)... It doesn't even use the full "Must implement this whole damn API to call it Java(TM)", so Android is technically not Java. I've been tap dancing on its grave since that shit was born.

      Hint: Java could have saved us. Java could have been the Web Assembly (if its VM was worth a damn), but they decided to put the whole fucking kitchen sink into Java Applets (and Web Start / Hotspot), along with the giant attack surface that entails. Sun would still be relevant, and would be a dominant player in OSs / Languages / maybe even chips (fuck, I miss my SPARC RISC w/ no chance of buffer overruns smashing the stack...), but they did NOT make a lean, mean, stripped down Virtual Machine for the Web (they did for mobile, with J2ME -- they should have done a DOM enabled barebones VM -- like Lua for the Web). It's a real shame Java dropped the fucking ball. They had the opportunity, and decided that their API would be the way they leveraged out competition (see also: Oracle vs Google, copyrighting a fucking function list [interfaces are now copyrightable, thanks Java]).

      No, you don't get a free pass on this one. The only reason that this exploit isn't so bad is because Firefox has been disabling the Java web plugin by default. Get fucked, fool. If not for Mozilla, this bug would be yet another worm.

    2. Re:Java security is not broken! by Anonymous Coward · · Score: 1

      , the register VM design bogus

      Shit, I meant Java's STACK based VM is bogus. Register VM, as in Dalvik et al., is god-tier.

    3. Re:Java security is not broken! by DamonHD · · Score: 4, Insightful

      With regard to your "Java is shit, shit" you are talking nonsense and should take some deep breaths. Really, grow up. And the rude words don't add gravitas either.

      I use and have used many languages over the last 40 years, 30 professionally, and while Java is not perfect *NOR IS ANYTHING ELSE*. I'm having to use C/C++/ASM again at the moment and would much prefer the inherent safety against, for example, buffer overflows from coding errors of Java, but the run-time is too expensive for my current main application.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    4. Re:Java security is not broken! by gnupun · · Score: 1, Troll

      Java is shit, shit. Triple shit, has always been shit... Android converts Java code into Dalvik

      BS! Dalvik is just another implementation of Java VM. Android apps are Java -- java language, java API, java VM concepts/features. Just having a different VM implementation does not negate the fact that it's java code. Stop appropriating other people's technology, making small changes, relabeling it and calling it new and novel.

    5. Re:Java security is not broken! by Anonymous Coward · · Score: 0

      It seems that Stackoverflow hasn't lost its edge when finding people to gripe about Java.

      It is the most popular language to program in today. It performs very, very well for a hybrid compiled / interpreted byte code machine, with optimizations allowing it speed comparable to C++ (more so than any other language). It has added feature after feature to appeal to programmers that have complained "Java lacks X". It has the highest amount of choice available among libraries, etc., and still people act like it's bad.

      At this point in time, it is as if you are complaining that Oxygen is bad, and it shouldn't exist.

      Grow up, the truth is that you don't need to use it, AND you don't need to berate it. Java programmers are not smug, because they are not turning their noses up at a wildly popular programming language. They are not hypocritical, because they are not acting like one very useful tool has no value at all. They are not dishonest because they don't promote a truth that has useful tools portrayed as not being worth anything. Can you say the same for yourself?

    6. Re:Java security is not broken! by Anonymous Coward · · Score: 0

      That wasn't my point at all. The thing is, the original AC apparently had it with Java, something I can fully sympathize with, so he vented a bit. BFD. However, the first thing that happens when someone finally had enough of something which is really bad, and face it java is bad. That doesn't mean it's all bad, but even a blind hen occasionally finds some corn.

      My point however, is as soon as someone gives his honest opinion, the hypocritical, passive aggressive "American grown up" brigade, who can't tell the truth about anything, and simply can't stand hearing it to the point where they just have to silence those speaking it, shows up. Well represented btw, by my previous post, which is currently at -1. Way to make my point.

      And that's the third thing: I wasn't talking about "java programmers", I was referring to the type of persons who post the kind of reply I was answering. In case you're one and the same, don't try to hide behind the class "java programmers", it's dishonest, and disingenuous to pretend my post reads that way.

    7. Re:Java security is not broken! by Anonymous Coward · · Score: 0

      So, this post is a novel, just because I write it in English?

      Dalvik byte-code isn't Java byte-code. What you're arguing is that a text in German is actually English, if it was written in English with the intention of being machine-translated into German and distributed that way. Which is utter stupidity.

    8. Re:Java security is not broken! by Anonymous Coward · · Score: 1

      Wow, where to begin.

      Dalvik has been discontinued. Womp womp.

      RISC architectures can certainly have their stacks smashed. You don't understand (a) what a stack-based architecture (e.g. x86) is versus a load-store architecture (e.g. SPARC) is and (b) what stack-smashing actually is.

      If you had a good understanding about these topics, you wouldn't say such stupid things.

      Java (the language) is fairly good, if not quite as expressive as some of the more recent, trendy languages. The JVM itself is actually VERY well designed and implemented. If you don't like Java, you can use one of many other languages and deploy onto the JVM.

      So stop yelling about things and educate yourself instead.

    9. Re:Java security is not broken! by Anonymous Coward · · Score: 0

      grow up

    10. Re:Java security is not broken! by Anonymous Coward · · Score: 0

      Android apps are Java -- java language, java API, java VM

      No, Java VM, JVM is not Android's VM. And in order for a language to call itself "Java", it must (by Java's License) support the entire API (which Oracle has relaxed from somewhat, allowing subsets now, but Android is still not able to be called "Java(TM)", and is explicitly prohibited from being called "Java" by Java's owners, I think they have more standing as to what is Java than you...). Furthermore, to be licensed as an implementation of the JVM you must also support backward compatibility for a host of deprecated which Android does not. There is a small core API that is shared between Java and Android APIs, and a syntax. The two languages are not the same, either technically or practically. They are similar in some respects.

      It would be like trying to argue that C is actually C++ or vice versa. Android bytecode is translated to machine code AT INSTALL TIME. Java VM does JIT (just in time) compilation AT RUN TIME. Android also relaxes some of the strict guarantees about numeric representation that make Java VMs slower (but more usable in finance & business logic).

      Stop appropriating other people's technology, making small changes, relabeling it and calling it new and novel.

      You're a moron. Google bought Harmony which was a full independent VM which is register based, and has a completely different codebase and compilation strategy than Java VM -- You can't even run Java bytecode on Android. It would be like you arguing that ARM is just a ripoff of Intel x86 because they both run C programs (even though the programs are translated to two different representations and an ARM compiler is completely different than an x86 compiler, and the chips are fundamentally different from opposing design perspectives of RISC vs CISC). This is literally what you are doing. JVM = RISC-y since it uses a minimal stack based design, whereas Android = CISC since they support a more complex bytecode which more easily maps to hardware registers.

      "small changes", HAHA, no. This is what Oracle shills actually believe...

    11. Re:Java security is not broken! by Megol · · Score: 1

      X86 isn't a stack-based architecture, those architectures are called stack machines which - again - the x86 isn't an example of.

      Very few computers don't have stack support either in hardware or as a software convention, as it helps make things like re-entrant calls possible.

    12. Re:Java security is not broken! by DamonHD · · Score: 1

      So, you think I'm American for a start?

      --
      http://m.earth.org.uk/
    13. Re:Java security is not broken! by Anonymous Coward · · Score: 0

      You show all the signs. Of course you could come from somewhere else, but you'd probably fit right in with the other slippery and fake yes men.

    14. Re:Java security is not broken! by DamonHD · · Score: 1

      Well, I guess if mere actual facts don't get in your way, life is so much more simple...

      Anyway, no more feeding the trolls for me today.

      --
      http://m.earth.org.uk/
  3. Java fail? That's unpossible! by Lisandro · · Score: 2

    It runs in a virtual machine and my Oracle rep tells me those are bulletproof!

  4. Larry Ellison by Anonymous Coward · · Score: 1

    is the single worst human being on the entire face of the earth.

    I don't use his software, and neither should anyone else.

    CAPTCHA: Opulent. You can't make this shit up....

    1. Re:Larry Ellison by Anonymous Coward · · Score: 0

      you're just jealous you can't charge millions for kludgy software.

  5. Sun, come back! by Anonymous Coward · · Score: 1

    I wish Sun Microsystems hadn't been sold to Oracle. It was necessary, but still it's a pity.

    A lot of smart people were at Sun. James Gosling, Jon Bosak, ... I hate to see collections of really smart people get broken up.

    1. Re:Sun, come back! by Anonymous Coward · · Score: 0

      Come back sun! Yeah just a few days until northern hemisphere equinox. Everything is OK then.

    2. Re:Sun, come back! by Anonymous Coward · · Score: 0

      If sun had actually had a few more smart people they wouldn't have needed to be sold in the first place. Sun had a "few" great people, they had a shitload more mediocre people.

    3. Re:Sun, come back! by Anonymous Coward · · Score: 0

      Sun was more done in by market movements. Their people were fine.

    4. Re:Sun, come back! by Anonymous Coward · · Score: 0

      Which means they were stuck in the old way of doing things and could not evolve (fast enough).

    5. Re:Sun, come back! by HiThere · · Score: 1

      Maybe. But I still wish Java had non-object structs. I like being able to save binary images to disk without a bunch of serialization...and pull them back without a bunch of deserialization.

      For that matter, if they're going to add so many features into the language, why don't they add a persistent storage B+Tree. I rarely need or want SQL, but a built in B+Tree would be immensely useful. And I don't mean one elaborated the way libdb (SleepyCat) is...more like the way it was, only built into the language so it could automatically handle non-reference based data. C has a good reason for not including that, its emphasis is minimalism. C++....well, there are decent libraries you can use, but I'm not convinced. Still, they put their emphasis on libraries with minimal-to-no runtime overhead. Java doesn't have those excuses. (OK, originally it was aimed as an embedded language, and then it was going to be a language that ran totally in browsers...but when they gave up on those choices...)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  6. 18 years later, /. still posts nonsense by roman_mir · · Score: 5, Informative

    18 years later and /. still allows nonsensical titles on its front page.

    Java is a bloody language, not a thing that breaks your computer.


    Overview

    Unspecified vulnerability in Oracle Java SE 7u25 and earlier, and Java SE Embedded 7u25 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

    Description
    Per http://www.oracle.com/technetw... 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.'

    Java is mostly used as a language and runs on server side JVMs, not in people's browsers.

    Oracle, however, is a piece of shit company and its incompetence is legendary, it is a truly sad situation and as I wrote years ago, I bet the likes of IBM and Google are sorry now that they didn't manage to buy out SUN's assets before Oracle did.

    1. Re:18 years later, /. still posts nonsense by thegarbz · · Score: 1

      18 years later and /. still allows nonsensical titles on its front page.

      People don't like change.

    2. Re:18 years later, /. still posts nonsense by Anonymous Coward · · Score: 0

      You could read TFA for a change. It clearly says that Oracle is wrong with their assessment, and that the vulnerability affects server JDKs such as the one used by Google Cloud Engine.

    3. Re:18 years later, /. still posts nonsense by Anonymous Coward · · Score: 0

      I bet the likes of IBM and Google are sorry now that they didn't manage to buy out SUN's assets before Oracle did.

      So are the SUN assets...

  7. successfully exploited in a server env and GAE by Anonymous Coward · · Score: 1

    You didn't read the article, did you?

    Oct 2013 indicated that Issue 69 could "be exploited only through sandboxed Java Web Start applications and sandboxed Java applets". This is not true. We verified that it could be successfully exploited in a server environment as well such as Google App Engine for Java [4].

    Thank you.

  8. big deal by ooloorie · · Score: 1, Flamebait

    Java security has pretty much always been broken in one way or another anyway, so who cares?

  9. Disclosure Policy by Anonymous Coward · · Score: 0

    On Mar 07, 2016 Security Explorations modified its Disclosure Policy [1]. As a result, we do not tolerate broken fixes any more. If an instance of a broken fix for a vulnerability we already reported to the vendor is encountered, it gets disclosed by us without any prior notice.

    How considerate of them. Shouldn't you expect a company that's producing buggy software to also be able to produce buggy fixes? Eventually nail the company sure, but give the junior QA guy a break.

  10. Might as well keep it themed by Anonymous Coward · · Score: 0

    I love the IBM ads at the top of the screen.... We all know Slashdot was purchased... Well, at least they keep the page themed :)
    Yes, an anonymous lurker, but it does seem to show why certain companies are targeted like this.
    A security company should tell someone if their fix doesn't work, not spam the exploit mechanism for publicity. At best it might get a fix (so would an email), at worst it hurts folks and potentially allows something to get compromised. Why this makes the front page... oh yeah, the IBM ads.

  11. So, more buggy C code in the JVM by Anonymous Coward · · Score: 0

    Too bad they have to use C to interface with the OS...

  12. Oracle rant by Anonymous Coward · · Score: 0

    I have this hate now for everything Oracle. With the exception of their database, everything else is terrible. While they make strides to consolidate everything into using Weblogic, the different application teams don't have a roadmap to combine everything. What ends up happening is you have multiple instances of Weblogic as the versions are different within a release (ODI OBIEE) or they just aren't configured to work together. We have 4 WL instances for one product because they couldn't figure out how to consolidate them.

    I like how they say they are cloud based when in reality nothing they do is cloud based. Ever tried to bring up some of their apps in another site without having to re-configure 100 different things?

    Java oh how I hate thee. Its slow response from most of the applets that I use...always has been this way. I am constantly fighting to install/uninstall different versions since some older applets don't work on newer versions of Java.

    Their support is also the worst out of anything I have ever used. How is it acceptable to have a ticket opened for a month with no response. I literally updated the ticket 5 times asking for an update within a month to no response.

  13. This is for Applets/JWS, doesn't really matter by coder111 · · Score: 2

    Hi,

    This vulnerability only applies to Applets or Java Web Start- SANDBOXED environments. It doesn't matter for any real-world scenario- server apps or desktop apps or Android apps.

    Thing is, sandboxed java is insecure, and by this point it's obvious it's pretty much impossible to secure. So applets or JWS will remain insecure, but they should not be used in the first place and they are barely used in real world anyway these days. Today java is used in BigData/backend/server-side/web-server apps, or in some desktop apps, or in Android. Anyone still using Applets or JWS should just stop...

    Shame to Slashdot for clickbait title- by now they should know better than to post crap like this.

    --Coder

    1. Re:This is for Applets/JWS, doesn't really matter by ls671 · · Score: 2

      Just consider that running Applets/JWS is just like running a desktop application. Forget about the security manager and its setting in Applets/JWS. Just assume an "allow all" configuration.

      Then, there is still a use for Applets/JWS when you trust the provider as you would trust him to install a desktop application coming from him. Code signing and signature verification is available in both cases. From that perspective, you can still deploy your desktop application through JWS if you wish without any additional security threats for your users compared to a desktop application.

      Basically, it seems that the security manager is broken, assuming an "allow all" configuration makes running JWS no less secure than running a desktop application.

      https://docs.oracle.com/javase...

      --
      Everything I write is lies, read between the lines.
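
The comment above contrasts a working Java sandbox (the SecurityManager refusing file access to applet or Web Start code) with an "allow all" configuration that is no different from a desktop application. The program below is an added example, not code from the article, from Oracle or from Security Explorations, and it says nothing about how CVE-2013-5838 is actually triggered. It installs a minimal sandbox that denies every FilePermission, shows that untrusted code can no longer open a file, then swaps in an allow-all manager and shows the same read succeeding. The class names, the temporary file used as sample input, and the deliberately narrow deny rule are all assumptions made for the demonstration; the point of that narrow rule is visible in the second step: a sandbox that forgets to deny RuntimePermission("setSecurityManager") can be replaced by the very code it is supposed to confine.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.security.Permission;

// Added example (not from the article or the vendor). Demonstrates the
// sandboxed-vs-allow-all distinction discussed in the thread.
public class SandboxDemo {

    // Minimal sandbox: refuse every FilePermission, permit everything else.
    // Deliberately incomplete (assumption for the demo): it does not deny
    // RuntimePermission("setSecurityManager"), so confined code can swap it out.
    static final class DenyFilesSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission) {
                throw new SecurityException("sandbox denied " + perm);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // "Allow all": a manager that never throws, i.e. what the comment above
    // assumes a broken sandbox amounts to. Equivalent to a plain desktop app.
    static final class AllowAllSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) { }

        @Override
        public void checkPermission(Permission perm, Object context) { }
    }

    // Stands in for untrusted applet code trying to read a local file.
    // FileInputStream calls SecurityManager.checkRead(), which by default
    // delegates to checkPermission(new FilePermission(path, "read")).
    static boolean untrustedCodeCanRead(File target) {
        try (FileInputStream in = new FileInputStream(target)) {
            return true;
        } catch (SecurityException e) {
            return false;           // the sandbox blocked the read
        } catch (IOException e) {
            return true;            // OS-level failure, but the JVM check passed
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: an empty temp file standing in for a
        // sensitive local file the applet should never be able to open.
        File target = File.createTempFile("sandbox-demo", ".txt");

        System.setSecurityManager(new DenyFilesSecurityManager());
        System.out.println("sandboxed : can read = " + untrustedCodeCanRead(target));

        // Confined code replacing the manager: succeeds only because the
        // sandbox above never denies RuntimePermission("setSecurityManager").
        System.setSecurityManager(new AllowAllSecurityManager());
        System.out.println("allow-all : can read = " + untrustedCodeCanRead(target));

        target.delete();            // permitted under the allow-all manager
    }
}
```

Compile and run with `javac SandboxDemo.java && java SandboxDemo`; the first line reports `false`, the second `true`. On JDK 18 and later the SecurityManager is disabled by default (it was deprecated for removal in JDK 17), so add `-Djava.security.manager=allow` to the `java` command there; on JDK 24 and later the API no longer functions at all, which is one more reason the comment's advice to treat any applet or Web Start code as if it had full desktop privileges is the safe assumption.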