Slashdot Mirror


2 Years Later, Java Security Still Broken By Faulty Oracle Patch

An anonymous reader writes: A faulty security patch has left Java users vulnerable to attacks in the past two years, researchers from Polish security firm Security Explorations are claiming. The issue in question is CVE-2013-5838, which was discovered and patched in October 2013. Two years later, going back over their research, the same security researchers have now discovered that Oracle had not only misclassified its impact but also botched the fix. In a Full Disclosure exposé, the researcher says that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch.

3 of 41 comments

  1. Again? by jbmartin6 · Score: 3, Interesting

    I can't find the details, but I vaguely recall Oracle doing this with other 'patches' as well, simply blacklisting the exploit instead of fixing the vulnerability.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
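The distinction the comment above draws, between blacklisting the known proof-of-concept and fixing the underlying check, is easy to see in a toy model. The following is an added illustration written for this page; it is not Oracle's code, not the actual CVE-2013-5838 fix, and every name in it (`gate_blacklist_patch`, `PoC_Exploit`, the `Request` class) is hypothetical. It models a sandbox gate that originally never consulted the caller's permission, then compares a patch that only denies the published PoC's caller against a patch that enforces the missing permission check, and runs both against a trivially renamed variant of the PoC.

```python
"""Toy model (constructed for this page, not Oracle's code): why denying a
specific proof-of-concept is not the same as fixing the vulnerability."""


class Request:
    """A hypothetical request to perform a sensitive operation inside a sandbox."""

    def __init__(self, caller: str, privileged: bool):
        self.caller = caller          # name of the requesting code
        self.privileged = privileged  # whether the caller really holds the permission


def gate_unpatched(req: Request) -> bool:
    """The original defect, modeled simply: the permission is never checked."""
    return True


# "Fix" A: deny the one caller name the public PoC used. Any other caller,
# including the same code under a slightly different name, still passes.
BLOCKED_CALLERS = {"PoC_Exploit"}


def gate_blacklist_patch(req: Request) -> bool:
    return req.caller not in BLOCKED_CALLERS


# Fix B: enforce the property that was actually missing.
def gate_root_cause_fix(req: Request) -> bool:
    return req.privileged


# Constructed test cases: a legitimate privileged caller, the published PoC,
# and a variant of the PoC with only its name changed.
CASES = {
    "legit":   Request("TrustedComponent", privileged=True),
    "poc":     Request("PoC_Exploit", privileged=False),
    "renamed": Request("PoC_Exploit2", privileged=False),
}


def evaluate(gate) -> dict:
    """Return, per constructed case, whether the gate lets it through."""
    return {name: gate(req) for name, req in CASES.items()}


def unprivileged_allowed(gate) -> list:
    """Regression check a reviewer would want: list every case the gate
    admits even though the caller holds no permission. A correct fix
    returns an empty list; a PoC-specific blacklist does not."""
    return sorted(name for name, req in CASES.items()
                  if not req.privileged and gate(req))


if __name__ == "__main__":
    for gate in (gate_unpatched, gate_blacklist_patch, gate_root_cause_fix):
        print(gate.__name__, evaluate(gate),
              "unprivileged admitted:", unprivileged_allowed(gate))
```

The useful habit here is the `unprivileged_allowed` check: a fix is verified against the property that was violated (no unprivileged caller gets through), not against the one input that demonstrated the violation, so a renamed or lightly edited PoC is caught before the patch ships.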
  2. Java security is not broken! by Anonymous Coward · Score: 5, Interesting

    FTA "... a sandbox exploit for Java Web Start applications and Java applets."
    Great, just label it all "Java", shall we?
    Never mind that neither the JREs nor server JDKs running countless web applications around the world are vulnerable. Never mind that Android is not vulnerable just for using Java. Ignore the existence of OpenJDK entirely.
    Just say it's a critical flaw in "Java" security. FFS.

    PS Don't use Java Web Start or Applets.

    1. Re:Java security is not broken! by Anonymous Coward · Score: 1, Interesting

      PS Don't use Java Web Start or Applets.

      Yeah, but that shit was installed and enabled by default for the longest time with what we call "Java", and being that the exploit targets the web facing Java code, it's all the more exploitable and dangerous.

      BTW, are you an Oracle shill? Java is shit, shit. Triple shit, has always been shit, the register VM design bogus and less efficient than even old ass VMS. Eat dick Sun / Oracle. Java is dead. Android converts Java code into Dalvik, and compiles on install into [mostly] machine code (not to mention at-install-time linking, JUST ONCE, NOT EVERY TIME THE PROGRAM IS LOADED {like Java's JIT}, which includes proper byte order re-ordering)... It doesn't even use the full "Must implement this whole damn API to call it Java(TM)", so Android is technically not Java. I've been tap dancing on its grave since that shit was born.

      Hint: Java could have saved us. Java could have been the Web Assembly (if its VM was worth a damn), but they decided to put the whole fucking kitchen sink into Java Applets (and Web Start / Hotspot), along with the giant attack surface that entails. Sun would still be relevant, and would be a dominant player in OSs / Languages / maybe even chips (fuck, I miss my SPARC RISC w/ no chance of buffer overruns smashing the stack...), but they did NOT make a lean, mean, stripped down Virtual Machine for the Web (they did for mobile, with J2ME -- they should have done a DOM enabled barebones VM -- like Lua for the Web). It's a real shame Java dropped the fucking ball. They had the opportunity, and decided that their API would be the way they leveraged out competition (see also: Oracle vs Google, copyrighting a fucking function list [interfaces are now copyrightable, thanks Java]).

      No, you don't get a free pass on this one. The only reason that this exploit isn't so bad is because Firefox has been disabling the Java web plugin by default. Get fucked, fool. If not for Mozilla, this bug would be yet another worm.