2 Years Later, Java Security Still Broken By Faulty Oracle Patch

← Back to Stories (view on slashdot.org)

2 Years Later, Java Security Still Broken By Faulty Oracle Patch

Posted by timothy on Friday March 11, 2016 @03:28PM from the bitter-brew dept.

An anonymous reader writes: A faulty security patch has left Java users vulnerable to attacks in the past two years, researchers from Polish security firm Security Explorations are claiming. The issue in question is CVE-2013-5838, which was discovered and patched in October 2013. Two years later, going back over their researcher, the same security researchers have now discovered that Oracle had not only misclassified its impact but also botched the fix. In a Full Disclosureexposé, the researcher says that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch.

20 of 41 comments (clear)

Min score:

Reason:

Sort:

Again? by jbmartin6 · 2016-03-11 15:42 · Score: 3, Interesting

I can't find the details, but I vaguely recall Oracle doing this with other 'patches' as well, simply blacklisting the exploit instead of fixing the vulnerability.

--
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Java security is not broken! by Anonymous Coward · 2016-03-11 15:48 · Score: 5, Interesting

FTA "... a sandbox exploit for Java Web Start applications and Java applets."
Great, just label it all "Java", shall we?
Never mind that neither the JREs nor server JDKs running countless web applications around the world are vulnerable. Never mind that Android is not vulnerable just for using Java. Ignore the existence of OpenJDK entirely.
Just say it's a critical flaw in "Java" security. FFS.
PS Don't use Java Web Start or Applets.
1. Re:Java security is not broken! by Anonymous Coward · 2016-03-11 17:32 · Score: 1, Interesting
  
  PS Don't use Java Web Start or Applets.
  Yeah, but that shit was installed and enabled by default for the longest time with what we call "Java", and being that the exploit targets the web facing Java code, it's all the more exploitable and dangerous.
  BTW, are you an Oracle shill? Java is shit, shit. Tripple shit, has always been shit, the register VM design bogus and less efficient than even old ass VMS. Eat dick Sun / Oracle. Java is dead. Android converts Java code into Davlik, and compiles on install into [mostly] machine code (not to mention at-install-time linking, JUST ONCE, NOT EVERY TIME THE PROGRAM IS LOADED {like Java's JIT}, which includes proper byte order re-ordering)... It doesn't even use the full "Must implement this whole damn API to call it Java(TM)", so Android is technically not Java. I've been tap dancing on its grave since that shit was born.
  Hint: Java could have saved us. Java could have been the Web Assembly (if it's VM was worth a damn), but they decided to put the whole fucking kitchen sink into Java Applets (and Web Start / Hotspot), along with the giant attack surface that entails. Sun would still be relevant, and would be a dominant player in OSs / Languages / maybe even chips (fuck, I miss my SPARC RISC w/ no chance of buffer overruns smashing the stack...), but they did NOT make a lean, mean, stripped down Virtual Machine for the Web (they did for mobile, with J2ME -- they should have done a DOM enabled barebones VM -- like Lua for the Web). It's a real shame Java dropped the fucking ball. They had the opportunity, and decided that their API would be the way they leveraged out competition (see also: Oracle vs Google, copyrighting a fucking function list [interface's are now copyrightable, thanks Java]).
  No, you don't get a free pass on this one. The only reason that this exploit isn't so bad is because Firefox has been disabling the Java web plugin by default. Get fucked, fool. If not for Mozilla, this bug would be yet another worm.
2. Re:Java security is not broken! by Anonymous Coward · 2016-03-11 17:35 · Score: 1
  
  , the register VM design bogus
  Shit, I meant Java's STACK based VM is bogus. Register VM, as in Davlik et. al. is god-tier.
3. Re:Java security is not broken! by DamonHD · 2016-03-11 19:57 · Score: 4, Insightful
  
  With regard to your "Java is shit, shit" you are talking nonsense and should take some deep breaths. Really, grow up. And the rude words don't add gravitas either.
  I use and have used many languages over the last 40 years, 30 professionally, and while Java is not perfect *NOR IS ANYTHING ELSE*. I'm having to use C/C++/ASM again at the moment and would much prefer the inherent safety against, for example, buffer overflows from coding errors of Java, but the run-time is too expensive for my current main application.
  Rgds
  Damon
  
  --
  http://m.earth.org.uk/
4. Re:Java security is not broken! by gnupun · 2016-03-11 23:40 · Score: 1, Troll
  
  Java is shit, shit. Tripple shit, has always been shit... Android converts Java code into Davlik
  BS! Dalvik is just another implementation of Java VM. Android apps are Java -- java language, java API, java VM concepts/features. Just having a different VM implementation does not negate the fact that it's java code. Stop appropriating other people's technology, making small changes, relabeling it and calling it new and novel.
5. Re:Java security is not broken! by Anonymous Coward · 2016-03-12 01:35 · Score: 1
  
  Wow, where to begin.
  Dalvik has been discontinued. Womp womp.
  RISC architectures can certainly have their stacks smashed. You don't understand (a) what a stack-based architecture (e.g. x86) is versus a load-store architecture (e.g. SPARC) is and (b) what stack-smashing actually is.
  If you had a good understanding about these topics, you wouldn't say such stupid things.
  Java (the language) is fairly good, if not quite as expressive as some of the more recent, trendy languages. The JVM itself is actually VERY well designed and implemented. If you don't like Java, you can use one of many other languages and deploy onto the JVM.
  So stop yelling about things and educate yourself instead.
6. Re:Java security is not broken! by Megol · 2016-03-12 04:09 · Score: 1
  
  X86 isn't a stack-based architecture, those architectures are called stack machines which - again - the x86 isn't an example of.
  Very few computers doesn't have stack support either in hardware or as a software convention as it helps make things like re-entrant calls possible.
7. Re:Java security is not broken! by DamonHD · 2016-03-12 06:13 · Score: 1
  
  So, you think I'm American for a start?
  
  --
  http://m.earth.org.uk/
8. Re:Java security is not broken! by DamonHD · 2016-03-14 02:53 · Score: 1
  
  Well, I guess if mere actual facts don't get in your way, life is so much more simple...
  Anyway, no more feeding the trolls for me today.
  
  --
  http://m.earth.org.uk/
Java fail? That's unpossible! by Lisandro · 2016-03-11 15:56 · Score: 2

It runs in a virtual machine and my Oracle rep tells me those are bulletproof!
Larry Ellison by Anonymous Coward · 2016-03-11 15:59 · Score: 1

is the single worst human being on the entire face of the earth.
I don't use his software, and neither should anyone else.
CAPTCHA: Opulent. You can't make this shit up....
Sun, come back! by Anonymous Coward · 2016-03-11 16:18 · Score: 1

I wish Sun Microsystems hadn't been sold to Oracle. It was necessary, but still it's a pity.
A lot of smart people were at Sun. James Gosling, Jon Bosak, ... I hate to see collections of really smart people get broken up.
1. Re:Sun, come back! by HiThere · 2016-03-12 10:53 · Score: 1
  
  Maybe. But I still wish Java had non-object structs. I like being able to save binary images to disk without a bunch of serialization...and pull them back without a bunch of deserialization.
  For that matter, if they're going to add so many features into the language, why don't they add a persistent storage B+Tree. I rarely need or want SQL, but a built in B+Tree would be immensely useful. And I don't mean one elaborated the way libdb (SleepyCat) is...more like the way it was, only built into the language so it could automatically handle non-reference based data. C has a good reason for not including that, it's emphasis is minimalism. C++....well, there are decent libraries you can use, but I'm not convinced. Still, they put their emphasis on libraries with minimal-to-no runtime overhead. Java doesn't have those excuses. (OK, originally it was aimed as an embedded language, and then it was going to be a language that ran totally in browsers...but when they gave up on those choices...)
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
18 years later, /. still posts nonsense by roman_mir · 2016-03-11 16:36 · Score: 5, Informative

18 years later and /. still allows nonsensical titles on its front page.
Java is a bloody language, not a thing that breaks your computer.

Overview
Unspecified vulnerability in Oracle Java SE 7u25 and earlier, and Java SE Embedded 7u25 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Description
Per http://www.oracle.com/technetw... 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.'
Java is mostly used as a language and runs on server side JVMs, not in people's browsers.
Oracle, however, is a piece of shit company and its incompetence is legendary, it is a truly sad situation and as I wrote years ago, I bet the likes of IBM and Google are sorry now that they didn't manage to buy out SUN's assets before Oracle did.

--
You can't handle the truth.
1. Re:18 years later, /. still posts nonsense by thegarbz · 2016-03-11 21:23 · Score: 1
  
  18 years later and /. still allows nonsensical titles on its front page.
  People don't like change.
successfully exploited in a server env and GAE by Anonymous Coward · 2016-03-11 17:13 · Score: 1

You didn't read the article didn't you?
Oct 2013 indicated that Issue 69 could "be
exploited only through sandboxed Java Web Start applications and sandboxed
Java applets". This is not true. We verified that it could be successfully
exploited in a server environment as well such as Google App Engine for
Java [4].
Thank you.
big deal by ooloorie · 2016-03-11 17:43 · Score: 1, Flamebait

Java security has pretty much always been broken in one way or another anyway, so who cares?
This is for Applets/JWS, doesn't really matter by coder111 · 2016-03-12 09:30 · Score: 2

Hi,

This vulnerability only applies to Applets or Java Web Start- SANDBOXED environments. It doesn't matter for any real-world scenario- server apps or desktop apps or Android apps.

Thing is, sandboxed java is insecure, and by this point it's obvious it's pretty much impossible to secure. So applets or JWS will remain insecure, but they should not be used in the first place and they are barely used in real world anyway these days. Today java is used in BigData/backend/server-side/web-server apps, or in some desktop apps, or in Android. Anyone still using Applets or JWS should just stop...

Shame to Slashdot for clickbait tittle- by now they should know better than to post crap like this.

--Coder
1. Re:This is for Applets/JWS, doesn't really matter by ls671 · 2016-03-12 23:49 · Score: 2
  
  Just consider that running Applets/JWS is just like running a desktop application. Forget about the security manager and its setting in Applets/JWS. Just assume an "allow all" configuration.
  Then, there is still a use for Applets/JWS when you trust the provider as you would trust him to install a desktop application coming from him. Code signing and signature verification is available in both cases. From that perspective, you can still deploy your desktop application through JWS if you wish without any additional security threats for your users compared to a desktop application.
  Basically, it seems that the security manager is broken, assuming an "allow all" configuration makes running JWS no less secure than running a desktop application.
  https://docs.oracle.com/javase...
  
  --
  Everything I write is lies, read between the lines.