Slashdot Mirror


2 Years Later, Java Security Still Broken By Faulty Oracle Patch

An anonymous reader writes: A faulty security patch has left Java users vulnerable to attacks for the past two years, researchers from Polish security firm Security Explorations are claiming. The issue in question is CVE-2013-5838, which was discovered and patched in October 2013. Two years later, going back over their research, the same security researchers have now discovered that Oracle had not only misclassified its impact but also botched the fix. In a Full Disclosure exposé, the researcher says that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch.


  1. Again? by jbmartin6 · · Score: 3, Interesting

    I can't find the details, but I vaguely recall Oracle doing this with other 'patches' as well, simply blacklisting the exploit instead of fixing the vulnerability.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  2. Java security is not broken! by Anonymous Coward · · Score: 5, Interesting

    FTA "... a sandbox exploit for Java Web Start applications and Java applets."
    Great, just label it all "Java", shall we?
    Never mind that neither the JREs nor server JDKs running countless web applications around the world are vulnerable. Never mind that Android is not vulnerable just for using Java. Ignore the existence of OpenJDK entirely.
    Just say it's a critical flaw in "Java" security. FFS.

    PS Don't use Java Web Start or Applets.

    1. Re:Java security is not broken! by DamonHD · · Score: 4, Insightful

      With regard to your "Java is shit, shit" you are talking nonsense and should take some deep breaths. Really, grow up. And the rude words don't add gravitas either.

      I use and have used many languages over the last 40 years, 30 professionally, and while Java is not perfect *NOR IS ANYTHING ELSE*. I'm having to use C/C++/ASM again at the moment and would much prefer the inherent safety against, for example, buffer overflows from coding errors of Java, but the run-time is too expensive for my current main application.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
  3. Java fail? That's unpossible! by Lisandro · · Score: 2

    It runs in a virtual machine and my Oracle rep tells me those are bulletproof!

  4. 18 years later, /. still posts nonsense by roman_mir · · Score: 5, Informative

    18 years later and /. still allows nonsensical titles on its front page.

    Java is a bloody language, not a thing that breaks your computer.


    Overview

    Unspecified vulnerability in Oracle Java SE 7u25 and earlier, and Java SE Embedded 7u25 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

    Description
    Per http://www.oracle.com/technetw... 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.'

    Java is mostly used as a language and runs on server side JVMs, not in people's browsers.

    Oracle, however, is a piece of shit company and its incompetence is legendary, it is a truly sad situation and as I wrote years ago, I bet the likes of IBM and Google are sorry now that they didn't manage to buy out SUN's assets before Oracle did.

  5. This is for Applets/JWS, doesn't really matter by coder111 · · Score: 2

    Hi,

    This vulnerability only applies to Applets or Java Web Start - SANDBOXED environments. It doesn't matter for any real-world scenario - server apps or desktop apps or Android apps.

    Thing is, sandboxed java is insecure, and by this point it's obvious it's pretty much impossible to secure. So applets or JWS will remain insecure, but they should not be used in the first place and they are barely used in real world anyway these days. Today java is used in BigData/backend/server-side/web-server apps, or in some desktop apps, or in Android. Anyone still using Applets or JWS should just stop...

    Shame on Slashdot for the clickbait title - by now they should know better than to post crap like this.

    --Coder

    1. Re:This is for Applets/JWS, doesn't really matter by ls671 · · Score: 2

      Just consider that running Applets/JWS is just like running a desktop application. Forget about the security manager and its setting in Applets/JWS. Just assume an "allow all" configuration.

      Then, there is still a use for Applets/JWS when you trust the provider as you would trust him to install a desktop application coming from him. Code signing and signature verification is available in both cases. From that perspective, you can still deploy your desktop application through JWS if you wish without any additional security threats for your users compared to a desktop application.

      Basically, it seems that the security manager is broken; assuming an "allow all" configuration makes running JWS no less secure than running a desktop application.

      https://docs.oracle.com/javase...

      --
      Everything I write is lies, read between the lines.
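To make concrete what ls671 means by treating the sandbox as an "allow all" configuration, here is an added illustration (not code from the story, from Oracle, or from any commenter) of the two ends of the SecurityManager spectrum. It assumes a JDK on which the legacy SecurityManager still runs (Java 8 through 17; on Java 18 and later start the JVM with -Djava.security.manager=allow). The two Policy classes and the file path are constructed for the demo; neither corresponds to any real deployment.

```java
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class SandboxPolicyDemo {

    /** "Allow all": every protection domain gets AllPermission, so the
     *  SecurityManager never denies anything. A sandbox whose escapes are
     *  unpatched is effectively equivalent to this configuration. */
    static final class AllowAllPolicy extends Policy {
        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            Permissions perms = new Permissions();
            perms.add(new AllPermission());
            return perms;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return true;
        }
    }

    /** A deliberately tiny sandbox: code may read one harmless system
     *  property and nothing else (no file, socket or runtime permissions). */
    static final class SandboxPolicy extends Policy {
        private final Permissions perms = new Permissions();

        SandboxPolicy() {
            perms.add(new PropertyPermission("java.version", "read"));
        }

        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            return perms;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return perms.implies(permission);
        }
    }

    /** Asks the installed SecurityManager whether reading {@code path} would
     *  be allowed, without actually touching the file. */
    static boolean hostFileReadAllowed(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return true; // no manager installed: everything is allowed
        }
        try {
            sm.checkRead(path);
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    static void runUnder(String label, Policy policy) {
        Policy.setPolicy(policy);
        System.setSecurityManager(new SecurityManager());
        // Constructed path; it need not exist, only the permission check matters.
        boolean allowed = hostFileReadAllowed("/hypothetical/host/secret.txt");
        System.out.println(label + ": read of host file allowed = " + allowed);
    }

    public static void main(String[] args) {
        // Permissive case first: under AllowAllPolicy the code is still
        // permitted to remove the manager before switching policies.
        runUnder("allow-all policy", new AllowAllPolicy());
        System.setSecurityManager(null);

        // Under the sandbox policy the manager cannot be removed afterwards
        // (RuntimePermission "setSecurityManager" is not granted), which is
        // the guarantee a sandbox is supposed to provide.
        runUnder("sandbox policy", new SandboxPolicy());
    }
}
```

The first line prints `true` and the second `false`: the same check, with the same code on the stack, is decided entirely by the policy the manager consults. ls671's point is that once the enforcement layer itself can be bypassed, the honest threat model is the first line, and the remaining control is the one that also applies to desktop software, namely verifying who signed the code (for a JAR, `jarsigner -verify` from the JDK) before deciding to run it.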