Slashdot Mirror

← Back to Stories (view on slashdot.org)

2 Years Later, Java Security Still Broken By Faulty Oracle Patch

Posted by timothy on from the bitter-brew dept.

An anonymous reader writes: A faulty security patch has left Java users vulnerable to attacks in the past two years, researchers from Polish security firm Security Explorations are claiming. The issue in question is CVE-2013-5838, which was discovered and patched in October 2013. Two years later, going back over their researcher, the same security researchers have now discovered that Oracle had not only misclassified its impact but also botched the fix. In a Full Disclosureexposé, the researcher says that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch.

4 of 41 comments (clear)

  1. Again? by jbmartin6 · · Score: 3, Interesting

    I can't find the details, but I vaguely recall Oracle doing this with other 'patches' as well, simply blacklisting the exploit instead of fixing the vulnerability.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  2. Java security is not broken! by Anonymous Coward · · Score: 5, Interesting

    FTA "... a sandbox exploit for Java Web Start applications and Java applets."
    Great, just label it all "Java", shall we?
    Never mind that neither the JREs nor server JDKs running countless web applications around the world are vulnerable. Never mind that Android is not vulnerable just for using Java. Ignore the existence of OpenJDK entirely.
    Just say it's a critical flaw in "Java" security. FFS.

    PS Don't use Java Web Start or Applets.

    1. Re:Java security is not broken! by DamonHD · · Score: 4, Insightful

      With regard to your "Java is shit, shit" you are talking nonsense and should take some deep breaths. Really, grow up. And the rude words don't add gravitas either.

      I use and have used many languages over the last 40 years, 30 professionally, and while Java is not perfect *NOR IS ANYTHING ELSE*. I'm having to use C/C++/ASM again at the moment and would much prefer the inherent safety against, for example, buffer overflows from coding errors of Java, but the run-time is too expensive for my current main application.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
  3. 18 years later, /. still posts nonsense by roman_mir · · Score: 5, Informative

    18 years later and /. still allows nonsensical titles on its front page.

    Java is a bloody language, not a thing that breaks your computer.


    Overview

    Unspecified vulnerability in Oracle Java SE 7u25 and earlier, and Java SE Embedded 7u25 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

    Description
    Per http://www.oracle.com/technetw... 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.'

    Java is mostly used as a language and runs on server side JVMs, not in people's browsers.

    Oracle, however, is a piece of shit company and its incompetence is legendary, it is a truly sad situation and as I wrote years ago, I bet the likes of IBM and Google are sorry now that they didn't manage to buy out SUN's assets before Oracle did.

    --
    You can't handle the truth.