Java bug exposes users to serious code-execution risk
Researchers have discovered a flaw in the latest version of Oracle's Java runtime environment that attackers can exploit to remotely execute malicious code on end user machines. The bug in the Java Web Start component has been confirmed exploitable on all recent versions of Windows by Tavis Ormandy, a security researcher who …
I tried the demo and got a blank white page--and nothing else. No apps, no warnings, no popups, zilch.
IE8/Vista here.
What do you mean you have to have Java installed? Oh, so now I have to install something to get infected? :)
I never got around to installing Java when I set up my current XP workstation last August. The only time I even noticed was when I followed a link to a satellite tracking applet on a NASA site.
I actually have 2 administration tools installed that are written in Java, and that actually have a JRE installed in their own subdirectories. 2 different versions, of course, because "write-once, run anywhere" apparently has certain what you might call limitations!
Just say no to Java!
I have not used Java for ages and ages now. I see not point in downloading it and is a pain when all the updates come out for it.
Oracle doesn't care because they make most of their money on Java on the backend. This just shows what a fail Sun was the last year of the 5+ year coma. First that users that didn't install Java didn't notice a lack of functionality and those that did got pwned. RIP Sun the world will hardly miss you.
Stick Java where the Sun doesn't shine!
(sorry, but someone had to do it)
...because they might need to, oh, I don't know, administer Cisco devices?
Retarded rhetorical question is retarded.
The people who don't really do anything sure come out of the woodwork on these.
... must have done this. An excellent example of the broken security philosophy of commercial entities. Open Source does have its shares of problems, but normally someone is shamed into really quick action to fix the issue.
I could could a couple of tales here about the practices of a software company that served banks and insurances companies here.
Just a few questions
* why should you fix a bug that might mix up an account number ?
* why can't you use rand() to create a "secret" session identifier ?
etc etc
BIG FAT FAIL.
It's just as well no one has Java installed these days.
there are 10's of millions of jre downloads every month, so clearly Java is used. If you surf the web you are using Java, maybe not on the desktop but on the back end it is in wide spread use. But I do also run into java on the web all the time, I have the console open so I see when it's running.
Standford University Network software is their "SUNWSpro" debugger.
A piece of sluggish Java mated with the dbx debugger. If you want to perform a couple of quick single-steps through your code, you have to wait for the debugger...
And then it might simply lock up because of reasons I don't understand. Only killing the java process of the debugger and a restart fixes this.
You can say whatever you like about Microsoft, but their VisualStudio 2008 is a nearly perfect product compared to the SUNCrap.
Hopefully Oracle will fix this....
Good question. So I have disabled it as of now. Doesn't Open Office use it? Oh well, no loss. Maybe Steve's right when he disses Java and won't have it on the iPhone. Who am I kidding? "Maybe" - of course he's right.
Java is not important for OpenOffice and, in fact, I normal disable it on a new install as it's one of the best ways of speeding up the start time.
It's only used for a few wizards I think
Steve's real reason for not allowing Java (or Flash for that matter) has nothing to do with security - although that's a very convenient excuse for him to use - but has everything to do it being possible to run apps or play games via Java (or Flash for that matter) without paying for it via the App Store. Anyone that thinks any differently is delusional.
when did the merged Sun/Oracle rebrand Java (and all of Sun's other products) under the Oracle name?!?! Why wouldn't they keep the Sun name and brand the database product as Sun Oracle database? That makes a lot more sense to me. Anybody in the IT industry knows what a PITA Oracle's products can be. Despite recent developments, Sun is still a more-trusted brand name.
If this is a Java Web Start issue then it's not really "Java in the Browser" - it's a way of downloading and installing Java applications (not applets) from a website onto the Desktop in a standard format. Why would you want this? Ever done a rollout to 10,000 desktops?
Java's natural home is definitely on the server, but a lot of changes in 1.6.0_16 make the applet experience much better than the crappy "Nervous Text" type stuff you may remember from 5 years ago - startup is much quicker and easier than it was, although still not as transparent as Flash.
Having said all that Java Web Start still has issues - we've modified our App to work with it but it does feel a bit beta stilll - and this story isn't too surprising. Sun really, really cocked up Java on the Desktop.
Anyone who needs java. I have it installed for ADVFN, KGS and ThinkingRock. For the sites I use NoScript and similar blockers by default so only those domains I permit are able to touch it. I'm not seeing any issues, either in the admin and maintenance of the jre or in site access.
,,,those using a bank that takes security a bit more seriously than average. Or do their netbanking from a non-MS OS.
At least this was simple to fix. No patching necessary, just "sudo chmod a-x `which javaws`" and it's blocked. Nice. Hopefully the next "update" from Sun/Oracle is not going to break anything...
You only need ssh. Their GUIs are a lesson in how not to do them - their mantra seems to be 'Write once, fail everywhere'.
The latest cisco GUI requires flash *and* java (and a specific version of that as well), and is handily packaged in a windows specific MSI file (with a broken installer that requires hand-fixing).
It's *way* easier to learn the little IOS you need to get started than install their piece of junk attempts at a GUI app.
and then come back and tell us how it's going.
Larry got rid of one of the Academics of the Stanford University Network:
http://www.heise.de/newsticker/meldung/Java-Erfinder-verlaesst-Oracle-974930.html
There is hope that real engineers are responsible now. Maybe we will get refcounting for Strings and Stack allocation and destructors. Basically a safe C++.
So that you can run all of those natty JavaFX applets of course :D
I finally found out how to fix the Java problems: Just use dbx without the Java crap on top. A nice piece of C software that is a little uncomfortable, but 100% reliable and fast.
@Larry Ellision:
Could you please execute:
$ssh root@sourcerepository.oracle.com
$ find / -name "*.java" |xargs -n 100 rm -f
Thank you. Your help is appreciated.
Also, please make funding for a GTK-based dbx GUI available. Or at least something curses-based, similar to gdbtui.
Sign up, sign up for The Register's weekly IT security newsletter - click here
