'Mark-of-the-Beast' bug topples Java apps

A bug in Oracle's Java programming framework causes computers to freeze when they encounter certain numerical values with large numbers of decimal places, a flaw that makes websites susceptible to highly efficient denial-of-service attacks. The vulnerability in the latest version of Java is similar to a flaw discovered last …

COMMENTS


Reported 10 years ago

The issue was reported 10 years ago in 2001:

http://bugs.sun.com/view_bug.do?bug_id=4421494

(The bug report also contains a suggested fix.)

There is a test for this issue in the Free Software Jacks Mauve test suite:

http://sourceware.org/mauve/jacks.html

So none of the free software Java implementations had this bug, since they ran this test suite. But apparently the Sun Java implementation was never tested against it.

Luckily, now that OpenJDK is available under the GPL, someone already posted a fix to the core-libs mailing list last week:

http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html


Thanks Oracle

"This bug is not available"

:(


Not to worry, Oracle are helping

Since update 23 the HTML delegator freezes up on reload, making anything with HTML content (JTextPane, JEditorPane et al.) break with a null pointer exception. This obviously breaks a lot of web applets - I've read reports of banks' applets being completely useless. The bug was in the last update (23?) from October and no fix is coming. Did Oracle fire the Java team?

Talk about a game breaker. We've had to code around it, but txt vs. rtf vs. html... html wins, rtf is a pain, and txt is just not fluffable enough for the designers. *le sigh*


Or parse input via BigDecimal...

BeanShell 2.0b4 - by Pat Niemeyer (pat@pat.net)
bsh % import java.math.*;
bsh % bd = new BigDecimal("2.225073858507201E-208");
bsh % print (bd);
2.225073858507201E-208
bsh % print (bd.doubleValue());
2.225073858507201E-208
bsh % double d = bd.doubleValue();
bsh % print (d);
2.225073858507201E-208
bsh %

:-)

Ironically a few days before this broke, I was asked if we could optimise out the use of BigDecimals to hold and move typical price values in a legacy product we needed to make faster. Luckily it wasn't going to be easy enough to do immediately...

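The comment above suggests taking decimal input through BigDecimal rather than Double.parseDouble. The following is an added example, not code from the thread or from any JDK, showing what that looks like at an input boundary: the text is first checked against a bounded grammar (the digit limits are arbitrary choices for this example), then parsed exactly as a BigDecimal, and the arithmetic stays in BigDecimal. The class and method names are this example's own. It deliberately never calls doubleValue(): whether a given JDK's BigDecimal-to-double conversion shares code with Double.parseDouble is something to verify on the JDK actually deployed, not to assume.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.util.regex.Pattern;

/**
 * Added example (not from the forum thread): accept decimal text at a trust
 * boundary without handing it to Double.parseDouble. Input is validated
 * against a fixed grammar, parsed exactly as BigDecimal, and kept as
 * BigDecimal for arithmetic, so no binary floating-point conversion is
 * attempted on caller-controlled text.
 */
public final class SafeDecimalInput {

    // Bounded grammar: optional sign, 1-20 integer digits, optional fraction
    // of 1-20 digits, optional exponent of 1-3 digits. The limits are this
    // example's choice; the point is that the application, not the caller,
    // decides the accepted size and shape of a number.
    private static final Pattern DECIMAL =
        Pattern.compile("[+-]?\\d{1,20}(\\.\\d{1,20})?([eE][+-]?\\d{1,3})?");

    private SafeDecimalInput() {}

    /** Parses text into a BigDecimal, or throws IllegalArgumentException. */
    public static BigDecimal parse(String text) {
        if (text == null || !DECIMAL.matcher(text).matches()) {
            throw new IllegalArgumentException("rejected decimal input");
        }
        // The BigDecimal(String) constructor is exact decimal parsing; the
        // value is stored as an unscaled integer plus a scale, with no
        // rounding to a binary double.
        return new BigDecimal(text);
    }

    /** Keeps the arithmetic in BigDecimal: unit price times quantity, 2 dp. */
    public static BigDecimal lineTotal(String unitPrice, String quantity) {
        return parse(unitPrice).multiply(parse(quantity))
                               .setScale(2, RoundingMode.HALF_UP);
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration.
        System.out.println(lineTotal("19.99", "3"));          // 59.97
        System.out.println(parse("2.225073858507201E-208"));  // stored exactly

        // Shapes the grammar refuses before any parsing happens.
        String[] rejected = {
            "1e9999",                       // exponent too long
            "0.12345678901234567890123",    // fraction too long
            "NaN",                          // not a decimal literal
            "0x1p-1074",                    // hex float syntax
            ".5"                            // no integer digits
        };
        for (String s : rejected) {
            try {
                parse(s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s);
            }
        }
    }
}
```

If the application genuinely needs a double later (for example to hand a value to a graphics or numeric library), do that conversion in one well-known place and test that place on the deployed JDK with the values the text of this thread describes, rather than converting at every parse site.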

I'll remember this.

The next time someone suggests that writing OSs in Java would help security and stability I'll be sure to point them here.

OK, I know it's more complicated than one bug -- but this goes to show that no language is without flaws.


@ Cameron "point them here"

Next time someone suggests that writing OSs in Java would help ANYTHING, or that Java is without flaws, you should point them to the nearest asylum, not here.

Anonymous Coward

Hmmm

Is this why I've had problems with opening Hotmail emails in my inbox the last couple of days through Firefox/Ubuntu? Having to use SeaMonkey to read and delete anything.


No. It isn't.

I can't imagine anything less likely than Microsoft using Java applets for you to read your Hotmail emails in a browser. Perhaps you're confusing Java with JavaScript? Think of the differences between Java and JavaScript as being the same as the differences between jam and jamboree, or microscope and Microsoft.
