New critical Java flaw claimed

Oracle's Java is making a play to wrest back the title of world's leakiest code from Internet Explorer, after Polish researcher Adam Gowdiak claimed another critical flaw exists in the product. The new claim is stated on the Full Disclosure mailing list where Gowdiak writes that the newly-found flaw impacts “all latest versions …

COMMENTS

This topic is closed for new posts.

Is it just me or do I get the feeling that Oracle's heart is not really in this? They seem to have done a reasonable job with MySQL, so what's the problem with Java?


Browser Plugin vs. Server

I wish these articles would specify whether the fault is yet another browser plugin loophole or a real server problem. It only takes a few words and would convert the various scare story headlines into something useful.

No-one I know uses the Java browser plugin or ever has (Cisco kit admin is the only reason anyone would install it and it's easier to just use an F5 instead). Like ActiveX, it's a fundamentally dumb idea from a security point of view. However, server side Java is just a big heap of loveliness that has never let me down.


Re: Browser Plugin vs. Server

Oracle are still beating a dead horse called JavaFX so they still install the plugin. JavaFX is actually a really powerful environment but since nobody uses it it's also irrelevant and a risk that most people shouldn't be exposed to. The plugin should be optional and not installed by default and if Oracle won't do it then the browsers should special case it and only run it from whitelisted sites. If Oracle hadn't been so busy suing Google they might have realised that JavaFX could have been a goldmine on Android rather than chasing for scraps in browser land.

Java in other roles is awesome. Providing it is coded properly, it really is write once, run anywhere, and the breadth of roles it is used for demonstrates how powerful it is. Sadly, Java is stewarded by a bunch of change-averse nincompoops, which means Java the language is lagging far behind where it should be right now. It's depressing to compare the evolution of C# vs. Java. Fortunately, stuff like Groovy, Jython, Scala etc. exists to augment it where appropriate.


Re: Browser Plugin vs. Server

I wish these articles would specify whether the fault is yet another browser plugin loophole or a real server problem. It only takes a few words and would convert the various scare story headlines into something useful.

I wish before people leveled this sort of complaint they checked the article's sources, so they could see whether the information in question is even available.

It isn't, unless you have another source (like Gowdiak himself). As the article points out, in the announcement on Full-Disclosure (also sent to Bugtraq), Gowdiak / Security Explorations haven't released many details.

Despite the comment about Java One (which will be held next week), I believe Gowdiak is still planning to present technical details on at least some of the 50 vulnerabilities he says he's discovered at Devoxx in mid-November.

Now, that said: the language of the announcement, particularly when you compare it with Gowdiak's other announcements, appears to imply that this is a core Java SE bug, and so is not confined to the browser plug-in.

It's also worth noting, though, that the kinds of vulnerabilities Security Explorations seem to be most interested in are the sort where unprivileged code breaks the Java VM security model and gains elevated privileges; so we're generally talking about attack vectors that can only be exploited by executing Java classes, not simply by malformed data. Of course in theory the latter could be a platform for the former, if there's another vulnerability that lets an attacker drop classes on the target and have them executed. But it's not as bad as, say, a SQL injection vulnerability that a remote attacker can exploit with no additional assistance.


Here is the exploit in action: "The gift that just keeps giving"

http://www.youtube.com/watch?v=qixpEToz2LU

Anonymous Coward

Small correction here

The title should say "New critical Java flaw acclaimed".
