Here we go again: Critical flaw found in just-patched Java Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday. The company would not disclose specific details on the nature of the new vulnerability …
I remember reading somewhere that some of the previous bugs (or similar) did exist in at least one other JVM (an OSS one) but had been squashed when they were found. I cannot remember where I read it or which JVM, so you might want to do some fact-checking, but there you have it.
As this new one apparently arises from Oracle's poor patch, they should be specific to Oracle's JVM.
I did not really check seriously though, as I try to avoid using Java whenever possible -still have it installed on most of my machines, natch- and I would certainly never allow it to run within a web browser, ever.
(I know, some persons kind of have to, but in that case I made my own luck really: that was one of my criteria when choosing a bank, and I did rewrite some stuff at work -in python mostly, and I had a webmonkey bake some PHP also. He dislikes Java as much as I do so it did not take much persuasion, I just gave him an excuse in case someone higher up the food chain would throw a hissy fit over it. And yes, I know, Python and PHP are not perfect yadda yadda yadda. Watch me not giving the slightest hint of a fuck. At least they're not Oracle's, to list only the top reason)
The main vulnerability (something asinine like allowing removesecurity() to run without checking permissions) that led to this patch was specific to Oracle's official distro of 1.7 - versions 1.6 and OpenJDK (the default version of Java for most Linux distros) were not vulnerable.
Of course, that's one of 20+ vulnerabilities reported earlier this year. Odds are that most of them are not new regressions to the Oracle stream... as for which of these are present in OpenJDK who knows.
"I did rewrite some stuff at work -in python mostly, and I had a webmonkey bake some PHP also. He dislikes Java as much as I do so it did not take much persuasion"
> Wants to get rid of Java apparently for no good reason whatsoever expect it's Java
> Rewrites "some stuff" at work in Python/PHP with a webmonkey on the side
> 100% sure he hasn't upgraded the attack surface, possibly to "access all areas"
Mfw
I wouldn't place the entire blame, actually very little, on Oracle nor Sun. Fundamentally it comes down to reflection and security contexts, especially the inheritance of security contexts. Inheritance, and their idiotic reliance on reflection to make things *easier*, is true of many (most?) software language designs today. Dump reflection, since dumping inheritance would be considered too extreme, would fix this. Then again, some people might have to really *think* about the class of problems that reflection was supposed to help with.
I've seen the languages come and go, quite often taken out of the game by, in relection (pun intended), a desired feature with major unintended consequences.
Maybe they are still thinking that all publicity is good publicity.
I don't like Java, but I'm pretty sure that this is a problem of the run-time not the language.
"The revolution will not be fixed in the next release."
-Very nice, quotable statement. I'd probably get fired if I said that at work (they would think I was talking the company product) :P
Which Frank? I hate Java too, but its not me.
Hell, I dont even have Java installed on any of my machines anymore except the one I use for Army Knowledge Online because the Army's dumb enough to require Java for damned near everything on AKO. Its really dumb considering some of the information that goes across that network.
My first language was basic on an Atari 800 XL, then Turbo Pascal in High School, at the university level Fortran, then Modula-2.
After the first introduction to programming class, people finished their assignment in whatever language they wanted. Everyone learned C and at least some C++, Java was less popular. If you actually wanted to be taught a language it was a 1 credit hour pass/fail class, but people only took that when they needed more credits to reach full time status.
Obviously the class on x86 required assembly language and a lot of the Knowledge Based Systems/A.I. classes used languages like Scheme and LISP.
I don't think the languages you learn has much importance, unless your the type to learn just enough to get by then stop.
I personally wasn't that great a C++ programmer, until I read a couple good book on design patterns.
I'm kind of sick of half-open things becoming de facto standard. In a way, it's worse than having fully closed things like Windows, because Oracle pretends it to be open. I'd really like a nice W3C approved binary/VM web standard.
On the Web-Java side we have IcedTea which doesn't work much. On Flash, we have Flashdevelop, Haxe, and Gnash, which doesn't work much. Oracle has Java sewn up, like Adobe has with Flash. HTML 5 is very limited as to the binary you can stream at the moment. Something completely different might be called for. These latest security blips are just convincing me more.
Anyone know of anything like that? I wouldn't mind forcing my users to download a "plugin" if I knew it was GPL'd, and cross-platform W3C standard (and it worked!)
I wonder if all (/some of) these "mission critical" programs written in java could be saved by compiling java code to native machine code (I believe compilers do exist).
Might allow people/companies to keep using the java programs they rely on and have invested time and money in, but without all the risks of leaky-bucket java runtime.
Of course. It's similar to how Android works with it's Dalvik version of Java (java bytecode is compiled closer to machine code on package installation).
And it's easy to do yourself anywhere: http://en.wikipedia.org/wiki/GNU_Compiler_for_Java
But the GNU version a bit on the flakey side, and cannot compile everything. There is a 'commercial' option that works more relaibly, but it costs: http://www.excelsior-usa.com/jet.html
Also, be aware that compiling to machine code in advance can actually *decrease* execution speed, since the JVM watches how the code is executed to gather information on how methods should be compiled for optimal efficiency, especially when the JVM is run in 'server' mode using the -server flag to enable way more aggressive optimization.
But none of these options will have any effect on the bugs in this article, since they all appear to only have any effect on 'sandboxed' applications run in a web browser. Applications run directly are not placed in a sandbox, just as straight machine code isn't.
With all the patent litigation flying around the tech sector, it's nice to see a part of the IT community where real, genuine competition still thrives. Oracle is competing with Adobe to make the most insecure, vulnerable software available, and we as computer users reap the bountiful rewards of that competition.
From Friday, 31 Aug 2012:
http://seclists.org/fulldisclosure/2012/Aug/388
"... Today we sent a security vulnerability report along with a Proof of
Concept code to Oracle. The code successfully demonstrates a complete
JVM sandbox bypass in the environment of a latest Java SE software
(version 7 Update 7 released on Aug 30, 2012). The reason for it is
a new security issue discovered, that made exploitation of some of
our not yet addressed bugs possible to exploit again."
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
