
New Java Vulnerability Found Affecting Java 5, 6, and 7 SE

Unknown Lamer posted about 2 years ago | from the everything-is-compromised dept.


jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."


121 comments


Java runtime vs. .NET runtime (5, Funny)

Nsks (2738937) | about 2 years ago | (#41453915)

What is with Java and all these exploits? It's the most exploited piece of software on the planet. I think they should learn something from Microsoft's .NET runtime. It's installed on pretty much every Windows computer out there. Still there are no exploits against it! Microsoft seems to know what they're doing much better than Oracle.

Re:Java runtime vs. .NET runtime (4, Funny)

sgrover (1167171) | about 2 years ago | (#41453975)

Dude!!! You almost made pop come out my nose! I laughed so hard!

Pop (1)

Anonymous Coward | about 2 years ago | (#41454043)

Your dad came out of your nose?

http://www.popvssoda.com Fight!

Re:Pop (0)

Anonymous Coward | about 2 years ago | (#41454263)

Sorry, I was laughing so hard I couldn't spell. He almost made *poop* come out my nose. Last night was scat night at the LUG.

Re:Pop (0)

Anonymous Coward | about 2 years ago | (#41455073)

Die in a fire.

Re:Pop (0)

Anonymous Coward | about 2 years ago | (#41455405)

Somebody is pissed that he wasn't invited. Which reminds me: next month our LUG is having a water sports night. Have some pizza, talk about ubuntu, gentoo compiler flags, and, of course, piss play!

Re:Pop (0)

Anonymous Coward | about 2 years ago | (#41455701)

I think he meant "come pop out of [his] nose"

Re:Java runtime vs. .NET runtime (1)

hoggoth (414195) | about 2 years ago | (#41454713)

At first glance I thought you said 'pop corn out of my nose'. I was picturing kernels going in one nostril and fully popped corn shooting out the other.

Re:Java runtime vs. .NET runtime (1)

TeknoHog (164938) | about 2 years ago | (#41455491)

Man, all these years I've wondered what the big boys mean by "compiling the kernel". Thank you sir!

Re:Java runtime vs. .NET runtime (0, Insightful)

Anonymous Coward | about 2 years ago | (#41453989)

Ever hear of activeX?

Re:Java runtime vs. .NET runtime (2)

Joce640k (829181) | about 2 years ago | (#41455141)

What does ActiveX have to do with .Net?

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41453991)

Microsoft's .NET runtime. It's installed on pretty much every Windows computer out there. Still there are no exploits against it! Microsoft seems to know what they're doing much better than Oracle.

...perhaps because they have the source code for Windows?

Re:Java runtime vs. .NET runtime (1)

Anonymous Coward | about 2 years ago | (#41453997)

Really, somebody better tell Microsoft so they can stop issuing worthless security updates: http://technet.microsoft.com/en-us/security/bulletin/ms12-016

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41454051)

At least they patch it in a timely fashion... How long did it take for oracle to deal with the previous high-publicity exploit?

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41455241)

A patch was out before the exploit was made public.

Re:Java runtime vs. .NET runtime (1)

cbhacking (979169) | about 2 years ago | (#41456987)

Um, no. Not even slightly.

There was a patch for three of the (~20) vulnerabilities that were reported. When Oracle neglected to patch the rest in a timely manner, another 3 of the vulns were chained together to make a full applet-sandbox-bypass exploit. That was in the wild for several days before Oracle finally released an out-of-band patch to fix it... and even then, they haven't yet patched all the other reported issues.

Oracle knew about the vulns, and may even have had an internal patch, but they did not publish it before a working (on the current released patch level) exploit was published.

Re:Java runtime vs. .NET runtime (4, Informative)

gagol (583737) | about 2 years ago | (#41454039)

You mean like this [cisecurity.org]?

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41454049)

I think they should learn something from Microsoft's .NET runtime. ...

Hahaha! Nsks is like one of those Bite-N-Smile actors. Fake smiling toward the camera, then crying on the floor in the bathroom a few hours later because they can't wash the feeling off.

Re:Java runtime vs. .NET runtime (4, Interesting)

scorp1us (235526) | about 2 years ago | (#41454087)

Nah, I'd say Flash is the most exploited runtime.

I never liked Java, but .NET is even worse for a web platform as it only supports a fraction of the platforms. Java was invented to be portable; .NET was invented to be a less portable Java.

Re:Java runtime vs. .NET runtime (-1)

Anonymous Coward | about 2 years ago | (#41454175)

Never heard of the Mono project and Moonlight? The .NET spec is open, and there are alternate implementations for most platforms. Just like Java, except without an evil corporation yanking the carpet out from under the devs every three months.

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41454279)

How about no?
Does no work for you?

Re:Java runtime vs. .NET runtime (1)

Anonymous Coward | about 2 years ago | (#41454419)

[.NET is] just like Java, except without an evil corporation yanking the carpet out from under the devs every three months.

LOLWUT?

Re:Java runtime vs. .NET runtime (1)

Anonymous Coward | about 2 years ago | (#41454567)

Moonlight is dead. It hasn't been updated in nearly 2 years. Moonlight never supported DRM, authentication and such, unlike Silverlight.
I used to belong to Netflix (back when they had a good selection of movies) but couldn't stream movies from their website to Linux.

Re:Java runtime vs. .NET runtime (1)

HiThere (15173) | about 2 years ago | (#41454585)

Have YOU heard about how compatible they were?

If they had been successful, MS had already pledged to sue them "To defend our intellectual property". Now that was only an MS vice-president, so while he's an official spokesman, he might not know the true plan. But it was said, and never denied.

Re:Java runtime vs. .NET runtime (1)

Anonymous Coward | about 2 years ago | (#41454633)

http://www.microsoft.com/openspecifications/en/us/programs/community-promise/default.aspx

Yeah, so much for suing. BTW, care to provide reference to your claim while you're at it?

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41455851)

Heh, I don't see .NET on that list.

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41458037)

I swear, people like you need to be placed into special care until you grow some brains...

From Covered Specifications:

Common Language Infrastructure (CLI) - Ecma-335, 4th Edition and ISO/IEC 23271:2006 - this is the specification that defines the .NET runtime. It's not listed as .NET because that's just a name Microsoft uses of their implementation of the CLI spec.

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41456413)

I think you are confusing version 2.0 of C# and the CLR with ".net." The latest features in 3.5, 4.0 and so on are not in fact open, because the ECMA spec was never updated. More than that, the library is not open. Sure, the core base class library like String and stuff was included in the spec. But not WinForms, WCF, ASP.net and so on.

Those things are not open.

There's no credible implementation of .Net or C# on any platform besides Windows. Mono is a joke that I don't think anyone really uses for production. Certainly the performance (in memory, etc.) is much worse than on Windows. The JVM, however, is quite competitive on Linux and Windows performance-wise.

We still use Java for writing Server applications on Linux. These security issues only affect the Java web applet, and are not really a concern to any type of back end programming.

And by the way, are you aware that Microsoft is in fact an "evil corporation yanking the carpet out from under the devs every three months?"

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41456629)

I think you are confusing version 2.0 of C# and the CLR with ".net." The latest features in 3.5, 4.0 and so on are not in fact open, because the ECMA spec was never updated. More than that, the library is not open.

What a cunning way to try and stir up a Java vs C# flame war.

They may not be "open" by Micro$oft's ECMA Specifications, but there are open implementations of them.

Sure, the core base class library like String and stuff was included in the spec. But not WinForms, WCF, ASP.net and so on.

Those things are not open.

Mono has implemented pretty much all of C#, and although you are correct that it doesn't have native WinForms support, it does translate them into Gtk# pretty flawlessly. And regarding WCF, here's a quote from the mono project's homepage: "Nowadays WCF is part of the core Mono"
See http://www.mono-project.com/WCF_Development

There's no credible implementation of .Net or C# on any platform besides Windows. Mono is a joke that I don't think anyone really uses for production. Certainly the performance (in memory, etc.) is much worse than on Windows. The JVM, however, is quite competitive on Linux and Windows performance-wise.

I think your entire post is the joke actually, you provide no references for anything you say, which seems mostly biased from the perspective of a Java developer. I've done both C# and Java development professionally, and have a pretty extensive working knowledge of both.

Look up on google "Mono vs Java performance" and look for a recent comparison, you will see they are nearly identical.
And please look up your "facts" before you type them.

Re:Java runtime vs. .NET runtime (2)

Tharkkun (2605613) | about 2 years ago | (#41454173)

What is with Java and all these exploits? It's the most exploited piece of software on the planet. I think they should learn something from Microsoft's .NET runtime. It's installed on pretty much every Windows computer out there. Still there are no exploits against it! Microsoft seems to know what they're doing much better than Oracle.

All of the present exploits have come from Sun, prior to being acquired by Oracle. Did you expect Oracle to go back and regression test for exploits? I thought the code being open source would allow these things to be found?

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41454291)

Oracle doesn't fix. They mask. Big difference, lol.

Re:Java runtime vs. .NET runtime (1)

Tough Love (215404) | about 2 years ago | (#41455465)

Congratulations on joining the *whoosh* club for this thread.

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41454507)

You obviously don't pay much attention... There have been many security patches for the diarrhea that goes by the name of .NET.

Re:Java runtime vs. .NET runtime (1)

Joce640k (829181) | about 2 years ago | (#41455101)

I certainly hope .Net is secure...because the '.Net security updates' utterly fail to install themselves on any machine I own. Doesn't matter what version (v1.0 to whatever they're at now), doesn't matter what OS version (I've got XP and 7), I don't think a single one has ever installed. These days I don't even bother trying unless I'm already in a bad mood.

Re:Java runtime vs. .NET runtime (0)

Anonymous Coward | about 2 years ago | (#41455275)

Check to see if ur nets were replaced by tubes

Re:Java runtime vs. .NET runtime (2)

shutdown -p now (807394) | about 2 years ago | (#41455809)

.NET actually has a bigger attack surface when it comes to sandbox exploits, because its type system is much more complicated, and so its bytecode verifier has to be more complex as well to deal with that, with more corner cases that it can potentially get wrong. For example, .NET has the concept of managed pointers (aka byref) for parameter passing. It also has the concept of vararg methods on the VM level (with a variable number of arguments actually being pushed on the execution stack, not like Java's array-based varargs). I was experimenting in that area to do something unrelated, and found an exploit where you could pass a byref-to-byref (something that's normally verboten; the verifier just didn't catch it that time) to a vararg method, and mutate the reference to point to the stack frame that's about to be torn down, eventually letting you hijack an object's vtable pointer, for example, and execute arbitrary code.

IcedTea, anyone? (1)

Anonymous Coward | about 2 years ago | (#41453963)

As with previous exploits, what about IcedTea (OpenJDK)? Are Linux users yet again kicking back and enjoying the show?

Re:IcedTea, anyone? (1)

Tough Love (215404) | about 2 years ago | (#41455581)

IcedTea is really, really close to being a viable replacement for Oracle's JRE. Some crappy webapps from vendors who should know better (Juniper, looking at you) fail on IcedTea, probably because of stupid reasons that could be fixed instantaneously if the vendor bothered with even the slightest QA on the open JRE. This issue is rapidly elevating to critical because, as everybody can see, relying on Oracle for anything is just bad business.

Every big SW package has bugs (2)

davidwr (791652) | about 2 years ago | (#41454029)

While I commend their efforts, they could've reduced unneeded panic, FUD, and distraction by giving Oracle a few weeks to patch it before the big announcement.

Now customers everywhere will be concerned about this bug instead of the disclosed-to-the-vendor-only bug that gives you full administrative rights but which won't be made public until a reasonable time after the vendor was notified.

Apologies in advance if Oracle was notified a few weeks before this was made public and didn't disclose it themselves.

Re:Every big SW package has bugs (0)

Anonymous Coward | about 2 years ago | (#41455415)

Judging by the inflammatory language used in the announcement, I doubt they gave Oracle such a courtesy.

The way this played out, it looks like someone with deep-seated hate for everything Oracle wanted to stick it to them.

Report exploits to Debian and Red Hat too (4, Insightful)

David Gerard (12369) | about 2 years ago | (#41454031)

The OpenJDK teams at Debian (who also do Ubuntu) and Red Hat are good people to notify as well. Unlike Oracle, they won't sit on bugs.

Re:Report exploits to Debian and Red Hat too (0)

Anonymous Coward | about 2 years ago | (#41457355)

The OpenJDK releases suffer from a critical security flaw: they're shipped as packages which mandate that you be root to be able to install them (the one single most brainf*cked thing in the Debian / Red Hat world, and this comes from a big, big, big Linux fan and long time user).

This is a showstopper in my book: there are way too many Java exploits out there for me to ever risk installing such a package in anything else than a user directory. I don't care how good the install scripts supposedly are at constraining Java-the-nasty so that it doesn't act like the gigantic security issue it is: I'm not switching to root to install Java.

Wanna be safe with Java on Linux? It's trivial: fetch the good old Oracle Java .tar file and install Java in a separate user account. Of course, only ever do that if you're a Java developer and actually need Java. Otherwise there's zero reason for running Java on your Linux system.

Should your online banking website mandate Java, then use a live Linux CD to connect to your bank (it's only good practice anyway).

On Windows? You *must* be admin to install Java. I pity them.

Re:Report exploits to Debian and Red Hat too (2, Insightful)

Anonymous Coward | about 2 years ago | (#41458005)

You do realize that installing a package as root does not automatically cause the binary to be run AS root. I could chown every file on a Linux system to be owned by root:root and still be able to run programs as a non-privileged account.

I don't know if you're trolling or misinformed, but there is nothing inherently insecure about installing packages as root. RUNNING them as root is something completely different.

The Captcha was "Audited" ... funny.

Re:Report exploits to Debian and Red Hat too (0)

Anonymous Coward | about 2 years ago | (#41458189)

It's obvious you have no idea what you are talking about but I'll clue you in: You must be root or a privileged account to install packages. File permissions and ownership do not dictate under what permissions the program is run. If there is a binary with permissions 755 owned root:root and I run it as the user "jack" this does not give me root access through that program, the only permissions available to "jack" are those that "jack" has.

On another note, you can install security updates automatically - so even if someone with root isn't around the packages needing security updates will be installed as soon as they are available.

"Wow, thanks a lot Oracle." (5, Insightful)

Anonymous Coward | about 2 years ago | (#41454055)

Release of Java 5: September 30, 2004
Oracle's acquisition of Sun: January 27, 2010

I know it's fun to hate on Oracle (commencing Ellison yacht joke in 5, 4, 3...), but it makes you look a little imbalanced to blame them for a vulnerability that exists in a product created by a different company almost 5+ years before Oracle even bought them.

Shouldn't we at least wait until after we find out that Oracle knew all about this for months on end, chose to tell no one, and then ported it forward into Java 7 before we lambaste them?

Re:"Wow, thanks a lot Oracle." (2, Insightful)

Anonymous Coward | about 2 years ago | (#41454167)

No! Fuck Oracle! They are the 1%!

Re:"Wow, thanks a lot Oracle." (2)

znrt (2424692) | about 2 years ago | (#41454331)

Release of Java 5: September 30, 2004

...but it makes you look a little imbalanced to blame them for a vulnerability that exists in a product created by a different company almost 5+ years before Oracle even bought them.

Bought the bugs too.

Re:"Wow, thanks a lot Oracle." (4, Informative)

Nimey (114278) | about 2 years ago | (#41454599)

Java 5 was even EOL'd well before Oracle bought Sun.

Re:"Wow, thanks a lot Oracle." (0)

Anonymous Coward | about 2 years ago | (#41454853)

On server side, Java 1.4 is still alive and kicking (barely, like an infected zombie) because some companies don't want to upgrade (or even update) their application servers... Java truly is the new Cobol.

Re:"Wow, thanks a lot Oracle." (2)

Billly Gates (198444) | about 2 years ago | (#41455355)

Worse, I have to clean machines which use Java 1.4.2 on the clients using IE 7. They get infected a lot but use them for their banking apps online. Can't upgrade them because the 9 year old Kronos app is not compatible with any other version, and this would hurt the share price.

Re:"Wow, thanks a lot Oracle." (1)

afidel (530433) | about 2 years ago | (#41455727)

Hell one of those companies is Oracle themselves. In fact the current version of several of the products we use still have the JRE 1.5.0 as the bundled version.

Re:"Wow, thanks a lot Oracle." (1)

Billly Gates (198444) | about 2 years ago | (#41456369)

How much do you want to bet vendors like Oracle and others will still be selling software that requires XP long after the EOL on 3/2014?

Re:"Wow, thanks a lot Oracle." (4, Insightful)

Cid Highwind (9258) | about 2 years ago | (#41454825)

Number of fscks Larry Ellison has given about Java since finding out owning it doesn't mean Google owes him a ton of money for Dalvik: 0

Re:"Wow, thanks a lot Oracle." (2)

LourensV (856614) | about 2 years ago | (#41454931)

Actually, after the acquisition Sun Microsystems, Inc. and Oracle USA, Inc. were merged to form Oracle America, Inc. So strictly speaking, Oracle is Sun. I wholly agree though that we need to know for how long they knew about this before passing judgement.

Re:"Wow, thanks a lot Oracle." (4, Insightful)

Trepidity (597) | about 2 years ago | (#41455277)

They've owned the product for almost three years now, so I'd say that bugs in current versions are their fault for not doing sufficient QA to find/fix, regardless of where they originated. When you own something, you own the responsibility too.

Re:"Wow, thanks a lot Oracle." (0)

Anonymous Coward | about 2 years ago | (#41458727)

I would say the only thing you own is the responsibility. What else?

Re:"Wow, thanks a lot Oracle." (2)

Billly Gates (198444) | about 2 years ago | (#41455287)

Part of this is not Oracle's or Sun's fault. It is the customers who use 10 year old software that relies on these exploits to provide functionality like COM integration with Excel and other useless features.

The more Oracle plugs these holes the more users will demand to keep XP and Java 1.4.2 around the office. Corporate customers hate change and fixes make them nervous.

Java does run on every platform. The problem is it does not run on past versions of itself, and like ancient versions of IE they create lock-in. Most regular users do not use it as an applet. Chrome and Firefox won't even let you run Java applets by default, believe it or not, if you have Java installed. Just IE, because no one uses it.

Sadly I use Eclipse and Aptana, and I know many users who use Vuze for bittorrents, so Java is not going away, but at least most of us can upgrade. I use the insecure version but double check to make sure it won't work on my browser, so I am good.

Re:"Wow, thanks a lot Oracle." (0)

Anonymous Coward | about 2 years ago | (#41455615)

Dude, chill. It's not worth bringing it up. The person who wrote the summary is probably also one of the people who spins the old Motorola Mobility patenting issues and other transgressions of theirs from years ago as "thanks to Google", when, last I knew, that buyout hasn't even been finalized yet. You're not going to get through to them. Ever.

Seriously, best to just let the loonies wander around the prison^H^H^H^H^H^Hasylum until they burn themselves out. Then we can process them for fuel. Best part is, there'll always be more fuel.

Is Java the new Flash? (4, Funny)

blahbooboo (839709) | about 2 years ago | (#41454085)

Please discuss.

Re:Is Java the new Flash? (-1, Troll)

_xeno_ (155264) | about 2 years ago | (#41454205)

Is Java the new Flash?

No.

Flash used to be useful.

Re:Is Java the new Flash? (0)

Anonymous Coward | about 2 years ago | (#41454411)

Flash was the new Java.

Re:Is Java the new Flash? (3, Funny)

Anonymous Coward | about 2 years ago | (#41454541)

No, Java is the old Flash.

Re:Is Java the new Flash? (0)

Anonymous Coward | about 2 years ago | (#41454797)

No. Flash was designed to run in browsers, Java was designed as an execution framework. Java is not designed for "web applets". That's where the problem lies.

Re:Is Java the new Flash? (1)

malignant_minded (884324) | about 2 years ago | (#41454811)

I can't, I'm verklempt.

Re:Is Java the new Flash? (1)

Anonymous Coward | about 2 years ago | (#41454927)

wabbit season

Re:Is Java the new Flash? (1)

X0563511 (793323) | about 2 years ago | (#41455157)

Post subjects are like headlines:

If they end with a question mark, the answer is always "no."

Is Betteridge's Law of Headlines Ever True? (1)

TeknoHog (164938) | about 2 years ago | (#41455533)

No?

Re:Is Java the new Flash? (2)

Chris Mattern (191822) | about 2 years ago | (#41455311)

He'll save every one of us!

Re:Is Java the new Flash? (1)

Tough Love (215404) | about 2 years ago | (#41455653)

Not that bad, but could be better. Unfortunately, in Oracle's hands it's more likely to get worse.

Actually, Javascript needs to be the new Java. Which seems to actually be happening. Sure, Javascript sucks seriously in its own way and can't touch Java in performance, but it does the job, blows Java out of the water in responsiveness, and has multiple implementations not under the control of any one company.

Re:Is Java the new Flash? (2)

dkf (304284) | about 2 years ago | (#41456599)

Actually, Javascript needs to be the new Java. Which seems to actually be happening.

Shit. Swapping something that's extremely well defined (even anal-retentively so) for something with as... err... whimsical a set of variations as Javascript is such a huge step forward. Not.

Sure, Javascript sucks seriously in its own way and can't touch Java in performance, but it does the job, blows Java out of the water in responsiveness, and has multiple implementations not under the control of any one company.

On the other hand, the main reason that JS is responsive is that it's got a fully warmed up engine going by the time your browser actually loads any script code. There's a large class of things that you can't do in JS (well, not the JS that's in browsers) and the multiple implementations vary in subtle ways that bite you on the ass.

It isn't just manipulating graphics or DOM trees that people want to do in browsers.

Re:Is Java the new Flash? (1)

Tough Love (215404) | about 2 years ago | (#41456851)

See, Javascript sucks but Java fails. Pick your poison.

Re:Is Java the new Flash? (0)

Anonymous Coward | about 2 years ago | (#41458669)

Actually, Javascript needs to be the new Java.

I can assure you that you don't wanna see that happen.

the java plugin? (0, Flamebait)

tero (39203) | about 2 years ago | (#41454491)

So when was the last time you actually needed that Java-plugin in your browser?

Applets have been dead tech for years now - for most people there's no need at all to have Java plugin enabled in their browser.

Uninstall the plugin already, I bet you won't even see the difference.

Re:the java plugin? (2)

rbrausse (1319883) | about 2 years ago | (#41454679)

So when was the last time you actually needed that Java-plugin in your browser?

10 minutes ago. Even twice (Barracuda's SSL VPN tunneling thingy is based on Java, and our web-based CPOE [wikipedia.org] uses Java to print barcodes*)

If you have an IT job you might need it. (4, Interesting)

Anonymous Coward | about 2 years ago | (#41454727)

Java plugins won't help you flip burgers, but if you work in a large corporation you will find about fifty mission-critical apps you definitely will need that plug-in for.

And the sysadmins hate EVERY SINGLE ONE OF THEM.

Because they SUCK to admin... end users who don't have to use or admin the codebase love them, because they are pretty and sound like coffee.

Re:the java plugin? (0)

Anonymous Coward | about 2 years ago | (#41454851)

So when was the last time you actually needed that Java-plugin in your browser?

Almost every day, unfortunately. The USPTO uses it as part of their certificate authentication for Private PAIR (access to patent information) and their Electronic Filing System. (see, e.g., https://ppair.uspto.gov).

Re:the java plugin? (3, Informative)

codealot (140672) | about 2 years ago | (#41455133)

I just RTFA; from what I can tell this affects anyone who needs to run untrusted code in a JVM with a SecurityManager, not just applets.

That said, I can't think of any reason to do that besides applets, so most vulnerable users are those with browser plugins. Virtually everyone I know who runs Java deploys it within a servlet container where untrusted code is not normally a concern. Given that, the story seems a bit overblown.

Thank you! (1)

wurp (51446) | about 2 years ago | (#41455759)

Now I don't have to RTFA. IMO that simple statement "this only applies to running untrusted code in a JVM with a SecurityManager" is the most important thing to say about this exploit; sad it wasn't in the summary.

Re:the java plugin? (1)

Billly Gates (198444) | about 2 years ago | (#41455185)

You haven't supported corporate America yet.

Java and ancient browsers are EVERYWHERE. Worse, they all use Java 1.4.2, which is like the holy grail of Cisco equipment and some bank websites. It won't work on any other browser besides IE 6/7 with that Java combo. Unless of course you want to upgrade ... HA, that would cost money, silly.

Re:the java plugin? (1)

Chris Mattern (191822) | about 2 years ago | (#41455337)

So when was the last time you actually needed that Java-plugin in your browser?

Today. I use on a daily basis browser-based Java software that I could not do my job without.

Re:the java plugin? (2)

fa2k (881632) | about 2 years ago | (#41455789)

The good thing about the plugin is that Java is the only credible cross-platform sandboxed execution environment, and by having the plugin there's a large incentive to find any bugs in the sandbox. With every breach fixed, Java gets more secure.

Re:the java plugin? (1)

i_ate_god (899684) | about 2 years ago | (#41456651)

Cisco AnyConnect :(

Re:the java plugin? (1)

MysteriousPreacher (702266) | about 2 years ago | (#41456929)

So when was the last time you actually needed that Java-plugin in your browser?

About an hour ago. Still plenty of enterprise applications reliant upon Java. For home use, never. My only personal usage of Java comes from a Java remake of Dungeon Master.

Who cares? (0)

Anonymous Coward | about 2 years ago | (#41454533)

Another hole in browser plugin. Who cares? Disable the plugin and forget. It's not used for anything these days.

Again, this has nothing to do with "Java" but with "a Java plugin for specific browsers".

Java, it's the new Flash (2)

BLToday (1777712) | about 2 years ago | (#41454647)

for malware.

Not Java's fault! (0, Troll)

Anonymous Coward | about 2 years ago | (#41454813)

The OS should sandbox the damn thing, at least somewhere in userland. This is bullshit. The OS is soft as mush to let this crap keep on happening. GOD! Our computers are shit!

use instead? (0)

Anonymous Coward | about 2 years ago | (#41454863)

What would you use instead? Ruby on rails? Python? html5 ? perl? maybe this kind of dynamic content is just bad?

Useless platform (0, Insightful)

Anonymous Coward | about 2 years ago | (#41454937)

Java is a useless platform, along with Flash Actionscript and whatever other web-based multimedia api is out there. If people would start coding pages without those additional pieces of garbage, the amount of malware on the internet would drop tremendously.

The joke's on you! (0)

Anonymous Coward | about 2 years ago | (#41455089)

I'm running version 1.7.0_07, so I'm not affected!

Wowzers (5, Funny)

Billly Gates (198444) | about 2 years ago | (#41455155)

Good thing we use Java 1.4.2 at work. Looks like I am safe.

Rethinking the Sun Acquisition (0)

Anonymous Coward | about 2 years ago | (#41455181)

I am wondering if Larry is rethinking the Sun acquisition considering how much Java is costing them!

java is an abomination (0)

Anonymous Coward | about 2 years ago | (#41455211)

worst tech of a lifetime

Oracle, did you learn from last time? (4, Insightful)

onyxruby (118189) | about 2 years ago | (#41455705)

Oracle, did you learn from last time?

1. Have you publicly acknowledged the exploit?
2. Have you given at least some idea of how it works?
3. Have you given any mitigation instructions, or will people simply have to uninstall your product since you're not saying how to mitigate this?
4. Have you given any type of public communication along the lines of "we're working on it"?
5. Are you giving any type of ETA for a hot fix?
6. Have you learned that saying, we'll fix a critical exploit on one billion machines at the regular quarterly update schedule is not acceptable?

Home sick today or I would have been neck deep in this all bloody day. Haven't had a chance to look and see if they learned from their last royal clusterfuck or not.

Re:Oracle, did you learn from last time? (1)

Anonymous Coward | about 2 years ago | (#41455995)

Answer:
They dropped all the vulnerable functions and re-added them with new names. As such, the exploits no longer work.

Fixed!

(And for the newbs who think this is a joke... guess again, true story. Thanks, Oracle!)

ImageJ alternatives? (0)

Anonymous Coward | about 2 years ago | (#41456359)

Times like this, I really wish ImageJ wasn't written in Java. Does anyone know of an alternative research-oriented image tool?

Not that anyone is affected (1)

Hentes (2461350) | about 2 years ago | (#41456445)

Java was replaced by Flash long ago, and now even Flash is being replaced by HTML5. I have always disabled Java browser plugins exactly because it's insecure. Five years ago this discovery may still have had some impact, but hardly anyone uses Java applets these days.

Re:Not that anyone is affected (0)

Anonymous Coward | about 2 years ago | (#41458049)

You, sir, are quite funny!

Thanks a lot Oracle? (1)

i_ate_god (899684) | about 2 years ago | (#41456637)

I didn't realize Oracle made Java 5.

enterprise (0)

Anonymous Coward | about 2 years ago | (#41458489)

Ok. So it is even in old versions. How about a way for companies to replace the JRE in a corporate environment? No? Wonder why people have old versions on computers. Maybe they should look into ClickOnce. Think how Chrome updates.

Java SE 5/6/7 + Windows only? (0)

Anonymous Coward | about 2 years ago | (#41458737)

Anyone know if it affects *nix / BSD / Mac users?
