Java Zero Day

  • (2 Pages)

26 Replies - 13289 Views - Last Post: 10 March 2013 - 09:52 PM

#1 Lemur

  • Pragmatism over Dogma

Reputation: 1359
  • Posts: 3,425
  • Joined: 28-November 09

Java Zero Day

Posted 10 January 2013 - 03:06 PM

Critical Java Zero Day Bug is being massively exploited in the wild via ArsTechnica

... Again?

TL;DR: disable java, and scan for viruses. Fully patched Java? Doesn't matter, you're still shafted.

On a personal note I'm losing faith in Java's capacity to keep their products secure.

This post has been edited by Lemur: 10 January 2013 - 03:26 PM


Is This A Good Question/Topic? 3

Replies To: Java Zero Day

#2 farrell2k

  • D.I.C Lover

Reputation: 823
  • Posts: 2,533
  • Joined: 29-July 11

Re: Java Zero Day

Posted 10 January 2013 - 05:09 PM

Ah, poor Oracle. They're getting almost as bad as Microsoft. Silverlight, flash, and Java all have vulnerabilities. I won't stop using any of them.
Was This Post Helpful? 0

#3 Martyr2

  • Programming Theoretician

Reputation: 4332
  • Posts: 12,127
  • Joined: 18-April 07

Re: Java Zero Day

Posted 10 January 2013 - 05:14 PM

Well when you reach a certain critical mass with these languages there are bound to be cracks. Java and C++ have got to be some of the most popular and heavily researched languages out there. I don't worry too much given that half the time these are found by security firms doing extensive research so they are not just something anyone can do.

Of course this one made it into hacker kits, so that makes it extra problematic.
Was This Post Helpful? 0

#4 jon.kiparsky

  • Pancakes!

Reputation: 7640
  • Posts: 12,880
  • Joined: 19-March 11

Re: Java Zero Day

Posted 10 January 2013 - 05:44 PM

This is still the same "zero day" bug that was reported last summer. The new news is that a couple of script kits are now including it.

I don't have the expertise to know how much of an issue it is, but it would be nice to see it closed, just for the sake of tidiness. Surely someone at Oracle can take a little time to look at this?
Was This Post Helpful? 0

#5 Lemur

  • Pragmatism over Dogma

Reputation: 1359
  • Posts: 3,425
  • Joined: 28-November 09

Re: Java Zero Day

Posted 10 January 2013 - 10:27 PM

jon.kiparsky, on 10 January 2013 - 06:44 PM, said:

This is still the same "zero day" bug that was reported last summer. The new news is that a couple of script kits are now including it.

I don't have the expertise to know how much of an issue it is, but it would be nice to see it closed, just for the sake of tidiness. Surely someone at Oracle can take a little time to look at this?


So it goes from new exploit to old new exploit that just hasn't been patched? Now that's sloppy.

People are reaming rails for its recent exploit? You mean the one that was fixed within days? There's something seriously wrong with Java that an entire company can't be more secure than a group like rails and ruby.

Is it even possible to have real security? Yes, most definitely. Take a look at OpenBSD and its sheer dedication. If Java learned a few things from them we wouldn't see 90% of these issues. The simple fact is they keep patching issues instead of treating the base issue.

Masking symptoms will only do that, and will never truly fix an underlying problem.
Was This Post Helpful? 1

#6 farrell2k

  • D.I.C Lover

Reputation: 823
  • Posts: 2,533
  • Joined: 29-July 11

Re: Java Zero Day

Posted 11 January 2013 - 04:16 AM

I guess Lemur has never used Microsoft Windows or ANY of Microsoft's products...
Was This Post Helpful? 0

#7 Lemur

  • Pragmatism over Dogma

Reputation: 1359
  • Posts: 3,425
  • Joined: 28-November 09

Re: Java Zero Day

Posted 11 January 2013 - 04:57 PM

farrell2k, on 11 January 2013 - 05:16 AM, said:

I guess Lemur has never used Microsoft Windows or ANY of Microsoft's products...



Psst. Notice the penguin under my avatar?
Was This Post Helpful? 0

#8 farrell2k

  • D.I.C Lover

Reputation: 823
  • Posts: 2,533
  • Joined: 29-July 11

Re: Java Zero Day

Posted 11 January 2013 - 06:20 PM

Lemur, on 11 January 2013 - 11:57 PM, said:

farrell2k, on 11 January 2013 - 05:16 AM, said:

I guess Lemur has never used Microsoft Windows or ANY of Microsoft's products...



Psst. Notice the penguin under my avatar?


Yeah. I see it. It reminds me of the Debian ssl bug from a few years ago.
Was This Post Helpful? 0

#9 Lemur

  • Pragmatism over Dogma

Reputation: 1359
  • Posts: 3,425
  • Joined: 28-November 09

Re: Java Zero Day

Posted 11 January 2013 - 06:33 PM

farrell2k, on 11 January 2013 - 07:20 PM, said:

Lemur, on 11 January 2013 - 11:57 PM, said:

farrell2k, on 11 January 2013 - 05:16 AM, said:

I guess Lemur has never used Microsoft Windows or ANY of Microsoft's products...



Psst. Notice the penguin under my avatar?


Yeah. I see it. It reminds me of the Debian ssl bug from a few years ago.


Psst. User title.

EDIT

Actually, I'll save you the time. OpenBSD head, or OpenBSD user.

http://openbsd.org/

What's that red line underneath the banner?

Only two remote holes in the default install, in a heck of a long time!

Research that a bit and get back to me. Don't lecture me on security.

------------------

Now as far as being back on topic, the issue is not having bugs, but fixing them in a timely manner and making sure they stay plugged. Java isn't doing a good job of this, and that needs to be accented.

This post has been edited by Lemur: 11 January 2013 - 06:38 PM

Was This Post Helpful? 1

#10 farrell2k

  • D.I.C Lover

Reputation: 823
  • Posts: 2,533
  • Joined: 29-July 11

Re: Java Zero Day

Posted 11 January 2013 - 07:11 PM

You miss the point. What OS you personally run is irrelevant. The point is that nothing is secure.
Was This Post Helpful? 0

#11 jon.kiparsky

  • Pancakes!

Reputation: 7640
  • Posts: 12,880
  • Joined: 19-March 11

Re: Java Zero Day

Posted 11 January 2013 - 07:21 PM

farrell2k, on 11 January 2013 - 09:11 PM, said:

You miss the point. What OS you personally run is irrelevant. The point is that nothing is secure.


That seems a little disingenuous. Nothing is secure, yes. The C compiler you use to compile your linux install from source might have a little bitty worm in it that tweaks your install and inserts a hole in it. Anything could go wrong.

I think we can agree on that? Fine.

Now, Java has a known hole in it which is known to be exploited by people who like to find holes and try to use them to get into machines for no benefit to the owners of those machines.

There's a difference between the ubiquitous potential insecurity and the known insecurity.

We can probably agree on that as well.

Finally, Oracle has known about this since at least this summer, and as far as I know there has been no patch issued and I know of no scheduled patch or even a scheduled announcement of when a patch might be scheduled to start being worked on.

There's a difference between being security-conscious and that.

We can maybe agree on that?
Was This Post Helpful? 0

#12 Lemur

  • Pragmatism over Dogma

Reputation: 1359
  • Posts: 3,425
  • Joined: 28-November 09

Re: Java Zero Day

Posted 11 January 2013 - 07:23 PM

I don't miss the point of that. Where did I say anything was totally secure? What I'm saying is that Java does a crap job of being secure, and things such as OpenBSD take it to epically paranoid levels.
Was This Post Helpful? 0

#13 jon.kiparsky

  • Pancakes!

Reputation: 7640
  • Posts: 12,880
  • Joined: 19-March 11

Re: Java Zero Day

Posted 11 January 2013 - 07:29 PM

So to try to bring us back around to the topic: can anyone help me figure out exactly what's at risk here?
As far as I can tell, the exploit targets the browser plug-in. The java developer who doesn't run random applets faces no added security risk for having java on their machine. I may be wrong, but this is how I'm reading what I'm reading. So since applets are a pretty moribund creature, I'm not sure this is a great inconvenience to the Java user.

Of course, this is not a very deep or searching analysis. If anyone can correct it or add to it, I would welcome friendly amendments to this summary of the status quo.

EDIT: After I typed this, I read this post on the Java Posse mailing list. I don't listen to the podcast, but the mailing list is an interesting collection of Java developers arguing more or less good-naturedly about the language. One of them posted this:

Quote

It's the first time, over the last couple of JRE bugs, that my bank, officially on their front page, is now issuing a warning against running Java 7 (which is a bit of a problem, as using Java is pretty much mandatory with our country's SSO solution).


So apparently in Denmark they think this is pretty rotten, but it still seems we're only exposed at the browser.

This post has been edited by jon.kiparsky: 11 January 2013 - 07:36 PM

Was This Post Helpful? 0

#14 xclite

  • LIKE A BOSS

Reputation: 902
  • Posts: 3,163
  • Joined: 12-May 09

Re: Java Zero Day

Posted 11 January 2013 - 07:36 PM

JVM: Write once, exploit everywhere.

Kind of makes me less excited to learn a JVM language with promises of portability (lol) when that portability brings with it head-in-the-sand security.
Was This Post Helpful? 0

#15 jon.kiparsky

  • Pancakes!

Reputation: 7640
  • Posts: 12,880
  • Joined: 19-March 11

Re: Java Zero Day

Posted 11 January 2013 - 07:39 PM

xclite, on 11 January 2013 - 09:36 PM, said:

JVM: Write once, exploit everywhere.


So do you know of non-browser exploits? Every alert I read cites the browser specifically as the vector of attack. I haven't run an applet in a couple of years, and my browsers are set to ask me to run applets, so I think I'd know.
Was This Post Helpful? 0
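An added, defender-side check that is not code from the thread, from Oracle, or from any browser vendor: the posts above narrow the exposure to the browser plug-in, so the practical question on a workstation is whether that plug-in is still reachable by the browser at all. The script below looks for the Linux Java NPAPI plug-in file, libnpjp2.so, in the Firefox plug-in directories a typical desktop uses. The directory list and the reliance on that file name are assumptions about a standard Linux install; other platforms and browsers keep the plug-in elsewhere, and the same question is answered there by the browser's own add-on manager.

```shell
#!/bin/sh
# Added example, not from the thread: report whether the Java NPAPI browser
# plug-in is reachable from the usual Firefox plug-in directories on Linux.
# Assumptions: the plug-in is the file (or symlink) libnpjp2.so, and Firefox
# scans the directories listed in DEFAULT_PLUGIN_DIRS.

DEFAULT_PLUGIN_DIRS="${HOME:-/root}/.mozilla/plugins /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins"

# java_plugin_present DIR...
# Returns 0 (true) if libnpjp2.so exists in any DIR, 1 otherwise, and prints
# each hit. A symlink is reported even when its target is gone: a dangling
# link shows the plug-in was installed and will be live again after the next
# Java update re-creates the target.
java_plugin_present() {
    found=1
    for d in "$@"; do
        if [ -e "$d/libnpjp2.so" ] || [ -L "$d/libnpjp2.so" ]; then
            printf 'Java browser plug-in found: %s/libnpjp2.so\n' "$d"
            found=0
        fi
    done
    return "$found"
}

# java_plugin_report: human-readable verdict for the default locations.
# Returns 1 when the plug-in is present so the check can gate other automation.
java_plugin_report() {
    # Word splitting of the directory list is intended here.
    if java_plugin_present $DEFAULT_PLUGIN_DIRS; then
        echo "Java content can run in the browser from the locations above."
        echo "Remove or rename the plug-in file, or disable it in the browser's add-on manager."
        return 1
    fi
    echo "No Java browser plug-in found in the default locations."
    return 0
}

# Report on the default locations; keep the verdict for callers that source this file.
JAVA_PLUGIN_FOUND=0
java_plugin_report || JAVA_PLUGIN_FOUND=1
```

Running it as a script prints a verdict for the default locations; sourcing it leaves `java_plugin_present` available for other directories, and `JAVA_PLUGIN_FOUND` set to 1 if anything was found. The check deliberately treats a dangling symlink as a hit, because on a machine where Java was removed by hand the stale link is exactly what the next installer would silently reconnect.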
