Have they been permitting anyone who isn't oracle affiliated to work on the sandbox? I was under the impression that the core development and compiler work was all in house.
One of the bugs is fairly old, the other (which is required for the overal exploit) is new-ish (introduced in Java 7), but probably not as new as saosebastiao was implying (as the title of this HN post can be parsed as "the bugs were introduced by the patch attempting to fix the other bugs", which is definitely not the case, AFAICT).
> Issue 51 affects both Java SE 6 and 7. Issue 52 is for Java SE 7 only. Since both issues are required for the attack to succeed, we treat it as Java 7 specific only.
These bugs may have been added to the source code by Sun before Oracle acquired Sun. However, the first released version of Java that came with these bugs was done by Oracle.
Just to add I'm referring to latest zero day bugs and not the ones found by Gowdiak.
I was a Java developer, and when Sun was acquired by Oracle, I knew it's time to move on. Now I'm coding Ruby, and whenever I look back, I see Oracle raping Java - suing the good guys, adding malware to Java installers, increasingly introducing new security holes. It's such a sad sight...
To be honest a lot of the major security bugs were actually inherited by Oracle from Sun when they bought Java. In 2011 we had two major Denial of Service working on any Java webapp server that were present since more than ten years in Java (one of them was a known-but-never-fixed bug and the other was unknown-but-already-existing).
The Java applet SNAFU is totally Sun's fault and the wasted time and energy spent making these applets work (and hence making Java plugins for the various browsers) should have been spent by everyone for most interesting purposes.
Regarding the "time to move on", I hardly think so: Java is still increasingly popular and it's very hard to find a big company not using Java anywhere in its stack.
And you mentioning Ruby in response to security holes is particularly ironic seen that lately Ruby hasn't exactly been proved rock-solid from a security standpoint ; )
The big "ruby" vulnerabilities that came up recently were issues in rails. I don't think that there's much irony here since the response from the rails core team was fast and professional, as was action taken by the community to patch existing web apps. Oracle sat on known vulnerabilities and didn't scramble out a fix until the department of homeland security got involved.
Obviously we're comparing applets and oranges here, but Oracle deserves a heap of criticism over how it's handling these issues, and it really brings the future of their Java codebase into question.
Java in the browser has been battered for a while. It's been supplanted by Flash for the most part which will be replaced by Javascript in the browser. Oracle is expecting Java VM's to disappear from the browser altogether and is glad to wring out as much cash as possible in the meantime.
To be clear -- neither of these vulnerabilities is likely to cause much damage in the wild for anyone who has installed the new version.
Applets don't run anymore unless you explicitly click through to authorize them.
If you aren't expecting your game to run, etc., you click "no".
I'm disappointed about all this (particularly since it's on its way to destroying my side business, which relies on applets), but I'm also frustrated by the reporting -- Java applets are still more secure than ActiveX used to be, right? There's a sandbox, and now applets won't even run at all without explicit permission from the user.
That's pretty close to "don't go to shady websites and install software they offer you" at this point.
If she clicks yes to all popups, then Java is a risk to her even with all security bugs patched, because I can request permission to get out of the sandbox with a signed applet, and if she approves I can do whatever I like with her computer.
Of course, if she's opening odd-looking links in her email anyway (which is how she'd get to a site that might include a dangerous applet) there are likely all kinds of attack vectors that she's vulnerable to.
21 comments
[ 3.4 ms ] story [ 60.5 ms ] thread> Issue 51 affects both Java SE 6 and 7. Issue 52 is for Java SE 7 only. Since both issues are required for the attack to succeed, we treat it as Java 7 specific only.
-- http://seclists.org/fulldisclosure/2013/Jan/195
Just to add I'm referring to latest zero day bugs and not the ones found by Gowdiak.
The Java applet SNAFU is totally Sun's fault and the wasted time and energy spent making these applets work (and hence making Java plugins for the various browsers) should have been spent by everyone for most interesting purposes.
Regarding the "time to move on", I hardly think so: Java is still increasingly popular and it's very hard to find a big company not using Java anywhere in its stack.
And you mentioning Ruby in response to security holes is particularly ironic seen that lately Ruby hasn't exactly been proved rock-solid from a security standpoint ; )
Actually, the ask.com Toolbar has always been part of the installer.
increasingly introducing new security holes
FYI One of these two definitely is pre-Oracle.
When Firefox brings up a "Java is a potentially malicious plugin" dialog by default, you should be trying to turn that ship around.
Oracle doesn't believe in "free".
Applets don't run anymore unless you explicitly click through to authorize them.
If you aren't expecting your game to run, etc., you click "no".
I'm disappointed about all this (particularly since it's on its way to destroying my side business, which relies on applets), but I'm also frustrated by the reporting -- Java applets are still more secure than ActiveX used to be, right? There's a sandbox, and now applets won't even run at all without explicit permission from the user.
That's pretty close to "don't go to shady websites and install software they offer you" at this point.
Of course, if she's opening odd-looking links in her email anyway (which is how she'd get to a site that might include a dangerous applet) there are likely all kinds of attack vectors that she's vulnerable to.
it's only USD 10 mln :P