21 comments

[ 3.4 ms ] story [ 60.5 ms ] thread
Oracle is becoming a parody of itself. Can they just hand off the entire Java platform to a capable 3rd party already?
Did Oracle introduce these bugs?
Have they been permitting anyone who isn't oracle affiliated to work on the sandbox? I was under the impression that the core development and compiler work was all in house.
Are you sure these bugs are new? The Java Applet Sandbox doesn't exactly have a spotless security history.
One of the bugs is fairly old, the other (which is required for the overal exploit) is new-ish (introduced in Java 7), but probably not as new as saosebastiao was implying (as the title of this HN post can be parsed as "the bugs were introduced by the patch attempting to fix the other bugs", which is definitely not the case, AFAICT).

> Issue 51 affects both Java SE 6 and 7. Issue 52 is for Java SE 7 only. Since both issues are required for the attack to succeed, we treat it as Java 7 specific only.

-- http://seclists.org/fulldisclosure/2013/Jan/195

These bugs may have been added to the source code by Sun before Oracle acquired Sun. However, the first released version of Java that came with these bugs was done by Oracle.

Just to add I'm referring to latest zero day bugs and not the ones found by Gowdiak.

I was a Java developer, and when Sun was acquired by Oracle, I knew it's time to move on. Now I'm coding Ruby, and whenever I look back, I see Oracle raping Java - suing the good guys, adding malware to Java installers, increasingly introducing new security holes. It's such a sad sight...
Raping? Is that a technical term?
To be honest a lot of the major security bugs were actually inherited by Oracle from Sun when they bought Java. In 2011 we had two major Denial of Service working on any Java webapp server that were present since more than ten years in Java (one of them was a known-but-never-fixed bug and the other was unknown-but-already-existing).

The Java applet SNAFU is totally Sun's fault and the wasted time and energy spent making these applets work (and hence making Java plugins for the various browsers) should have been spent by everyone for most interesting purposes.

Regarding the "time to move on", I hardly think so: Java is still increasingly popular and it's very hard to find a big company not using Java anywhere in its stack.

And you mentioning Ruby in response to security holes is particularly ironic seen that lately Ruby hasn't exactly been proved rock-solid from a security standpoint ; )

The big "ruby" vulnerabilities that came up recently were issues in rails. I don't think that there's much irony here since the response from the rails core team was fast and professional, as was action taken by the community to patch existing web apps. Oracle sat on known vulnerabilities and didn't scramble out a fix until the department of homeland security got involved. Obviously we're comparing applets and oranges here, but Oracle deserves a heap of criticism over how it's handling these issues, and it really brings the future of their Java codebase into question.
adding malware to Java installers

Actually, the ask.com Toolbar has always been part of the installer.

increasingly introducing new security holes

FYI One of these two definitely is pre-Oracle.

More vulnerabilities - more toolbars! What's not to like.
Christ, as someone who wrote some Java software long, long ago: Does Oracle not care how damaging this stuff is to the already battered Java "brand"?

When Firefox brings up a "Java is a potentially malicious plugin" dialog by default, you should be trying to turn that ship around.

Perhaps this is the excuse to generate more critical updates, increasing the number of accidental Ask toolbar installs.

Oracle doesn't believe in "free".

Java in the browser has been battered for a while. It's been supplanted by Flash for the most part which will be replaced by Javascript in the browser. Oracle is expecting Java VM's to disappear from the browser altogether and is glad to wring out as much cash as possible in the meantime.
To be clear -- neither of these vulnerabilities is likely to cause much damage in the wild for anyone who has installed the new version.

Applets don't run anymore unless you explicitly click through to authorize them.

If you aren't expecting your game to run, etc., you click "no".

I'm disappointed about all this (particularly since it's on its way to destroying my side business, which relies on applets), but I'm also frustrated by the reporting -- Java applets are still more secure than ActiveX used to be, right? There's a sandbox, and now applets won't even run at all without explicit permission from the user.

That's pretty close to "don't go to shady websites and install software they offer you" at this point.

If my mom sees a pop up while browsing, she will always click yes.
She needs reprogramming. May I suggest using a 2x1.
If she clicks yes to all popups, then Java is a risk to her even with all security bugs patched, because I can request permission to get out of the sandbox with a signed applet, and if she approves I can do whatever I like with her computer.

Of course, if she's opening odd-looking links in her email anyway (which is how she'd get to a site that might include a dangerous applet) there are likely all kinds of attack vectors that she's vulnerable to.

Most of these vulnerabilities are break outs of the security manager. A lot of other VMs do not have security managers ("think of eval").
maybe oracle would fix my javas if i paid them for a support contract.

it's only USD 10 mln :P