
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out

Path csiph.com!usenet.pasdenom.info!news.albasani.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From Fredrik Jonson <fredrik@jonson.org>
Newsgroups comp.lang.java.programmer
Subject Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out
Date 31 Aug 2012 06:02:43 GMT
Lines 48
Message-ID <slrnk40ksb.mg5.fredrik@scout.jonson.org> (permalink)
References <6luv38htl4ve3ldqv0pd1pmu876gddq2v6@4ax.com> <50400827$0$289$14726298@news.sunsite.dk> <k1p1fp$24v$1@dont-email.me> <ei604819trie2avefhs4punmav31tmibuo@4ax.com>
X-Trace individual.net uolVo8l410K11pkKEeRIRQ9Qkv1GIgjnTsveGms0HnAlLOcs9JV7+oIPlots5of20=
Cancel-Lock sha1:zyMcMzEflqSyuUpkxLqm01XBaPo=
User-Agent slrn/pre1.0.0-18 (Linux)
Xref csiph.com comp.lang.java.programmer:18465



In <ei604819trie2avefhs4punmav31tmibuo@4ax.com> Roedy Green wrote:

>  I have heard so much BS about the danger of Java. Crying wolf on that
>  scale should be a criminal offence, or at least get you sued.

On the other hand raising doubt about an acknowledged and severe security
vulnerability isn't very wise either.

Without pointing you to the source code of the exploit, which is widely
available this time, when reading the code it becomes trivially clear to
anyone that it allows the attacker to execute _any_ code on the target
machine. It evades the normal java sandbox completely.

So let's not play this one down. This time it is for real.

>  On the other paw, this update follows fast on the heels of the
>  previous one. That would only normally happen if there were a very
>  important security fix.

Indeed.

>  But they are unusually vague about what the security vulnerability is,
>  ostensibly to avoid giving hints to exploiters. It sounds like it
>  applies only to unsigned applets on malicious websites. It is probably
>  1000 times easier for a malicious website to use JavaScript than this
>  exploit.

Unfortunately I think Oracle are normally vague. If anything, they are less
vague than usual in describing the severity and consequences. I quote:

  "To be successfully exploited, an unsuspecting user running an affected
   release in a browser will need to visit a malicious web page that
   leverages this vulnerability. Successful exploits can impact the
   availability, integrity, and confidentiality of the user's system."

All you have to do is load the wrong web page in your browser. That's it.

That an attacking applet has to be unsigned doesn't limit the severity of
this vulnerability. If the vulnerability was only exploitable by signed
applets, the risk would be somewhat more limited. As it stands right now,
any script kiddie can compile and publish exploiting code.

Further, this Java vulnerability in itself wouldn't become any less serious
if any javascript engine would have a similar vulnerability. Two wrongs do
not make a right.

--
Fredrik Jonson
