Another Critical Security Flaw In Java Appears Before Oracle Has Even Resolved The Last One
-
I find it funny that when it's Java that has a major security flaw, it's a big deal, but the weekly Windows Updates I get that say "fixes a vulnerability that could allow a remote attacker to take over the computer" are not an issue. Maybe I should uninstall Windows too?
It has been ever thus - just as when an OSX or Linux vulnerability is discovered it tends to get more press (in proportion to OS prevalence) than a new Windows vulnerability. Trouble is, Windows is ubiquitous (which makes it more of a target), and has had holes of various sorts for so long, finding more is both expected and not newsworthy. It seems to me that the risk of dropping or replacing Java needs to be assessed against the risk of the incoming system being more vulnerable or less mature... I attended a talk yesterday evening where it was pointed out that the entire country is effectively run entirely by knee-jerk reactions to events. It would be nice to think that our industry isn't like that, but I must admit it's getting very hard to see through these rapidly darkening rose-tinted spectacles!
-
It has been ever thus - just as when an OSX or Linux vulnerability is discovered it tends to get more press (in proportion to OS prevalence) than a new Windows vulnerability. Trouble is, Windows is ubiquitous (which makes it more of a target), and has had holes of various sorts for so long, finding more is both expected and not newsworthy. It seems to me that the risk of dropping or replacing Java needs to be assessed against the risk of the incoming system being more vulnerable or less mature... I attended a talk yesterday evening where it was pointed out that the entire country is effectively run entirely by knee-jerk reactions to events. It would be nice to think that our industry isn't like that, but I must admit it's getting very hard to see through these rapidly darkening rose-tinted spectacles!
Mike Winiberg wrote:
It seems to me that the risk of dropping or replacing Java needs to be assessed against the risk of the incoming system being more vulnerable or less mature...
Indeed, it's so easy to throw the baby out with the bathwater when these decisions are made (often by people without the technical expertise to do so). It's a similar problem to that faced by countries which undergo a coup or revolution and replace the government with a completely new one - historically, the new government has frequently been an utter disaster. And going back to software, I read a nice article a while ago discussing our tendency as programmers to point at dirty old "ball of mud" projects and say "oh what a mess that is, let's throw it out and start from scratch, having learned from those mistakes". But then it turns out that most of that "mess" was there because you (or whoever wrote the code) had discovered and fixed many bugs and corner-case behaviour. So the new "clean" code starts out simple, but as these corner cases are rediscovered, the same thing happens all over again. Two years later, you've moved on and the next programmer arrives, looks at your "clean" codebase and says "tut tut, what a mess... maybe we should..." ;)
-
Clickety[^] [Forbes] If you temporarily disabled Java during the last round of attacks on Oracle’s ubiquitous, buggy program, here’s more evidence that the time has come to remove it altogether. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
I find it funny that when it's Java that has a major security flaw, it's a big deal, but the weekly Windows Updates I get that say "fixes a vulnerability that could allow a remote attacker to take over the computer" are not an issue. Maybe I should uninstall Windows too?
It's not news when it's a Windows box. You'd have no time to report anything else if you treated Windows vulnerabilities as news.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
-
Clickety[^] [Forbes] If you temporarily disabled Java during the last round of attacks on Oracle’s ubiquitous, buggy program, here’s more evidence that the time has come to remove it altogether. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
Hi. It's a shame that this is passing with the "vendor standard" implementation of Java (or being more correct the JVM), but uninstall it is not necessary, what should be done is disable it by default in the web browsers (as it isn't as needed as it used to be), and enable it only on demand and only in some user approved web sites, another "fix" is to take a look at the Open Source implementations of Java and use those instead.
CEO at: - Rafaga Systems - Para Facturas - Modern Components for the moment...
-
And replace it with....? .NET? Oops, it's got the same or worse flaws, even referenced in the same article.
Am I going blind? I see no mention of .NET in the Forbes article, let alone any claims that it has worse security flaws than Java. According to Secunia, .NET 4.0 has 14 patched vulnerabilities[^], and none unpatched. I have yet to see Microsoft take four months to patch a .NET vulnerability, or wait until it's being actively exploited before treating it seriously.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Am I going blind? I see no mention of .NET in the Forbes article, let alone any claims that it has worse security flaws than Java. According to Secunia, .NET 4.0 has 14 patched vulnerabilities[^], and none unpatched. I have yet to see Microsoft take four months to patch a .NET vulnerability, or wait until it's being actively exploited before treating it seriously.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Maybe not, this is what happens when you read far too many of these last week. :) The better story[^] detailing the real issue behind the partial story in Forbes. So no, it's actually not a Java Exploit, but a browser exploit. With all that said, if I'm running as a non-privileged user and this exploit gives the attacker full control of my machine (windows most likely) then there's bigger issues afoot than a mere exploit in the JRE. This would imply an OS problem. Add to this that he references the Flashback exploit of several months ago as being a similar hole, note that for macs, at least, this "exploit" merely offered up to the user a request to install a trojan, nothing more, nothing less, and it required user intervention. From what I can tell, the windows version gives direct access to the machine, bypassing the user and security entirely. So perhaps if people ditched windows, they'd be safer? After all, that's no more sensationalist a line than "time to ditch Java".
-
Maybe not, this is what happens when you read far too many of these last week. :) The better story[^] detailing the real issue behind the partial story in Forbes. So no, it's actually not a Java Exploit, but a browser exploit. With all that said, if I'm running as a non-privileged user and this exploit gives the attacker full control of my machine (windows most likely) then there's bigger issues afoot than a mere exploit in the JRE. This would imply an OS problem. Add to this that he references the Flashback exploit of several months ago as being a similar hole, note that for macs, at least, this "exploit" merely offered up to the user a request to install a trojan, nothing more, nothing less, and it required user intervention. From what I can tell, the windows version gives direct access to the machine, bypassing the user and security entirely. So perhaps if people ditched windows, they'd be safer? After all, that's no more sensationalist a line than "time to ditch Java".
If you're referring to the vulnerability patched by last week's IE security update[^], it didn't give the attacker full control of your machine; it gave then the same user rights as the current user. If you're surfing the net as a local administrator with UAC turned off, then the problem isn't the OS! And you've now digressed from your original claim that ".NET (has) got the same or worse flaws (as Java)".
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Clickety[^] [Forbes] If you temporarily disabled Java during the last round of attacks on Oracle’s ubiquitous, buggy program, here’s more evidence that the time has come to remove it altogether. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
REMOVE IT ALTOGETHER!!! It gives me allergies!
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson ---- Our heads are round so our thoughts can change direction - Francis Picabia
-
REMOVE IT ALTOGETHER!!! It gives me allergies!
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson ---- Our heads are round so our thoughts can change direction - Francis Picabia
I think you need less coffee - I mean Java. :-D /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
I think you need less coffee - I mean Java. :-D /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
:laugh: Now that you mention it, I really hate the taste of coffee (for real) and rely on energy drinks to get my caffeine dosage. Funny coincidence :)
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson ---- Our heads are round so our thoughts can change direction - Francis Picabia
-
If you're referring to the vulnerability patched by last week's IE security update[^], it didn't give the attacker full control of your machine; it gave then the same user rights as the current user. If you're surfing the net as a local administrator with UAC turned off, then the problem isn't the OS! And you've now digressed from your original claim that ".NET (has) got the same or worse flaws (as Java)".
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
No, I'm actually talking about the hole in .NET, which really is a hole. But apparently it was far enough back that it fell off my 3 week history. Shows you how time flies. The difference between .NET and JRE flaws is that under .NET under windows it can take over your machine, not just run with the current user privs. Despite removing the ability to manipulate tokens, or in spite of, it's still quite possible to dynamically inject code into DLLs and have them run as SYSTEM. That's also true of the JRE browser plugin flaws I suppose, although I haven't looked into it any deeper.
-
No, I'm actually talking about the hole in .NET, which really is a hole. But apparently it was far enough back that it fell off my 3 week history. Shows you how time flies. The difference between .NET and JRE flaws is that under .NET under windows it can take over your machine, not just run with the current user privs. Despite removing the ability to manipulate tokens, or in spite of, it's still quite possible to dynamically inject code into DLLs and have them run as SYSTEM. That's also true of the JRE browser plugin flaws I suppose, although I haven't looked into it any deeper.
Which hole in .NET? I have yet to see a report of a .NET vulnerability which bypasses UAC. For example: the most recent patch, MS12-038[^], states: "an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user." Can you post a link to a single .NET vulnerability, patched or otherwise, which allows remote code execution under the system account?
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Which hole in .NET? I have yet to see a report of a .NET vulnerability which bypasses UAC. For example: the most recent patch, MS12-038[^], states: "an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user." Can you post a link to a single .NET vulnerability, patched or otherwise, which allows remote code execution under the system account?
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
How about this one? http://www.osvdb.org/71013 (although I'll note that my system does not appear to be affected, so perhaps it's a local problem?)
OSVDB:
Location: Local Access Required
...could allow a local attacker to execute arbitrary code...
...the attacker would need to be a part of the Power or Domain user group...
So not exactly a remote-code execution vulnerability. ;P I suppose there's a possibility that an unpatched RCE could be used to get code onto the computer which could then take advantage of a local escalation of privilege vulnerability to execute further code as the system user, but that's not specific to .NET, and I'd be surprised if you couldn't do the same thing on a Mac.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
It's not news when it's a Windows box. You'd have no time to report anything else if you treated Windows vulnerabilities as news.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
