Oracle patches critical Java bugs used to commandeer computers (ars technica)

Ars technica reports that Oracle has issued an update for critical vulnerabilities in Java. "The vulnerabilities addressed in the update include those designated as CVE-2012-4681. Among those Oracle credited was Adam Gowdiak of Poland-based Security Explorations, who said he alerted Oracle engineers to the vulnerabilities in April. A brief analysis of the patch by the Immunity security firm found that at least two other vulnerabilities are fixed as well. A post on Oracle's security blog said the patch addressed three 'distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers.' The flaws also included CVE-2012-1682, and CVE-2012-3136."

Oracle patches critical Java bugs used to commandeer computers (ars technica)

Posted Sep 1, 2012 9:35 UTC (Sat) by pjdc (subscriber, #6906)

Ars Technica further reports that the cure may be worse than the disease.

Oracle patches critical Java bugs used to commandeer computers (ars technica)

Posted Sep 3, 2012 15:18 UTC (Mon) by Trou.fr (subscriber, #26289)

No, it's clearly not worse.
It's still vulnerable, but to other bugs, which are not (presumably) yet exploited in the wild.

Oracle patches critical Java bugs used to commandeer computers (ars technica)

Posted Sep 4, 2012 0:13 UTC (Tue) by mikov (subscriber, #33179)

It is really ironic how many commenters equate vulnerabilities in running applets (arbitrary downloadable code from the Internet) with vulnerabilities of the language itself. The idiocy has reached so high that people are calling for abandoning Java entirely ... in favor of C++ :-)

Oracle patches critical Java bugs used to commandeer computers (ars technica)

Posted Sep 4, 2012 1:51 UTC (Tue) by alankila (subscriber, #47141)

Also, in this case it appears that the applet runtime simply acts as a vector to carry the interesting payload that actually compromises the system.

That being said, I was disappointed to learn how the applet security manager is put together, as it appears to simply trust call sites in the system framework packages. Given the size of the software, it seems likely that bugs like this will be discovered for years and years, and that every new API level will supply new bugs, unless this aspect of its evolution is strenuously reviewed.

Then again, if you just sign your applet, and socially engineer the user to run it, the security manager is turned off in any case, opening the door to further exploits just the same. If applets are to be salvaged -- and it is not clear to me anybody wants that -- then the operating system must be hardened to not allow the browser to act as the user's agent, i.e. with his privileges.

Oracle patches critical Java bugs used to commandeer computers (ars technica)

Posted Sep 5, 2012 13:20 UTC (Wed) by ibukanov (subscriber, #3942)

In Norway many banks use Java applets with elevated privileges on their netbanking pages. With browsers automatically and users manually disabling Java due to unpatched vulnerabilities, that created a support nightmare and a rather negative attitude towards Java in general.

Oracle patches critical Java bugs used to commandeer computers (ars technica)

Posted Sep 6, 2012 16:55 UTC (Thu) by pboddie (subscriber, #50784)

I tried to find out why the BankID "detector applet" wanted full access to the host system (the stock message in the security dialogue mentions access to devices including the webcam, which is surely a reminder of the days when Java was the hot new toy for Internet-based entertainment) when it is portraying itself as something that is merely checking for Java and presumably loading the appropriate payload (because, of course, Java portability on the client was such a huge success), and the only response I recall now was along the lines of "because it needs it".

In fact, the architecture seems to involve the "applet" (in fact, an "application" if one uses the dot-com era terminology) calling out to other Internet addresses and performing some kind of authentication dance. Of course, all this is in vain if the system is down, which then means you can just use the old-fashioned login mechanisms instead. Which the banks have kept around because BankID does go down every now and again.

My feeling is that a bunch of people got a budget to develop their own local solution in the hope that they could make it a more broadly adopted standard. However, every nation's banking sector probably has its eyes on the same prize, so those dreams will never play out. They were influenced enough to make it work only with a single vendor's technology - it's what the consultants know, after all - and the consequence of that is that everyone is now exposed to that vendor's fantastic track record in fixing security issues in a timely fashion.

Oracle patches critical Java bugs used to commandeer computers (ars technica)

Posted Sep 6, 2012 20:24 UTC (Thu) by ibukanov (subscriber, #3942)

> why the BankID "detector applet" wanted full access to the host system

It tries to detect the presence of common malware and to fingerprint the system so in case of an infection it would be possible to black-list the customer's PC until Windows is reinstalled. In any case, running strace against a browser displaying a page with BankID is rather entertaining.

> They were influenced enough to make it work only with a single vendor's technology

If banks had known about the amount of support calls they would receive about the banking site not working on iPad, BankID would be dead on arrival. And banks could easily predict that state of affairs by trying to run BankID at the moment it appeared on Linux and other non-mainstream systems with a browser installed. That is, BankID has not even been a cross-platform solution. Indeed, those "were influenced enough"...

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds