|
|
Subscribe / Log in / New account

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

[Posted September 12, 2013 by corbet]

This ars technica article predicts some nasty security problems for Java 6 users. "The most visible sign of deterioration are in-the-wild attacks exploiting unpatched vulnerabilities in Java version 6, Christopher Budd, threat communications manager at antivirus provider Trend Micro, wrote in a blog post published Tuesday. The version, which Oracle stopped supporting in February, is still used by about half of the Java user base, he said. Malware developers have responded by reverse engineering security patches issued for Java 7, and using the insights to craft exploits for the older version. Because Java 6 is no longer supported ... those same flaws will never be fixed." See the original blog post for more information.
to post comments

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 2:14 UTC (Thu) by RCL (guest, #63264) [Link] (4 responses)

Every time you decide to implement something in Java God adds a level of indirection between you and Him.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 5:59 UTC (Thu) by ncm (guest, #165) [Link] (1 responses)

Where I work, the hiring staff who triage job applications have been instructed to rate experience developing in Java as equivalent to used-car sales. Having coded Java doesn't actually count as a negative ... yet.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 13, 2013 18:32 UTC (Fri) by jonabbey (guest, #2736) [Link]

Wow. What do you prefer?

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 7:09 UTC (Thu) by jtc (guest, #6246) [Link] (1 responses)

"Every time you decide to implement something in Java God adds a level of indirection between you and Him."

Does that mean that God is a CPU?

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 10:25 UTC (Thu) by sdalley (subscriber, #18550) [Link]

No. According to the FORTRAN IV standard, GOD is real, unless declared integer.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 5:20 UTC (Thu) by eru (subscriber, #2753) [Link] (45 responses)

Aren't security issues like this a problem only if you ill-advisedly attempt to use Java for web applets?

If you use it just as a general-purpose programming language, it should be no worse than Python, Ruby and so on, and probably safer than C or C++, in the sense that many kinds of memory usage errors in them are impossible or caught by the run-time system in Java.

I don't remember the last time I needed to use a Java applet on some web page, it seems to me they have been entirely replaced by JavaScript nowadays. Probably just some legacy in-house horrors remain. (There used to be a really ghastly one for working-hour entry at my previous workplace, but even that got replaced by a much more friendly Ruby-on-Rails based system before I left).

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 6:14 UTC (Thu) by bo (guest, #56215) [Link] (15 responses)

With regards to Java applet usage - Norway has extensive use of a Java-applet (www.bankid.no) for logging in to your bank account or digitally signing official documents such as student loans. It has a two-factor authentication with a one time password and a personal passphrase in order to log in.

It does however make it very difficult to completely get rid of Java. I, for one, just use it for bankID and nothing else.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 6:22 UTC (Thu) by smurf (subscriber, #17840) [Link] (10 responses)

So get the specs and reimplement it in Javascript and HTML5.

Should not take more than two hours. ;-)

(That being said, the way to find a realistic estimate is to multiply the initial estimate by two and go to the next-higher order of magnitude, so it'd be more like a week.)

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 6:57 UTC (Thu) by geuder (subscriber, #62854) [Link]

> So get the specs

Come on this is about security, so of course the specs must be kept secret

(sorry could not resist... comment not based on specific facts in the case mentioned, but on general experience)

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 7:16 UTC (Thu) by bytelicker (guest, #92320) [Link] (3 responses)

I think you are underestimating how critical it is to implement something like this. Massive amounts of testing is going to be needed. Everything sounds easy on paper. Another important note is that Banks are very paranoid about new technologies; which makes sense. A lot is at stake. Also with a with a HTML5 and Javascript implementation you suddenly rely heavily on browser security. There are many different flavours of browsers out there.

The answer is not an easy one.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 15:08 UTC (Thu) by drag (guest, #31333) [Link] (2 responses)

Nowadays when I see something like this I think of this quote:

"There are two ways of constructing a software design; one way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult."
-- C.A.R Hoare

Therefore if you want to have a secure login or something like that for a bank the goal is to avoid javascript, java, html5, etc etc.. as much as possible. I don't think there is a way to make these sorts of technologies actually secure.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 17, 2013 19:11 UTC (Tue) by dlang (guest, #313) [Link] (1 responses)

hmm, I've been running modified tivos for over a decade.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 17, 2013 19:12 UTC (Tue) by dlang (guest, #313) [Link]

oops, wrong thread, sorry

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 9:01 UTC (Thu) by ibukanov (subscriber, #3942) [Link] (4 responses)

The main reason BankId cannot be easily replaced by a JavaScript is that, as a signed applet, it can access a lot of stuff, that ordinary JS cannot. BankId implementation uses that to check for common malware infections and to fingerprint the computer. Also, for malware it is harder to subvert their code. Banks do not want to give up on that yet.

Still, given how bad the situation with Java, I would not be surprised that after few successful fraud attempts against big customers, banks change their mind.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 16:54 UTC (Thu) by pboddie (guest, #50784) [Link]

The "check for common malware infections and to fingerprint the computer" is one reason why I always run BankID in some kind of sandbox. I presume that as an implementer one can always make an argument for sniffing around on a person's computer for "security" reasons and to "look after them" in this way, but it's obviously intrusive especially when the actual operations being performed are kept secret (reverse engineering notwithstanding).

The dialogue that gets shown when one has to accept the elevated privileges of the signed applet under certain versions of the Java VM says it all when it tells you that the applet needs access to your system including your webcam. Naturally, the webcam thing is an artefact of Java's "cool" multimedia past, but in this situation it just underlines the creepy nature of a banking login mechanism wanting to poke around on a user's computer.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 22:43 UTC (Thu) by khim (subscriber, #9252) [Link]

Still, given how bad the situation with Java, I would not be surprised that after few successful fraud attempts against big customers, banks change their mind.

A few banks already did that and now instead of Java applet offer… regular .exe binary which must be installed with Admin privileges because it basically stops everything else on a system while it's running (it disables most network interfaces, removes all routes except routes needed to reach the server, freezes “suspicious programs”, etc).

This looks onerous, but I can kind of understand why they are doing this: my sister is accountant and she sometimes enlist my help in fixing the computers of her fellow accountants. Usually they are infected by literally dozens of viruses and trojans which, of course, makes them somewhat slower. AV software is installed and usually even tries to complain but is silenced “because it's popups make work impossible”.

Frankly this picture makes me sad: we are talking about backdoors and weaknesses in cryptographic standards but what does it change if people are this ignorant?

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 13, 2013 6:24 UTC (Fri) by eru (subscriber, #2753) [Link] (1 responses)

BankId implementation uses that to check for common malware infections and to fingerprint the computer. Also, for malware it is harder to subvert their code. Banks do not want to give up on that yet.

Sounds surprisingly complex, is that really needed?

The Finnish bank I use (Nordea) has used for decades an authentication that can be implemented with a bare HTML form (or with a TTY for that matter, it actually started that way): For login, a userid, and a single-use 4-digit code stored offline (you pick the next one from a piece of paper the bank sends you now and then). Transactions also require a final confirmation code, which is not single-use, but chosen from a set of 18 (the bank sends you a single letter as a challenge, you respond with the corresponding 4-digit code from the aforementioned piece of paper). Pretty low-tech, no applets needed. Most other Finnish banks also use something similar.

I have not yet heard of any attack against this that did not involve social engineering. A few years ago, a phishing mail managed to persuade some people to send their id, the next 10 or so login codes and the confirmation codes (this has always surprised me, because it is a lot of work to enter that much data, one would have expected warning bells to start ringing in the mind of the "mark" around entering the 5. code or so).

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 13, 2013 6:50 UTC (Fri) by ibukanov (subscriber, #3942) [Link]

> Sounds surprisingly complex, is that really needed?

It is useless... Successful attacks against Norwegian banks often involved malware that just replaced the HTML on the login page with own form that sends the login credentials to a remote server. There an operator manually enter the login information into own browser window and do the payment. Then, to confirm a payment, they tricked the user to enter an extra credentials claiming a security check.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 7:40 UTC (Thu) by dottedmag (subscriber, #18590) [Link] (1 responses)

The salvation is near: https://www.bankid.no/Presse-og-nyheter/Nyhetsarkiv/2013/...

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 9:05 UTC (Thu) by ibukanov (subscriber, #3942) [Link]

When the last time in Norway a big IT project involving many banks was finished on time? So "near" can very well imply that pure JS BankId will be implemented few years later....

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 13, 2013 10:24 UTC (Fri) by Lennie (subscriber, #49641) [Link]

Just be glad you don't live in South Korean, I believe banks still use ActiveX there.

Here is an article from 2008 that described what it was like:
http://asia.cnet.com/blogs/google-chrome-will-support-act...

I don't know if it has been solved, but the problem still existed at the end of 2012:
http://en.wikinews.org/wiki/South_Korean_presidential_can...

It might even be one of the reasons WebCrypto workgroup exists:
http://www.w3.org/2012/webcrypto/

http://www.w3.org/community/webcryptoapi/2012/03/28/a-dra...

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 18, 2013 16:14 UTC (Wed) by Arker (guest, #14205) [Link]

They should really look at Nordea's system and borrow it somehow instead of reinventing the wheel, badly.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 6:18 UTC (Thu) by smurf (subscriber, #17840) [Link] (16 responses)

Arguably, Java _is_ worse than e.g. Python, because the amount of boilerplate you need to write, e.g. for stuff like a simple iterator, easily dwarfs the code which actually does something.

For me, coding in Java has been the least productive exercises in programming ever. On par with COBOL ("ADD 1 TO FOO"), I'd say.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 10:37 UTC (Thu) by the.wrong.christian (guest, #73127) [Link] (5 responses)

Arguably, Java _is_ worse than e.g. Python, because the amount of boilerplate you need to write, e.g. for stuff like a simple iterator, easily dwarfs the code which actually does something.
Map<K,V> amap = ...;

for(K key: amap.keySet()) {
// Do something with key
}

String [] strings = ...;
for(String string: strings) {
// Do something with string
}
Not much boilerplate for simple iterators. With a decent IDE, Java can be quite productive.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 11:53 UTC (Thu) by HelloWorld (guest, #56129) [Link] (4 responses)

It's not using iterators that's hard, it's writing one. In Python, this is trivial due to the yield statement.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 16, 2013 16:51 UTC (Mon) by ThinkRob (guest, #64513) [Link] (3 responses)

It's not using iterators that's hard, it's writing one.
It's not hard. It's three methods, and one of those (#remove()) is optional. Here's an implementation of an array iterator. Works for any array: 
public class ArrayIterator<T>
implements Iterator<T>
{
	private int index = 0;
	private final T[] array;
	
	public ArrayIterator(T[] array)
	{
		this.array = array;
	}
	
	@Override
	public boolean
	hasNext()
	{
		return this.index < this.array.length;
	}
	
	@Override
	public T 
	next()
	{
		if (this.index < this.array.length)
		{
			return this.array[this.index++];
		}
		
		throw new NoSuchElementException();
	}
	
	@Override
	public void
	remove()
	{
		throw new UnsupportedOperationException();
	}
}
Not too difficult. Wordy, perhaps, but certainly not hard to write.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 16, 2013 22:51 UTC (Mon) by HelloWorld (guest, #56129) [Link] (2 responses)

I'm sorry, you Java fanboys are just pathetic. Here's the C# source code to do the same thing: 
public static IEnumerator<T> foo<T>(T[] bar) {
  foreach(var x in bar)
    yield return bar;
}
And of course it's easy to write this if all you're doing is iterating over an array. But things become much harder if you actually write an iterator that does something interesting. The C# (or Python) compiler actually helps you to get the control flow right, while Java is just in the way.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 17, 2013 8:40 UTC (Tue) by jezuch (subscriber, #52988) [Link]

> I'm sorry, you Java fanboys are just pathetic. Here's the C# source code to do the same thing:

Giving an example that is easier does not mean that the original example is not easy.

Now, the *real* problem with the original example is that it's a simple adapter. If the iterator is supposed to do some filtering, then it becomes significantly less easy. That's when I long for yield in Java :) But the upcoming lambda support in Java 8 is supposed to make this much, much easier and effectively eliminate the need for implementing iterators thus making yield insignificant.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 19, 2013 15:27 UTC (Thu) by ThinkRob (guest, #64513) [Link]

Apparently simply writing in a language makes me a fanboy. Who knew?

Yes, C# requires fewer lines. I wasn't playing code golf though; I was responding to the claim that it was hard to write an iterator. It's not. It may not be as few lines as you'd like, but it's not hard -- or at least it shouldn't be for anyone who knows the language well enough to be writing more than Hello World in it.

It's worth noting that C# isn't burdened by the same backwards-compatibility requirements that Java is. There's a *lot* of parts of Java that could be better if they were allowed to introduce breaking changes (the Collections API comes to mind), but that's the curse of being first I suppose.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 21:12 UTC (Thu) by juhah (subscriber, #32930) [Link] (8 responses)

I'd like to point out that Java 8 will improve syntax little in some cases:
Arrays.asList(1,2,3,4,5,6).stream().map(n -> n * n);

That said, Java syntax will still be far from python elegance, in general.

What is perhaps more interesting is JVM, not Java. Go checkout Clojure and Scala if you haven't heard of them yet. And how they all compare:
http://benchmarksgame.alioth.debian.org/

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 13, 2013 18:25 UTC (Fri) by jonabbey (guest, #2736) [Link] (7 responses)

I hear a lot of great things about Scala, including from some of my co-workers who are developing with it.

For myself, I'd preferentially choose to work with Clojure, but most of my Java work is in Ganymede, an open source network directory management framework, and I don't want to scare away the few people that seem inclined to adopt it by making them grok Lisp.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 16, 2013 23:25 UTC (Mon) by HelloWorld (guest, #56129) [Link] (6 responses)

The problem with Scala and Clojure is that they are hampered by the inadequacies of the JVM.
  • Structural types in Scala are slow (use introspection because the JVM doesn't allow for a class to retroactively implement an interface (Sun's "fix" for that is java.lang.reflect.Proxy, which is really just an ugly hack))
  • generics on the JVM suck
    • introspection is broken, something like foo instanceof Bar<Baz> doesn't work)
    • crazy inefficiencies due to boxing (an ArrayList<Byte> requires around 4 machine words per byte of payload) leading to hacks like GNU Trove or Scala's
  • no support for value types, so crazy inefficient if your objects are small (and let's not talk about the fact that every object carries around a lock, even if it's never accessed concurrently)
  • the type system is fucked up (covariant mutable arrays, wtf? And they have covariant return types, but no contravariant argument types (except if the argument happens to be this, yeah, that makes sense. Not.))
  • No tail call optimization, so compiler authors need to work around that, which is basically impossible except for simple cases
And that list isn't even exhaustive.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 17, 2013 5:15 UTC (Tue) by peter-b (guest, #66996) [Link] (5 responses)

> No tail call optimization, so compiler authors need to work around that, which is basically impossible except for simple cases

Makes it literally impossible to implement a Scheme on top of the JVM, for example (the Scheme spec *requires* tail call optimization).

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 17, 2013 10:34 UTC (Tue) by eru (subscriber, #2753) [Link] (3 responses)

Makes it literally impossible to implement a Scheme on top of the JVM, for example (the Scheme spec *requires* tail call optimization).

Now I'm curious: How can the JVM prevent tail call optimization? After all, it is just a matter of updating the variables that correspond to the parameters of the function, and then executing a goto to its start. And the JVM (being a low level language) has a goto.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 17, 2013 11:50 UTC (Tue) by peter-b (guest, #66996) [Link]

There's an interesting question on Stack Overflow that covers this:

http://stackoverflow.com/questions/105834/does-the-jvm-pr...

Don't forget that "true" tail call optimization implies that *any* tail call can be optimized, not just the self-recursion<->loop case.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 17, 2013 12:04 UTC (Tue) by HelloWorld (guest, #56129) [Link]

That's the kind of workaround I was referring to, it breaks for non-trivial cases, for example when it's not known at compile time which function implementation a call will end up in. 
scala> import scala.annotation.tailrec
import scala.annotation.tailrec

scala> class Test {
     |   @tailrec def apply { apply }
     | }
<console>:9: warning: method apply in class Test does nothing other than call itself recursively
         @tailrec def apply { apply }
                              ^
<console>:9: error: could not optimize @tailrec annotated method apply: it is neither private nor final so can be overridden
         @tailrec def apply { apply }
                      ^
It fails even for simple mutually recursive definitions: 
scala> @tailrec def even(x: Int): Boolean = x == 0 || odd(x - 1); @tailrec def odd(x: Int): Boolean = x != 0 && even(x - 1)
<console>:10: error: @tailrec annotated method contains no recursive calls
       @tailrec def even(x: Int): Boolean = x == 0 || odd(x - 1); @tailrec def odd(x: Int): Boolean = x != 0 && even(x - 1)
                    ^
<console>:10: error: @tailrec annotated method contains no recursive calls
       @tailrec def even(x: Int): Boolean = x == 0 || odd(x - 1); @tailrec def odd(x: Int): Boolean = x != 0 && even(x - 1)
It's not just about tail *recursion* optimization, it's about general tail *call* optimization. JVM modifications are needed to make this kind of thing work.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 17, 2013 18:56 UTC (Tue) by jonabbey (guest, #2736) [Link]

The StackOverflow link does a good job talking about the problem. Clojure gets around this by having explicit loop and recur statements that the Clojure compiler uses to set up trampolines as needed for recursion.

Without having JVM-level support, though, you do lose some tooling support and flexibility. It would make a very nice addition to the JVM, albeit more work to do than the invokedynamic feature that was added in Java 7 to support dynamic languages on the JVM.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 21, 2013 7:27 UTC (Sat) by Per_Bothner (subscriber, #7375) [Link]

Of course it's not literally impossible to implement full tail-call optimization on the JVM - it's just harder. Kawa has long done so. It uses a special calling convention, using a thread-specific CallContext object. This calling convention is optional, because it is slower, and doesn't interoperate with "native" Java as directly - you enable it using an optional --full-tailcalls flag. (Note you can mix code compiled with --full-tailcalls and --no-full-tailcalls.) (Also note that Kawa even with full tailcalls enabled is still generally faster than Clojure.)

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 14, 2013 10:25 UTC (Sat) by alankila (guest, #47141) [Link]

Here's a stupid anecdote against Python I ran into recently. Last thursday, I thought to write a little TCP server in Python. Unix command output was to be sent over tcp socket. It boiled down to something like this:

>>> import subprocess, gzip; subprocess.Popen(args="/bin/ls", stdout=gzip.GzipFile("testfile", "wb")).communicate()
(None, None)

The intent of code is hopefully clear. I should have a gzipped output 'testfile' of the command of /bin/ls. Unfortunately to me, Popen() calls fileno() on GzipFile and steals the handle from it, and writes uncompressed data bracketed by gzip gunk for 0-byte file. So, GzipFile shouldn't implement fileno(), or someone shouldn't play fast and loose with Popen and should rather read from the stdout/stderr pipes during communicate() and use the correct abstraction of file.write to write when a file object is passed in.

At least java's abstractions generally work correctly...

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 7:25 UTC (Thu) by geuder (subscriber, #62854) [Link] (2 responses)

> I don't remember the last time I needed to use a Java applet on some web page

One of the bigger Finnish banks is just replacing it in their online banking these days (and they got it when they were bought by a Danish bank, so probably they had it, too). The German tax administration has it in their online services. (Although it's only mandatory in Windows XP and it actually blocks old JRE versions so people are forced to upgrade at least a bit). It appears that similar examples are found from many countries, guaranteeing that 100s of millions of users need it. And even if they need it only once a year, most of them will not disable it.

I think most conference systems use it for screen sharing, Big Blue Button, screenleap, webhuddle. (Skype being a positive exception in this respect)

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 13, 2013 14:47 UTC (Fri) by smurf (subscriber, #17840) [Link] (1 responses)

> The German tax administration has it in their online services

Happily, for the most common uses this Java thing can be avoided; there is an implementation of the Elster protocol (which for the most part is actually documented(!!!)) which does the same thing in HTML5 and JS, as a Firefox app ("Geierlein").

Aside: "Elster" is supposed to be an acronym. It is also the German name for the magpie, a bird _not_ known for leaving your belongings alone, esp. small shiny valuable ones. It's a mystery how the IT people at the (normally quite humor-challenged) German tax office got away with that.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 18, 2013 12:10 UTC (Wed) by Arker (guest, #14205) [Link]

For the best bank interface I have seen look at nordea.se. Very secure logins and works fine with plain old html - www - browser technology requiring neither plugins nor ecmascript.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 7:58 UTC (Thu) by joib (subscriber, #8541) [Link] (1 responses)

AFAICT many GUI remote console features on servers are implemented in Java (or ActiveX, which is useless if you do your management from a non-Windows box). Perhaps from a security standpoint this isn't such a huge deal in the sense that if you expose your ipmi network to the outside world you're an idiot anyway. ;-/ But, it's a usability issue, as these remote console almost invariably tend to be crappy and work properly at best only half the time. As they seem to be implemented on top of VNC anyway, I can't figure out why server vendors don't let users just connect via any damn VNC client they please instead of having to use their crappy applet. /rant

(The "proper" solution, I guess, is to just use the standard IPMI serial-over-lan console and forget about the proprietary GUI console. But that typically requires enabling the serial console in the BIOS and then setting up grub/whatever to do console redirection, so it's a few extra steps..)

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 11:16 UTC (Thu) by dskoll (subscriber, #1630) [Link]

I can't figure out why server vendors don't let users just connect via any damn VNC client they please instead of having to use their crappy applet.

+1 to that. I manage a number of SuperMicro servers and while the ability to rebuild a server 200km away from bare metal is impressive, the Java console applet really is painful and horrible. Just let me use my normal VNC client!

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 8:32 UTC (Thu) by skitching (guest, #36856) [Link] (6 responses)

These are all security issues related to the Java sandbox. Server-side Java applications don't usually bother with setting up a sandbox, so these issues are irrelevant for them.

A server-side app can *potentially* use the sandbox to isolate possibly hostile code running within the same process (eg an app running plugins provided by customers, which might try to mess with the app's internals). Oracle's database allows stored procedures to be implemented in Java; I wouldn't be too surprised to find that the database uses a sandbox to prevent such stored procedures from messing with too much. However the vulnerability linked to in the article (related to the 2D graphics API) is unlikely to be available ;-)

The sandbox is used extensively for applets, and this is where users can be bitten by these issues. However very few mainstream language even *attempt* to provide a sandbox environment in which totally untrusted code can be run; javascript in a browser is one - and that also has a regular stream of problems.

ActiveX doesn't bother with a sandbox at all. ActiveX relies on users "trusting" the publisher of the signed plugin; Java supports this model too : *plus* a sandbox.

Re the "banking applets" discussion below: presumably these applets are all *signed* by the bank that provides them. There is therefore no real issue; the user can trust the bank, and the sandbox is actually irrelevant. If a bank customer doesn't trust their bank sufficiently to install software signed by them, they should move to a different bank.

So in short: these security issues only bite people who install applets which are unsigned or signed by untrustworthy providers which *then* exploit a sandbox hole.

Having said that, I am partially guilty of the above from time to time. In particular, some concert/theatre ticket selling companies and airlines use graphical Java applets for seat-selection. Not all these applets are properly signed, and the providers aren't "high trust" companies like banks. However even then, I mostly trust these companies.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 16:01 UTC (Thu) by luto (guest, #39314) [Link]

This is, unfortunately, barely true. Did you know that, when you run a signed Java Web Start app, there's no sandbox at all? I didn't for quite a while, because the UI appears to have been designed by ActiveX engineers. (Why IcedTea isn't better is a mystery to me.)

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 17:50 UTC (Thu) by dps (guest, #5725) [Link] (3 responses)

The support for signed applets in Java is at least potentially better than what active X did. Active X always provided all privileges to the code, which was trusted by default if a company signed it.

Instead Java allows you to decide which privileges on a small list the signature should confer: you could allow a signed applet to use your printer but not access your hard disc, modulo UI designers deeming this too complex for normal users and only supporting something simpler. This might mean that even a signed applet can print but can't find your M$ money installation and bill your credit card.

In terms of seat booking and similar application I can't see the need to do anything not permitted inside the sandbox. What beyond communicating with the originating server and drawing a pretty picture, which is activity allowed inside the sandbox, do these applications need? Most banking applications probably should not be doing much beyond that too.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 21:17 UTC (Thu) by luto (guest, #39314) [Link] (2 responses)

Really? The *app* can decide on what privileges it wants, but (unlike Android, for example), the user doesn't seem to get any indication of what the app requested.

(I'm talking about JNLP apps here, which are more common in my industry. Actual applets are probably better.)

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 13, 2013 18:34 UTC (Fri) by jonabbey (guest, #2736) [Link] (1 responses)

Try running 'jcontrol' on your box, it's a seldom-noticed Java control panel that lets you adjust what kind of security permissions you're willing to give away to JNLP apps and etc.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 21, 2013 10:57 UTC (Sat) by luto (guest, #39314) [Link]

jcontrol appears to be part of a speech recognition package. There's itweb-settings.itweb, which is some combination of useless and incomprehensible.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 13, 2013 18:32 UTC (Fri) by jonabbey (guest, #2736) [Link]

Starting in the Java update that Oracle put out this week (Java 7.0_40), all JNLP apps that are not code-signed using a cert from a recognized CA get big scary warning dialogs whenever you run them, with no way to say that you accept the cert on an ongoing basis.

The same dialog warns that in a future release of Java, non-signed / self-signed JNLP apps will just not work anymore. We've been self-signing our Ganymede client and admin console JNLP apps all along in the lab, but that's not going to be enough going forward.

It seems that Oracle has had enough bad press about Java, and are getting serious about tightening things up.

It'll be a hassle for us, having to get a code-signing cert, but maybe folks will change their mind about the safety / reliability of Java?

(spoiler: I don't really believe those who like to slam Java will change their minds ever at this point).

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 14:20 UTC (Thu) by jhhaller (guest, #56103) [Link] (6 responses)

The real problem with applets is that if one needs to use an applet, Java needs to be enabled in the browser, which subjects one to drive-by-downloads. Unless one has a click-to-activate policy which is always enforced, unlike the Firefox approach of "we don't know of any vulnerabilities in this version of Java yet, so lets run the applet from trojanhorsespyware.com", drive-by downloads are still a problem. It's too much to expect people to only enable Java applets just for the sites that need it, then to immediately disable them.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 20:44 UTC (Thu) by luya (subscriber, #50741) [Link]

Which version of Firefox? On Windows version, Java is automatically disabled due to its vulnerability. I don't know about Linux version because my system only runs openjdk based Java.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 12, 2013 22:47 UTC (Thu) by khim (subscriber, #9252) [Link]

Well, if you use Java6 with recent version of Firefox then Java applets are permanently disabled but you can enable them on specific website if you notice red lock in the location bar. This actually makes Java6 safer choice then Java7 for the users who only need Java for banks :-)

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 14, 2013 1:17 UTC (Sat) by marcH (subscriber, #57642) [Link] (3 responses)

> Unless one has a click-to-activate policy...

I only recently found the "click to play" feature in Chrome. I heard about it by chance. Whereas this perfect feature should be enabled by default it's completely buried way down in the settings: ridiculous.

On Firefox it's much worse since you have install the FlashBlock plugin. Is there even a "JavaBlock" Firefox plugin or better, a generic "click to play" plugin?

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 14, 2013 2:19 UTC (Sat) by Fowl (subscriber, #65667) [Link] (1 responses)

Click to play is on by default for many plugins and configurable for all in current versions of Firefox.

https://blog.mozilla.org/security/2013/01/29/putting-user...

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 14, 2013 19:55 UTC (Sat) by marcH (subscriber, #57642) [Link]

Excellent news (to me), thanks!

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Oct 16, 2013 16:08 UTC (Wed) by wookey (guest, #5501) [Link]

The (arguably misnamed) quickjava plugin gives you a row of buttons to quickly enable/disable any of javascript, java, silverlight, images, flash, cookies, animations and styles/css. I find this exceedingly useful.

Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 21, 2013 19:40 UTC (Sat) by gnu_andrew (guest, #49515) [Link]

It should be noted that this is implicitly referring to the proprietary Oracle JDK 6. OpenJDK 6 still gets updates from us at Red Hat.


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds