LWN.net News from the source
The new Java 0Day examined (The H)
Posted Aug 30, 2012 14:17 UTC (Thu) by smurf (subscriber, #17840) [Link]
Why am I not at all surprised?
The new Java 0Day examined (The H)
Posted Aug 30, 2012 14:32 UTC (Thu) by mjw (subscriber, #16740) [Link]
And patches posted to openjdk:
http://thread.gmane.org/gmane.comp.java.openjdk.beans.dev...
The new Java 0Day examined (The H)
Posted Aug 30, 2012 15:26 UTC (Thu) by geuder (subscriber, #62854) [Link]
The new Java 0Day examined (The H)
Posted Aug 30, 2012 16:22 UTC (Thu) by Otus (subscriber, #67685) [Link]
The new Java 0Day examined (The H)
Posted Aug 30, 2012 18:58 UTC (Thu) by dowdle (subscriber, #659) [Link]
The new Java 0Day examined (The H)
Posted Aug 30, 2012 14:59 UTC (Thu) by dashesy (guest, #74652) [Link]
The new Java 0Day examined (The H)
Posted Aug 30, 2012 17:40 UTC (Thu) by Kit (guest, #55925) [Link]
As long as the plugins are distributed via an executable installer, there's not really much of anything Firefox can do about it. Sadly, that just seems to be how it's going to go.
The new Java 0Day examined (The H)
Posted Aug 30, 2012 18:19 UTC (Thu) by dashesy (guest, #74652) [Link]
I agree it does not seem to be straight forward. However if the setting is something user visible in a menu (as opposed to some obscure about:config), and another setting warns about possible outsider intrusions, the user will notice it, and will require bolder plugin developers to sneak in with their installers (and subdue the warning).
As a rule of thumb, any plugin that does not have an easy "uninstall" or "update" should be blacklisted with a big warning (e.g. "Firefox is tainted by ...") somewhere visible (maybe in the caption title) until disabled by user, or fixed by developer.
The new Java 0Day examined (The H)
Posted Aug 30, 2012 22:29 UTC (Thu) by HenrikH (subscriber, #31152) [Link]
Not even crypto signing would work here since the private key must be found on the machine somewhere for Firefox to update it's own profile and the plugin installers would thus also find it.
The new Java 0Day examined (The H)
Posted Aug 31, 2012 7:48 UTC (Fri) by tialaramex (subscriber, #21167) [Link]
From the outset other applications have deliberately tried to sneak past Firefox's built-in restrictions.
That's because those applications are _malware_ and the technical community's failure to react correctly to that is our fault.
When Microsoft did this we got the victim blaming "Firefox should have better defences" as if the application developer can protect their app against the OS vendor. What we should have seen was an outcry until Microsoft put some heads on the block. "My predecessor lost their job for that" is a surprisingly powerful incentive not to behave unethically.
If you could name a handful of senior figures at Microsoft who had left the industry because of that "clever" but quite obviously unethical trick, this wouldn't now be so popular. But instead Windows programmers (for it's always Windows) know that whatever they do to Firefox the technical community will say "Well, Firefox deserved it" and the victim gets the cleanup bill.
The new Java 0Day examined (The H)
Posted Aug 31, 2012 17:02 UTC (Fri) by smurf (subscriber, #17840) [Link]
Reverse Sandboxing would help. I.e. you don't park the plugin into a sandbox (though that's also a good idea, albeit harder to implement), but the part of the browser that stores options and handles authorization.
(Frankly, what would also help is to learn about the difference between "its" and "it's". Just sayin'.)
The new Java 0Day examined (The H)
Posted Sep 17, 2012 15:41 UTC (Mon) by HenrikH (subscriber, #31152) [Link]
There is _nothing_ that Firefox can do to protect itself from this. _Nothing_.
The new Java 0Day examined (The H)
Posted Sep 17, 2012 15:53 UTC (Mon) by khim (subscriber, #9252) [Link]
No it doesn't, since the plugin author has complete control of the computer he can bypass whatever Firefox does, if Firefox implement reverse sandboxing then the plugin will simply do all the steps that Firefox would do when the user clicks the "click OK to really intstall this plugin".
At this point said plugin is in clear violation of DMCA anti-circumvention provision and should be treated as malware: added to AV-databases (which will block it's installation and will be quickly be updated if new version of plugin will be released), etc.
There is _nothing_ that Firefox can do to protect itself from this. _Nothing_.
Firefox can not, Mozilla foundation can. I'm not sure if they have enough guts to try, but yes, they can prevent that for most plugins.
The new Java 0Day examined (The H)
Posted Aug 30, 2012 16:25 UTC (Thu) by bronson (subscriber, #4806) [Link]
I've been disabling the Java runtime on all my plaforms for at least two years, a span of 3 or 4 0days... I haven't missed it at all.
(It's somewhat ironic how the VM was supposed to keep you sandboxed and safe, and yet it's the VM that keeps giving up the farm...)
-- ex Java developer
The new Java 0Day examined (The H)
Posted Aug 30, 2012 17:07 UTC (Thu) by hpa (guest, #48575) [Link]
sun.awt.SunToolkit.getField()
... sounds like something that was just waiting to be exploited, it is half of a security hole all by itself. It just needed the other half.
Browser Java deprecated ... the enterprise problem
Posted Aug 30, 2012 17:23 UTC (Thu) by kmself (guest, #11565) [Link]
As with much else on the security front, inherently vulnerable and/or poorly maintained technologies (of which Java is increasingly appearing to be both) are often required for legacy business purposes. Specific in-house, or worse, business-partner (buyer / seller / government) apps which are required for operations, one-offs, and often, are difficult to replace.
For the run-of-the-mill user to disable and/or remove browser Java support probably is a no-brainer now. Business users may have other needs, and worse, may not have the administrative rights to modify their configurations.
The rest of us can engage in some self-satisfying "I told you so". After we confirm we've disabled the crud ourselves.
Browser Java deprecated ... the enterprise problem
Posted Aug 30, 2012 17:57 UTC (Thu) by nim-nim (subscriber, #34454) [Link]
I suspect that to transform changed JVM code in something that can be downloaded for Windows/Solaris/Linux Oracle needs its people to click in various GUI tools, drag and drop files from folders to folders, get approval from various management and QA teams (either physically or through some web forms), and that the whole thing is such a manual bureaucratic nightmare they pretty much can only do releases on a schedule prepared months in advance.
The modus operandi of a company like SUN/Oracle is light years away from the one of the Linux kernel, where Linus could freeze operations a few weeks to write git, just because he didn't like his tooling, and wanted something more efficient. At Sun/Oracle some people write code and others transform it in product binaries, and no one in the first group would even dream intruding on what the second group does.
Browser Java deprecated ... the enterprise problem
Posted Aug 30, 2012 19:20 UTC (Thu) by mjw (subscriber, #16740) [Link]
What is weird is that the second group which pushes out proprietary binaries seems to trump the first group which actually creates free software source code (OpenJDK is published under the GPL). Apparently there is now a proprietary binary jdk release from Oracle out there that presumably fixes the issue, but the only code published through OpenJDK is from the IcedTea people (I posted a patch yesterday and only non-Oracle engineers replied and tested it).
It is as if there is a priority reversion where binaries come before publicly reviewed code.
Java is modern cobol thanks to Y2K
Posted Aug 30, 2012 22:14 UTC (Thu) by landley (guest, #6789) [Link]
And that's how a thing that runs in your browser (and might grow to the desktop someday) turned into a Fortune 500 back-end mainframe data shoveler. Of course Cobol Jr. it's all about the enterprise: Browser applets were replaced by flash a decade ago (and Flash is already on its way out).
I doubt we'd even _remember_ Java if it wasn't for Y2K, any more than RealAudio or Visual Basic.
Rob
Java is modern cobol thanks to Y2K
Posted Aug 31, 2012 1:18 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
Mostly because it's the only real (non-toy) cross-platform static language with a performant VM.
Java is modern cobol thanks to Y2K
Posted Aug 31, 2012 2:07 UTC (Fri) by marcH (subscriber, #57642) [Link]
By the way a number of other languages also compile into java bytecode.
Java is modern cobol thanks to Y2K
Posted Aug 31, 2012 9:57 UTC (Fri) by job (guest, #670) [Link]
Android had to be quick to market (built on Linux), and accessible to programmers (Java), in order to present itself as an aquisition target. Had Android been developed inside Google it might very well have been done differently. I often fantasize about an Android built on Python instead.
Java is modern cobol thanks to Y2K
Posted Aug 31, 2012 14:13 UTC (Fri) by drag (guest, #31333) [Link]
Java is still extraordinarily popular language for enterprise server applications.
That is because it's the only real VM and it is the only significant competitor to .NET.
Java is modern cobol thanks to Y2K
Posted Aug 31, 2012 16:20 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
Android-on-Python would have been even more slower (Java is a _fast_ interpreted language) and without possibility for enhancements (JITs for Java are commonplace, JITs for Python are not).
And of course, lack of static typing.
Java is modern cobol thanks to Y2K
Posted Sep 1, 2012 23:06 UTC (Sat) by anselm (subscriber, #2796) [Link]
Android-on-Python would have been even more slower (Java is a _fast_ interpreted language) and without possibility for enhancements (JITs for Java are commonplace, JITs for Python are not).
PyPy is supposed to be very good indeed.
Java is modern cobol thanks to Y2K
Posted Sep 2, 2012 3:28 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]
We're using a lot of Python (and numpy) code in our R&D and so I've tested all possible ways to make Python work faster. They all suck in various ways.
Java is modern cobol thanks to Y2K
Posted Sep 7, 2012 13:33 UTC (Fri) by pboddie (guest, #50784) [Link]
Within Google - I'm guessing that you and another prominent commenter on LWN work there given the numerous "nod and wink" references to various projects - there have apparently been a number of projects to improve Python performance and/or predictability, some being very widely known and others only barely surfacing on the radar of the most central Python core developers (many of whom also seem to be at Google), so I'd be interested to hear what you've looked at.
The new Java 0Day examined (The H)
Posted Aug 30, 2012 23:08 UTC (Thu) by cma (guest, #49905) [Link]
What males you think there is no need of há ing java ru time on any client? Se have been deploying java based solution for financial markets focusing los latency clientes for morder and risk management systems...no problemas so far concerning security contraints compared to a C/C++ or .NET based solutions. Bugs exista on any tecnology or enviroment. Besides security you should falso be concerne on performance, and manteinability of the product as well multiplatform deployment. Java exceeds on any of those even on security constrained enviroment. And that's why java is the facto enterprise and mobile platform... Rgrds. Edu
The new Java 0Day examined (The H)
Posted Aug 30, 2012 23:28 UTC (Thu) by cma (guest, #49905) [Link]
Dammit android's auto correct...sorry below the corrected post: What makes you think there is no need in having java runtime on any client? We have been deploying java based solution for financial markets focusing low latency clients for order and risk management systems...no problemas so far concerning security contraints compared to a C/C++ or .NET based solutions. Bugs exists on any tecnology or enviroment. Besides security you should also be concerned on performance, and manteinability of the product as well multiplatform deployment. Java exceeds on any of those even on security constrained enviroments. And that's why java is the facto enterprise and mobile platform... Rgrds. Edu
The new Java 0Day examined (The H)
Posted Aug 30, 2012 17:27 UTC (Thu) by reddit (guest, #86331) [Link]
As far as I can tell, they are directly acting to help the activities of criminals and organized crime all around the world.
Oh, and maybe they should be forced to pay a reparation of $100k at least (or an equal share of their assets after they declare bankruptcy due to this) for every person they intentionally put in danger of getting all their personal data stolen and/or destroyed.
The new Java 0Day examined (The H)
Posted Aug 30, 2012 18:10 UTC (Thu) by pr1268 (subscriber, #24648) [Link]
Why isn't there criminal prosecution for the managers of companies that leave vulnerabilities unpatched?
Negligence can be a crime, but ignorance and stupidity aren't. At least not yet. Many PHBs simply pull the wool over their eyes and pretend their company/organization couldn't possibly be the target of maliciousness. Sigh.
The new Java 0Day examined (The H)
Posted Aug 30, 2012 19:19 UTC (Thu) by mpr22 (subscriber, #60784) [Link]
Why isn't there criminal prosecution for the managers of companies that leave vulnerabilities unpatched?
You're invited to suggest answers to the following questions:
The new Java 0Day examined (The H)
Posted Aug 30, 2012 20:30 UTC (Thu) by richmoore (guest, #53133) [Link]
Don't forget:
The new Java 0Day examined (The H)
Posted Aug 30, 2012 20:48 UTC (Thu) by mpr22 (subscriber, #60784) [Link]
Not paying anything might cover civil liability, but criminal liability's another kettle of fish.
The new Java 0Day examined (The H)
Posted Aug 31, 2012 14:17 UTC (Fri) by drag (guest, #31333) [Link]
Because that would be damn stupid thing to do.
> As far as I can tell, they are directly acting to help the activities of criminals and organized crime all around the world.
So does roads and airports, but nobody is trying to prosecute them.
> Oh, and maybe they should be forced to pay a reparation of $100k at least (or an equal share of their assets after they declare bankruptcy due to this) for every person they intentionally put in danger of getting all their personal data stolen and/or destroyed.
Or you could just take responsibility for your own life and not use shitty software.
The new Java 0Day examined (The H)
Posted Sep 2, 2012 1:30 UTC (Sun) by gmaxwell (guest, #30048) [Link]
Or you could just take responsibility for your own life and not use shitty software.Meh. Everything else you said was great— but software, certainly closed source binary software, is something of a lemon market. The authors may know that the software was rushed, untested, and shoddy, but the users can only tell after the fact. It's not right to blame the victims, even if it also isn't right to hold the perpetrators accountable.
Perhaps it might be more realistic to establish disclosure requirements— thus delemoning the market and reducing the incentives to be dishonest about your poor software quality— than it would be to make people responsible for unreliable and poorly maintained code?
The new Java 0Day examined (The H)
Posted Sep 7, 2012 10:23 UTC (Fri) by ortalo (subscriber, #4654) [Link]
The "culprit" will be the one who tries to exploit (maybe even the one who finds/talks about it), not the one that leaves everything exploitable.
For me, this situation is not satisfying; however, Very Serious People usually think it is.
The new Java 0Day examined (The H)
Posted Aug 30, 2012 17:44 UTC (Thu) by pheldens (guest, #19366) [Link]
The new Java 0Day examined (The H)
Posted Aug 30, 2012 18:48 UTC (Thu) by juhah (subscriber, #32930) [Link]
The new Java 0Day examined (The H)
Posted Aug 31, 2012 7:26 UTC (Fri) by ogj (subscriber, #3024) [Link]
The new Java 0Day examined (The H)
Posted Aug 31, 2012 5:18 UTC (Fri) by CChittleborough (subscriber, #60775) [Link]
Java sandboxes untrusted applets by having library methods that do possibly-dangerous things check for permission first. It's a tedious, finicky approach that requires programmers who work on low-level library classes to think carefully about security. That the Oracle team either ignored the security implications ofExpression.execute() or bungled the checking says something very bad about Oracle's project management. Erk.
And still can't save.
Posted Sep 1, 2012 5:35 UTC (Sat) by gmatht (guest, #58961) [Link]
Incidentally, since BicaVM came fairly close to creating a JavaScript JVM, I wonder if we could compile a JVM into NaCl to eliminate additional risk from Java plugins?
And still can't save.
Posted Sep 2, 2012 1:20 UTC (Sun) by khim (subscriber, #9252) [Link]
Incidentally, since BicaVM came fairly close to creating a JavaScript JVM, I wonder if we could compile a JVM into NaCl to eliminate additional risk from Java plugins?
Well, Mono and V8 both work with NaCl so it's perfectly possible. The devil is in details, as usual. NaCl does not support all the APIs Java plugin supports (no synchronous API at all) so you can not create drop-in replacement. You can embed NaCl in the usual Java plugin instead... but this will be huge mess so it's not clear if it'll be an advantage or not.
0Day? Too late
Posted Sep 7, 2012 14:02 UTC (Fri) by man_ls (guest, #15091) [Link]
In the interest of pedantry, this is not a 0-day vulnerability. If it has been known to Oracle since April, and it is now widely known, then the vendor has had several days (or months) to patch it, so it is a regular unpatched vulnerability. 0-day means that the malicious party has a head-start over everyone else, including the vendor.
Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds