
(Ars Technica)   Great news everyone: there's ANOTHER zero-day exploit for Java that wasn't patched in their latestest fix, and it's being sold online to hackers for a mere $5k   (arstechnica.com)

3106 clicks; posted to Geek » on 16 Jan 2013 at 2:53 PM (1 year ago)




Archived thread

 
2013-01-16 01:35:05 PM
Goddammit, Oracle!
 
2013-01-16 02:01:03 PM
If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.
 
2013-01-16 02:18:12 PM

Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.


Boy, I'd love to not use Java; but a lot of the sites we go to use Java. Our freakin' EHR system uses Java. This is gonna screw us over.

Just deployed the .reg file to disable Java. Dammit.
 
2013-01-16 02:58:02 PM
Unless you randomly click links from your spam folder, enjoy visiting Russian piracy websites, or go to random porn sites you found after being automatically redirected by clicking on an image during a Google image search, you have nothing to worry about.

The people who are affected by this are morons that lack common sense with over-privileged user accounts.
 
2013-01-16 02:59:54 PM
So what happens when we're all using HTML5 and our rich content has no 'plug-in' providers?

Instead of an exploit in Java or Flash or Silverlight that we can disable - won't we just have an exploit in how browser X handles some particular aspect of HTML 5 that is exploitable? Then it'll be 'Don't use browser X until patched?'

Or am I misunderstanding?
 
2013-01-16 03:05:53 PM

Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.


Yeah, this was fun this morning dealing with the disabled Java on some systems. Several of our admin consoles use a Java client to operate and suddenly they weren't working because Mozilla disabled the Java plug-in in Firefox remotely.

Tried to downgrade to 6u38, which is what our security team says we have to use, and it didn't work. Finally went to the 7u11 version and it works... but for how long...
 
2013-01-16 03:07:07 PM
It's basically sky is falling chicken little overreaction.

I don't know... Maybe it's just me and other older folks who grew up with the internet and have a 6th sense about how to avoid internet traps. I survived all of the 90s without ever being infected by shiat, and everything was exploitable and lacked any kind of security. On top of that the web was still the wild wild west back then too. I actually had a copy of Back Orifice on my PC just to fark around with... I learned how it worked to avoid ever being infected by it.
 
2013-01-16 03:11:26 PM

Fark_Guy_Rob: Instead of an exploit in Java or Flash or Silverlight that we can disable - won't we just have an exploit in how browser X handles some particular aspect of HTML 5 that is exploitable?


You already have that risk in browsers, even without HTML5. HTML5 might increase the overall surface area, but by a much smaller margin than loading plugins with their own runtimes would. But there's no particular reason hackers couldn't exploit some quirk of a browser's rendering/javascript engines. Heck, I know there were plenty of exploits like that for ancient versions of IE due to how tightly ActiveX was integrated into the browser (sort of a plugin, sort of not).

All that said, WebGL does actually pose a fairly serious security risk, as it exposes the ability to send commands directly to hardware. At the very least, it creates a DoS vulnerability.
 
2013-01-16 03:14:14 PM

styckx: Unless you randomly click links from your spam folder, enjoy visiting Russian piracy websites, or go to random porn sites you found after being automatically redirected by clicking on an image during a Google image search, you have nothing to worry about.


Except that shiat-tons of people have Java installed and no real mechanism for finding out about these issues. Remember that these are people who won't install Windows updates because some goofus in their office told them 15 years ago that updates slow down or screw up their computer. These same people aren't going to notice or understand notifications from their security software or take the time to read "techie mumbo-jumbo." They just wanna play that one game they like on Yahoo.

The Firefox answer of silently disabling Java is probably the best we can hope for, for a huge swath of end users who don't have anybody managing their systems for them.
 
2013-01-16 03:16:18 PM
I guess subby would say this is the latestest stain added to Orcale's record.
 
2013-01-16 03:33:09 PM
Here's to hoping this hits Pogo.com deep in their pockets.
 
2013-01-16 03:36:07 PM
Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.

I would like to see some modern language that supersedes it.

As a developer, Java was great in concept. But in implementation, it seemed like a giant PITA to me (coming from a perl/C background).

We need a modern language and tools that make it much easier for the programmer to develop code.

Anyone that's dealt with maven when it shiats itself on your project for no particular reason can attest to this.

// If I never see another java stack trace or have to edit a POM file by hand again, it will still be too soon.
 
2013-01-16 04:01:19 PM
I just hit threat/risk saturation when I was installing this morning's Java update, cancelled out of it when instead of "update" the UI had a button for "install", and I just deleted/disabled everything on my PC with the word java, script, oracle, or sun in it.
 
2013-01-16 04:04:31 PM
Goddammit all to hell. I do tech support for a university, and while yes, I understand the risks, I don't have a fecking choice but to make sure people use Java to use the software they need to do their online education.
 
2013-01-16 04:09:16 PM
Hasn't this been the case with Java since, well, forever? Why are people running around crazy just recently?
 
2013-01-16 04:16:37 PM
Write once, exploit everywhere!
 
2013-01-16 04:18:14 PM

lordargent: Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.

I would like to see some modern language that supersedes it.

As a developer, Java was great in concept. But in implementation, it seemed like a giant PITA to me (coming from a perl/C background).

We need a modern language and tools that make it much easier for the programmer to develop code.

Anyone that's dealt with maven when it shiats itself on your project for no particular reason can attest to this.

// If I never see another java stack trace or have to edit a POM file by hand again, it will still be too soon.


I think Qt has the write idea: GUI and libraries for almost any system and OS.  Allows for low level access if needed and it is super easy to integrate other code/libraries into projects.
 
2013-01-16 04:23:56 PM
So, if you drink the wrong kind of coffee, they can hack your brain?
 
2013-01-16 04:26:29 PM

Brontes: I think Qt has the write idea: GUI and libraries for almost any system and OS. Allows for low level access if needed and it is super easy to integrate other code/libraries into projects.


And this gives us a sandboxed runtime environment how?
 
2013-01-16 04:27:47 PM

Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.


I was told repeatedly by Java developers that the sandbox is secure.
 
2013-01-16 04:28:49 PM

Brontes: I think Qt has the write idea


Qt is just a GUI library, though. It's not a language. It's not the same sort of thing to compare.

Java's core issue was that it started out too heavily focused on being "pure", eschewing things like generics and on the enterprise side, focusing more on configuration over everything else. Tying together a J2EE app through JNDI is a complete clusterfark. With huge variations between containers and hosts and clients, the whole promise of "write-once..." failed utterly.

Just as Java was starting to be pressured to modernize and join us in reality, Sun started shiatting the bed. Oracle has no interest in improving Java, or honestly, even in distributing it. Oracle will use it in their own products, but they mostly bought Sun for Solaris, anyway.

Long story short: Java started by handicapping itself and just when it really needed the most support from its owners, they decided to ignore it.
 
2013-01-16 04:29:31 PM

Vlad_the_Inaner: And this gives us a sandboxed runtime environment how?


Pretty much in the same way Java does.
 
2013-01-16 04:30:58 PM

lordargent: Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.

I would like to see some modern language that supersedes it.

As a developer, Java was great in concept. But in implementation, it seemed like a giant PITA to me (coming from a perl/C background).

We need a modern language and tools that make it much easier for the programmer to develop code.

Anyone that's dealt with maven when it shiats itself on your project for no particular reason can attest to this.

// If I never see another java stack trace or have to edit a POM file by hand again, it will still be too soon.


The problem with Java is that it is open source and every farking asshole thinks they need to redevelop the same goddamn wheel only with spinning rims instead of steel ones.

I never thought I would long for the days when Microsoft controlled VB and Visual C++, but after working in Java for the last 10 years I'm ready to quit this shiat and become a .Net developer.
 
2013-01-16 04:31:14 PM

lordargent: Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.

I would like to see some modern language that supersedes it.

As a developer, Java was great in concept. But in implementation, it seemed like a giant PITA to me (coming from a perl/C background).

We need a modern language and tools that make it much easier for the programmer to develop code.



But this was why they invented Java.
 
2013-01-16 04:35:14 PM
 Brontes: I think Qt has the write idea

Qt is just a GUI library, though. It's not a language. It's not the same sort of thing to compare.

Java's core issue was that it started out too heavily focused on being "pure", eschewing things like generics and on the enterprise side, focusing more on configuration over everything else. Tying together a J2EE app through JNDI is a complete clusterfark. With huge variations between containers and hosts and clients, the whole promise of "write-once..." failed utterly.

Just as Java was starting to be pressured to modernize and join us in reality, Sun started shiatting the bed. Oracle has no interest in improving Java, or honestly, even in distributing it. Oracle will use it in their own products, but they mostly bought Sun for Solaris, anyway.

Long story short: Java started by handicapping itself and just when it really needed the most support from its owners, they decided to ignore it.


That isn't exactly true. Qt encapsulates a lot of system calls and wraps them into one class. QFile, QThread, QQueue, etc. work across all platforms (tried on OSX, Linux, Windows, not on Android or iOS yet). Then it is about managing the compiler and cross compiling, which QtDesigner handles well enough.
 
2013-01-16 04:35:34 PM

t3knomanser: Brontes: I think Qt has the write idea

Qt is just a GUI library, though. It's not a language. It's not the same sort of thing to compare.

Java's core issue was that it started out too heavily focused on being "pure", eschewing things like generics and on the enterprise side, focusing more on configuration over everything else. Tying together a J2EE app through JNDI is a complete clusterfark. With huge variations between containers and hosts and clients, the whole promise of "write-once..." failed utterly.

Just as Java was starting to be pressured to modernize and join us in reality, Sun started shiatting the bed. Oracle has no interest in improving Java, or honestly, even in distributing it. Oracle will use it in their own products, but they mostly bought Sun for Solaris, anyway.

Long story short: Java started by handicapping itself and just when it really needed the most support from its owners, they decided to ignore it.


Which is really just another indictment of McNealy and the rest of senior Sun leadership.  My contention was that their love affair with Java pulled resources and attention away from the hardware/server business, which they were actually good at.

SunOS / Solaris was a thing of wonderment, probably the most tuned Unix in history.  Oracle knows this.  But Sun's senior leadership in the 1990s and 2000s ignored this and focused on Java.  And every one of them should be held accountable forever.

// I miss Sun Solaris.
 
2013-01-16 04:47:22 PM
Are there any websites or programs that still need Java? Uninstall it already.
 
2013-01-16 04:51:59 PM

StopLurkListen: I just hit threat/risk saturation when I was installing this morning's Java update, cancelled out of it when instead of "update" the UI had a button for "install", and I just deleted/disabled everything on my PC with the word java, script, oracle, or sun in it.


That could have some interesting ramifications. You understand that Java and JavaScript are two entirely different things, right?
 
2013-01-16 04:52:08 PM

uncoveror: Are there any websites or programs that still need Java? Uninstall it already.


Grr, the android SDK requires it :/
 
2013-01-16 04:55:45 PM
Generation_D: But this was why they invented Java.

They made it "easier" by enforcing rigor so that poor programmers wouldn't get anything to compile, and that good programmers would be driven insane by the hoops they have to jump through to do something useful.

This also made it "easier" to send java work offshore, where you can get two developers for the price of one onshore one. (but quantity doesn't necessarily == quality).
 
2013-01-16 05:01:58 PM

Slaves2Darkness: I never thought I would long for the days when Microsoft controlled VB and Visual C++, but after working in Java for the last 10 years I'm ready to quit this shiat and become a .Net developer.


Because there are no security issues with .NET.  Absolutely none whatsoever.

/there is no real evidence that open source is more 'secure' than closed source and vice versa
 
 
2013-01-16 05:05:49 PM

uncoveror: Are there any websites or programs that still need Java? Uninstall it already.


I just had to activate it so my kid could play the Minecraft demo in a browser

/yesterday
 
2013-01-16 05:07:41 PM

lordargent: They made it "easier" by enforcing rigor so that poor programmers wouldn't get anything to compile, and that good programmers would be driven insane by the hoops they have to jump through to do something useful.


Yay! Let's all use Perl!
 
2013-01-16 05:11:54 PM
I code in Java every day.
 
2013-01-16 05:21:45 PM

Brontes: Qt encapsulates a lot of system calls and wraps them into one class.  QFile, QThread, QQueue, etc works across all platforms


Fine, it's an abstraction library with a focus on UI elements. It's essentially the jQuery of client development. It makes it easier to write portable code, but it is still not fair to compare it against Java, any more than we should compare the Unity engine against Java.

gingerjet: there is no real evidence that open source is more 'secure' than closed source and vice versa


Largely because it's difficult to quantify and many closed source vendors tend to handle security vulnerabilities quietly. Even so, the .NET Framework serves a different role than Java does; for all of their similarities, the purpose of .NET is not the purpose of Java.

The big difference here, though, is applets. Applets (and JNLP) allow code to execute, and the JRE has a flaw that lets them do whatever they want on your system. There is no exact equivalent to applets for .NET- Silverlight is close, but Silverlight is explicitly a plugin- it's something separate from the .NET framework. Similarly, ClickOnce is not JNLP- it lets you launch code from the web, but it makes it explicit that it's installing software.

Are there some code-access flaws that would allow Silverlight or ClickOnce code to pwn a system? Probably. But they're a completely different class of flaw from this one.

pacified: I code in Java every day.


I'm sorry.
 
2013-01-16 05:22:12 PM

Supes: StopLurkListen: I just hit threat/risk saturation when I was installing this morning's Java update, cancelled out of it when instead of "update" the UI had a button for "install", and I just deleted/disabled everything on my PC with the word java, script, oracle, or sun in it.

That could have some interesting ramifications. You understand that Java and JavaScript are two entirely different things, right?


Yup. I understand they are unrelated. However, I have a "Javascript blocker" on one browser, which means there has to be some kind of risk above *zero*, and since I'm not completely up-to-the-date-every-day on security risks, by the time I hear about ANY new threat for which I have to shut off yet another thing on my browser it will probably be too late, so why even bother having such a loaded gun on my computer?
 
2013-01-16 05:46:36 PM
I just set up a Tomcat server to play around with, so I'm really getting a kick out of these replies.

/ Yes, I know this isn't a server-side thing.
 
2013-01-16 05:50:29 PM

StopLurkListen: which means there has to be some kind of risk above *zero*


Well, the fact that a JavaScript blocker exists does not mean there is some kind of risk above zero. The fact that JavaScript exists is evidence that there's a non-zero risk. That's how software works- if it exists, it's exploitable. Tell me, though? Do you also block CSS? There have been security flaws in CSS. I hope you're running through a proxy that will screen out malicious HTTP headers, too.

The main reason to block JavaScript is that many people feel that it is a nuisance. There is no appreciable security benefit.
 
2013-01-16 06:02:21 PM
Vlad_the_Inaner: Yay! Let's all use Perl!

I think you're joking, but the deal with perl is that it's as strict as you want it to be. It's just not strict by default. You want strict references, then enable strict. You want strict datatypes, pull in a module that does that, etc.

A bad perl programmer can't get their program to run under strict.

An OK perl programmer can get their program to run under strict and knows why.

A good perl programmer knows when to turn strict off to do certain things that won't run under strict (and then turn strict back on when they're done).
 
2013-01-16 06:43:02 PM

lordargent: Vlad_the_Inaner: Yay! Let's all use Perl!

I think you're joking, but the deal with perl is that it's as strict as you want it to be. It's just not strict by default. You want strict references, then enable strict. You want strict datatypes, pull in a module that does that, etc.

A bad perl programmer can't get their program to run under strict.

An OK perl programmer can get their program to run under strict and knows why.

A good perl programmer knows when to turn strict off to do certain things that won't run under strict (and then turn strict back on when they're done).


Java is so much more than a "programming language", it is an actual platform where you can do all sorts of things.

Anyhoo you're way too good looking to get mad at.
 
2013-01-16 06:50:42 PM
Most people can probably do without Java. I need it to run virtual machines (I don't need a virtual machine, it is just way easier). It is hard for some people to get rid of Java completely, and it is very useful, if only it was more secure.

Oracle just needs to stay on top of things and try and implement some sort of auto update system the way Adobe has with Flash.
 
2013-01-16 07:00:40 PM

lordargent: A good perl programmer knows when to turn strict off to do certain things that won't run under strict (and then turn strict back on when they're done).


Meh.

If you can't do it at the shell with -lne, it isn't worth doing in Perl.

And if it isn't worth doing in Perl, it isn't worth doing at all.
 
2013-01-16 07:05:40 PM

Brontes: uncoveror: Are there any websites or programs that still need Java? Uninstall it already.

Grr, the android SDK requires it :/


It doesn't need to be enabled in the browser to use the Android SDK.
 
2013-01-16 07:16:34 PM

Faddy: Most people can probably do without Java. I need it to run virtual machines (I don't need a virtual machine, it is just way easier). It is hard for some people to get rid of Java completely, and it is very useful, if only it was more secure.

Oracle just needs to stay on top of things and try and implement some sort of auto update system the way Adobe has with Flash.


There is an auto-update system and just like Adobe's Flash updates it's useless for a huge swath of installs.

Because of the way both Java and Flash install, it requires a local administrator account to perform updates, so any competently-run organization is going to turn auto-update off because 90% of users aren't running with admin privileges on their machine.

For two things that are mostly used as browser plugins, that's pretty unforgivable. Fortunately, both, with a little unnecessary extra effort, can be installed via GPOs on a corporate network.

/ Adobe and Sun can both blow me... their apps are terrible, insecure, volatile disasters and the people who make them need to DIAF
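The "deploy a .reg file to disable Java" and "push it via GPO because users aren't admins" points above both come down to one control: a system-level JRE deployment configuration that turns the browser plug-in off and locks the setting. This PowerShell script is an added example, not code from the thread or from Oracle; it assumes a Windows machine with JRE 7u10 or later (where `deployment.webjava.enabled` exists), the standard `%WINDIR%\Sun\Java\Deployment` location for the system config, and that it runs elevated, as it would from a GPO startup script.

```powershell
# Added example (not from the thread): enforce "Java disabled in browsers" fleet-wide
# through the JRE's system-level deployment configuration, the artefact a GPO startup
# script would push so that auto-update being off no longer leaves the plug-in exposed.
# Assumptions: JRE 7u10+ (introduced deployment.webjava.enabled), the standard
# %WINDIR%\Sun\Java\Deployment location, and an elevated session.

$deployDir  = Join-Path $env:WINDIR 'Sun\Java\Deployment'
$configFile = Join-Path $deployDir 'deployment.config'
$propsFile  = Join-Path $deployDir 'deployment.properties'

New-Item -ItemType Directory -Path $deployDir -Force | Out-Null

# deployment.config tells every JRE on the box where the mandatory system properties
# live; "mandatory=true" makes the plug-in refuse to start if that file cannot be read.
$propsUri = 'file:///' + ($propsFile -replace '\\', '/')
@(
    "deployment.system.config=$propsUri"
    'deployment.system.config.mandatory=true'
) | Set-Content -Path $configFile -Encoding ASCII

# The properties themselves: switch the browser plug-in / Web Start path off and lock
# it (a ".locked" line prevents the per-user Control Panel from overriding the value),
# and keep the security slider at its highest setting as a second line of defence.
@(
    'deployment.webjava.enabled=false'
    'deployment.webjava.enabled.locked'
    'deployment.security.level=VERY_HIGH'
    'deployment.security.level.locked'
) | Set-Content -Path $propsFile -Encoding ASCII

# Verification for a compliance report: which JREs are installed (the Oracle installer
# records each under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<version>) and
# whether the lock is actually present on disk.
function Get-InstalledJre {
    foreach ($hive in 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
                      'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment') {
        if (Test-Path $hive) {
            Get-ChildItem $hive | ForEach-Object {
                [pscustomobject]@{
                    Version = $_.PSChildName
                    Home    = (Get-ItemProperty $_.PSPath).JavaHome
                }
            }
        }
    }
}

function Test-BrowserJavaLocked {
    (Test-Path $propsFile) -and
    ((Get-Content $propsFile) -contains 'deployment.webjava.enabled=false') -and
    ((Get-Content $propsFile) -contains 'deployment.webjava.enabled.locked')
}

Get-InstalledJre | Format-Table -AutoSize
"Browser Java disabled and locked: $(Test-BrowserJavaLocked)"
```

Pairing this with the version inventory lets the security team see at a glance which hosts still carry an old JRE (the 6u38 versus 7u11 argument in the thread) while the plug-in stays off regardless of which build is installed.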
 
2013-01-16 07:17:03 PM
Shazam999: Java is so much more than a "programming language", it is an actual platform where you can do all sorts of things.

Ahh "What is Java" That's an age old question.

Well, you've got your JDK, your JRE, your JVM and your JIT compiler. Throw in some Java cards, some Java Beans, some Java applets and things get a little ME, SE, EE.
 
2013-01-16 07:19:51 PM
Vegan Meat Popsicle: / Adobe and Sun can both blow me.

To be fair to Adobe, they didn't make Flash (they ate Macromedia to get it).

OTOH, Acrobat Reader!!!
 
2013-01-16 07:41:55 PM

t3knomanser: StopLurkListen: which means there has to be some kind of risk above *zero*

Well, the fact that a JavaScript blocker exists does not mean there is some kind of risk above zero. The fact that JavaScript exists is evidence that there's a non-zero risk. That's how software works- if it exists, it's exploitable. Tell me, though? Do you also block CSS? There have been security flaws in CSS. I hope you're running through a proxy that will screen out malicious HTTP headers, too.

The main reason to block JavaScript is that many people feel that it is a nuisance. There is no appreciable security benefit.


The problem, and I'm totally willing to admit it, is I have no idea what's a risk. Don't click on suspicious links in emails, even if I don't know the sender? Got it. Hey, why is my email app blocking *images* in emails, too? Don't tell me -- just displaying a picture in an email can do something malicious?

So, what is a normal mortal who uses a computer and can't possibly keep up with the changing news *every* *day* about what is and isn't safe, except to shut off as much as they can, and just leave it off?
 
2013-01-16 07:43:01 PM

lordargent: Shazam999: Java is so much more than a "programming language", it is an actual platform where you can do all sorts of things.

Ahh "What is Java" That's an age old question.

Well, you've got your JDK, your JRE, your JVM and your JIT compiler. Throw in some Java cards, some Java Beans, some Java applets and things get a little ME, SE, EE.


H-Hey you guys!

Why do Java developers wear glasses?

BECAUSE THEY CAN'T C#!!!!

/this is now a bad programming joke thread
 
2013-01-16 08:20:37 PM

StopLurkListen: So, what is a normal mortal who uses a computer and can't possibly keep up with the changing news *every* *day* about what is and isn't safe, except to shut off as much as they can, and just leave it off?


Anything your software does involving input you didn't personally give it is exploitable. Period. For mere mortals, you're best off not worrying about it.
 
Displayed 50 of 70 comments
