
(Ars Technica) Great news everyone: there's ANOTHER zero-day exploit for Java that wasn't patched in their latestest fix, and it's being sold online to hackers for a mere $5k (arstechnica.com)
More: Scary, Java, Brian Krebs, Trend Micro, Oracle, code base

3108 clicks; posted to Geek on 16 Jan 2013 at 2:53 PM





Archived thread
2013-01-16 02:58:02 PM  
4 votes:
Unless you randomly click links from your spam folder, enjoy visiting Russian piracy websites or go to random porn sites you found after being automatically redirected by clicking on an image during a Google image search you have nothing to worry about.

The people who are affected by this are morons that lack common sense with over-privileged user accounts.
2013-01-17 12:15:53 AM  
2 votes:
JAVA - Just Another Vulnerability Announced.
2013-01-16 08:32:35 PM  
2 votes:
StopLurkListen: The problem is, and I'm totally willing to admit it, that I have no idea what's a risk. Don't click on suspicious links in emails, even if I don't know the sender? Got it. Hey, why is my email app blocking *images* in emails, too? Don't tell me -- just displaying a picture in an email can do something malicious?

There was a bug in the JPEG libraries, so that reading a specially formed image would cause a buffer overrun and let an attacker run arbitrary code. But bugs like this are rare in the wild because of the technical difficulty involved.

The real two reasons (OTTOMH) for hiding images in your e-mail are that someone could be sending you a penis in e-mail, OR the embedded image might refer to a web site (so that when your e-mail client loads the image from the HTTP server, the server can log that the image was read by a particular mail address).
2013-01-16 04:16:37 PM  
2 votes:
Write once, exploit everywhere!
2013-01-17 10:46:50 AM  
1 vote:

StoPPeRmobile: using SMTP and POP3 to do my gmail stuff is starting to look better and better.

thanks, guys, I learned something new today.

I wouldn't go running SMTP myself anymore


It's not that bad, I use an SMTP server to forward my linux email to an ISP server via a smarthost route.

Your big problem would be that most blacklists list the subnets that most ISPs allocate dynamic IP addresses out of. So many mail receivers would reject you as a probable spammer.

In any case, I was referring to accessing Gmail via means other than its web interface. It supports that at the moment. ( I suppose google could wreck that too)

Enabling POP in Gmail

/hmm, Gmail's help system seems to be pushing IMAP more than SMTP. I hope that's not a bad omen
2013-01-17 10:08:50 AM  
1 vote:

StopLurkListen: Vlad_the_Inaner: lordargent: StopLurkListen: The problem is, and I'm totally willing to admit it, that I have no idea what's a risk. Don't click on suspicious links in emails, even if I don't know the sender? Got it. Hey, why is my email app blocking *images* in emails, too? Don't tell me -- just displaying a picture in an email can do something malicious?

There was a bug in the JPEG libraries, so that reading a specially formed image would cause a buffer overrun and let an attacker run arbitrary code. But bugs like this are rare in the wild because of the technical difficulty involved.

The real two reasons (OTTOMH) for hiding images in your e-mail are that someone could be sending you a penis in e-mail, OR the embedded image might refer to a web site (so that when your e-mail client loads the image from the HTTP server, the server can log that the image was read by a particular mail address).

Well, there's also the fact that for HTML email, many images have names something like http://server.whatever/SOMETHING_uniquecharacterstringcreatedjustforhisrecipient.jpg, so when the server sees that URL come in, it knows that recipient got the email. Some people don't like being tracked. I'm a bit miffed that while gmail generally allows you to block that shait, they've apparently sold a bypass for that opt out for places like Sam's Club. I get their images whether I have images off or not.

using SMTP and POP3 to do my gmail stuff is starting to look better and better.

thanks, guys, I learned something new today.


I wouldn't go running SMTP myself anymore.
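The defender-side version of the image blocking discussed above, as an added example that is not from anyone in this thread: a small Python parser that neuters remote `<img>` sources in an HTML e-mail (the way a mail client's "don't load images" setting does) and flags sources whose path looks like a per-recipient token. The sample message and the token heuristic are constructed for the example.

```python
"""Block remote images in an HTML e-mail and report what was blocked."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one inline (data:) image, one plain remote logo,
# one 1x1 remote image whose path carries a long per-recipient token.
SAMPLE_HTML = """<html><body>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="spacer">
<p>Hello!</p>
<img src="http://server.whatever/logo.jpg" width="100">
<img src="http://server.whatever/open_3f9a8c1d2e4b7f60a9c3d5e1b2f4a6c8.jpg" width="1" height="1">
</body></html>"""

# Heuristic (assumption) for the "unique character string created just for
# this recipient" pattern: a run of 16+ URL-safe characters in the path.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")


class RemoteImageBlocker(HTMLParser):
    """Rewrites <img> tags so http(s) sources are never fetched, keeping the
    original URL in a data- attribute so a client could offer "load images"."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.blocked = []  # list of (url, looks_like_tracker)

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag] + [f'{k}="{html.escape(v)}"' if v is not None else k
                         for k, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def _rewrite_img(self, attrs):
        new_attrs = []
        for k, v in attrs:
            if k == "src" and v and urlparse(v).scheme in ("http", "https"):
                tracker = bool(TOKEN_RE.search(urlparse(v).path))
                self.blocked.append((v, tracker))
                new_attrs.append(("data-blocked-src", v))
            else:
                new_attrs.append((k, v))  # data: URIs and other attrs kept
        return new_attrs

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, self._rewrite_img(attrs) if tag == "img" else attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, self._rewrite_img(attrs) if tag == "img" else attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def block_remote_images(html_text):
    """Return (rewritten_html, blocked); blocked lists every remote image
    source removed as (url, looks_like_tracker)."""
    parser = RemoteImageBlocker()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.blocked


if __name__ == "__main__":
    safe_html, blocked = block_remote_images(SAMPLE_HTML)
    for url, tracker in blocked:
        print(("TRACKER? " if tracker else "remote   ") + url)
    print(safe_html)
```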
2013-01-16 09:00:31 PM  
1 vote:

lordargent: StopLurkListen: The problem is, and I'm totally willing to admit it, that I have no idea what's a risk. Don't click on suspicious links in emails, even if I don't know the sender? Got it. Hey, why is my email app blocking *images* in emails, too? Don't tell me -- just displaying a picture in an email can do something malicious?

There was a bug in the JPEG libraries, so that reading a specially formed image would cause a buffer overrun and let an attacker run arbitrary code. But bugs like this are rare in the wild because of the technical difficulty involved.

The real two reasons (OTTOMH) for hiding images in your e-mail are that someone could be sending you a penis in e-mail, OR the embedded image might refer to a web site (so that when your e-mail client loads the image from the HTTP server, the server can log that the image was read by a particular mail address).


Well, there's also the fact that for HTML email, many images have names something like http://server.whatever/SOMETHING_uniquecharacterstringcreatedjustforhisrecipient.jpg, so when the server sees that URL come in, it knows that recipient got the email. Some people don't like being tracked. I'm a bit miffed that while gmail generally allows you to block that shait, they've apparently sold a bypass for that opt out for places like Sam's Club. I get their images whether I have images off or not.

using SMTP and POP3 to do my gmail stuff is starting to look better and better.
2013-01-16 08:20:37 PM  
1 vote:

StopLurkListen: So, what is a normal mortal who uses a computer and can't possibly keep up with the changing news *every* *day* about what is and isn't safe, except to shut off as much as they can, and just leave it off?


Anything your software does involving input you didn't personally give it is exploitable. Period. For mere mortals, you're best off not worrying about it.
2013-01-16 07:43:01 PM  
1 vote:

lordargent: Shazam999: Java is so much more than a "programming language", it is an actual platform where you can do all sorts of things.

Ahh "What is Java" That's an age old question.

Well, you've got your JDK, your JRE, your JVM and your JIT compiler. Throw in some Java cards, some Java Beans, some Java applets and things get a little ME,SE,EE.


H-Hey you guys!

Why do Java developers wear glasses?

BECAUSE THEY CAN'T C#!!!!

/this is now a bad programming joke thread
2013-01-16 06:50:42 PM  
1 vote:
Most people can probably do without Java. I need it to run virtual machines (I don't need a virtual machine, it is just way easier). It is hard for some people to get rid of Java completely, and it is very useful, if only it was more secure.

Oracle just needs to stay on top of things and try and implement some sort of auto update system the way Adobe has with Flash.
2013-01-16 06:02:21 PM  
1 vote:
Vlad_the_Inaner: Yay! let's all use Perl!

I think you're joking, but the deal with perl is that it's as strict as you want it to be. It's just not strict by default. You want strict references, then enable strict. You want strict datatypes, pull in a module that does that, etc.

A bad perl programmer can't get their program to run under strict.

An OK perl programmer can get their program to run under strict and knows why.

A good perl programmer knows when to turn strict off to do certain things that won't run under strict (and then turn strict back on when they're done).
2013-01-16 05:50:29 PM  
1 vote:

StopLurkListen: which means there has to be some kind of risk above *zero*


Well, the fact that a JavaScript blocker exists does not mean there is some kind of risk above zero. The fact that JavaScript exists is evidence that there's a non-zero risk. That's how software works- if it exists, it's exploitable. Tell me, though? Do you also block CSS? There have been security flaws in CSS. I hope you're running through a proxy that will screen out malicious HTTP headers, too.

The main reason to block JavaScript is that many people feel that it is a nuisance. There is no appreciable security benefit.
2013-01-16 05:46:36 PM  
1 vote:
I just set up a Tomcat server to play around with, so I'm really getting a kick out of these replies.

/ Yes, I know this isn't a server-side thing.
2013-01-16 05:22:12 PM  
1 vote:

Supes: StopLurkListen: I just hit threat/risk saturation when I was installing this morning's Java update, cancelled out of it when instead of "update" the UI had a button for "install", and I just deleted/disabled everything on my PC with the word java, script, oracle, or sun in it.

That could have some interesting ramifications. You understand that Java and JavaScript are two entirely different things, right?


Yup. I understand they are unrelated. However, I have a "Javascript blocker" on one browser, which means there has to be some kind of risk above *zero*, and since I'm not completely up-to-the-date-every-day on security risks, by the time I hear about ANY new threat for which I have to shut off yet another thing on my browser it will probably be too late, so why even bother having such a loaded gun on my computer?
2013-01-16 05:21:45 PM  
1 vote:

Brontes: Qt encapsulates a lot of system calls and wraps them into one class. QFile, QThread, QQueue, etc. work across all platforms


Fine, it's an abstraction library with a focus on UI elements. It's essentially the jQuery of client development. It makes it easier to write portable code, but it is still not fair to compare it against Java, any more than we should compare the Unity engine against Java.

gingerjet: there is no real evidence that open source is more 'secure' than closed source and vice versa


Largely because it's difficult to quantify and many closed source vendors tend to handle security vulnerabilities quietly. Even so, the .NET Framework serves a different role than Java does; for all of their similarities, the purpose of .NET is not the purpose of Java.

The big difference here, though, is applets. Applets (and JNLP) allow code to execute, and the JRE has a flaw that lets them do whatever they want on your system. There is no exact equivalent to applets for .NET- Silverlight is close, but Silverlight is explicitly a plugin- it's something separate from the .NET framework. Similarly, ClickOnce is not JNLP- it lets you launch code from the web, but it makes it explicit that it's installing software.

Are there some code-access flaws that would allow Silverlight or ClickOnce code to pwn a system? Probably. But they're a completely different class of flaw from this one.

pacified: I code in Java every day.


I'm sorry.
2013-01-16 05:11:54 PM  
1 vote:
I code in Java every day.
2013-01-16 05:07:41 PM  
1 vote:

lordargent: They made it "easier" by enforcing rigor so that poor programmers wouldn't get anything to compile, and that good programmers would be driven insane by the hoops they have to jump through to do something useful.


Yay! let's all use Perl!
2013-01-16 05:05:49 PM  
1 vote:

uncoveror: Are there any websites or programs that still need Java? Uninstall it already.


I just had to activate it so my kid could play the Minecraft demo in a browser

/yesterday
2013-01-16 05:01:58 PM  
1 vote:

Slaves2Darkness: I never thought I would long for the days when Microsoft controlled VB and Visual C++, but after working in Java for the last 10 years I'm ready to quit this shiat and become a .Net developer.


Because there are no security issues with .NET.  Absolutely none whatsoever.

/there is no real evidence that open source is more 'secure' than closed source and vice versa
2013-01-16 04:55:45 PM  
1 vote:
Generation_D: But this was why they invented Java.

They made it "easier" by enforcing rigor so that poor programmers wouldn't get anything to compile, and that good programmers would be driven insane by the hoops they have to jump through to do something useful.

This also made it "easier" to send java work offshore, where you can get two developers for the price of one onshore one. (but quantity doesn't necessarily == quality).
2013-01-16 04:52:08 PM  
1 vote:

uncoveror: Are there any websites or programs that still need Java? Uninstall it already.


Grr, the android SDK requires it :/
2013-01-16 04:51:59 PM  
1 vote:

StopLurkListen: I just hit threat/risk saturation when I was installing this morning's Java update, cancelled out of it when instead of "update" the UI had a button for "install", and I just deleted/disabled everything on my PC with the word java, script, oracle, or sun in it.


That could have some interesting ramifications. You understand that Java and JavaScript are two entirely different things, right?
2013-01-16 04:47:22 PM  
1 vote:
Are there any websites or programs that still need Java? Uninstall it already.
2013-01-16 04:35:34 PM  
1 vote:

t3knomanser: Brontes: I think Qt has the right idea

Qt is just a GUI library, though. It's not a language. It's not the same sort of thing to compare.

Java's core issue was that it started out too heavily focused on being "pure", eschewing things like generics and on the enterprise side, focusing more on configuration over everything else. Tying together a J2EE app through JNDI is a complete clusterfark. With huge variations between containers and hosts and clients, the whole promise of "write-once..." failed utterly.

Just as Java was starting to be pressured to modernize and join us in reality, Sun started shiatting the bed. Oracle has no interest in improving Java, or honestly, even in distributing it. Oracle will use it in their own products, but they mostly bought Sun for Solaris, anyway.

Long story short: Java started by handicapping itself and just when it really needed the most support from its owners, they decided to ignore it.


Which is really just another indictment of McNealy and the rest of senior Sun leadership.  My contention was that their love affair with Java pulled resources and attention away from the hardware/server business, which they were actually good at.

SunOS / Solaris was a thing of wonderment, probably the most tuned Unix in history.  Oracle knows this.  But Sun's senior leadership in the 1990s and 2000s ignored this and focused on Java.  And every one of them should be held accountable forever.

// I miss Sun Solaris.
2013-01-16 04:35:14 PM  
1 vote:
Brontes: I think Qt has the right idea

Qt is just a GUI library, though. It's not a language. It's not the same sort of thing to compare.

Java's core issue was that it started out too heavily focused on being "pure", eschewing things like generics and on the enterprise side, focusing more on configuration over everything else. Tying together a J2EE app through JNDI is a complete clusterfark. With huge variations between containers and hosts and clients, the whole promise of "write-once..." failed utterly.

Just as Java was starting to be pressured to modernize and join us in reality, Sun started shiatting the bed. Oracle has no interest in improving Java, or honestly, even in distributing it. Oracle will use it in their own products, but they mostly bought Sun for Solaris, anyway.

Long story short: Java started by handicapping itself and just when it really needed the most support from its owners, they decided to ignore it.


That isn't exactly true. Qt encapsulates a lot of system calls and wraps them into one class. QFile, QThread, QQueue, etc. work across all platforms (tried on OSX, Linux, Windows, not on Android or iOS yet). Then it is about managing the compiler and cross compiling, which QtDesigner handles well enough.
2013-01-16 04:31:14 PM  
1 vote:

lordargent: Supes : If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.

I would like to see some modern language that supersedes it.

As a developer, Java was great in concept. But in implementation, it seemed like a giant PITA to me (coming from a perl/C background).

We need a modern language and tools that make it much easier for the programmer to develop code.



But this was why they invented Java.
2013-01-16 04:29:31 PM  
1 vote:

Vlad_the_Inaner: And this gives us a sandboxed runtime environment how?


Pretty much in the same way Java does.
2013-01-16 04:28:49 PM  
1 vote:

Brontes: I think Qt has the right idea


Qt is just a GUI library, though. It's not a language. It's not the same sort of thing to compare.

Java's core issue was that it started out too heavily focused on being "pure", eschewing things like generics and on the enterprise side, focusing more on configuration over everything else. Tying together a J2EE app through JNDI is a complete clusterfark. With huge variations between containers and hosts and clients, the whole promise of "write-once..." failed utterly.

Just as Java was starting to be pressured to modernize and join us in reality, Sun started shiatting the bed. Oracle has no interest in improving Java, or honestly, even in distributing it. Oracle will use it in their own products, but they mostly bought Sun for Solaris, anyway.

Long story short: Java started by handicapping itself and just when it really needed the most support from its owners, they decided to ignore it.
2013-01-16 04:27:47 PM  
1 vote:

Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.


I was told repeatedly by Java developers that the sandbox is secure.
2013-01-16 04:26:29 PM  
1 vote:

Brontes: I think Qt has the right idea: GUI and libraries for almost any system and OS. Allows for low level access if needed and it is super easy to integrate other code/libraries into projects.


And this gives us a sandboxed runtime environment how?
2013-01-16 04:18:14 PM  
1 vote:

lordargent: Supes : If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.

I would like to see some modern language that supersedes it.

As a developer, Java was great in concept. But in implementation, it seemed like a giant PITA to me (coming from a perl/C background).

We need a modern language and tools that make it much easier for the programmer to develop code.

Anyone that's dealt with maven when it shiats itself on your project for no particular reason can attest to this.

// If I never see another java stack trace or have to edit a POM file by hand again, it will still be too soon.


I think Qt has the right idea: GUI and libraries for almost any system and OS. Allows for low level access if needed and it is super easy to integrate other code/libraries into projects.
2013-01-16 04:09:16 PM  
1 vote:
Hasn't this been the case with Java since, well, forever? Why are people running around crazy just recently?
2013-01-16 04:04:31 PM  
1 vote:
Goddammit all to hell. I do tech support for a university, and while yes, I understand the risks, I don't have a fecking choice but to make sure people use Java to use the software they need to do their online education.
2013-01-16 04:01:19 PM  
1 vote:
I just hit threat/risk saturation when I was installing this morning's Java update, cancelled out of it when instead of "update" the UI had a button for "install", and I just deleted/disabled everything on my PC with the word java, script, oracle, or sun in it.
2013-01-16 03:36:07 PM  
1 vote:
Supes : If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.

I would like to see some modern language that supersedes it.

As a developer, Java was great in concept. But in implementation, it seemed like a giant PITA to me (coming from a perl/C background).

We need a modern language and tools that make it much easier for the programmer to develop code.

Anyone that's dealt with maven when it shiats itself on your project for no particular reason can attest to this.

// If I never see another java stack trace or have to edit a POM file by hand again, it will still be too soon.
2013-01-16 03:14:14 PM  
1 vote:

styckx: Unless you randomly click links from your spam folder, enjoy visiting Russian piracy websites or go to random porn sites you found after being automatically redirected by clicking on an image during a Google image search you have nothing to worry about.


Except that shiat-tons of people have Java installed and no real mechanism for finding out about these issues. Remember that these are people who won't install Windows updates because some goofus in their office told them 15 years ago that updates slow down or screw up their computer. These same people aren't going to notice or understand notifications from their security software or take the time to read "techie mumbo-jumbo." They just wanna play that one game they like on Yahoo.

The Firefox answer of silently disabling Java is probably the best we can hope for, for a huge swath of end users who don't have anybody managing their systems for them.
2013-01-16 02:59:54 PM  
1 vote:
So what happens when we're all using HTML5 and our rich content has no 'plug-in' providers?

Instead of an exploit in Java or Flash or Silverlight that we can disable - won't we just have an exploit in how browser X handles some particular aspect of HTML 5 that is exploitable? Then it'll be 'Don't use browser X until patched?'

Or am I misunderstanding?
2013-01-16 02:18:12 PM  
1 vote:

Supes: If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.


Boy, I'd love to not use Java; but a lot of the sites we go to use Java. Our freakin' EHR system uses Java. This is gonna screw us over.

Just deployed the .reg file to disable Java. Dammit.
2013-01-16 02:01:03 PM  
1 vote:
If someone doesn't have Java disabled already, I'd say it's their own fault. But yeah it's increasingly looking like it's past time to rewrite Java from the ground up.
2013-01-16 01:35:05 PM  
1 vote:
Goddammit, Oracle!
 
This thread is archived, and closed to new comments.