Java flaw allows “complete” bypass of security sandbox (arstechnica.com)
130 points by scottfr on Sept 25, 2012 | hide | past | favorite | 53 comments



I like the guy who responded to that with "Full disclosure? This is touching yourself in public."

And for sure it is; on a full-disclosure list, nothing is revealed. My monocle dropped in my morning Java.


The "guy" is Chris Evans. He works at Google on the Chrome Security Team.

* http://scarybeastsecurity.blogspot.co.uk/
* http://www.scary.beasts.org/security/


Also of vsftpd fame.


This isn't that surprising really. Microsoft's focus on security 10 or so years ago has paid off and it's hard to find flaws in their OS now. The next most common platform is probably the JVM, so it's the new attack vector.

I would imagine we are going to see more and more of these exploits unless Oracle takes the same approach that Microsoft took, and even then it will be years before the benefits are felt.


So, if MS is doing so well, why didn't this exploit stop at the Java process level?

(Not trying to rag on MS.)


The attack did stop at the Java process level. But once you're into that, you have the same privileges as anything else the user is running, by design. That's the same model taken by, well, every other OS out there effectively; it's not a problem as long as you have a separation of user account levels.


"That's the same model taken by, well, every other OS out there"

... except SELinux.


Yeah, most Java apps do not use OS-level security features. Which is a shame, since layers of security do actually help.


Interestingly, Android does use system users to isolate applications. The Android VM, Dalvik, is completely different however.


From the fine article:

  the flaw would be exploitable on any machine with Java 5,
  6, or 7 enabled (whether it’s Windows 7 64-bit, Mac OS X,
  Linux, or Solaris
  [...]
  “An attacker could then install programs, view, change,
  or delete data with the privileges of a logged-on user.”
In short, you can rag on modern operating system design because whatever permissions you grant to the Java process (regardless of operating system) are the same permissions which get inherited by the exploit. If you run the Java process under sudo on Linux, then the exploit runs under sudo as well.


This is why we need application sandboxes at the kernel level. SELinux, for example.


Grsecurity has it.


I'm unable to comment intelligently on this, as I am not familiar with the exploit. I can only comment on the fact that Microsoft has spent a huge chunk of cash and time fixing their code. Most exploits on the Windows side are from applications running on it these days.

Taking a guess, I would imagine it's because the JVM is doing something it shouldn't be, similar to how Adobe products continually have flaws found in them, which isn't the fault of the OS.

If that's the case blaming Microsoft would be like blaming the Linux kernel for being exploited when the actual attack was against a service like Apache running under the root account. Unless you intelligently run things under proper accounts all the OS security in the world won't save you if there is a flaw in something running on it.


While it's possible that Java just hasn't been as much of a target, the difference between Windows and IE (which are the two M$ products that particularly got them into trouble with security flaws) and Java's JVM, other than one being an OS, one being a browser, and the other being a runtime environment, is that the former two started off being buggy and got better, and the JVM has been in the news for more security problems since Oracle took over. I think the finger to point is at Oracle. From what I have heard about how things went when they were taking over, I think the issue is that they are too "enterprise" for their own good. Sun's lawyers were pretty awful (or too good depending on whether you like suing) too though, so maybe some was inherited.

One other thing before I go: are other JVM languages affected by these bugs?


First, this bug existed at least for a year before Oracle acquired Sun. Same with almost all the other bugs that have plagued the JVM in recent years. I don't think pointing the finger at Oracle is worthwhile here.

Second, the parent wasn't comparing the products but the security practices followed; MS's hardcore security practices are well known and have served them very well over the last decade. The products they make have little to nothing to do with this.

Lastly, the language you use has absolutely nothing to do with this bug -- it's a JVM bug itself.


In a sense none of the "JVM languages" are affected: apparently it's a bug in the Web applets sandbox implementation. It's not something used by standalone Java (or whatever) programs. It only matters if you are running Java applets off a web page.


Another browser plugin hole? Yawn. It's disabled in Firefox and Chrome anyway. Let them disable it for good and enable by exception.

Who uses Java in browser anyway? WebEx and some weird VPN solutions?


And - get this - banks.

Chase requires Java to see pending checks for business banking with fraud protection, which lets you OK or reject checks before they're detected from your account.

Whereas they have scanned JPEGs for account history check images, the pending fraud control check images require Java.


Some banks are researching extending that functionality too, effectively creating a disposable browser inside your browser to help mitigate against keylogging and screenshotting account details.


What's more surprising: banks using Java in the browser or people using cheques in 2012!


We use ACH direct deposits for all our transactions when possible, but when not, check is really the only other option. Credit card fees are far too expensive for the recipient (3-5%) for large amounts.

We are typically asked to write checks by lawyers :) Everyone else has moved to electronic banking.

Checks are also handy for one-off payments to people (not companies!) you don't know and won't meet again.


Checks allow for instant transfer of money between two banks, for free. That's what I still use them for.


Don't they take several days? Does the US seriously not have something equivalent to direct credit?


Checks are frequently turned into ACH transactions. You may be interested in http://www.occ.gov/topics/consumer-protection/depository-ser....


Many banks will instantly deposit checks up to a certain amount (say $500), and deposit some percentage of large checks immediately, with the rest deposited after the check has cleared the writer's bank.


It's not free. The cost is paid for by interest you don't receive.


Which is pretty much irrelevant in these days of 1% interest rates.


My credit union pays me 3.5% APY on my checking account. And yes, that's 3.5%, not 0.35%.


Which credit union would that be? Given that my cube mate just refinanced his mortgage at 3.375%, no points, I sense there is an arbitrage opportunity here somewhere.

I am willing to wager your credit union is not paying you 3.5% APY on your checking account. That is, if you had $10,000 in your checking account at the end of the year, and you just left it there, you would not have $10,375 at the end of year.

There is a restriction/surcharge in there that you haven't mentioned.


You would lose that wager. The restriction is that there's an upper-bound on the amount you can earn that interest rate on ($15,000), and you must have at least X number of check card and ACH transactions per month, but there are no fees or surcharges. I also get ATM fee refunds up to $12/mo when I need to use out-of-network ATMs.

This is why I don't understand why people keep going back to banks and getting screwed every single time. The bank is there to make money off its customers; the credit union, by definition, is there to make money for its customers.

https://www.kemba.com/checking-savings/checking/get-green-ch...


If you're willing to wear currency risk: http://www.nab.com.au/wps/wcm/connect/nab/nab/home/personal_...

I wish I could re-finance my mortgage at 3.375% fixed. :(


I'm happy to hook you up with my cube-mate's mortgage broker. He isn't bearing any of the costs, no points, not even an appraisal fee. This is a 30 year fixed mortgage. His position is basically, "I'll refinance if you bear 100% of the service charges and I don't give you any money for anything." [Edit - Oh. Australia. :-)]


My bank does that too. I can only make online payments on my bank's website if I install a browser Java applet they call an "anti-virus". I stopped using it when they did it.


all of the damn physics simulations out there... I'm taking a physics course right now...


Any 10+ year old web applications (then called 'applets') that wanted to avoid the single browser nature of ActiveX or the mediocre performance of Flash.


We used it to read bar codes from connected barcode scanners. It worked fine since 2004 but with all the security issues around, I developed another solution this summer which doesn't rely on Java.

Of course in the Enterprise where about 50% of our end-users are, it's still easier to tell them that they should install Java rather than something they don't know.

Which leads to us having to support both methods.


Do you mind elaborating a bit on your solution that doesn't rely on Java?

We have a similar case though with printers.


Whenever we need to access some hardware (printers, smart cards, cameras, automated file uploads and downloads) we have to rely on a Java applet or Flash. The user must agree to the Java security warning first. Until browsers give us a better multi-browser and multi-platform solution, we still need to use Java. Some of the HTML5 specs are meant to solve these issues.


Amazon uses it in the S3 dashboard for their "Enhanced Uploader (BETA)"


It almost sounds like Oracle managed to shoo away all the good folks from the JVM team and all they are left with is a bunch of B players. I don't remember it being this bad.


If the vulnerability exists in Java 5, 6 and 7, it seems likely that the underlying problem is pretty old and not a recent development. Version 1.5.0_22 seems to have been released some time around 2009, and that was the end-of-life release for "Java 5"; its earlier versions were years before this.


Good point - but still, isn't it taking Oracle longer to patch the vulnerabilities? (Last one they knew for what - 4 months?)


This is normal for Oracle and has been for at least 20 years. They are too busy milking people for new contracts rather than looking after their existing customers.


Given what I've seen lately, this is just false. The Java team under Oracle, despite my trollish expectations, is actually doing really well.

That they've inherited a huge, complex codebase is unfortunate.

I think any program or VM, Ruby, Flash, Python, whatever would end up with the same number of security holes if it had the user base to attract attention from hackers.


Not to diminish your point about Oracle's handling of their inherited codebase (too much). I kind of agree...

But, it bears mentioning that Ruby and Python aren't a mainstream part of browsers. And Flash (under Adobe) has actually done some pretty impressive stuff recently with regard to sandboxing.


Java (and Flash) should only be run inside a virtual machine. You have to be a fool to have that installed on your bare computer.


So you're saying that I shouldn't compile my Java code with GCJ and execute it? Hardly anyone is doing that.


I think he meant VM as in emulator (e.g. vmware), not as in the Java runtime.


Who runs Java in the browser these days?


Anyone who manages hardware via remote console, such as Dell's iDRAC. HP and Fujitsu have similar systems, and I imagine many more.

It's a major pain in the ass, and it sucks, but it's true.


Supermicro's equivalent IPMI remote access (iKVM) is also Java.


Every Norwegian internet banking customer, for instance.
