Two new vulnerabilities found in Oracle's latest Java patch - ternaryoperator
http://www.informationweek.com/security/application-security/java-hacker-uncovers-two-flaws-in-latest/240146717

======
IvyMike
Christ, as someone who wrote some Java software long, long ago: Does Oracle
not care how damaging this stuff is to the already battered Java "brand"?

When Firefox brings up a "Java is a potentially malicious plugin" dialog by
default, you should be trying to turn that ship around.

~~~
fuzzix
Perhaps this is the excuse to generate more critical updates, increasing the
number of accidental Ask toolbar installs.

Oracle doesn't believe in "free".

~~~
grhino
Java in the browser has been battered for a while. It's been supplanted by
Flash for the most part, which will be replaced by JavaScript in the browser.
Oracle is expecting Java VM's to disappear from the browser altogether and is
glad to wring out as much cash as possible in the meantime.

------
jtheory
To be clear -- neither of these vulnerabilities is likely to cause much damage
in the wild for anyone who has installed the new version.

Applets don't run anymore unless you explicitly click through to authorize
them.

If you aren't expecting your game to run, etc., you click "no".

I'm disappointed about all this (particularly since it's on its way to
destroying my side business, which relies on applets), but I'm also frustrated
by the reporting -- Java applets are still more secure than ActiveX used to
be, right? There's a sandbox, and now applets won't even run at all without
explicit permission from the user.

That's pretty close to "don't go to shady websites and install software they
offer you" at this point.

~~~
kunil
If my mom sees a pop up while browsing, she will always click yes.

~~~
jtheory
If she clicks yes to all popups, then Java is a risk to her even with all
security bugs patched, because I can request permission to _get out of the
sandbox_ with a signed applet, and if she approves I can do whatever I like
with her computer.

Of course, if she's opening odd-looking links in her email anyway (which is
how she'd _get_ to a site that might include a dangerous applet) there are
likely all kinds of attack vectors that she's vulnerable to.

------
spajus
I was a Java developer, and when Sun was acquired by Oracle, I knew it was time
to move on. Now I'm coding Ruby, and whenever I look back, I see Oracle raping
Java - suing the good guys, adding malware to Java installers, increasingly
introducing new security holes. It's such a sad sight...

~~~
martinced
To be honest, a lot of the major security bugs were actually inherited by
Oracle from Sun when they bought Java. In 2011 we had two major Denial of
Service bugs working on any Java webapp server that had been present for more
than ten years in Java (one of them was a known-but-never-fixed bug and the
other was unknown-but-already-existing).

The Java applet SNAFU is totally Sun's fault, and the wasted time and energy
spent making these applets work (and hence making Java plugins for the various
browsers) should have been spent by everyone on more interesting purposes.

Regarding the "time to move on", I hardly think so: Java is still increasingly
popular, and it's very hard to find a big company not using Java anywhere in
its stack.

And you mentioning Ruby in response to security holes is particularly ironic,
seeing that lately Ruby hasn't exactly proved rock-solid from a security
standpoint ; )

~~~
krrrh
The big "Ruby" vulnerabilities that came up recently were issues in Rails. I
don't think that there's much irony here, since the response from the Rails
core team was fast and professional, as was the action taken by the community to
patch existing web apps. Oracle sat on known vulnerabilities and didn't
scramble out a fix until the Department of Homeland Security got involved.
Obviously we're comparing applets and oranges here, but Oracle deserves a heap
of criticism over how it's handling these issues, and it really brings the
future of their Java codebase into question.

------
huhtenberg
More vulnerabilities - more toolbars! What's not to like.

------
Uchikoma
Most of these vulnerabilities are break outs of the security manager. A lot of
other VMs do not have security managers ("think of eval").

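As an added illustration of what "breaking out of the security manager" means (this is an editor's example, not code from the thread, from Oracle's JDK, or from the advisory linked below): under a SecurityManager, every sensitive operation such as opening a file ends in a permission check that walks the call stack, and the usual end goal of an applet sandbox escape is to make that check pass for `System.setSecurityManager(null)`, which removes the sandbox for good. The deny-all Policy is an assumption for the demo; the real applet sandbox granted a small fixed set of permissions. Runs on Java 8 to 17; from Java 18 onward add `-Djava.security.manager=allow`, and Java 24 removes the ability to install a manager at all.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class SandboxDemo {

    /**
     * A Policy that grants application code nothing. Assumed here to stand in
     * for the applet sandbox; JDK bootstrap classes are implicitly trusted, so
     * the JVM itself keeps working under it.
     */
    static final class DenyAllPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return false;
        }
    }

    /** Opening a file ends in SecurityManager.checkRead, i.e. a FilePermission check. */
    static String tryFileRead(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            return "allowed";
        } catch (SecurityException e) {
            return "denied by sandbox: " + e.getMessage();
        } catch (IOException e) {
            return "no sandbox check, I/O failed: " + e.getMessage();
        }
    }

    /**
     * The classic payload of a Java sandbox escape. With a manager installed this
     * requires RuntimePermission("setSecurityManager"); an exploit's job is to
     * reach this call from a context in which that check passes.
     */
    static String tryDisableSandbox() {
        try {
            System.setSecurityManager(null);
            return "allowed: sandbox is gone";
        } catch (SecurityException e) {
            return "denied by sandbox: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String path = args.length > 0 ? args[0] : "/etc/hosts";

        // Without a manager nothing is checked: the read succeeds (or fails on I/O only).
        System.out.println("[no manager] read " + path + ": " + tryFileRead(path));

        // Install the deny-all policy and the default manager: the sandbox is now on.
        Policy.setPolicy(new DenyAllPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("[sandboxed ] read " + path + ": " + tryFileRead(path));
        System.out.println("[sandboxed ] setSecurityManager(null): " + tryDisableSandbox());
        System.out.println("[sandboxed ] manager still installed: "
                + (System.getSecurityManager() != null));
    }
}
```

Compile with `javac SandboxDemo.java` and run `java SandboxDemo`. The second and third lines of output are the sandbox doing its job: the file read and the attempt to uninstall the manager are both refused with an `access denied` message. Every Java sandbox-escape bug of this kind is a way to get the last call to return "allowed" instead.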
------
saosebastiao
Oracle is becoming a parody of itself. Can they just hand off the entire Java
platform to a capable 3rd party already?

~~~
tptacek
Did Oracle introduce these bugs?

~~~
gchpaco
Have they been permitting anyone who isn't Oracle-affiliated to work on the
sandbox? I was under the impression that the core development and compiler
work was all in house.

~~~
tptacek
Are you sure these bugs are new? The Java Applet Sandbox doesn't exactly have
a spotless security history.

~~~
saurik
One of the bugs is fairly old, the other (which is required for the overall
exploit) is new-ish (introduced in Java 7), but probably not as new as
saosebastiao was implying (as the title of this HN post can be parsed as "the
bugs were introduced by the patch attempting to fix the other bugs", which is
definitely not the case, AFAICT).

> Issue 51 affects both Java SE 6 and 7. Issue 52 is for Java SE 7 only. Since
> both issues are required for the attack to succeed, we treat it as Java 7
> specific only.

-- <http://seclists.org/fulldisclosure/2013/Jan/195>

------
jy-p
Maybe Oracle would fix my javas if I paid them for a support contract.

It's only USD 10 mln :P

