

Java flaw allows “complete” bypass of security sandbox - scottfr
http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/

======
brown9-2
The actual announcement: <http://seclists.org/fulldisclosure/2012/Sep/170>

~~~
chuppo
I like the guy who responded to that with "Full disclosure? This is touching
yourself in public."

And for sure it is, on a fulldisclosure list, nothing is revealed. My monocle
dropped in my morning Java.

~~~
majke
The "guy" is Chris Evans. He works at Google in Chrome Security Team.

* <http://scarybeastsecurity.blogspot.co.uk/>
* <http://www.scary.beasts.org/security/>

------
boyter
This isn't that surprising really. Microsoft's focus on security 10 or so
years ago has paid off and it's hard to find flaws in their OS now. The next
most common platform is probably the JVM so it's the new attack vector.

I would imagine we are going to see more and more of these exploits unless
Oracle takes the same approach that Microsoft took, and even then it will be
years before the benefits are felt.

~~~
stephen
So, if MS is doing so well, why didn't this exploit stop at the Java process
level?

(Not trying to rag on MS.)

~~~
daeken
The attack did stop at the Java process level. But once you're into that, you
have the same privileges as anything else the user is running, by design.
That's the same model taken by, well, every other OS out there effectively;
it's not a problem as long as you have a separation of user account
levels.

~~~
illumen
Yeah, most Java apps do not use OS level security features. Which is a shame,
since layers of security do actually help.

~~~
dmm
Interestingly Android does use system users to isolate applications. The
Android VM, Dalvik, is completely different however.
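As an added illustration of the boundary daeken and illumen are describing (this is not code from the thread or from Oracle): the classic Java sandbox is a permission policy enforced inside the process by the SecurityManager, so a "complete bypass" means untrusted code escapes that in-process policy and ends up with whatever the OS user account can already do. The program below installs a deny-everything policy and shows a directory listing going from allowed to denied. The `DenyAllPolicy` class and `canListDirectory` helper are mine; it runs on JDK 8 through 17, needs `-Djava.security.manager=allow` on JDK 18 to 23, and cannot run on JDK 24 where the SecurityManager was removed.

```java
// SandboxDemo.java: added example (not from the thread). Demonstrates that
// the Java sandbox is a policy enforced *inside* the process by the
// SecurityManager, which is the boundary a sandbox bypass defeats. The OS
// user account is a separate, outer boundary that the JVM does not provide.
import java.io.File;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

public class SandboxDemo {

    // A Policy that grants nothing to application code. JDK system classes
    // keep their implicit AllPermission, so the runtime itself keeps working;
    // only code from the application class path is confined.
    static final class DenyAllPolicy extends Policy {
        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            return new Permissions(); // empty collection
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return false;
        }
    }

    // Attempt a file-system read and report whether the sandbox allowed it.
    static boolean canListDirectory(File dir) {
        try {
            // With a SecurityManager installed, File.list() checks
            // FilePermission(dir, "read") against the current policy.
            return dir.list() != null;
        } catch (SecurityException e) {
            return false; // denied by the in-process sandbox
        }
    }

    public static void main(String[] args) {
        // Choose the target before the sandbox is on. The file-system root is
        // used by default because the class loader grants application code
        // read access to its own class-path directory, which would mask the
        // denial if that directory were the target.
        File target = args.length > 0 ? new File(args[0]) : File.listRoots()[0];

        System.out.println("no sandbox  : can list " + target + " = " + canListDirectory(target));

        // Install the in-process sandbox: deny-all policy plus a SecurityManager.
        Policy.setPolicy(new DenyAllPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("with sandbox: can list " + target + " = " + canListDirectory(target));
        // Prints "true" then "false". The second result is enforced only by
        // Java code in this same process: a bypass that disables the
        // SecurityManager removes it entirely, and the code is then limited
        // only by what the OS allows this user account to do.
    }
}
```

Compile with `javac SandboxDemo.java` and run with `java SandboxDemo` (add `-Djava.security.manager=allow` on JDK 18 to 23). The point of the two lines of output is that nothing about the OS user changed between them; the whole difference is a policy object living in the same process as the code it restricts, which is why the comments above argue for OS-level separation (Android's per-app users) as a second layer.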

------
foohbarbaz
Another browser plugin hole? Yawn. It's disabled in Firefox and Chrome anyway.
Let them disable it for good and enable by exception.

Who uses Java in browser anyway? WebEx and some weird VPN solutions?

~~~
ComputerGuru
And - get this - banks.

Chase requires Java to see pending Checks for business banking w/ fraud
protection which lets you OK or reject checks before they're detected from
your account.

Whereas they have scanned JPEGs for account history check images, the pending
fraud control check images require Java.

~~~
dools
What's more surprising: banks using Java in the browser or people using
_cheques_ in 2012!

~~~
sukuriant
Checks allow for instant transfer of money between two banks, for free. That's
what I still use them for.

~~~
steveh73
Don't they take several days? Does the US seriously not have something
equivalent to direct credit?

~~~
MikeCodeAwesome
Checks are frequently turned into ACH transactions. You may be interested in
[http://www.occ.gov/topics/consumer-protection/depository-ser...](http://www.occ.gov/topics/consumer-protection/depository-services/writing-check.html#whatshappening).

------
blinkingled
It almost sounds like Oracle managed to shoo away all good folks from the JVM
team and all they are left with is a bunch of B players. I don't remember it
being this bad.

~~~
brown9-2
If the vulnerability exists in Java 5, 6 and 7, it seems likely that the
underlying problem is pretty old and not a recent development. Version
1.5.0_22 seems to have been released some time around 2009, and that was the
end-of-life release for "Java 5" - its earlier versions were years before
this.

~~~
blinkingled
Good point - but still, isn't it taking Oracle longer to patch the
vulnerabilities? (Last one they knew for what - 4 months?)

~~~
eckyptang
This is normal for Oracle and has been for at least 20 years. They are too
busy milking people for new contracts rather than looking after their existing
customers.

------
unabridged
Java (and Flash) should only be run inside a virtual machine. You have to be a
fool to have that installed on your bare computer.

~~~
iso8859-1
So you're saying that I shouldn't compile my Java code with GCJ and execute
it? Hardly anyone is doing that.

~~~
finnw
I think he meant VM as in emulator (e.g. vmware), not as in the Java runtime.

------
snambi
who runs java in browser these days?

~~~
SageRaven
Anyone who manages hardware via remote console, such as Dell's iDRAC. HP and
Fujitsu have similar systems, and I imagine many more.

It's a major pain in the ass, and it sucks, but it's true.

~~~
jermy
Supermicro's equivalent IPMI remote access (iKVM) is also Java.