Days since last known Java 0-day exploit

291 points| anon1385 | 13 years ago |java-0day.com | reply

81 comments

[+] Wilya|13 years ago|reply
Is navigator.javaEnabled() (used in this page) accurate? I deactivated the Java plugin in Chrome's about://plugins (and restarted everything just to be sure), and it still returns true. Did I do something wrong?
[+] speedyrev|13 years ago|reply
It made me actually check and make sure that I had disabled the plugin. I thought I had already done it.
[+] UnoriginalGuy|13 years ago|reply
Returns true even though I have Click-To-Play enabled. Cannot decide if that is accurate or not...
[+] a1a|13 years ago|reply
We have a "space" on the blackboard that's reserved, in the security class I'm taking. It's commonly known as the "java 0-day calendar". Everyone thought it was funny at first. Yet, lately the professors have started whining about not having enough space left for their lectures. Yeah, now it's basically just sad.
[+] bra1n|13 years ago|reply
I don't get why it's called a "countdown", when the counter on the page clearly intends to count up...

Edit: original page title is "Java 0day countdown".

[+] eksith|13 years ago|reply
"Down" sounds sexier than "up". Also there's a connotation of impending... er... something with a countdown vs. count-up, which I guess makes sense for the anticipation of another vulnerability.
[+] csense|13 years ago|reply
What about Java is so exploit-prone?

I always thought that, from day one, it was specifically designed to run untrusted code downloaded over the network in a secure sandbox. Java's over 15 years old and has always had the backing of a major company, so it's not like these are the growing pains of a new technology.

[+] rachelbythebay|13 years ago|reply
You might ask the same thing about Flash. You'd think that after the first dozen or so releases with gaping holes that they'd take a step back and rethink things.

I came up with a hypothesis about this kind of stuff not too long ago. Once your product becomes sufficiently crappy, nobody in their right mind will want to work on it. Good people will leave to get away from it. The project gets to a point where the badness "rubs off on you". Anyone who cares about their reputation will run from it.

Obviously, you can't write code without developers, so you start scraping the bottom of the barrel to get anyone who will work on it. You get people who don't care about their reputations and/or quality and are only there for a paycheck. You get green people fresh out of school who think everything is always nice and happy, and haven't been beaten down by the harsh reality of the industry yet.

The bozos got to the project, and broke it. Once that happened, the only people willing to work on it are more bozos (and the unfortunate ignorant folks who don't know any better).

I dubbed it "The Bozo Loop". I originally only intended for this to describe a specific situation (Flash), but since then it's become quite clear that it can extend to Java and many other things.

[+] zmmmmm|13 years ago|reply
I don't think there's anything about Java the language, any more than any plugin. It is the development and deployment methodology that is dated. Oracle (and the same went for Sun) issues updates on a scale of months. I think this is now turning out to be an unviable strategy for any platform that has to survive in the wild and run untrusted code. It's hard to swallow, but we have to accept:

1. Completely secure code is extraordinarily expensive and difficult to write. All cost effective software is going to contain vulnerabilities

2. The only path to security is aggressive discovery and disclosure followed up with an immediate patch and deploy mechanism

This is the new model which Chrome and various other end-user-facing software is running - silent, rapid updates and a product engineered from the ground up to support that without major regressions. Anybody who wants to be a player in the browser market basically has to adopt this model. If Oracle cares about retaining any presence of their browser plugin in modern browsers they need to drastically change course - but I'm not sure they do.

[+] chubot|13 years ago|reply
Because the JVM is written in C, and thus EVERY line of C code in it (which is millions, maybe tens of millions) has to be trusted. That's just the way C is (but not Java, to its credit). Anybody can introduce a security hole at any point, essentially.

There are ways to structure your code to mitigate this, but Java is almost 20 years old, so I'm sure there are a bunch of dark corners in there.

A more secure way to go about it would probably be to bootstrap the language more and write more of the VM in Java. I guess PyPy is exactly that, although I don't know enough to comment on its security.

[+] darec1|13 years ago|reply
I wonder if these are new vulnerabilities or if they maybe existed all along? Would an adapted exploit work against Java 5?

Maybe Java security research just had a breakthrough and they found some new attack vector/methodology which uncovers all these vulnerabilities?

[+] lrobb|13 years ago|reply
Days since a sizable number of hacker newsers confused java the language with the jvm with the browser plugin: also 0
[+] hakaaaaak|13 years ago|reply
Someone needs a similar site that contains the 0-day for not only Java, but everything: languages, frameworks, jars, gems, projects, etc. For example, how about one for each currently maintained version of Rails, IE, Firefox, Chromium/Chrome, Opera, Safari, Windows, Linux, OS X, etc. Just a big sortable grid for each category type with name, days since 0-day, and a link and/or description of the last vulnerability, with another link to list all reported vulnerabilities and links to reports. That would be awesome.
[+] blablabla123|13 years ago|reply
At home I have often used not fully patched Windows systems and not fully updated Browser/Plugin stacks. Oh and Java and Flash are always activated. This is the Windows 7 dual boot on my laptop. When really bad news arrives (HN, other tech news) I do updates or other precautions like avoiding crappy web sites, MSIE etc.

Until 2 years ago I even had a Windows XP VM with broken update mechanism and IE6 which I used frequently.

And guess what, nothing ever happened. But speaking for me, I will keep Flash and Java activated for another few years. I'm no security expert but my explanation why this works is this: I don't install any toolbar, in fact I have only the bare minimum of Firefox add-ons. (Why don't they allow me to uninstall MS Office Live-Plugin anyway? Or this Ubuntu thing?) I hate to install software on Windows, and if I do, I really make sure I understand what I install and how trustable the vendor is.

Two relatives of mine have been infected with some spam bot net thing more than once. Their systems were like 90% patched, but they were vulnerable through Toolbars. (I think in both cases it was the Yahoo Toolbar.)

This is certainly not meant as general advice, but I guess the lesson is that being minimal and careful is as valuable as keeping your system patched. Oh and yes, I do always have an up-to-date virus scanner.

[+] darkchasma|13 years ago|reply
So it's a static website? ;)
[+] yakiv|13 years ago|reply
Can't be. Has to say "0" sometimes.
[+] aj700|13 years ago|reply
I've given up trying to keep OS X Java up to date. I can still use LibreOffice. I just keep the plugins disabled in the browsers. Oracle has made it, or rather left it, unusable.
[+] CodeCube|13 years ago|reply
Interesting thought ... have there been any _high profile_ Windows OS vulnerabilities in recent times? I mean, I'm sure there are, there are still tons of patches rolled out on a regular basis. But they're not getting nearly as much media focus as they once were; at least, not in any media that I'm consuming.

Is it a case of the OS now really being way more secure than it once was? Loss of interest by malware writers? A bigger focus on vulnerabilities in specific products (i.e. browsers)?

[+] EvanKelly|13 years ago|reply
MS12-063 was an IE exploit on XP, Vista, and 7. Though not specifically an OS vulnerability, it's a pretty big one.

MS08-067 was certainly the go-to XP exploit for the longest time. I still find computers vulnerable to that nearly 5 years later.

Disclaimer: I only dabble in security and am basically limited to Metasploit for my knowledge, so corrections are welcome.

[+] joshAg|13 years ago|reply
It's a case of the OS being way more secure than it once was. The new kernel that came out with Vista helped quite a bit, as well as the constant stream of updates.

Because the OS is more secure, other parts of the system (i.e. browsers, Flash, Java) are now (in comparison to the OS) easier to exploit than they were.

[+] Legion|13 years ago|reply
Are there any more sites like this, for other languages or frameworks? This and others like it would be a great addition to our chatbot's morning news update. :)
[+] lawnchair_larry|13 years ago|reply
About ten years ago, a guy named Thor Larholm used to maintain a page of unpatched MSIE vulnerabilities. Anyone could go there and read about 20-30 vulnerabilities currently exploitable at any given time.

Check wayback for http://www.pivx.com/larholm/unpatched around 2002 to see some samples.

In those days, browser exploits were not really seen as something of value. Everyone thought, "You have to trick the victim into visiting your web page? Pff". That's when hacking was still done by silently hitting vulnerable services, with no user interaction. Crazy how times have changed...

(Sorry, not what you were asking for, but reminded me of that page.)

[+] gph|13 years ago|reply
>Has the counter ever reached ten days yet?

Should remove either the "ever" or "yet" from that sentence. Unless it's a redundancy feature :D

[+] tobyjsullivan|13 years ago|reply
Has the counter ever reached ten days? Not yet.

There! All fixed.

[+] benmmurphy|13 years ago|reply
Beware: click-to-play is not a security feature in Firefox or Chrome as recommended by this site. In Chrome you want to use 'block all'.
[+] tobyjsullivan|13 years ago|reply
As data is collected over time, I would love to see this plotted on a graph. Mostly for purposes of hilarity.
[+] solistice|13 years ago|reply
It'll just look like a sawtooth wave.
[+] yati|13 years ago|reply
Do the OOP/Java courses still teach students that Java is "secure"?
[+] ZoFreX|13 years ago|reply
Java the language is not insecure, nor is having the JVM installed. The issue comes from the Java browser plugin, which has been a security disaster to the point that it's being disabled in browsers automatically.
[+] Moto7451|13 years ago|reply
Yup, instructors of my brother's Java-oriented courses still keep that rhetoric going. Really that statement kept confusing me from day 1 since examples to the contrary are easily found via Google:

http://www.symantec.com/security_response/writeup.jsp?docid=...

And that one is years prior to when I went to school. People can believe whatever they want about the security of their preferred platform but basically any large project is going to have some sort of vulnerability. All it takes is someone with enough gumption to find it.

[+] solistice|13 years ago|reply
As someone who is still in a beginner's course on OOP/Java, I can tell you that that's not the only bull they'll spout.
[+] younata|13 years ago|reply
Yes. Or at least, as recently as 2 years ago at my university, they did.
[+] j45|13 years ago|reply
Why just Java plugins for browsers and not other things?
[+] swalkergibson|13 years ago|reply
Is there an API? ;)
[+] Natsu|13 years ago|reply
Nah, all you need to do is have a number that alternates between 1 and 0 and it'll be close enough for all practical purposes.