  Yet another security issue with applets  (Read 4521 times)
Offline appel
« Posted 2012-08-28 22:00:07 »

Quote
Disable Java NOW, users told, as 0-day exploit hits web
A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.
http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/

Why is it so hard to make unbreakable sandboxes?  Roll Eyes

Check out the 4K competition @ www.java4k.com
Check out GAMADU (my own site) @ http://gamadu.com/
Offline gouessej
« Reply #1 - Posted 2012-08-28 22:34:45 »

I'm not surprised by The Register, it is always the same behavior... Why not disable Flash, Silverlight and .NET too?

Offline appel
« Reply #2 - Posted 2012-08-28 22:54:00 »

I guess the only true sandbox is your OS, maybe people need to run their browsers inside a virtual os (vmware, virtualbox) to be "safe".

Online Riven
« Reply #3 - Posted 2012-08-28 23:04:45 »

I guess the only true sandbox is your OS, maybe people need to run their browsers inside a virtual os (vmware, virtualbox) to be "safe".

No such luck...
  • There are already virii that hijack guest OSes, for example, through VMware.
  • There are already virii that hijack the current OS and virtualize it, to stay under the radar of anti-virus software.

Hi, appreciate more people! Σ ♥ = ¾
Learn how to award medals... and work your way up the social rankings
Offline appel
« Reply #4 - Posted 2012-08-28 23:10:29 »

I guess the only true sandbox is your OS, maybe people need to run their browsers inside a virtual os (vmware, virtualbox) to be "safe".

No such luck...
  • There are already virii that hijack guest OSes, for example, through VMware.
  • There are already virii that hijack the current OS and virtualize it, to stay under the radar of anti-virus software.
OH GOD!!!!  Grin

Offline Cero
« Reply #5 - Posted 2012-08-28 23:58:14 »

I guess the only true sandbox is your OS, maybe people need to run their browsers inside a virtual os (vmware, virtualbox) to be "safe".

No such luck...
  • There are already virii that hijack guest OSes, for example, through VMware.
  • There are already virii that hijack the current OS and virtualize it, to stay under the radar of anti-virus software.
Thats crazy.

However I am absolutely convinced that developing a perfect sandbox IS possible.
I have looked at a lot of console design/architecture, primarily Xbox, Xbox 360 and PS3, which is very related, because trying to keep people from hacking the consoles is a similar problem to keeping sandboxes secure.

What I'm certain of is that you need to keep the code minimal, very robust, test it thoroughly... only really required stuff; try to hack it; use the principle of least privilege...

I'm very excited to see the PS4 and Xbox 720 in this regard...
Although I generally dislike Microsoft, the Xbox 360 has a very good architecture.

I think also that one of the main problems with sandbox designs like these is basically old codebases: either legacy code, or new code combined with legacy code... Only designing it from scratch would be secure.

Offline gouessej
« Reply #6 - Posted 2012-08-29 01:07:53 »

However I am absolutely convinced that developing a perfect sandbox IS possible.
Every human creation can be improved. Therefore, your sandbox will have to be created by an intelligent being but not a human being  Grin

Offline sproingie
« Reply #7 - Posted 2012-08-29 02:42:39 »

Quote
virii

I work in the AV industry.  No one uses this word.
Offline Jimmt
« Reply #8 - Posted 2012-08-29 02:46:56 »

Quote
virii
I work in the AV industry.  No one uses this word.

Yup.
http://stason.org/TULARC/security/computer-virus/14-Is-it-viruses-virii-or-what.html
http://english.stackexchange.com/questions/3838/viruses-or-virii
Offline jonjava
« Reply #9 - Posted 2012-08-29 02:55:13 »

Mmm. But virii is a lot cuter.

Much like snow bears are a lot cuter than polar bears.

Offline Best Username Ever
« Reply #10 - Posted 2012-08-30 00:41:41 »

Yep. I've heard "Java isn't used for anything, you should disable it" or "Java isn't secure" and other things along that line. For me, the number of websites using Java applets outnumbers Flash embeds by over two to one. (Ignoring Flash ads and websites that force the user to use a plugin to watch video.) The same people argue against disabling Silverlight, even though one can count the number of websites that use it on one hand. There's good reason to disable those types of things, including Flash, Java, Silverlight, and definitely Javascript, but that type of discussion revolves around which one has the better brand image.
Offline delt0r
« Reply #11 - Posted 2012-08-30 09:05:27 »

With current hardware and OS I don't think you can do a "perfect sandbox". Fact is that modern computers are total crap when it comes to security, and no amount of dressing on the top can change that fundamental fact. Security is hard to get right. It's even harder to slap it onto things that were not designed with security in mind in the first place.

I have no special talents. I am only passionately curious.--Albert Einstein
Offline Damocles
« Reply #12 - Posted 2012-08-30 09:18:02 »

If you worry about security, especially vīra, just use Linux as your browsing and e-banking system.

I wonder how much effort people invest into security applications and fear,
just to keep using Windows for their critical tasks (online banking, online purchases, processing personal documents, etc.).

The standard tasks all work fine in the mainstream Linux distros.
Plus it's still natively much more secure.

I use Windows mainly for gaming then.

Offline gimbal
« Reply #13 - Posted 2012-08-30 10:12:14 »

It's all pointless anyway. No matter how many holes are plugged in software, the biggest security hole is still floating between the keyboard and the chair. It's not the tiny cracks in a piece of software that provide the most misery, it's the keyloggers installed on so many systems of oblivious users that are the real deal. They don't go away by pointing a finger at others.
Offline Damocles
« Reply #14 - Posted 2012-08-30 10:25:15 »

I just hope this Java faux pas does not reduce the installations of Java too much.

Would be bad news for applets and Java gaming in general.

Good that Minecraft keeps Java as a game engine well in public view.

Offline kappa
« Reply #15 - Posted 2012-08-30 14:03:19 »

The above security issue is pretty serious, trivial to exploit (even by Java noobs) and works cross-platform, as the source code of a working example shows here.

Sadly even if the above is fixed there are probably tons more yet undiscovered ways to do the above. Just looking at the list of critical Java security bugs fixed in the last few years there have literally been hundreds of similar ones.

A majority of these exploits (including the above) simply find various crafty ways to replace the default applet/JWS security manager, e.g. System.setSecurityManager(null).

Simply making it impossible in the VM to replace the default Security manager (even with elevated permissions) when running as applet or JWS should make it more difficult to beat the sandbox and reduce some of the problems.

The Java plugin is currently a major attack vector (much more so than Flash ever was) and is being rightly criticised. If Oracle are serious or care about continuing to have a Java plugin they need to take some radical action to secure it down (likely even more browsers will block it by default). Plus it doesn't help that Oracle are completely silent (seeming they are doing nothing) even though almost every security/tech site out there is currently bashing it.
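The mechanism kappa describes above, as an added example that is not code from the post, from the exploit, or from Oracle's JDK: an installed SecurityManager only gates System.setSecurityManager(null) by permission, so any caller that has (or has tricked its way into) the "setSecurityManager" RuntimePermission can drop the sandbox, while a manager that refuses replacement outright, as the post proposes, stops even a fully privileged caller. The class and method names (SandboxReplacementDemo, PinnedSecurityManager, runAsUntrusted, tryToDropSandbox) are hypothetical, and the all-permissive Policy is a stand-in for code that has already obtained elevated rights; the untrusted path is modelled with an AccessControlContext built from a domain that holds no permissions at all, which is how applet code was confined. Runs as-is on JDK 8 to 17; JDK 18 to 23 need -Djava.security.manager=allow, and the SecurityManager API is removed from later releases.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/**
 * Hypothetical demo (not JDK code): shows why "replace the security manager"
 * is the payload step of so many sandbox escapes, and what pinning it changes.
 */
public class SandboxReplacementDemo {

    /** Hypothetical hardened manager: refuses to be swapped out, whatever the caller's permissions. */
    static final class PinnedSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("security manager is pinned; replacement refused");
            }
            super.checkPermission(perm); // everything else keeps the normal policy-based check
        }
    }

    /** The classic escape step; returns true if the installed manager blocked it. */
    static boolean tryToDropSandbox() {
        try {
            System.setSecurityManager(null);
            return false; // no exception: the sandbox is gone
        } catch (SecurityException blocked) { // AccessControlException is a subclass
            return true;
        }
    }

    /** Runs an action the way sandboxed applet code ran: inside a domain that holds no permissions. */
    static <T> T runAsUntrusted(PrivilegedAction<T> action) {
        // The two-argument constructor gives the domain static permissions only,
        // so the permissive Policy installed in main() is never consulted for it.
        ProtectionDomain noPermissions = new ProtectionDomain(null, new Permissions());
        AccessControlContext restricted = new AccessControlContext(new ProtectionDomain[] { noPermissions });
        return AccessController.doPrivileged(action, restricted);
    }

    public static void main(String[] args) {
        // Grant this class's own domain every permission: it stands in for a caller
        // that has already obtained elevated rights by some bug in the runtime.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });

        // 1. Stock SecurityManager: the no-permission domain is refused.
        System.setSecurityManager(new SecurityManager());
        boolean untrustedBlocked = runAsUntrusted(SandboxReplacementDemo::tryToDropSandbox);
        System.out.println("stock manager, untrusted caller blocked: " + untrustedBlocked);

        // 2. Stock SecurityManager, privileged caller: the permission check passes
        //    and the manager is simply removed. This is the step the exploits aim for.
        boolean trustedBlocked = tryToDropSandbox();
        System.out.println("stock manager, privileged caller blocked: " + trustedBlocked);
        System.out.println("manager still installed: " + (System.getSecurityManager() != null));

        // 3. Pinned manager: the same privileged caller is refused, because the
        //    refusal no longer depends on what permissions the caller holds.
        System.setSecurityManager(new PinnedSecurityManager());
        boolean pinnedBlocked = tryToDropSandbox();
        System.out.println("pinned manager, privileged caller blocked: " + pinnedBlocked);
        System.out.println("manager still installed: " + (System.getSecurityManager() != null));
    }
}
```

Step 1 is blocked and step 2 succeeds with the stock manager; step 3 is blocked with the pinned one. The caveat is the one the post itself makes by asking for the block to live in the VM: a pin implemented in Java, as here, still sits behind reflection and native code, so an attacker who has already reached System's internal state or loaded native code is not stopped by it.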
Offline gimbal
« Reply #16 - Posted 2012-08-30 14:07:53 »

The Java plugin is currently a major attack vector (much more so than Flash ever was) and is being rightly criticised. If Oracle are serious or care about continuing to have a Java plugin they need to take some radical action to secure it down. Plus it doesn't help that Oracle are completely silent (seeming they are doing nothing) even though almost every security/tech site out there is currently bashing it.

Actually they have, there have been so many harsh security fixes done to, for example, the applet core that plenty of applications just failed to work after a certain update. Now they get pissed on by both the developers AND the so-called security experts Smiley

I agree that Oracle keeping silent is really highly annoying. You just don't know what is going on behind those towering walls of theirs.
Offline princec
« Reply #17 - Posted 2012-08-30 14:15:12 »

Not just silent but negligent as well. Holes from bugs are to be expected; ignored holes are not. Grrr.

Cas Smiley

Offline Cero
« Reply #18 - Posted 2012-08-30 14:44:24 »

You get my point with examples like these: trying to fix a current sandbox like this is like trying to fix a broken ship on the high sea in a storm.

When they were first developed, none of these issues were apparent... it was not designed with today's performance, stability and security aspects in mind.

Offline gimbal
« Reply #19 - Posted 2012-08-30 15:26:36 »

Not just silent but negligent as well. Holes from bugs are to be expected; ignored holes are not. Grrr.

Very true, but yeah. Name me one large multinational that was not guilty of this exact same crime at least once but probably multiple times. They're all too busy looking for the one ring.
Offline BoBear2681
« Reply #20 - Posted 2012-08-30 15:29:05 »

Just got an email at work about this one.  It's the first they've ever sent out a mass-distribution email about a Java security problem.  Amazingly, they did not tell us to disable Java in our browsers, but rather to just not install new stuff from the web, and not visit web sites we did not already know and trust.
Offline kappa
« Reply #21 - Posted 2012-08-30 23:07:40 »

and Oracle has surprisingly released an update to fix the above.

Java 7 update 7.

To think how much bad publicity and uncertainty they could have saved themselves, if only they had made an announcement earlier that they were in the process of rushing out an update.  Roll Eyes
Offline Best Username Ever
« Reply #22 - Posted 2012-08-31 05:39:02 »

Just got an email at work about this one.  It's the first they've ever sent out a mass-distribution email about a Java security problem.  Amazingly, they did not tell us to disable Java in our browsers, but rather to just not install new stuff from the web, and not visit web sites we did not already know and trust.

That's terrible advice. No one can possibly know what sites can actually be "trusted" and you still have to worry about ads and invisible third party code.
Offline BoBear2681
« Reply #23 - Posted 2012-08-31 19:10:20 »

Yep.  Working at a large software company, you'd think we'd know better.
Online Riven
« Reply #24 - Posted 2012-08-31 19:15:56 »

Assuming that level of competence, you probably have a huge list of addresses in the CC field. Why not send your personal warning+advice to your coworkers? (remember to spoof both the MAIL FROM * and From: * SMTP fields.)

Offline kappa
« Reply #25 - Posted 2012-08-31 23:12:50 »

Eh oh, another zero-day remotely executable flaw discovered in the latest Java 7 update 7

http://arstechnica.com/security/2012/08/critical-bug-discovered-in-newest-java/
Offline Cero
« Reply #26 - Posted 2012-08-31 23:14:15 »

rushing

flaw

Offline kappa
« Reply #27 - Posted 2012-09-26 00:34:30 »

Oh and yet another http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/
Offline erikd
« Reply #28 - Posted 2012-09-26 10:24:28 »

For the average user (the kind that visits any website it can find and would get viruses within a day if it wasn't for the virus scanner) it's probably good advice to disable Java in the browser.
Sadly, Oracle seems to be perfectly happy with that.

Offline Z-Man
« Reply #29 - Posted 2012-09-26 22:50:18 »

Just got an email at work about this one.  It's the first they've ever sent out a mass-distribution email about a Java security problem.  Amazingly, they did not tell us to disable Java in our browsers, but rather to just not install new stuff from the web, and not visit web sites we did not already know and trust.

That's terrible advice. No one can possibly know what sites can actually be "trusted" and you still have to worry about ads and invisible third party code.
Woo Click-to-Play on plugins Grin One of the features I love in Google Chrome.