  Security hole in Java Web Start  (Read 2763 times)

Preston (Senior Devvie)
« Posted 2003-12-02 13:41:43 »

Does anybody know a URL to an English article on this topic?

German readers could use this one: http://www.heise.de/newsticker/data/pab-02.12.03-001/
The last sentence reads: "SUN's current recommended workaround to the security issue is not to use Java Web Start 1.4.2_02."

With all that talk on Java Web Start here in the forum I thought let's post this...

kevglass (JGO Spiffy Duke)
« Reply #1 - Posted 2003-12-02 14:14:01 »

Here's something?

http://www.itworld.com/nl/java_sec/08092002/

This seems to be all I can get Google to throw up; it seems like a hole in IE more than Web Start.

Kev



endolf (JGO Coder)
« Reply #2 - Posted 2003-12-02 15:26:59 »

Hi,

I agree that it sounds like IE is the biggest issue, but maybe WS could help to some extent by verifying the signature of files *every* run.

Endolf


Preston (Senior Devvie)
« Reply #3 - Posted 2003-12-02 15:28:54 »

Quote

From 08/09/2002?
That's another version, probably... :-)

My article is from today. Maybe you could use Google's pretty funny translation: http://translate.google.com/translate?u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fdata%2Fpab-02.12.03-001%2F&langpair=de%7Cen&hl=de&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools

kevglass (JGO Spiffy Duke)
« Reply #4 - Posted 2003-12-02 15:34:03 »

Ah ha, from what I can make out from the cool translation, the problem is this:

1) An app requests limited security permissions to the users machine.
2) The user agrees to the limited permissions (which are safe)
3) The author then changes the permission requested.
4) Next the user does an update; JWS gets the new permissions and assumes that, because the user accepted it the first time, they'll accept anything.
5) The Java App now has full security permissions without the user's approval.

If that is the case, that is scary. Although everything I've seen recently asks for full permissions at the start :)

Kev


endolf (JGO Coder)
« Reply #5 - Posted 2003-12-02 16:27:13 »

Eep, in that case, yes, it's a WS bug :)

But I too ask for full permissions :)

Endolf


swpalmer (JGO Coder)
« Reply #6 - Posted 2003-12-03 01:44:46 »

I suspected as much. In fact, even granting full permissions the first time, it is not "friendly" of the system to assume the user wishes to grant full permissions to version 2. Perhaps I've heard that version 2 has a bug that could destroy my data... Must I now unplug my network cable whenever I want to launch this Web Start app so I don't get the new version? If it is marked as requiring a net connection, I can't even do that!

Web Start needs some settings to allow the user to confirm that they wish to get the available updates in the first place. Sometimes you don't want to be on the bleeding edge.


Jeff (JGO Coder)
« Reply #7 - Posted 2003-12-03 02:57:00 »

Quote
I suspected as much.  In fact even granting full permissions the first time, it is not "friendly" of the system to assume the users wishes to grant full permissions to version 2.


I'd disagree here, actually.

The question posed is not "do you trust this application" but "do you trust this application provider." That's why each provider has a unique certificate, not each app.

JK

Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  Its likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
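The escalation Kev lays out in Reply #4 (limited permissions approved once, then a full-permission update waved through) and the per-certificate trust model Jeff describes in Reply #7, as an added example that is not part of the original thread and not Sun's Web Start code: a small Python model of the decision a JNLP client should make when a cached app's updated .jnlp asks for more than was approved. The two JNLP snippets, the signer fingerprint and the TrustStore class are constructed here for illustration.

```python
"""Added example, not code from the original thread or from Java Web Start.

Models the trust decision a JNLP client should make when a cached
application's updated .jnlp requests more permissions than the user
approved earlier (the escalation described in Reply #4), using the
per-signer-certificate trust model from Reply #7. The two JNLP snippets,
the signer fingerprint and the TrustStore class are constructed here for
illustration and are not Web Start's real internals.
"""

import xml.etree.ElementTree as ET

# Permission levels a JNLP <security> element can request, ordered from
# least to most privileged. A JNLP with no <security> element runs in the
# sandbox.
LEVELS = {
    "sandbox": 0,
    "j2ee-application-client-permissions": 1,
    "all-permissions": 2,
}

# Constructed JNLP: version 1 asks for nothing beyond the sandbox.
JNLP_V1 = """<jnlp spec="1.0+" codebase="http://example.invalid/game" href="game.jnlp">
  <information><title>Game</title><vendor>Example</vendor></information>
  <resources><jar href="game.jar"/></resources>
  <application-desc main-class="game.Main"/>
</jnlp>"""

# Constructed JNLP: version 2 from the same signer now asks for everything.
JNLP_V2 = JNLP_V1.replace(
    "<resources>",
    "<security><all-permissions/></security>\n  <resources>",
)


def requested_level(jnlp_xml: str) -> str:
    """Return the most privileged level the <security> element requests.

    Unknown child tags are rejected rather than ignored, so the client never
    silently treats something it does not understand as harmless.
    """
    root = ET.fromstring(jnlp_xml)
    security = root.find("security")
    if security is None or len(security) == 0:
        return "sandbox"
    requested = [child.tag for child in security]
    unknown = [tag for tag in requested if tag not in LEVELS]
    if unknown:
        raise ValueError(f"unknown permission element(s): {unknown}")
    return max(requested, key=LEVELS.__getitem__)


class TrustStore:
    """Per-signer record of the highest permission level the user has
    explicitly approved (a constructed stand-in for the client's cache).

    Trust is keyed on the signing certificate, not on the application, so
    one approval covers every app from that signer at or below that level;
    anything above it must be put to the user again.
    """

    def __init__(self) -> None:
        self._granted: dict[str, str] = {}

    def decide(self, signer_fingerprint: str, jnlp_xml: str) -> tuple[str, str]:
        """Return ("run", level) if an earlier approval for this signer
        already covers the requested level, otherwise ("prompt", level).

        The buggy behaviour under discussion would return "run" whenever
        the signer had been approved before, regardless of level.
        """
        level = requested_level(jnlp_xml)
        granted = self._granted.get(signer_fingerprint, "sandbox")
        if LEVELS[level] <= LEVELS[granted]:
            return ("run", level)
        return ("prompt", level)

    def approve(self, signer_fingerprint: str, level: str) -> None:
        """Record that the user said yes to `level` for this signer."""
        current = self._granted.get(signer_fingerprint, "sandbox")
        if LEVELS[level] > LEVELS[current]:
            self._granted[signer_fingerprint] = level


def walkthrough() -> list[tuple[str, str]]:
    """Replay the update scenario and return each decision in order."""
    store = TrustStore()
    signer = "sha1:constructed-fingerprint-of-example-signer"
    decisions = []
    decisions.append(store.decide(signer, JNLP_V1))  # sandbox: just run it
    decisions.append(store.decide(signer, JNLP_V2))  # escalation: must prompt
    store.approve(signer, "all-permissions")         # user accepts this time
    decisions.append(store.decide(signer, JNLP_V2))  # now covered: run
    return decisions


if __name__ == "__main__":
    for action, level in walkthrough():
        print(f"{action:6s} {level}")
```

The store deliberately keeps Jeff's granularity (an approval is for a signer, so a second app under the same certificate at the same or a lower level runs without a prompt) while still refusing to inherit an old approval for a higher level, which is the part of the reported behaviour the thread objects to. Whether the real client should also keep the previous version around, as swpalmer asks for below, is a separate question this model does not touch.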

Preston (Senior Devvie)
« Reply #8 - Posted 2003-12-03 02:57:02 »

Quote
In fact even granting full permissions the first time, it is not "friendly" of the system to assume the users wishes to grant full permissions to version 2.  Perhaps I've heard that Version 2 has a bug that could destroy my data...  Must I now unplug my network cable whenever I want to launch this Web Start app so I don't get the new version?

In Web Start there's a menu entry "application" with a sub-entry named "delete app". This removes a previously loaded app for me. Next time I load that app from a .jnlp file again, it asks for the permission details.

swpalmer (JGO Coder)
« Reply #9 - Posted 2003-12-03 03:36:15 »

Quote

I'd disagree here, actually.

The question posed is not "do you trust this application" but "do you trust this application provider." That's why each provider has a unique certificate, not each app.

JK

Yes, I see your point, and it makes sense to use the provider level of granularity from a security standpoint. I guess it still stands that this bug of allowing more privileges than you initially agreed to is not right, though.

I also think the idea of not accepting upgrades is entirely different from that of security. I don't trust a single one of you to give me code that has no bugs :) - but I routinely accept the self-signed Web Start apps that are posted. I trust you guys enough that I believe you will not be malicious, but if I have a program that is working just fine for me, I don't necessarily want to jump straight to the next version. I like that Web Start gives me the ability to stay up to date; I don't like that it forces the latest version on me, with no option of going back.

I believe that is a design flaw in the current Web Start client. JNLP in general appears to be fine. If the client kept the last version in the cache so I could step back, it would be great. Hmm. I smell an RFE brewing...


swpalmer (JGO Coder)
« Reply #10 - Posted 2003-12-03 03:39:03 »

Quote

In Web Start there's a menu entry "application" with a sub-entry named "delete app". This removes a previously loaded app for me. Next time I load that app from a .jnlp file again, it asks for the permission details.

Yes... that covers the security issue, but it means losing version 1, so it doesn't cover the forced-early-adopter issue (i.e. you will use the latest, even if it is broken on your system).


Jeff (JGO Coder)
« Reply #11 - Posted 2003-12-03 04:47:07 »

Quote

Yes, I see your point, and it makes sense to use the provider level of granularity from a security standpoint. I guess it still stands that this bug of allowing more privileges than you initially agreed to is not right, though.

That I'd agree with, assuming the report is accurate :)

Quote

I also think the idea of not accepting upgrades is entirely different from that of security. I don't trust a single one of you to give me code that has no bugs :) - but I routinely accept the self-signed Web Start apps that are posted. I trust you guys enough that I believe you will not be malicious, but if I have a program that is working just fine for me, I don't necessarily want to jump straight to the next version. I like that Web Start gives me the ability to stay up to date; I don't like that it forces the latest version on me, with no option of going back.

That's an interesting and legitimate comment. I hadn't really thought about it before. In the enterprise, the JWS way makes sense because IT wants uniformity, but it's quite possible that a better client for supplying individual users could be written.

That's actually one of Web Start's virtues: it's really a protocol definition (JNLP et al). JWS is just one example of a client. Others could be written.


kevglass (JGO Spiffy Duke)
« Reply #12 - Posted 2003-12-03 05:01:15 »

Yeah.. check out OpenJNLP. It's bulky and the interface is horrible.. but other than that it's a new implementation :)

Kev


Preston (Senior Devvie)
« Reply #13 - Posted 2003-12-06 11:04:37 »

http://developer.java.sun.com/developer/bugParade/bugs/4961543.html

Bug closed. It's not a bug. It's a feature. :-)

Was the bug report a bug itself?

Jeff (JGO Coder)
« Reply #14 - Posted 2003-12-16 19:50:57 »

Yup. Looks like this person was confused as well about granting permissions, thinking it was per app rather than what it really is: per certificate.
