Java flaw could lead to Windows, Linux attacks
Posted by JCAP on 23 November 2004 - 22:34 · 33 comments & 2721 views
(2 replies)
#1 Posted by Soleen on 23 Nov 2004 - 22:40
- Exploit? yes, found? yes, Patched? yes.
why posting it? Dunno..
-
#1.1 Posted by bucko on 23 Nov 2004 - 22:44
- Did you even read the article? "The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun Microsystems, but its details were not made public until Tuesday" Which is today
-
#2 Posted by noyb on 23 Nov 2004 - 22:43
- I'm curious to see if OS X is vulnerable, Sun said it was unclear but I wouldn't mind some follow up.
-
(1 reply)
#3 Posted by Andareed on 23 Nov 2004 - 22:56
- If you upgraded to JDK/JRE 1.5/5.0 you are not affected.
-
(1 reply)
#4 Posted by ripgut on 23 Nov 2004 - 23:25
- *martin voice*
"HAHA"
-
(6 replies)
#5 Posted by xpgeek on 23 Nov 2004 - 23:40
- If this is such a big security vulnerability, then why, when I check for updates with the java I have installed, which is 1.4.2_05, it says no updates. And, the link to download java on the main page of java.com, still is for 1.4.2_05.
I have downloaded J2SE 5.0 JRE, and J2SE v 1.4.2_06 JRE, but I don't understand what the difference is between the 2. Which one do I upgrade to ? -
#5.1 Posted by xpgeek on 24 Nov 2004 - 00:47
QUOTE I have downloaded J2SE 5.0 JRE, and J2SE v 1.4.2_06 JRE, but I don't understand what the difference is between the 2. Which one do I upgrade to ?
Well I figured since I had 1.4.2_05 the correct choice was 1.4.2_06. Still don't understand the difference tho.
And still seems weird to me, according to this, 1.4.2_05 and earlier is affected by this, and 1.4.2_06 and later is not. So why did it say no updates when I manually checked for updates with 1.4.2_05, there clearly was an update, but it said there was not. And the links to get java on java.com still point to 1.4.2_05.
I'm kinda confused, but am running 1.4.2_06 now so at least know I am secure.-
#5.2 Posted by gahbmwM5 on 24 Nov 2004 - 04:57
- Yes, I understand your confusion, as I too 'had' Java2 RE SE v1.4.2_05, and when trying to update through the WinXP Control Panel Java Plugin icon, (Java Plugin Control Panel) it too reported "You have the latest version"...
So I read your 'Sun Security Java Version' link and then proceeded to install Java2 RE SE v1.4.2_06, which (according to the Security Report) is 'not affected by the flaw...
So thanks...as I would think that Sun would at least have a more detailed, accurate approach on the matter, so at least you wouldn't have to D/L the entire 15MB program again...should be an updated patch...
From the Java.com site:
"What is Java Update?
The Java Update feature checks to see if there are any new patches available for the Java™ Runtime Environment (JRE). A patch is a revision to the software.
Java Update installs patches to the JRE and does NOT upgrade to a new version of the JRE. A patch version has an underscore in the version number. (ie: JRE 1.4.2_x). For example, if JRE 1.4.2 is installed on the system and Java Update detects that a patch is available on Java.com (ie: JRE 1.4.2_01), it will notify the user of the update. It will not upgrade from JRE 1.4.2 to JRE 1.5 since JRE 1.5 is a completely new version."
So technically we both should have received a update icon in our systray for JRE v1.4.2_06...
Also it looks as though Java2-RE Standard Edition 5.0 is JRE v1.5.0 (which is still a beta/maybe more buggy) but more updated than JRE 1.4.2_06...
As I then went to java.com---->Question: What is the latest Java software...? And one link stated that I had the latest version of Java, while another link--->Question: To Test Your Java Software...? Stated there is another more updated version...
Last edited by 45594 on 24 Nov 2004 - 06:09 -
#5.3 Posted by Daybreak on 24 Nov 2004 - 13:01
- JRE 5.0 (aka Java 1.5, Sun has this weird naming scheme) is the latest. If you're using Java only for applet support, you won't see much difference. Most of the changes are geared towards the developers.
I'd suggest using 1.4.2_06 for the time being until the first updates to Java 5 come out though. -
#5.4 Posted by gahbmwM5 on 24 Nov 2004 - 18:29
- Daybreak,
Thank you for your reply as I just D/L JRE 5.0 (aka 1.5), but have not installed it...Yes, I utilize Java only for the applet support...ie: Pogo Games...etc...A member @another forum suggested this:
"Why use ver 5.0 over 1.4.2_05? Well my experience shows substantially faster plugin load which was one of the major complaints in the past. Also, Java apps should run faster, as well. You may have both versions installed, 1.4.2x and 5.0 in case you don't feel like experimenting"
But I think that I will stick with JRE 1.4.2_06 for now... -
#5.5 Posted by leojei on 25 Nov 2004 - 15:28
- glad Sun got the Update section to let you check which to update and which not.
QUOTE JRE 5.0 (aka Java 1.5, Sun has this weird naming scheme)
Yes, Sun definitely needs to think harder with their names. I lost track of which version I'm using, I just know that my IE downloaded it last night~ -
#5.6 Posted by hosebeast on 27 Nov 2004 - 08:55
- Yes, Daybreak, the changes in JRE 5.0 are geared towards the developers who have to fix their code after Sun has broken it.
I use a voicemail service called AccessLine which has an applet for playing messages on the web. With JRE 5.0, it acts like it is playing, but nothing happens. I reported it on October 1, it was acknowledged by the AccessLine programmers within 3 days, but they haven't been able to fix it yet.
At work, we've got a 5-month-old Nortel phone system. It is managed by a Java app called Business Communications Manager, and we've got Nortel's latest patches for it. It works fine when run from a computer with JRE 1.4.2 but it constantly times out and freezes when run from a computer with JRE 5.0.
Oh, and there is a visible difference that end-users will notice: JRE 5.0 has a fancy new Sun Java logo which displays while an applet is loading (if the page has not been coded to display something specific during loading). It's cheesy-looking enough that I've had a few end-users comment on it, thinking it might be coming from spyware!
-
(5 replies)
#6 Posted by rrtn on 24 Nov 2004 - 00:41
- Damn it. << removed >>. In October I got some bull**** spyware/trojan after visiting some site and blamed my firewall. << removed >> Java and Flash are the 2 worst << removed >> on the net!
Next time, calm down before posting.
Last edited by 36818 on 24 Nov 2004 - 02:46 -
#6.1 Posted by MegaManXcalibur on 24 Nov 2004 - 01:11
- Thank you for sharing those strong emotions with us. Now that you have shared your complete hatred of Java and Flash with us could you go into some detail as of why (granted you gave a minor reason for Java but you never even mentioned why you dislike Flash).
Or do you feel like posting something intelligent isn't nearly as much fun as trolling? -
#6.2 Posted by matt74441 on 24 Nov 2004 - 02:42
- I can see people hating Flash (myself included), but Java? There's nothing wrong with it, it's a perfectly good language to use and develop in.
-
#6.3 Posted by HellBender on 24 Nov 2004 - 02:44
- Yeah, there's nothing wrong with Java at all. This trojan/spyware you got was not from Java, as this is one of the very, very few vulnerabilities (I can't remember the last one). Java applets, by definition, have very little permission to do anything on your computer.
Besides, there's a lot more to Java than web applets. There are so many public apps out that were made in Java, and coding server-side stuff for Java is a lot more efficient than C++ et al.
So get your head out << removed >> and quit whining.
-
(4 replies)
#7 Posted by LVirus on 24 Nov 2004 - 09:52
- It's Pynnönen, not Pynnonen. Why is it so hard for amerikans to type other letters than their standard ones?!
-
#7.1 Posted by quintesse on 24 Nov 2004 - 10:38
- I'm Dutch and our language has all kinds of accented letters as well and even I find it very difficult to type those letters so I hardly ever bother.
Yes, I know you can select an international keyboard but I hate that system with all those dead keys. I wish MS would just put into the OS what they put into Word: hold CTRL to type accented chars. -
#7.2 Posted by hornetfighter on 24 Nov 2004 - 11:57
- basically it is too hard, unless you happen to know the character code (and can type it using Alt + <code>), it requires using Character Map. Most English speakers wouldn't be able to render the difference in sound in any case, whether the accent was present or not! -
#7.3 Posted by Billprozac on 24 Nov 2004 - 13:49
- Why is it so hard for you to type AMERICANS correctly?
-
(2 replies)
#8 Posted by yannis on 24 Nov 2004 - 09:59
- Another reason for me not to run any Java on my PC
-
#9 Posted by SVT on 24 Nov 2004 - 14:04
QUOTE Schwartz noted that Java hasn't been afflicted by a single Java virus.
Java is just as popular as ActiveX, and there are tons of ActiveX viruses. I guess everyone who says MS software has the most viruses because it's the most popular have pie on their face now!
SVT
-
#10 Posted by _dandy_ on 24 Nov 2004 - 14:20
- Finally, Java lives up to its "write once, run everywhere" claim...
-
(1 reply)
#11 Posted by Zenith on 25 Nov 2004 - 10:46
- it wouldn't take a flaw in Java to create weaknesses in Windows

"It allows execution of attacker-supplied code without user interaction (apart from viewing a Web page) which usually means a "critical" classification," Pynnonen stated in an e-mail interview with CNET News.com. "The same exploit could also be used against various operating systems and browsers, which makes it more serious," he added. The vulnerability can be used to attack systems running on Windows or Linux, for example, and using major browser software such as Microsoft's Internet Explorer and Firefox--meaning a large number of systems are vulnerable to attack.