Critical bug in newest Java

Post by skynet » Sat Sep 01, 2012 2:26 pm

Watch out if you use Java. I'm sure there will be a fix for it though.


Researchers said they've uncovered a flaw in the Java 7 update released by Oracle on Thursday that allows attackers to take complete control of end-user computers.

The flaw in Java 7 Update 7, which Oracle released to stop in-the-wild attacks that silently install malware on end-user machines, is the latest black eye for the security of the widely used software framework. It comes after revelations that Oracle learned of the vulnerabilities under attack in April, four months before the exploits were detected. Oracle has yet to explain the delay in fixing the bugs.

The latest bug "facilitates full Java sandbox bypass on latest Java 7 Update 7," Adam Gowdiak, the CEO of Poland-based Security Explorations, wrote in an e-mail to Ars. His team developed proof-of-concept code and delivered it on Friday to Oracle engineers. The discovery of the new critical bug was reported earlier by IDG News. There are no reports that it is being exploited online.

"The total hunt took about 2-3 hours," Gowdiak wrote. "It was done yesterday in the evening. The discovery was made [as] a result of a manual analysis of Java code (its implementation)."

Gowdiak declined to discuss technical details out of concern that they may make it easier for criminals to exploit the flaw in e-mail- or Web-based attacks. He said the discovery came "while trying to fix the proof-of-concept codes that stopped working after applying the recent Java patch."

An Oracle spokeswoman responding to a request for comment referred Ars to this advisory, which was published with Thursday's update. She and other representatives didn't respond to a follow-up e-mail informing her that the advisory was published before the most recent vulnerability was discovered.

This week's attacks, and Oracle's lack of public response to them, have renewed calls by many—this reporter included—to remove Java from computers that don't use the cross-platform framework. Many programs that claim Java is required work fine, or almost as well, without the Oracle software, as confirmed by at least two Ars readers on Thursday. Even when it's mandatory for programs such as Adobe Photoshop, as one Mac-using Ars reader reported, users may want to remove Java plugins from their browsers if the websites they regularly visit don't require it. The removal advice has proved controversial to some, so Ars readers are encouraged to decide for themselves. (Oracle's official Twitter account for Java has also disagreed with the advice.)

Two of some 19 bugs that Gowdiak's firm reported in April were among those combined in the latest proof-of-concept attack to completely bypass the security sandbox Java relies on to ensure untrusted code can't access sensitive operating-system functions. Some of the remaining holes still haven't been plugged, and when linked to the latest discovered flaw, attackers could once again have the ability to escape the safety perimeter.

Read More: Critical bug in newest Java gives attackers complete control of PCs