New Vulnerability found in Java 7 and web

Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

http://www.us-cert.gov/cas/techalerts/TA13-010A.html


My buddy just posted this to me, thoughts? Sorry if this shouldn't be here, not too sure where Java News goes.....
Kathleen Angeles
Ranch Hand

Joined: Aug 06, 2012
Posts: 122

Interesting.
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Kathleen Angeles wrote: Interesting.


I thought I replied to your previous post, but yeah, I'm surprised no one is looking at this, nor is Oracle giving us the heads up.


First it seems like a user has to visit a certain site, and then run the applet unknowingly... Then it says it can be run without privileges?



Description
A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code.
Grant itself.....? That's crazy.

Then it says this
Impact
By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.


So now are we loading it just by the webpage or....?


What bothers me is 3 things.

Whenever I run webstart, applets, or JNLP files I get

1. A Console

2. A question stating "Do you want to run this application" "run now or always run"

3. "This applet has been signed or unsigned blah blah blah, do you want to run?"


So what I want to know is are they able to

1. Get rid of the console so no one knows they are being attacked? (Can it be run without us knowing?)

2. Is there a way to get rid of the accepting signature/run on this site that appears as a dialog and at the top of the browser?



It seems to me like people need to go to a random website, and purposely run this applet to be affected..

The thing is though we've KNOWN this for a LONG time.... It's even in our Applet FAQs about this. Being able to take over an Applet and change the code is nothing new...


Thoughts?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61180

More evidence that applets should have died along with the cassette tape. Client-side Java in the browser has always been a disaster, in my opinion. Maybe this will be the final nail in the coffin.


Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Bear Bibeault wrote:More evidence that applets should have died along with the cassette tape. Client-side Java in the browser has always been a disaster, in my opinion. Maybe this will be the final nail in the coffin.



Haha, I figured you'd say something like that. So what would you recommend doing? Should we all now disable Java in our browser, or just don't be an idiot and go to sites you aren't sure about/load applets without a digital signature, etc., etc.?


Also the thing about client side in the web I can see for small projects, and things where you're going to want to maybe add a little spice to your site, though I think you could probably do most things using JSP or JavaScript, right? Most of the applets I see are from Oracle's site, so why exactly do they use them then?


Anything super big I don't see why you would run in your browser when you can run the client/server app, plus I'm sure it will take forever to load... :P
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61180

Jay Orsaw wrote:So what would you recommend doing? Should we all now disable Java in our browser

Yes. And stop supporting sites that use applets. And stop writing applets. (I feel the same way about Flash as well, in case you are interested.)

As someone who has expressed so much concern over the future of Java in other posts, you should be 100% behind me, in my opinion. Applets and vulnerabilities like these give the entire Java platform a bad name. I think that it's long past time they just went away and the whole notion of a JVM in the browser dies.

I like Java as a server-side language, but as a web component I think it's been nothing but a disaster.
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Bear Bibeault wrote:
Jay Orsaw wrote:So what would you recommend doing? Should we all now disable Java in our browser

Yes. And stop supporting sites that use applets. And stop writing applets. (I feel the same way about Flash as well, in case you are interested.)

As someone who has expressed so much concern over the future of Java in other posts, you should be 100% behind me, in my opinion. Applets and vulnerabilities like these give the entire Java platform a bad name. I think that it's long past time they just went away and the whole notion of a JVM in the browser dies.

I like Java as a server-side language, but as a web component I think it's been nothing but a disaster.


I only wrote one applet.

And yeah, for sure I don't like it either, but as I mentioned I did just write an applet for someone's site, what would the solution be now? I don't want to scrap the work I've done, nor do I think they want that either :p. It's not for a huge site or anything, so I don't think there will be an issue but you don't know in the end....


Vulnerabilities suck all over.

What's wrong with Flash (besides it's dying)? Same with Silverlight also?


But again
now are we loading it just by the webpage or....?


What bothers me is 3 things.

Whenever I run webstart, applets, or JNLP files I get

1. A Console

2. A question stating "Do you want to run this application" "run now or always run"

3. "This applet has been signed or unsigned blah blah blah, do you want to run?"


So what I want to know is are they able to

1. Get rid of the console so no one knows they are being attacked? (Can it be run without us knowing?)

2. Is there a way to get rid of the accepting signature/run on this site that appears as a dialog and at the top of the browser?



It seems to me like people need to go to a random website, and purposely run this applet to be affected..

The thing is though we've KNOWN this for a LONG time.... It's even in our Applet FAQs about this. Being able to take over an Applet and change the code is nothing new...


Thoughts?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41797
As Bear said, you should have disabled Java in your browser a long time ago (along with everybody else). It seems that every new Java release fixes another client-side vulnerability, and it'll continue to be that way. Just another reason why client-side Java is dead (even if this concerns only code running in the browser).


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61180

I'm not going to debate Flash here. That's a dead horse.

Jay Orsaw wrote:I did just write an applet for someone's site, what would the solution be now?

Without knowing what the applet does, cannot say. Is it something that interacts with a machine in a way that JavaScript does not allow? Or did you just do it in Java to avoid the HTML/CSS/JavaScript stack?

It's not for a huge site or anything, so I don't think there will be an issue but you don't know in the end....

It depends upon the users of the site. If they disable, or have already disabled, Java in the browser, your customer will be out of luck.

The DHS has recommended that everyone disable browser Java and Mozilla and Apple have done it automatically.

I believe that it really is well past the time to acknowledge that Java in the browser is a failed idea and move on.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4655

I've been ranting saying that no one should be using applets over in the applet forum for ages now. Courses and textbooks should remove their material on applets.

Applets were a marginal idea when they were invented back in 1996 or so, and they have never worked reliably. They are a bad idea, and a solution that modern systems don't need solved.

Our @bear is not the first person to also include Flash in the "bad ideas that we should never look at again", as Apple's Steve Jobs banned Flash from all iOS devices. There was a lot of whining from people with Flash heavy websites, but the sun still rises in the East.

We are better off without Flash and applets.

I wish we could kill off JavaScript, not because it's a giant virus delivery vector, but because I just don't like the language -- it's too like Java (in style and name) and too unlike Java (functional programming stuff) at the same time. Give me a cleanly designed language any day over this designed-by-committee disaster.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61180

I agree 100% with Pat on Java in the browser and Flash. But I will respectfully, but vehemently, disagree with him about JavaScript. For those that take the time to really learn it, it's actually quite a nice little language, well suited to its intended purpose. Sure, some people have a hard time adjusting to it -- especially if they are coming to it from Java, because they try to write it as if it were Java -- but that's not the language's fault. The decision to rename it JavaScript from LiveScript was, however, a lamentable choice.

And unlike applets and Flash, I don't think that it's going away anytime soon.

However, that's off topic for this thread.

Getting back to applets, my credit union's website uses an applet to let members scan checks at their computers and upload them for deposit. It's a cantankerous and ill-mannered beast of a thing. I've never been able to get it successfully hooked up to the scanner, its UI is horrible, trying to navigate through it frequently causes it to reset, and heaven help you if you make an error during data entry. That is, when it loads at all.

Luckily, they also have a mobile app for the iPhone, where all I have to do is take a picture of the check. Much easier.

Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Bear Bibeault wrote:I'm not going to debate Flash here. That's a dead horse.

Jay Orsaw wrote:I did just write an applet for someone's site, what would the solution be now?

Without knowing what the applet does, cannot say. Is it something that interacts with a machine in a way that JavaScript does not allow? Or did you just do it in Java to avoid the HTML/CSS/JavaScript stack?

It's not for a huge site or anything, so I don't think there will be an issue but you don't know in the end....

It depends upon the users of the site. If they disable, or have already disabled, Java in the browser, your customer will be out of luck.

The DHS has recommended that everyone disable browser Java and Mozilla and Apple have done it automatically.

I believe that it really is well past the time to acknowledge that Java in the browser is a failed idea and move on.


It's basically a calculator that when you enter certain values will change a scroll pane from a single picture with vertical scroll disabled, to enabled with a JPanel with a couple of options.

Then there is a JTable that you can grab the values of the text fields from, and then it throws it into a JavaFX graph I made.

So unless I am able to control a graph, table and the interaction I have with the scroll pane (one scroll pane switches JPanels of info) I'll have to stick with the Applet....

It's not really that I want to avoid JS and HTML and CSS (I use CSS in FX, as well as XML), it's just I figured


Sorry, I had this typed out hours ago and forgot to submit.



As for your bank's applet, yeah, I can see when an applet doesn't work it's a PAIN, but if it works I don't see what's so bad about them. I'm sure you can do most things with JSP, so I really need to go check out those LearnJavaNow videos I bought.

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4655

Jay Orsaw wrote: It's basically a calculator that when you enter certain values will change a scroll pane from a single picture with vertical scroll disabled, to enabled with a JPanel with a couple of options.


That is no justification for using dead technology such as applets. See http://www.coderanch.com/t/572824/Applets/java/interest-lots-questions-applets

You can do a calculator in JavaScript without any of the problems that applets and this vulnerability bring.

It's a doctor, doctor issue.

Patient: Doctor, Doctor, it hurts when I do this.
Doctor: then don't do that.
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Pat Farrell wrote:
Jay Orsaw wrote: It's basically a calculator that when you enter certain values will change a scroll pane from a single picture with vertical scroll disabled, to enabled with a JPanel with a couple of options.


That is no justification for using dead technology such as applets. See http://www.coderanch.com/t/572824/Applets/java/interest-lots-questions-applets

You can do a calculator in JavaScript without any of the problems that applets and this vulnerability bring.

It's a doctor, doctor issue.

Patient: Doctor, Doctor, it hurts when I do this.
Doctor: then don't do that.



Yes, but I need a table, as well as the graph.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4655

Jay Orsaw wrote:Yes, but I need a table, as well as the graph.

You can do tables and graphs in JavaScript.
You can do tables in HTML.

There is no justification for using applets for new work in 2013. None. It's like using scriptlets in JSP pages, acceptable technology a decade or more ago, but not how modern applications are built.

The schools need to stop teaching applets, the textbooks need to remove the chapters on applets.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61180

Jay Orsaw wrote: I'm sure you can do most things with JSP

You mean "I'm sure you can do most things with HTML, JavaScript and CSS". JSP is just a templating technology for creating HTML pages. If you are hoping that JSP allows Java in the browser, you will be disappointed. Read this article to understand how JSP operates.

Jay Orsaw wrote:Yes, but I need a table, as well as the graph.

You don't need applets for those.
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Pat Farrell wrote:
Jay Orsaw wrote:Yes, but I need a table, as well as the graph.

You can do tables and graphs in JavaScript.
You can do tables in HTML.

There is no justification for using applets for new work in 2013. None. It's like using scriptlets in JSP pages, acceptable technology a decade or more ago, but not how modern applications are built.

The schools need to stop teaching applets, the textbooks need to remove the chapters on applets.


I never learned applets in school :P.

Bear Bibeault wrote:
Jay Orsaw wrote: I'm sure you can do most things with JSP

You mean "I'm sure you can do most things with HTML, JavaScript and CSS". JSP is just a templating technology for creating HTML pages. If you are hoping that JSP allows Java in the browser, you will be disappointed. Read this article to understand how JSP operates.

Jay Orsaw wrote:Yes, but I need a table, as well as the graph.

You don't need applets for those.


No, HTML is the devil >( :p.

Yeah, I meant HTML, CSS, JSP, etc. mixed...

I know there is GWT for Java web stuff...



Now the last question is if I wanted to not use an Applet would I be able to use my existing SE/FX code elsewhere, because I'm not really looking to recode everything....
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10091

FWIW, there's now a release which supposedly contains a fix http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4655

Jay Orsaw wrote:Now the last question is if I wanted to not use an Applet would I be able to use my existing SE/FX code elsewhere, because I'm not really looking to recode everything....


You really want to not use applets. You want to stop using them today.

It's impossible to tell from a distance how much of your existing code will work, probably not a lot of the FX. If your SE code is using AWT or Swing, not a lot there either.

Sometimes, recoding is not that painful. You know exactly what you want to do, all you need is to learn the new tools to implement it. Languages change, technology changes, software engineering practices change. What was once a best practice may fairly quickly be considered evil, as applets are today.

A lot of the younger engineers here on the 'ranch seem to think that learning Java, and Java's future, are important. Well, learning to do it well is important, but that goes for any technology. I've been paid to write programs in about 20 different languages, some radically different from others. Sometimes it's good to re-implement something with new tools. Sometimes, you decide that what you were doing is wrong, and you re-implement a whole new approach.

Embrace change. It's gonna change anyway.