Java security flaw...

[MagiaOscura]

Just wondering if anyone has any input on the subject...

[digip]

Yeah. Don't use Java.

[MagiaOscura]

But how could such a major flaw arise in the first place? Lazy coding?

[digip]

Um, are you new to computers and software? And no, I highly doubt lazy had anything to do with it, as much as it is Java in general, that is widely used, so a huge target for attackers. IE: The more people that use it, the more people that will attack it, like Windows. Much of that landscape is changing today, in that we are seeing more and more attacks, for things like OSX, Android, iPhones, Cell Phones in general, and all languages and operating systems. Java is no different. All software has bugs.

[MagiaOscura]

Ya, pretty new. I have just been pursuing a hobby the past few weeks. And it seems like this is a pretty big flaw though...oracle could of probably caught it if they were on their toes.

[digip]

0days come out, and flaws in Java are rampant in general. Has been this way with Java for YEARS and why I always tell people to remove it from their PC, Install it for when they need it specifically(like taking an online interview, class, etc) then immediately uninstall it afterwards. I yell at my own mother all the time for using it, and remove it from her PC all the time, but she needs it for her work, so its a double edged sword. Get owned, or get work done.

Problem is, Java is also embedded into devices, that can not be easily updated, so flaws in it, will remain for years until they can update firmware on specific devices, or in some cases, have to replace the entire device, depending on the type of device.

To this day, there are cash registers in the world, that STILL run Windows 3.1, and that was decommissioned YEARS ago.

Java, Adobe Acrobat, Flash, Internet Explorer, and a slew of others are at the top of the field for being attacked. The bigger you are and more widely used, the more probability people will attack it. Has nothing to do with being on your toes. Software as big as Java, or the Windows Operating system for instance, is constantly evolving, and as such, so do new attacks for doing things with software, no one had thought to try before. If anything, the attacks help raise awareness, and bring new security features that benefit not just Java, but other software developers and security researchers in helping secure more than just Java down the road, but in the short term, its a painful reality, that all things will fall at some point. Nothing is bullet proof. Even if your code itself has no flaw, taking the side door in via another piece of software is usually one way to make something happen, ie: Windows base when setup properly, is generally secure, until you add say, Quicktime plugin to the browser, or Acrobat Reader to your browser, and even FireFox can be hacked, if there is an 0day for Flash, since its not FireFox's responsibility to check Adobe's code, if you want to hack FireFox to get at users data, you take a side channel or 3rd party piece of software to gain access to the underlying target. Java is no different.

The bad thing about java is its most useful feature though. Its cross platform, which means it runs on nearly every OS and device, and can even run native machine code to get to the hardware itself, so you want to take over a server, or windows workstation, Java lets you in and gives you access to disable Anti-virus, patch kernels in memory, and run any code you want. Its the nature of the beast, and won't be changing any time soon.

[overwraith]

Some software security flaws are generated by lazy coding practices though. Nearly all hacks prey on coding flaws. A buffer overflow (most prevalent in C and C++ languages) for instance is a case where a coder has neglected to check the length of a users input to the program. The data is written without checking whether or not it will overwrite things after the allocated buffer space, thus rewriting a return address after the buffer. If input is cleverly crafted, a buffer overflow situation can be used to run code that the programmer of the victim program didn't code. This is done by injecting shellcode into the buffer, and a return address which is written after the buffer to point back into the buffer, thus redirecting the flow of execution. I think java is probably written in C/C++ or something, as all our computer languages have a hierarchy of evolution. Machine code was first, then came Assembly, and then came compiled languages, which are sometimes used to write more complex compiled languages. Improper verification is also the cause of several more modern types of attacks including cross site scripting, SQL Injection, and XML injection. It can be difficult to catch all coding flaws before release, because of the sheer size of the source code. Programs can be hundreds to thousands of lines. Format String Exploits, also prevalent in C and C++ are also an error associated with incorrect input verification. Format String Exploits involve allowing the user to input '%' symbols into a printf format string.

[whitehat]

What major flaw were we talking about? But yea -- vulnerabilities are so numerous and widespread I'm kinda surprised that the OP was surprised about a new vuln.

If it really was a 0day yesterday I'd like to know though :)

I concur with what overwraith said, though I'd add that programs can actually be even (much) longer than thousands of lines. Even programs written in a short amount of time may be millions of lines long, depending on what approach is taken by the person writing them (if you weren't very parsimonious, at least).

Edited January 13, 2013 by whitehat

[pasteeywhitecoder]

Is it just the browser Java plugin? Not the actual compiler/interpreter?

[digip]

The main flaw being used is browser based, but it could be any other kind of attack, based on other safe executables that do things on a system running Java, and so on. The flaw is in the Java software, sometimes only effects one OS, like the one that hit MAC users months back, but often, its cross platform, and thats also more the appeal for attackers, if the flaw can get to kernel level and has payloads for each OS or embedded device, depending on the flaw and what its meant to do.