Security update breaks A LOT OF STUFF!

General Discussions
#21

Does it though? Because when I read the actual attack / proof of concept it seemed to be that javaws was being run without validating the command line arg, which allows an attacker to pass their own -J param and path, and so boot with an additional jar.

Oracle seem to have ‘fixed’ the wrong thing - they’re trying to load the jar file and sandbox it after the fact with classloader hackery. But it strikes me that the proper root-cause fix would be to properly sanitise the command line before passing it to javaws so that rouge jar paths can’t be introduced in the first place.

That, combined with the no-beta quick roll out, has all the hallmarks of a non-technical manager throwing a hissy fit and forcing through such a colossally broken and ill-thought-out fix.

Edit: for reference, this is the original exploit doc I believe: http://seclists.org/fulldisclosure/2010/Apr/119

#22

sorry but cant understand what security hole they have fixed with the mixed-code restriction and scary popup, once you got a selfsigned library you can do whatever you want, so absolutly no need to prevent the user there will also be an unsigned code running with the selfsigned library: the selfsigned can already do what it want do to, so absolutly useless & understandable to have done such modification.

anyway they should have better validate (or at least validate…) this update before releasing, breaking existing applications is not really a way to go for web technologies.

#23

I have just update the Applet booter to enable signed/unsigned mixing with only one “standard” security popup (implemented a custom URLClassloader) this seems to work well…

the signed booter is here http://demo.dzzd.net/BootV2Signed/signedBoot.jar

with it you can use HTML code like this :

<applet
	archive = "signedBoot.jar"
	code	= "Boot"
	width	= "500"
	height	= "300">
	<PARAM NAME="BOOTCLASS" VALUE="jar.MyJarApplet">
	<PARAM NAME="BOOTJARS" VALUE="signedJar.jar;unsigned.jar">				
</applet>

it will give Applet all right or not depending on user response to security popup but the nice thing is that it wont show any secondary popup, it will also start imediatly and load jars asynchronously after boot applet start and then will launch the given sub-applet. if you dont requiere any special right than dont sign the booter and it will just run as fine.

more informations in this thread http://www.java-gaming.org/index.php/topic,22239.msg184109/topicseen.html#msg184109

EDIT: anyone interrested in investigate a certificat ? 50$ each :slight_smile:

#24

i download update 20, anyone know if it fixes and issues?

edit: still getting the ugly mixed code popup, with older applets. Anyone know about the other issues yet?

#25

http://java.sun.com/javase/6/webnotes/6u20.html

At first glance, it looks even a tiny bit tighter on security, breaking more JNLP apps.

#26

update 20 is even worst than update19 …

I got now three popups now ?! for some applets that was not showing any popup before, that’s crazy…

the new popup is this applet requiere and ol java version…

#27

all applet are now showing a dialog even unsigned , now I am really thinking of going away from java, Oracle sucks…

#28

Ouch, that’s really, really bad. I can’t imagine how on earth this got approved at Oracle.

#29

It make me become completly made… absolutly crazy… that’s juste incredible every single Applet around the world will then show a popup ??? how is it possible to be so stupid ?

they try to kill the java plugin ?

#30

java4k applet show popup, same on java.net and same on sun.com website, I just cannot find any website where there is not this popup

seems that Oracle just break in two updates all the efforts made by Sun last years to make the plugin appears more userfriendly, it is really impossible to rely on Java technologie expecially if Oracle is in the game, they always have produce poor quality tools and always focused on money

#31

I tested this and it is not true for my unsigned applets in 6u20

#32

I guess (!) you have modified your Java settings, I get no popups on the mentioned sites.

#33

not true

so try this one maybe :

http://www.java4k.com/index.php?action=games&method=view&gid=302
http://www.java4k.com/index.php?action=games&method=view&gid=291

also if you use webmin to manage a server try it !

or maybe some demo applet from sun ? http://java.sun.com/applets/

or some lwjgl applets demo maybe http://lwjgl.org/applet/

#34

at least you get the popup - firefox insta crashes, chrome shows a blank page and ie shows:
“Internet Explorer has stopped trying to restore this website. It appears that the website continues to have a problem.”

[quote]>java -version
Error occurred during initialization of VM
java/lang/NoClassDefFoundError: java/lang/Object

java -fullversion
java full version “1.6.0_20-b02”
[/quote]
:persecutioncomplex:

#35

I did not change anything between u19 and u20 but I got the warning just after I installed u20 not before, so could you point me the setting I may have changed ?

#36

I even put an exclamation mark after ‘guess’ … no need to get irritated.

#37

All I can say is that for me it works just like in 6u19

#38

sorry this is not you, I am just really irritated by last two java updates

#39

I got this one everywhere now (see image enclosed to this post), so maybe the update did something wrong and whenged my setting ? do am I alone ?

“it say the application requiere an older java version, do you want ot continue ?”

#40

re-install fixed my issues ???