Yet another security issue with applets

appel · August 28, 2012, 8:00pm

[quote]Disable Java NOW, users told, as 0-day exploit hits web
A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle’s Java patch schedule, it may be some time before a fix becomes widely available.

The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

[/quote]
Why is it so hard to make unbreakable sandboxes? :

gouessej · August 28, 2012, 8:34pm

I’m not surprised by The Register, it is always the same behavior… Why not disabling Flash, Silverlight and .NET too?

appel · August 28, 2012, 8:54pm

I guess the only true sandbox is your OS, maybe people need to run their browsers inside a virtual os (vmware, virtualbox) to be “safe”.

Riven · August 28, 2012, 9:04pm

No such luck…
[x]There are already virii that hijack guest OSes, for example, through VMware.
[x]There are already virii that hijack the current OS and virtualize it, to stay under the radar of anti-virus software.

appel · August 28, 2012, 9:10pm

OH GOD!!! ;D

Cero · August 28, 2012, 9:58pm

Thats crazy.

However I am absolutely convinced that developing a perfect sandbox IS possible.
I have looked at a lot of console design/architecture, primarily XBox, XBox 360 and PS3 - which is very related, because trying to keep people from hacking the consoles is a similar problem to keeping sandboxes secure.

What I’m certain is that, you need to keep the code minimal, very robust, test it throughly… only really required stuff; try to hack it; use principle of least privilege…

I’m very excited to see PS4 and XBox 720 in this regard…
Although I generally dislike Microsoft, XBox 360 has a very good architecture

I think also that one of the main problems with sandbox design like these are, basically old codebases: either legacy-code, or new code combined with legacy code… Only designing it from scratch would be secure

gouessej · August 28, 2012, 11:07pm

Every human creation can be improved. Therefore, your sandbox will have to be created by an intelligent being but not a human being ;D

sproingie · August 29, 2012, 12:42am

I work in the AV industry. No one uses this word.

Jimmt · August 29, 2012, 12:46am

Yup.
http://stason.org/TULARC/security/computer-virus/14-Is-it-viruses-virii-or-what.html

jonjava · August 29, 2012, 12:55am

Mmm. But virii is a lot cuter.

Much like snow bears are a lot cuter than polar bears.

Best_Username_Ever · August 29, 2012, 10:41pm

Yep. I’ve heard “Java isn’t used for anything, you should disable it” or “Java isn’t secure” and other things along that line. For me, the number of websites using Java applets outnumber Flash embeds by over two to one. (Ignoring Flash ads and websites that force the user to use a plugin to watch video.) The same people argue against disabling Silverlight, even though one can count the number of websites that use it on one hand. There’s good reason to disable those types of things, including Flash, Java, Silverlight, and definitely Javascript, but that type of discussion revolves around which one has the better brand image.

delt0r · August 30, 2012, 7:05am

With current hardware and OS i don’t think you can do a “perfect sandbox”. Fact is that modern computers are total crap when it comes to security, and no amount of dressing on the top can change that fundamental fact. Security is hard to get right. Its even harder to slap it onto things that where not designed with security in the first place.

Damocles · August 30, 2012, 7:18am

If you worry about security, especially vīra, just use Linux as browsing and eBanking System.

I wonder how much effort into security applications and fear people invest,
just to keep using Windows for their critical Tasks. (Online Banking, online purchases, processing personal documents etc…)

The standard tasks all work fine in the mainstream Linux distros.
Plus its still natively much securer.

I use Windows mainly for gaming then.

gimbal · August 30, 2012, 8:12am

Its all pointless anyway. No matter how many holes are plugged in software, the biggest security hole is still floating between the keyboard and the chair. Its not the tiny cracks in a piece of software the provide the most misery, its the keyloggers installed on so many systems of oblivious users that are the real deal. They don’t go away by pointing a finger at others.

Damocles · August 30, 2012, 8:25am

I just hope this Java FauxPas dows not reduce the installments of Java too much.

Would be bad news for Applets and Javagaming in general.

Good that Mincecraft keeps Java as gamingengine well in Public view.

kappa · August 30, 2012, 12:03pm

The above security issue is pretty serious, trivial to exploits (even by java noobs) and works crossplatform, as the source code of a working example shows here.

Sadly even if the above is fixed there are probably tons more yet undiscovered ways to do the above. Just looking at the list of critical Java security bugs fixed in the last few years there have literally been hundreds of similar ones.

A majority of these exploits (including the above) simply find various crafty ways to replace the default applet/JWS security manager, e.g. System.setSecurityManager(null).

Simply making it impossible in the VM to replace the default Security manager (even with elevated permissions) when running as applet or JWS should make it more difficult to beat the sandbox and reduce some of the problems.

The Java plugin is currently a major attack vector (much more so than Flash ever was) and is being rightly criticised. If Oracle are serious or care about continuing to have a Java plugin they need to take some radical action to secure it down (likely even more browsers will block it by default). Plus it doesn’t help that Oracle are completely silent (seeming they are doing nothing) even though almost every security/tech site out there is currently bashing it.

gimbal · August 30, 2012, 12:07pm

Actually they have, there have been so many harsh security fixes done to for example the applet core that plenty of applications just failed to work after a certain update. Now they get pissed on by both the developers AND the so called security experts

I agree that Oracle keeping silent is really highly annoying. You just don’t know what is going on behind those towering walls of theirs.

princec · August 30, 2012, 12:15pm

Not just silent but negligent as well. Holes from bugs are to be expected; ignored holes are not. Grrr.

Cas

Cero · August 30, 2012, 12:44pm

you get my point with example like these: trying to fix a current sandbox like this is like trying to fix a broken ship on the high sea in a storm

when they were first developed, none of these issues were apparent… it was not designed with with todays performance, stability and security aspects in mind

gimbal · August 30, 2012, 1:26pm

Very true, but yeah. Name me one large multinational that was not guilty of this exact same crime at least once but probably multiple times. They’re all too busy looking for the one ring.