kgs and java security hole

[hyperpape]

Macs seem to be covered right now: http://www.macrumors.com/2013/01/11/app ... ty-threat/ (I won't comment about whether this is a good idea or not).

[speedchase]

You guys seem to have misunderstood my point. It wasn't that This isn't a problem, It is. I wasn't that they shouldn't fix it, they should and they will. My point was that people blow problems with Java out of proportion because they are much harder to find then problems with other platforms, or because they just don't like Java. Most browsers as well as anything running on Mac OS X blocked Java, so the average user shouldn't worry too much about this.

Edit: I think it is also worth noting that in order for you to be affected by this, you have to go to a website that is malicious, or has been compromised. This Java issue is just another easier way to do something that anyone can already do.

[xed_over]

Edit: I think it is also worth noting that in order for you to be affected by this, you have to go to a website that is malicious, or has been compromised.

this is true of almost all security vulnerabilities regardless of core technology used.

just don't go to those bad sites, and you won't have to worry.

[Ellyster]

Edit: I think it is also worth noting that in order for you to be affected by this, you have to go to a website that is malicious, or has been compromised.

this is true of almost all security vulnerabilities regardless of core technology used.

just don't go to those bad sites, and you won't have to worry.

Is not that easy... good sites are constantly being hacked, so the people who want to attack the vulnerability can upload his code to a popular web and get as many infected visitors as possible.

Feeling safe because you don't go to "bad sites" is extremely naive. If that were the case, 0 days vulnerabilities would not be a big deal, to start with.

[Kirby]

People shouldn't hate on Java so much. C, C++ and C# are all much worse when it comes to security, there are literally millions of virus attacks in Windows executable files, and Microsoft's Activex framework is a joke. The only reason people publish articles like this is because they see it as a challenge to try to crack Java's security mechanisms, there is no interest in other frameworks because it is so easy. All security issues in Java are fixed quickly.

Is C#'s security that bad (wih the latest .net framework)? Can you elaborate?

Fwiw, I'm a java fan, too, but i also like C#. (Well, on that note, I like C++, too... I don't really dislike many languages...)

[speedchase]

Is C#'s security that bad (wih the latest .net framework)? Can you elaborate?

Fwiw, I'm a java fan, too, but i also like C#. (Well, on that note, I like C++, too... I don't really dislike many languages...)

my point was more that if people can run programs on your computer, your screwed regardless of what the programming language tries to do to protect you. The only thing this vulnerability allows, if for java programmers to break out of the Java Virtual Machine, and run code directly on your computer. For other languages, there isn't a virtual machine in the first place, so there is no protection to break out from. This issue only stands to make Java more like other programming languages in terms of what a programmer can do to your computer. This is only a big deal because many browsers let Java programs run without asking the user, which is a bad idea in the first place.

Simply put, don't run programs on your computer that you don't know where they came from. The problem is that Java programs can be set up to run automatically. Shame on the browsers for that.

[AmyTS]

It doesn't matter if the site is trusted. The exploit is being deployed through ad networks. If the trusted site uses an ad network that has been compromised with the exploit, and you view that site, and you have a vulnerable version of Java, arbitrary code can be executed on your processor. This doesn't affect the downloaded KGS client, nor does it affect the applet version of KGS, since KGS does not use an ad network.

It's a good idea to disable Java in your browser until you're on a site on which you actually need it (like playing a game).

[Kirby]

Is C#'s security that bad (wih the latest .net framework)? Can you elaborate?

Fwiw, I'm a java fan, too, but i also like C#. (Well, on that note, I like C++, too... I don't really dislike many languages...)

my point was more that if people can run programs on your computer, your screwed regardless of what the programming language tries to do to protect you. The only thing this vulnerability allows, if for java programmers to break out of the Java Virtual Machine, and run code directly on your computer. For other languages, there isn't a virtual machine in the first place, so there is no protection to break out from. This issue only stands to make Java more like other programming languages in terms of what a programmer can do to your computer. This is only a big deal because many browsers let Java programs run without asking the user, which is a bad idea in the first place.

Simply put, don't run programs on your computer that you don't know where they came from. The problem is that Java programs can be set up to run automatically. Shame on the browsers for that.

I think i agree with the principles from which you speak, but perhaps analogous to the jvm, the clr utilized by .net provides security, and c# code isnt run directly, but is constructed into il. So i personally agree that java is not the root problem at times, but it may be a generalization to say its security is superior to. Net's.

I personally find java's power in its portability. Security isnt obviously superior to. Net's imho.

[Mef]

Is C#'s security that bad (wih the latest .net framework)? Can you elaborate?

Fwiw, I'm a java fan, too, but i also like C#. (Well, on that note, I like C++, too... I don't really dislike many languages...)

my point was more that if people can run programs on your computer, your screwed regardless of what the programming language tries to do to protect you. The only thing this vulnerability allows, if for java programmers to break out of the Java Virtual Machine, and run code directly on your computer. For other languages, there isn't a virtual machine in the first place, so there is no protection to break out from. This issue only stands to make Java more like other programming languages in terms of what a programmer can do to your computer. This is only a big deal because many browsers let Java programs run without asking the user, which is a bad idea in the first place.

Simply put, don't run programs on your computer that you don't know where they came from. The problem is that Java programs can be set up to run automatically. Shame on the browsers for that.

To put this another way -- It's not that Java has bigger security problems than other languages, it's that security problems are a bigger issue when you operate under the trust model that Java does. If the model intends for you to have untrusted sources running code, then a security issue is a larger potential vulnerability than if you expect all code to be trusted prior to execution.

[speedchase]

I think i agree with the principles from which you speak, but perhaps analogous to the jvm, the clr utilized by .net provides security, and c# code isnt run directly, but is constructed into il. So i personally agree that java is not the root problem at times, but it may be a generalization to say its security is superior to. Net's.

I personally find java's power in its portability. Security isnt obviously superior to. Net's imho.

I thought that C# worked more similar to C or C++ than java. please forgive my confusion, you are correct.

To put this another way -- It's not that Java has bigger security problems than other languages, it's that security problems are a bigger issue when you operate under the trust model that Java does. If the model intends for you to have untrusted sources running code, then a security issue is a larger potential vulnerability than if you expect all code to be trusted prior to execution.

yeah basically.

It doesn't matter if the site is trusted. The exploit is being deployed through ad networks. If the trusted site uses an ad network that has been compromised with the exploit, and you view that site, and you have a vulnerable version of Java, arbitrary code can be executed on your processor. This doesn't affect the downloaded KGS client, nor does it affect the applet version of KGS, since KGS does not use an ad network.

It's a good idea to disable Java in your browser until you're on a site on which you actually need it (like playing a game).

The solution is to treat Java applets like downloading an executable file. That's basically what it is. Have browsers trust different applets separately based on what the user tells it to do. Don't remember trust

[cyclops]

Maybe another stupid question. Does my antivirus protection ( f-secure, up to date ) offers any protection against the java vulnerabilities? And how to detect whether you are hacked already? No, I am not paranoia, but I don't want to compromise my wife's laptop. She needs it for her work.

[Ellyster]

@cyclops:

The general answer is NO, but it really depends on what the bug is and what the attackers wants to do with it.



Generally speaking, the most serious bugs are the ones that "allow root access" or "allow remote arbitrary code execution".

So to speak, they can do anything you can do, if the attacker wants to execute a virus... well the antivirus can detect it... but if the attacker wants to switch off the antivirus, he can (or even be more sutile and add and exeption just to the virus that he want to use).

Usually this kind of bugs are used to install "root kits" to become your pc part of a zombie network or to install "keyloggers" to get passwords, creditcars, etc...

[cyclops]

@cyclops: .....

Thanks for your information. Quite alarming though.

Don't tell Jasiek; he might easily freak out

So if wms gets rootkitted all kgs players must pray.
How does KGS work at the server side? Is it a servlet? Is it run on a computer which is controlled by WMS? How does wms protect it?
But wait, probably it is not the server that we need to fear but the applet cq client we are downloading everytime we connect to kgs.
I instructed my browser to trust anything that comes from kgs so I forgot how the authentication and verification is done. Is there a certificate? Well, I am not an expert so some questions may not be to the point.
Has wms a document around about how he provides safety to us?
Well, next thing now for me is to login to KGS to play a game

[speedchase]

Has wms a document around about how he provides safety to us?
Well, next thing now for me is to login to KGS to play a game

unless you are worried about wms hacking your computer, you should be fine. Just use the desktop client.

[quantumf]

This vulnerability was patched yesterday by Oracle (update 11).