What happened to sun & java?
in [Slackware]
|
Prev: kgpg problems
Next: Downloading 13.1?
From: blmblm on 22 Jul 2010 12:48 In article <i182ho0v9t(a)news4.newsguy.com>, David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: > From: <blmblm(a)myrealbox.com> > > | In article <i0rm0e0q2f(a)news2.newsguy.com>, > | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: > >> From: "Aragorn" <aragorn(a)chatfactory.invalid> > > >> | On Monday 05 July 2010 00:29 in comp.os.linux.misc, somebody identifying > >> | as David H. Lipman wrote... > > | [ snip ] > > >> I just hope Oracle and get the people at Sun to secure JRE. It is been theo source or > >> many and infected computer due to its many vulnerabilities and subsequent > >> exploitation. > > | Can you point me to a good source of information about these > | vulnerabilities and exploitation? I did a quick Google search on Java > | and "security hole" and found some mentions of exploitable flaws in > | implementing Java's security model [*], but to me they didn't seem > | to be adding up to "many vulnerabilities". What did I overlook? > > | [*] At least it *has* one, though I suppose one could make a case for > | the notion that a badly-implemented security model might be worse > | than none at all, in that it generates a false sense of safety. > > | Not trying to start a flame war here -- trying to fill in possible > | gaps in my own knowledge! > > You can start with the ByteVerify exploit A belated "thank you" for taking the trouble to provide some links. It does look like there are more bugs than I might have suspected. I didn't find anything that to me supports a claim that these bugs (some of them fairly old) have been responsible for "many an infected computer", but maybe I didn't read carefully enough, and maybe my standards are lower than yours. <shrug>, maybe. > F**K ! > > Dead > http://sunsolve.sun.com/search/document.do?assetkey=1-26-102731-1 > > http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1 > > http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1 > > "Book marks to the legacy Sun Alert: : http://sunsolve.sun.com/search/document.do?assetkey=1-26-102854-1 > are no longer available and SunSolve will report the document is not found. As the mapping > to the new system does not exit. > To find this SunAlert, searching on the keywords or the original title, for example, > Security Vulnerability in the Sun Java Web Console May Allow Access to Privileged on > SunSolve will provide the new link: http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001060.1-1 > " > > > http://isc.sans.edu/diary.html?storyid=2088 > > http://www.us-cert.gov/cas/alerts/SA08-340A.html > > http://search.us-cert.gov/search?q=sun+java&btnG.x=0&btnG.y=0&btnG=Go&entqr=0&ud=1&sort=date%3AD%3AL%3Ad1&output=xml_no_dtd&oe=UTF-8&ie=UTF-8&client=default_frontend&proxystylesheet=default_frontend&site=default_collection > -- B. L. Massingill ObDisclaimer: I don't speak for my employers; they return the favor.
From: David H. Lipman on 22 Jul 2010 16:31 From: <blmblm(a)myrealbox.com> | In article <i182ho0v9t(a)news4.newsguy.com>, | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: >> From: <blmblm(a)myrealbox.com> >> | In article <i0rm0e0q2f(a)news2.newsguy.com>, >> | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: >> >> From: "Aragorn" <aragorn(a)chatfactory.invalid> >> >> | On Monday 05 July 2010 00:29 in comp.os.linux.misc, somebody identifying >> >> | as David H. Lipman wrote... >> | [ snip ] >> >> I just hope Oracle and get the people at Sun to secure JRE. It is been theo source >> or >> >> many and infected computer due to its many vulnerabilities and subsequent >> >> exploitation. >> | Can you point me to a good source of information about these >> | vulnerabilities and exploitation? I did a quick Google search on Java >> | and "security hole" and found some mentions of exploitable flaws in >> | implementing Java's security model [*], but to me they didn't seem >> | to be adding up to "many vulnerabilities". What did I overlook? >> | [*] At least it *has* one, though I suppose one could make a case for >> | the notion that a badly-implemented security model might be worse >> | than none at all, in that it generates a false sense of safety. >> | Not trying to start a flame war here -- trying to fill in possible >> | gaps in my own knowledge! >> You can start with the ByteVerify exploit | A belated "thank you" for taking the trouble to provide some links. | It does look like there are more bugs than I might have suspected. | I didn't find anything that to me supports a claim that these | bugs (some of them fairly old) have been responsible for "many | an infected computer", but maybe I didn't read carefully enough, | and maybe my standards are lower than yours. <shrug>, maybe. Maybe you haven't been studying malware as long as I have. Being a meber of an Internation malware research group, I have access to *much* information. Sun Java was a causitive factor in many computers being infected with the Vundo Trojan and/or Virtumonde Adware. Here is a Virus Total report for the "Riskware:Java/SmsSend.Gen!A" detected in a 'd.class' file from a Java Jar. Notice its low catch rate. http://www.virustotal.com/analisis/1f2d4d6d59f179adbfa1f6c594326e30cdccba0bb7e7250dc9b96d8e87e10dd4-1279582420 Here is a report for 'Client.class' found in Java Jar. This downloader trojan has a higher catch rate. http://www.virustotal.com/analisis/1847338f2ad1a84f589b57f9f33fe06a72af8cbeea2c3f6d431bd4e0a113f137-1279062792 -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: blmblm on 24 Jul 2010 12:26 In article <i2a9q402me(a)news2.newsguy.com>, David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: > From: <blmblm(a)myrealbox.com> > > | In article <i182ho0v9t(a)news4.newsguy.com>, > | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: > >> From: <blmblm(a)myrealbox.com> > > >> | In article <i0rm0e0q2f(a)news2.newsguy.com>, > >> | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: > >> >> From: "Aragorn" <aragorn(a)chatfactory.invalid> > > >> >> | On Monday 05 July 2010 00:29 in comp.os.linux.misc, somebody identifying > >> >> | as David H. Lipman wrote... > > >> | [ snip ] > > >> >> I just hope Oracle and get the people at Sun to secure JRE. It is been theo source > >> or > >> >> many and infected computer due to its many vulnerabilities and subsequent > >> >> exploitation. [ snip ] > | A belated "thank you" for taking the trouble to provide some links. > | It does look like there are more bugs than I might have suspected. > | I didn't find anything that to me supports a claim that these > | bugs (some of them fairly old) have been responsible for "many > | an infected computer", but maybe I didn't read carefully enough, > | and maybe my standards are lower than yours. <shrug>, maybe. > > Maybe you haven't been studying malware as long as I have. Very possible -- it's not one of my areas of expertise, and I may owe you an apology for assuming, as I rather did, that it wasn't one of yours either, since you say: > Being a meber of an Internation malware research group, I have access to *much* > information. > > Sun Java was a causitive factor in many computers being infected with the Vundo Trojan > and/or Virtumonde Adware. The what .... pause to Google .... Is the Wikipedia article http://en.wikipedia.org/wiki/Vundo reasonably accurate? As a Linux bigot I admit that my attention rather started to wander when I got to the mention of the registry. Sort of a :-), since after all if one is going to comment on Java's security record it probably does make sense to base the comments on all the platforms it runs on. > Here is a Virus Total report for the "Riskware:Java/SmsSend.Gen!A" detected in a 'd.class' > file from a Java Jar. Notice its low catch rate. > http://www.virustotal.com/analisis/1f2d4d6d59f179adbfa1f6c594326e30cdccba0bb7e7250dc9b96d8e87e10dd4-1279582420 > > Here is a report for 'Client.class' found in Java Jar. This downloader trojan has a > higher catch rate. > http://www.virustotal.com/analisis/1847338f2ad1a84f589b57f9f33fe06a72af8cbeea2c3f6d431bd4e0a113f137-1279062792 I'm not sure how to interpret those pages -- is the point that the bytecode files causing the problem aren't detected by a lot of programs that are supposed to find viruses? and security problems that are unlikely to be caught are worse than those than are? though this is possibly drifting off-topic .... -- B. L. Massingill ObDisclaimer: I don't speak for my employers; they return the favor.
From: David H. Lipman on 24 Jul 2010 15:06 From: <blmblm(a)myrealbox.com> | In article <i2a9q402me(a)news2.newsguy.com>, | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: >> From: <blmblm(a)myrealbox.com> >> | In article <i182ho0v9t(a)news4.newsguy.com>, >> | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: >> >> From: <blmblm(a)myrealbox.com> >> >> | In article <i0rm0e0q2f(a)news2.newsguy.com>, >> >> | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote: >> >> >> From: "Aragorn" <aragorn(a)chatfactory.invalid> >> >> >> | On Monday 05 July 2010 00:29 in comp.os.linux.misc, somebody identifying >> >> >> | as David H. Lipman wrote... >> >> | [ snip ] >> >> >> I just hope Oracle and get the people at Sun to secure JRE. It is been theo >> source >> >> or >> >> >> many and infected computer due to its many vulnerabilities and subsequent >> >> >> exploitation. | [ snip ] >> | A belated "thank you" for taking the trouble to provide some links. >> | It does look like there are more bugs than I might have suspected. >> | I didn't find anything that to me supports a claim that these >> | bugs (some of them fairly old) have been responsible for "many >> | an infected computer", but maybe I didn't read carefully enough, >> | and maybe my standards are lower than yours. <shrug>, maybe. >> Maybe you haven't been studying malware as long as I have. | Very possible -- it's not one of my areas of expertise, and I may | owe you an apology for assuming, as I rather did, that it wasn't one | of yours either, since you say: >> Being a meber of an Internation malware research group, I have access to *much* >> information. >> Sun Java was a causitive factor in many computers being infected with the Vundo Trojan >> and/or Virtumonde Adware. | The what .... pause to Google .... Is the Wikipedia article | http://en.wikipedia.org/wiki/Vundo | reasonably accurate? | As a Linux bigot I admit that my attention rather started to wander | when I got to the mention of the registry. Sort of a :-), since | after all if one is going to comment on Java's security record it | probably does make sense to base the comments on all the platforms | it runs on. >> Here is a Virus Total report for the "Riskware:Java/SmsSend.Gen!A" detected in a >> 'd.class' >> file from a Java Jar. Notice its low catch rate. >> http://www.virustotal.com/analisis/ >> 1f2d4d6d59f179adbfa1f6c594326e30cdccba0bb7e7250dc9b96d8e87e10dd4-1279582420 >> Here is a report for 'Client.class' found in Java Jar. This downloader trojan has a >> higher catch rate. >> http://www.virustotal.com/analisis/ >> 1847338f2ad1a84f589b57f9f33fe06a72af8cbeea2c3f6d431bd4e0a113f137-1279062792 | I'm not sure how to interpret those pages -- is the point that | the bytecode files causing the problem aren't detected by a lot | of programs that are supposed to find viruses? and security | problems that are unlikely to be caught are worse than those than | are? though this is possibly drifting off-topic .... I did not read the full Wiki. It jsut indicates symptoms of the Vundo family. As for the Virus Total reports they show just how poorly Many Java related trojans and exploits are poorly detected. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: Maxwell Lol on 25 Jul 2010 09:15
"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes: > As for the Virus Total reports they show just how poorly Many Java > related trojans and exploits are poorly detected. Sorry for coming into this discussion late.... Secunia recently released a report. For those who don't know, secunia offers a product called psi which is free, and checks to see if ANY of your programs have security vunerabilities. It tells you it's time to update your jre, flash, etc. I run it on my personal Windows-based computers. As an option, it can collect information from a large number of users. Based on that informaiton, they summaries thair statistics here: here: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf On page 14 is a chart of the vulnerabilities of 3rd party programs ranked by product, and Oracle/sun is ranked as #3. So there are many java security issues. More so that Acrobat or flash. (Although Acrobat had more "events") which may be a better indication of the severity of the vulnerability. This chart - Table 3 - does show that 89% of the computers running psi have Java installed. So there is a large installed base. If it's declining in popularity, these numbers don't seem to indicate it. Arobat Reader is 91% and Flash is 99%, BTW. However, I can't believe that the number of vulnerabilities in Java is causing Sun/Oracle's decline. Firefox and Safari have more vulnerabilities, and that does not seem to afffect their popularity. And vulnerabilities in flash or acrobat do not seem to affect their popularity. Personally - I think that Oracle/Sun is suffering from a confusion of their focus. |