JAVA get pwned 4 times @ Pwn2Own

Discussion in 'other security issues & news' started by ComputerSaysNo, Mar 8, 2013.

Thread Status:
Not open for further replies.
  1. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
  2. BrandiCandi

    BrandiCandi Guest

    The java attack winner got paid the least of all the prizes at pwn2own for a reason.
     
  3. Hmm... lots of enterprise level stuff (e.g. Hadoop) is implemented in Java. I wonder how vulnerabilities in the JVM would affect such software.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I won a prize too... the day I uninstalled Java from all of my computers. :cool:
     
  5. BrandiCandi

    BrandiCandi Guest

    It's a big problem. Removing Java is excellent advice except where it's necessary. That's why security pros are screaming and yelling at Oracle to come up with a real solution. (btw solution != patch)
     
  6. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Oracle should get their act together with Java. :ninja:
     
  7. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Brief summary.

    Just went to test u17, the above is from http://javatester.org/
     
  8. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    883
    Location:
    Triassic
    "But Java applets can also be digitally signed and signed applets run outside of the normal Java sandbox by design. In other words, they don't need to depend on a bug in Java, they are purposely given free rein to do whatever they want. An example of a signed Java applet is the Secunia Online Software Inspector."

    Newbie Q: Can you help me understand the ramifications of this statement? Is it saying that certain exploits are only being passed by Java in the signed applets, so Oracle would not consider it a security breach on their part? As per the given example, would the user be aware of the exploit (how)? Would Secunia now be considered at fault?
     
    Last edited: Mar 10, 2013
  9. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
  10. DrBenGolfing

    DrBenGolfing Registered Member

    Joined:
    Nov 29, 2012
    Posts:
    251
    Location:
    Hometown of Van Cliburn
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Forget enterprise. How about home users who are Android rooting enthusiasts lol? :p
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's important to note that vulnerabilities in the JRE from Oracle wouldn't exist in the Dalvik JRE for Android.

    Java, as a language, is more secure than C++. It's just kinda crap in every way related to its implementation.
     