From: David H. Lipman on 22 Jul 2010 16:31

From: <blmblm(a)myrealbox.com>

| In article <i182ho0v9t(a)news4.newsguy.com>,
| David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:

>> From: <blmblm(a)myrealbox.com>

>> | In article <i0rm0e0q2f(a)news2.newsguy.com>,
>> | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:

>> >> From: "Aragorn" <aragorn(a)chatfactory.invalid>

>> >> | On Monday 05 July 2010 00:29 in comp.os.linux.misc, somebody identifying
>> >> | as David H. Lipman wrote...

>> | [ snip ]

>> >> I just hope Oracle can get the people at Sun to secure JRE. It has been the source of
>> >> many an infected computer due to its many vulnerabilities and subsequent
>> >> exploitation.

>> | Can you point me to a good source of information about these
>> | vulnerabilities and exploitation? I did a quick Google search on Java
>> | and "security hole" and found some mentions of exploitable flaws in
>> | implementing Java's security model [*], but to me they didn't seem
>> | to be adding up to "many vulnerabilities". What did I overlook?

>> | [*] At least it *has* one, though I suppose one could make a case for
>> | the notion that a badly-implemented security model might be worse
>> | than none at all, in that it generates a false sense of safety.

>> | Not trying to start a flame war here -- trying to fill in possible
>> | gaps in my own knowledge!

>> You can start with the ByteVerify exploit

| A belated "thank you" for taking the trouble to provide some links.
| It does look like there are more bugs than I might have suspected.
| I didn't find anything that to me supports a claim that these
| bugs (some of them fairly old) have been responsible for "many
| an infected computer", but maybe I didn't read carefully enough,
| and maybe my standards are lower than yours. <shrug>, maybe.

Maybe you haven't been studying malware as long as I have.
Being a member of an International malware research group, I have access to *much* information.

Sun Java was a causative factor in many computers being infected with the Vundo Trojan and/or Virtumonde Adware.

Here is a Virus Total report for the "Riskware:Java/SmsSend.Gen!A" detected in a 'd.class' file from a Java Jar. Notice its low catch rate.
http://www.virustotal.com/analisis/1f2d4d6d59f179adbfa1f6c594326e30cdccba0bb7e7250dc9b96d8e87e10dd4-1279582420

Here is a report for 'Client.class' found in Java Jar. This downloader trojan has a higher catch rate.
http://www.virustotal.com/analisis/1847338f2ad1a84f589b57f9f33fe06a72af8cbeea2c3f6d431bd4e0a113f137-1279062792

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: blmblm on 24 Jul 2010 12:26

In article <i2a9q402me(a)news2.newsguy.com>,
David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:
> From: <blmblm(a)myrealbox.com>
>
> | In article <i182ho0v9t(a)news4.newsguy.com>,
> | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:
>
> >> From: <blmblm(a)myrealbox.com>
>
> >> | In article <i0rm0e0q2f(a)news2.newsguy.com>,
> >> | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:
>
> >> >> From: "Aragorn" <aragorn(a)chatfactory.invalid>
>
> >> >> | On Monday 05 July 2010 00:29 in comp.os.linux.misc, somebody identifying
> >> >> | as David H. Lipman wrote...
>
> >> | [ snip ]
>
> >> >> I just hope Oracle can get the people at Sun to secure JRE. It has been the source of
> >> >> many an infected computer due to its many vulnerabilities and subsequent
> >> >> exploitation.

[ snip ]

> | A belated "thank you" for taking the trouble to provide some links.
> | It does look like there are more bugs than I might have suspected.
> | I didn't find anything that to me supports a claim that these
> | bugs (some of them fairly old) have been responsible for "many
> | an infected computer", but maybe I didn't read carefully enough,
> | and maybe my standards are lower than yours. <shrug>, maybe.
>
> Maybe you haven't been studying malware as long as I have.

Very possible -- it's not one of my areas of expertise, and I may
owe you an apology for assuming, as I rather did, that it wasn't one
of yours either, since you say:

> Being a member of an International malware research group, I have access to *much*
> information.
>
> Sun Java was a causative factor in many computers being infected with the Vundo Trojan
> and/or Virtumonde Adware.

The what .... pause to Google .... Is the Wikipedia article

http://en.wikipedia.org/wiki/Vundo

reasonably accurate?

As a Linux bigot I admit that my attention rather started to wander
when I got to the mention of the registry. Sort of a :-), since
after all if one is going to comment on Java's security record it
probably does make sense to base the comments on all the platforms
it runs on.

> Here is a Virus Total report for the "Riskware:Java/SmsSend.Gen!A" detected in a 'd.class'
> file from a Java Jar. Notice its low catch rate.
> http://www.virustotal.com/analisis/1f2d4d6d59f179adbfa1f6c594326e30cdccba0bb7e7250dc9b96d8e87e10dd4-1279582420
>
> Here is a report for 'Client.class' found in Java Jar. This downloader trojan has a
> higher catch rate.
> http://www.virustotal.com/analisis/1847338f2ad1a84f589b57f9f33fe06a72af8cbeea2c3f6d431bd4e0a113f137-1279062792

I'm not sure how to interpret those pages -- is the point that
the bytecode files causing the problem aren't detected by a lot
of programs that are supposed to find viruses? and security
problems that are unlikely to be caught are worse than those that
are? though this is possibly drifting off-topic ....

--
B. L. Massingill
ObDisclaimer: I don't speak for my employers; they return the favor.
From: David H. Lipman on 24 Jul 2010 15:06

From: <blmblm(a)myrealbox.com>

| In article <i2a9q402me(a)news2.newsguy.com>,
| David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:

>> From: <blmblm(a)myrealbox.com>

>> | In article <i182ho0v9t(a)news4.newsguy.com>,
>> | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:

>> >> From: <blmblm(a)myrealbox.com>

>> >> | In article <i0rm0e0q2f(a)news2.newsguy.com>,
>> >> | David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:

>> >> >> From: "Aragorn" <aragorn(a)chatfactory.invalid>

>> >> >> | On Monday 05 July 2010 00:29 in comp.os.linux.misc, somebody identifying
>> >> >> | as David H. Lipman wrote...

>> >> | [ snip ]

>> >> >> I just hope Oracle can get the people at Sun to secure JRE. It has been the source of
>> >> >> many an infected computer due to its many vulnerabilities and subsequent
>> >> >> exploitation.

| [ snip ]

>> | A belated "thank you" for taking the trouble to provide some links.
>> | It does look like there are more bugs than I might have suspected.
>> | I didn't find anything that to me supports a claim that these
>> | bugs (some of them fairly old) have been responsible for "many
>> | an infected computer", but maybe I didn't read carefully enough,
>> | and maybe my standards are lower than yours. <shrug>, maybe.

>> Maybe you haven't been studying malware as long as I have.

| Very possible -- it's not one of my areas of expertise, and I may
| owe you an apology for assuming, as I rather did, that it wasn't one
| of yours either, since you say:

>> Being a member of an International malware research group, I have access to *much*
>> information.

>> Sun Java was a causative factor in many computers being infected with the Vundo Trojan
>> and/or Virtumonde Adware.

| The what .... pause to Google .... Is the Wikipedia article
| http://en.wikipedia.org/wiki/Vundo
| reasonably accurate?

| As a Linux bigot I admit that my attention rather started to wander
| when I got to the mention of the registry. Sort of a :-), since
| after all if one is going to comment on Java's security record it
| probably does make sense to base the comments on all the platforms
| it runs on.

>> Here is a Virus Total report for the "Riskware:Java/SmsSend.Gen!A" detected in a
>> 'd.class' file from a Java Jar. Notice its low catch rate.
>> http://www.virustotal.com/analisis/1f2d4d6d59f179adbfa1f6c594326e30cdccba0bb7e7250dc9b96d8e87e10dd4-1279582420

>> Here is a report for 'Client.class' found in Java Jar. This downloader trojan has a
>> higher catch rate.
>> http://www.virustotal.com/analisis/1847338f2ad1a84f589b57f9f33fe06a72af8cbeea2c3f6d431bd4e0a113f137-1279062792

| I'm not sure how to interpret those pages -- is the point that
| the bytecode files causing the problem aren't detected by a lot
| of programs that are supposed to find viruses? and security
| problems that are unlikely to be caught are worse than those that
| are? though this is possibly drifting off-topic ....

I did not read the full Wiki. It just indicates symptoms of the Vundo family.

As for the Virus Total reports they show just how poorly many Java-related trojans and exploits are detected.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: Maxwell Lol on 25 Jul 2010 09:15

"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

> As for the Virus Total reports they show just how poorly many Java-related
> trojans and exploits are detected.

Sorry for coming into this discussion late....

Secunia recently released a report.

For those who don't know, Secunia offers a product called psi which is
free, and checks to see if ANY of your programs have security
vulnerabilities. It tells you it's time to update your jre, flash,
etc. I run it on my personal Windows-based computers. As an option, it
can collect information from a large number of users. Based on that
information, they summarize their statistics here:

http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf

On page 14 is a chart of the vulnerabilities of 3rd party programs
ranked by product, and Oracle/sun is ranked as #3. So there are many
java security issues. More so than Acrobat or flash. (Although Acrobat
had more "events") which may be a better indication of the severity of
the vulnerability.

This chart - Table 3 - does show that 89% of the computers running psi
have Java installed. So there is a large installed base. If it's
declining in popularity, these numbers don't seem to indicate it.

Acrobat Reader is 91% and Flash is 99%, BTW.

However, I can't believe that the number of vulnerabilities in Java is
causing Sun/Oracle's decline. Firefox and Safari have more
vulnerabilities, and that does not seem to affect their popularity.
And vulnerabilities in flash or acrobat do not seem to affect their
popularity.

Personally - I think that Oracle/Sun is suffering from a confusion of
their focus.
From: blmblm on 30 Jul 2010 10:41

In article <87eier66sw.fsf(a)mythtv.grymoire.com>,
Maxwell Lol <nospam(a)com.invalid> wrote:
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
>
> > As for the Virus Total reports they show just how poorly many Java-related
> > trojans and exploits are detected.
>
> Sorry for coming into this discussion late....
>
> Secunia recently released a report.
>
> For those who don't know, Secunia offers a product called psi which is
> free, and checks to see if ANY of your programs have security
> vulnerabilities. It tells you it's time to update your jre, flash,
> etc. I run it on my personal Windows-based computers. As an option, it
> can collect information from a large number of users. Based on that
> information, they summarize their statistics here:
>
> http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf
>
> On page 14 is a chart of the vulnerabilities of 3rd party programs
> ranked by product, and Oracle/sun is ranked as #3.

Nitpicking a bit -- Java specifically, not "Oracle/sun", right?
A person who just reads your post and not the report might think
what's being ranked here is some kind of summary information for
all products made by "Oracle/Sun" [*], which isn't the case.

[*] Which in turn may still be too new a marriage to be regarded as
a single entity with a single reputation?

> So there are many
> java security issues. More so than Acrobat or flash. (Although Acrobat
> had more "events") which may be a better indication of the severity of
> the vulnerability.

Yes, the thing I kept wondering in skimming through that report
was "are all of these problems of equal importance?"

The other thing is that this report seems to talk only about
Windows, and one of the problems mentioned upthread seemed to
specifically involve modifying the registry, which makes me wonder
how many of all these problems are cross-platform. I find it
imaginable at least that Sun could be a lot better at writing
secure software for UNIX-like systems than secure software for
other platforms -- I mean, one of their offerings *IS* a UNIX-like
operating system, no? Still, disappointing/disturbing/something.

> This chart - Table 3 - does show that 89% of the computers running psi
> have Java installed. So there is a large installed base. If it's
> declining in popularity, these numbers don't seem to indicate it.
>
> Acrobat Reader is 91% and Flash is 99%, BTW.
>
> However, I can't believe that the number of vulnerabilities in Java is
> causing Sun/Oracle's decline. Firefox and Safari have more
> vulnerabilities, and that does not seem to affect their popularity.
> And vulnerabilities in flash or acrobat do not seem to affect their
> popularity.
>
> Personally - I think that Oracle/Sun is suffering from a confusion of
> their focus.
>

--
B. L. Massingill
ObDisclaimer: I don't speak for my employers; they return the favor.