Dangerous Java flaw threatens virtually everything

By Liam Tung, ZDNet Australia
Friday, July 13, 2007 04:01 PM

Update: Google's Security team has discovered vulnerabilities in the Sun Java Runtime Environment that threaten the security of all platforms, browsers and even mobile devices.

"This is as bad as it gets," said Chris Gatford, a security expert from penetration testing firm Pure Hacking.

For more information on the vulnerabilities, see the AusCERT advisory. In addition, Sun Microsystems said the flaw has since been patched.

"It's a pretty significant weakness, which will have a considerable impact if the exploit codes come to fruition quickly. It could affect a lot of organizations and users," Gatford told ZDNet Australia.

Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk.

"Delivery of exploits in this manner is attractive to attackers because even though the browser may be fully patched, some people neglect to also patch programs invoked by browsers to render specific types of content," said Lowe.

According to Gatford, the bugs threaten pretty much every modern device.

"Java runs on everything: cell phones, PDAs, and PCs. This is the problem when you have a vulnerability in something so modular--it affects so many different devices.

"Also, this exploit is browser independent, as long as it invokes a vulnerable Java Runtime Environment," said Gatford.

Pure Hacking's Gatford said the problem is compounded by the slim chance of an enterprise patching Java Runtime vulnerabilities.

"It would be an extremely difficult and laborious process for an organization trying to patch Java Runtime across the enterprise," he said.


Talkback 31 comments

Not hard to patch across the enterprise if you are running Novell ZENworks or other patching solutions.
Posted by anonymous on Friday, July 13 2007 11:12 PM

This article is useless without detailed information concerning the flaw(s) and a link to the advisory(ies).
Posted by Alphager on Friday, July 13 2007 11:18 PM

The bigger problem is similar to the DST patch for Java. There are embedded devices (switches, routers, etc.) that have Java on them that most likely will never get an update. Then there's the issue of compatibility: if an application needs version X and the fix is in version Y, you're waiting for the vendor to patch the code in their app so that you can update the Java, which just adds more stuff to the pile of things to do.
Posted by Les on Friday, July 13 2007 11:24 PM

Horrible article; without references, virtually useless.

No details, no references, no links... (is it even true?)

References, people. I don't know or care who Liam Tung is (therefore I do *not* take his word at face value), but I *do* care about managing risk around this flaw if it exists.

I'm off to google to find a source with sufficient information and references to be useful. No thanks to you, editor.
Posted by anonymous on Friday, July 13 2007 11:40 PM

I think telling hackers exactly what the problem is would be somewhat ridiculous too. I think the idea would be to disable the JRE if you are using a new program from an untrusted source or visiting an untrusted website.
Posted by Patrick on Friday, July 13 2007 11:47 PM

Agree with above comments - this article is useless without details.
Posted by Eric on Friday, July 13 2007 11:48 PM

It still requires you to run the exploit code. On most embedded devices it would require another flaw in the application that allowed the attacker to run the exploit code. The big attack vector is Java applets via a web browser; once the Java on the host machine is updated it is fixed. Also, on Windows machines, this is generally done automatically with the Java updater.
Posted by Darrell Wright on Friday, July 13 2007 11:49 PM

Yep. Totally worthless. Not helpful at all... hmmm... can you say FUD?
Posted by anonymous on Friday, July 13 2007 11:52 PM

Ya know, maybe if developers weren't all wrapped up in Extreme Programming/Agile Development/insert-latest-hip-name-for-pushing-crap-out-the-door-before-it's-ready, maybe there would be fewer security problems.
Posted by anonymous on Saturday, July 14 2007 12:09 AM

I can't find anything on bugtraq that would correspond to this.
Posted by Jim Rootham on Saturday, July 14 2007 12:15 AM

OMG! My Java toaster is burning my toast! It must be a Java vulnerability. :-/

Worst. Article. Ever.

Bugtraq URL? CIAC? no.

Bad yellow journalist. No cookie for you! (and no, I'm not being racist: en.wikipedia.org...)
Posted by anonymous on Saturday, July 14 2007 12:27 AM

I LOVE LAMP!
Posted by Dirk Smedly on Saturday, July 14 2007 12:27 AM

"SKY is FALLING"

A story like this without information regarding version, or any other detail, is less than useful. Did a summer intern write this article?
Posted by Paul Arntson on Saturday, July 14 2007 12:37 AM

It would be nice if they mentioned what versions of the runtime are affected. All? Some? Most? 1.2? 1.6?
Posted by Perfect Reign on Saturday, July 14 2007 12:42 AM

Also agree with posters above, article author is a complete weenie. Assuming he's referring to this release from AusCERT:
www.auscert.org.au...
No need to panic. Sky not falling. We've seen this same sort of Java flaw before, easily dealt with.
Posted by realunixguy on Saturday, July 14 2007 12:51 AM

What a useless article! Put up a link, at least! For crying out loud!
Posted by anonymous on Saturday, July 14 2007 12:55 AM

This article is like FUD.
No version notification - all since 1.0?
Newest what?
Not hard to patch JVMs in a REAL enterprise - automated rollouts of software updates are common.

This article is worthless, and fear mongering - hmmm MS employee? ;)
Posted by anonymous on Saturday, July 14 2007 12:59 AM

sunsolve.sun.com...

The above is a link to Sun's information on the vulnerability.
Posted by anonymous on Saturday, July 14 2007 01:00 AM

Could I have a link to the real article please that actually tells me about the bug? Or are you just going to point and scream like Mr. Ballmer told you to?
Posted by dave.d on Saturday, July 14 2007 01:26 AM

What a buncha FUD. Nothing to see here. Move along...
Posted by Ron on Saturday, July 14 2007 02:08 AM

You've obviously never had to patch Java in an enterprise environment. The problem with Java is that so many programs require insecure versions, and since many of those are web applications you have no way of knowing until people come screaming to you after you've patched it.
Posted by tojo2000 on Saturday, July 14 2007 03:03 AM

Another JPEG/BMP client side vuln.

Read more about it here:

blogs.sun.com...

scary.beasts.org...

www.frsirt.com...
Posted by senuz on Saturday, July 14 2007 04:28 AM

This is a hit piece. Immediately, the language is too harsh and there are no details. Sounds like FUD!!

Don't believe it for a second. No details lets them cast broad assertions; security threats (real ones) are never broad. They happen in certain very detailed situations only.
Posted by Diang Xiopaeng on Saturday, July 14 2007 06:36 AM

The first paragraph mentions Google's security team but all the quotes are from other people... what's this got to do with Google??
Posted by confused on Saturday, July 14 2007 07:15 AM

Where's the bug? In the JVM or in the Java code? I remember having studied that the JVM only runs class bytecode, and it first verifies that the bytecode doesn't violate the security policies before running it. It's not possible to run something that is not verified by the JVM. The web servers that accept Java have stronger security implemented inside them. Mobile devices have a limited version of the JVM, but that doesn't mean it will not work properly.
But if it's about harmful code, then it's a programming problem, not a Java problem.
Posted by Paulo Ortolan on Saturday, July 14 2007 08:54 AM

Hello.

www.auscert.org.au...
Posted by Rick Ross on Saturday, July 14 2007 10:14 AM

LAMP is great because you don't have to worry about vulnerabilities, because you can be certain that there are many.
Posted by Jessta on Sunday, July 15 2007 08:48 AM

Without actionable information, even a simple link to the sunsolve advisory, this article is worse than news, it's FUD. There is little earth-shattering about this vulnerability. It requires several preconditions that are not particularly common before a serious compromise (system access) is possible.
I request that ZDNet learn the IT security culture of responsible disclosure before continuing writing articles like this. Responsible disclosure gives enough details for security personnel to accurately evaluate the risk profile and act. However, it should not provide exploit code unless it's required to perform the risk profile, and even then, it should be benign.
Posted by anonymous on Monday, July 16 2007 05:47 AM

Editor's note: The author of this article, Liam Tung from ZDNet Australia, has since updated his piece with the relevant link. More information is also available from Sun Microsystems (sunsolve.sun.com...).
Posted by Eileen Yu on Monday, July 16 2007 09:04 AM

Seriously FUD - where's the hysteria about July 10 Microsoft Security Bulletin MS07-040 - Critical Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212) - much nastier than this issue.
Posted by anonymous on Saturday, July 21 2007 01:14 AM

Isn't this why you buy SMS? I pushed out 6.2 last night.
Posted by Jeff in Kabul on Saturday, July 21 2007 11:48 AM
