Friday, August 03, 2007

Java Exploits On the Rise? Read this.

I am really curious how much Microsoft stock Larry Seltzer owns.

In his latest article, Java Exploits on the Rise, he reports Java exploits in a rather curious way.

http://www.eweek.com/article2/0,1895,2161797,00.asp

First of all, he is talking about Apple's QuickTime for Java. I am not sure of the details, but if an application written in a particular language has a flaw, that is typically an issue to be blamed on the application developer, not on the language they chose to implement it in, right? Perhaps the underlying flaw was a Java bug, but the original article he references states:

As in one of the two QuickTime flaws that Apple fixed on May 29, the pwn-2-own hole fixed earlier in the month involved a problem with implementation of QuickTime for Java that allowed reading or writing out of the bounds of the allocated heap, and it also worked by enticing a user to visit a site containing a maliciously crafted Java applet.

"An implementation of" means the bug was in the implementation of the application, not in the language used to implement it. Right? Let's be clear about what is actually happening in this case. From the words above alone it is not clear whether the error was caused by poorly written application code or by Java itself. One detail does point one way, though: QuickTime for Java is Apple's bridge from Java into the native QuickTime library, and a read or write outside the bounds of the allocated heap is the signature of unchecked native code. Pure Java array access is bounds-checked by the JVM and fails with an ArrayIndexOutOfBoundsException rather than corrupting the heap.

On the other points:

#1 I agree with this article, which states that Sun's handling of the release of a security patch was somewhat problematic:
http://www.theregister.co.uk/2007/07/10/sun_java_security_update/

#2 The buffer overrun in the Java Web Start app: was this flaw a result of programming done in Java? I doubt it very much, since Java bounds-checks every array access, so a buffer overrun can only come from native code: the JVM itself, a JNI library, or a native browser plug-in. After testing a download on the Sun web site that utilizes at least some component of Java Web Start, I get this message:

This web site wants to run the following add-on: Java (TM) Web Start active x control from Sun Microsystems, Inc.

Note: this is an ActiveX control. It is not required to run Java applications; it is a tool to help keep Java applications up to date. It is platform-specific technology, so if this flaw is related to this component, it is due to an improperly written ActiveX control (a Microsoft technology) or to the Java Web Start ActiveX control calling an underlying OS component to display images, not to Java as a programming language, at least for this Windows component. My guess is that the affected code was written in C/C++ and compiled natively for each OS, which is how the same bug got propagated to Linux and Solaris as well, but I cannot know for sure. Because that code was not written in Java, it is most likely the source of the buffer overrun, not Java itself.

#3 As for the image parsing flaw:

Consider the recent vulnerability in Java's image parsing code.

followed up by:

The parsing of data coming out of files seems to be a never-ending source of security issues in all platforms.

Yes, image parsing is a source of security flaws on all platforms, and more than one report has come out on image parsing flaws in various Microsoft technologies, including Office. Java does not claim to prevent all image parsing flaws in and of itself; some of this is up to the application developer to validate input and output. Since images are ultimately displayed by the OS (on Windows, GDI), I would question whether it is not up to the OS to validate the image: every application uses the OS to send pixels to an output device for a human to see, so the error checking could be done once, at the OS level. BUT. I am not an OS developer, and the OS only draws pixels that have already been decoded. The decoding of the file format into pixels is done by the library the application links against (in Java's case the JDK's own image code), and that decoder is where a malformed file does its damage. This occurs on all platforms, so I am guessing this needs to be handled by the app, or the runtime library it uses, given that info.
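To make concrete the class of bug behind both the Java Web Start overrun in #2 and the image parsing flaw above, here is an added example in C, written for this post and not code from Apple, Sun or the eWeek article. It uses a hypothetical 10-byte header for a toy raw-image format (an assumption of this example, not a real format) and shows a decoder that trusts the header beside one that validates every field against the real buffer length before allocating or copying. In Java the same unchecked access would be caught by the JVM's array bounds check and throw; in C it silently corrupts the heap, which is exactly the "reading or writing out of the bounds of the allocated heap" the quoted advisory describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy raw-image format used only for this example (not a real
 * format): 10-byte header = magic "IMG1", uint16 LE width, uint16 LE height,
 * uint8 bits-per-pixel (8 or 24), 1 reserved byte, then width*height pixels. */
#define HDR_LEN 10
#define MAX_DIM 4096          /* policy limit: anything larger is rejected */

typedef struct {
    uint16_t width, height;
    uint8_t  bpp;
    size_t   pixel_bytes;     /* validated size of the pixel payload */
} img_hdr_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* VULNERABLE decoder, shown for contrast only: it trusts the header. A file
 * declaring 65535 x 65535 x 24bpp makes the uint32 product wrap to a small
 * malloc, and the row loop then writes far past that allocation (heap
 * out-of-bounds write) while reading past the end of buf (out-of-bounds read).
 * Never call it on untrusted input; the test below does not exercise it. */
unsigned char *decode_unchecked(const uint8_t *buf)
{
    uint16_t w = rd16(buf + 4), h = rd16(buf + 6);
    uint32_t bpp_bytes = buf[8] / 8;
    uint32_t n = (uint32_t)w * h * bpp_bytes;           /* can wrap */
    unsigned char *px = malloc(n);
    if (!px) return NULL;
    for (uint32_t y = 0; y < h; y++)                    /* total rows exceed n once wrapped */
        memcpy(px + (size_t)y * w * bpp_bytes,
               buf + HDR_LEN + (size_t)y * w * bpp_bytes,
               (size_t)w * bpp_bytes);
    return px;
}

/* Hardened header parser: every field that influences an allocation or a copy
 * is validated against the actual buffer length before any memory is touched.
 * Returns 0 on success or a negative code naming the check that failed. */
int parse_header(const uint8_t *buf, size_t len, img_hdr_t *h)
{
    if (len < HDR_LEN || memcmp(buf, "IMG1", 4) != 0) return -1;   /* truncated or wrong magic */
    h->width  = rd16(buf + 4);
    h->height = rd16(buf + 6);
    h->bpp    = buf[8];
    if (h->width == 0 || h->height == 0 ||
        h->width > MAX_DIM || h->height > MAX_DIM)      return -2;   /* absurd dimensions */
    if (h->bpp != 8 && h->bpp != 24)                    return -3;   /* unsupported depth */
    size_t row = (size_t)h->width * (h->bpp / 8);
    if (h->height > SIZE_MAX / row)                     return -4;   /* product would wrap */
    h->pixel_bytes = row * h->height;
    if (len - HDR_LEN < h->pixel_bytes)                 return -5;   /* payload shorter than declared */
    return 0;
}

/* Allocates exactly the validated size and copies only bytes that exist. */
unsigned char *decode_checked(const uint8_t *buf, size_t len, size_t *out_len)
{
    img_hdr_t h;
    if (parse_header(buf, len, &h) != 0) return NULL;
    unsigned char *px = malloc(h.pixel_bytes);
    if (!px) return NULL;
    memcpy(px, buf + HDR_LEN, h.pixel_bytes);
    *out_len = h.pixel_bytes;
    return px;
}

/* Constructed sample files (made up for this example) for the demo and the test. */
const uint8_t good_img[]  = { 'I','M','G','1', 2,0, 2,0, 8,0, 0x10,0x20,0x30,0x40 };
const uint8_t huge_img[]  = { 'I','M','G','1', 0xFF,0xFF, 0xFF,0xFF, 24,0 };  /* 65535 x 65535 x 24bpp, no data */
const uint8_t short_img[] = { 'I','M','G','1', 4,0, 4,0, 8,0, 1,2,3 };         /* declares 16 px, carries 3 */
const size_t good_img_len = sizeof good_img, huge_img_len = sizeof huge_img, short_img_len = sizeof short_img;

/* Status of parse_header alone, for callers that only want the verdict. */
int header_status(const uint8_t *buf, size_t len)
{
    img_hdr_t h;
    return parse_header(buf, len, &h);
}

/* First pixel byte of a successfully decoded file, -1 if the file is rejected. */
int first_pixel(const uint8_t *buf, size_t len)
{
    size_t n;
    unsigned char *px = decode_checked(buf, len, &n);
    if (!px) return -1;
    int v = px[0];
    free(px);
    return v;
}

int main(void)
{
    printf("good:  %d\n", header_status(good_img, good_img_len));    /* 0  */
    printf("huge:  %d\n", header_status(huge_img, huge_img_len));    /* -2 */
    printf("short: %d\n", header_status(short_img, short_img_len));  /* -5 */
    return 0;
}
```

The dimension cap is the important design choice: once width and height are bounded, the size arithmetic cannot wrap, and the final length comparison is what stops a truncated file from driving the copy past the end of the input buffer. The unchecked version has neither, which is the whole difference between a decoder that rejects a hostile file and one that hands the attacker a heap write.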

The fact that Java is used to write malware is more a compliment to the language than a detriment. Malware can be written in any language. Perhaps Java is used because it offers fine-grained control over the environment, is reliable, and runs on any OS. HMM???

Also, the malware he referenced is not a Java flaw but an application written in Java that someone would have to download and run, just as they would have to run malware on any Windows machine. You can write a piece of malware with Windows technology and email it to someone, and if they run it and it deletes their entire hard drive, is that a flaw in the technologies used to write it? Please do not mince words and twist reality into an article designed to create a big headline, where people get an idea in their head and don't read the details.

And finally, the most outrageous part of this article is that he references an exploit on the Symantec web site which involves an OCX, a Microsoft technology: an ActiveX control. The article also references JavaScript. Have you ever heard the statement "JavaScript is not Java?" JavaScript is a browser scripting language that shares part of its name and some surface syntax with Java, nothing more; it does not run in the Java runtime at all. JavaScript was used in the exploit; it was not what was exploited. The JavaScript mentioned at the beginning of the article is used to exploit Microsoft IE bugs and is an old, known technique. The bottom of the article, summarizing the new exploit, further clarifies that this is a Microsoft browser flaw, not a Java exploit:

The good news is that the vulnerability exploited in this attack was already patched by MS06-067; the bad news is that malware authors now know and will use this new technique. Heap Feng Shui really takes heap exploitation for browsers to the next level and it’s a powerful method that allows the creation of more efficient and reliable exploits in the future.

Yes, there are flaws in Java as with any programming language, including this very serious flaw in Java Web Start:

http://www.securiteam.com/windowsntfocus/5UP010UM0G.html

Every language has holes and will continue to be exploited, just as banks are still robbed. However, I still think Java provides a lot more control over your environment to manage security, unless you are running on Windows, in which case you have to rely on the Windows OS for some aspects of security, which can be good and bad. If you are not an OS developer, Microsoft pours more money into OS development than you could alone and you may be better off, though Linux is cheaper, gives OS developers more total control of the environment, and has proven to be more secure in some aspects than Windows.

However everything is ultimately exploitable and constant analysis is needed - no matter which language or OS you choose.