A cross-platform trojan that uses Java to attack three different operating systems has been found. “Write once, run everywhere” works for writers of malware too, except that they need a different payload for each OS.
The idea of Java is great but it’s about time the holes in it were closed. Open-sourcing happened years ago. There’s no excuse for allowing Java, essentially, to be a “trojan-trojan” for malware.
Java still makes sense for applications, but allowing and widely using downloads of Java applications is a questionable practice since the language is so easily abused. It’s not just Java. Several other programming languages have similar problems.
A search for vulnerabilities in Pascal returns “No results found” for the query site:mitre.org “weaknesses of software written in Pascal”. This is another example of the KISS principle (Keep It Simple, Stupid). Throwing everything into a programming language increases the number of holes, and we don’t need holes.
See “Cross-platform Trojan attacks Windows, Intel Macs, Linux” | ZDNet.

Is this an issue only for closed-source Java (Oracle/Sun) in the browser, or also for browsers using the OpenJDK/IcedTea plugin?
BTW, what’s the difference between the security of Adobe Flash vs. plugins like the Mint Flash plugin?
There is a reason for sandboxing, like what seccomp filters provide, to be added to every web browser.
In this case the downloader was flawed. It forgot to give its .bin file executable permission on Linux.
There are a few different open-source Flash implementations. Adobe Flash on Linux has been more secure than the Windows implementation. The Windows Adobe Flash implementation has a service to do things above the privilege level of the current user. The Linux version has always lacked that.
The Chrome version of Adobe Flash that Linux has going forward is inside Pepper, which is inside the seccomp sandbox. Security-wise there is less weakness.
Of course, the Linux world is still adding more and more security options. Security follows the onion idea: many layers are good.