'Mark-of-the-Beast' bug topples Java apps

A bug in Oracle's Java programming framework causes computers to freeze when they encounter certain numerical values with large numbers of decimal places, a flaw that makes websites susceptible to highly efficient denial-of-service attacks. The vulnerability in the latest version of Java is similar to a flaw discovered last …

COMMENTS

This topic is closed for new posts.
  1. Reggi
    Go

    Reported 10 years ago

    The issue was reported 10 years ago in 2001:

    http://bugs.sun.com/view_bug.do?bug_id=4421494

    (The bug report also contains a suggested fix.)

    There is a test for this issue in the Free Software Jacks mauve testsuite:

    http://sourceware.org/mauve/jacks.html

    So none of the free software Java implementations had this bug, since they ran this testsuite. But apparently the Sun Java implementation was never tested against it.

    Luckily, now that OpenJDK is available under the GPL, someone already posted a fix to the core-libs mailing list last week:

    http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html

    1. Anonymous Coward
      Unhappy

      Thanks Oracle

      "This bug is not available"

      :(

  2. Squirrel
    Unhappy

    Not to worry, Oracle are helping

    Since update 23 the HTML delegator freezes up on reload, making anything with HTML content (JTextPane, JEditorPane et al.) break with a null pointer exception. This obviously breaks a lot of web applets - I've read reports of banks' applets being completely useless. The bug was in the last update (23?) from October and no fix is coming. Did Oracle fire the Java team?

    Talk about a game breaker. We've had to code around it but txt vs rtf vs html... html wins, rtf is a pain and txt is just not fluffable enough for the designers. *le sigh*

  3. RachelG

    or parse input via BigDecimal...

    BeanShell 2.0b4 - by Pat Niemeyer (pat@pat.net)
    bsh % import java.math.*;
    bsh % bd = new BigDecimal("2.225073858507201E-208");
    bsh % print (bd);
    2.225073858507201E-208
    bsh % print (bd.doubleValue());
    2.225073858507201E-208
    bsh % double d = bd.doubleValue();
    bsh % print (d);
    2.225073858507201E-208
    bsh %

    :-)

    Ironically a few days before this broke, I was asked if we could optimise out the use of BigDecimals to hold and move typical price values in a legacy product we needed to make faster. Luckily it wasn't going to be easy enough to do immediately...
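The comment above suggests taking untrusted numeric input in through BigDecimal rather than Double.parseDouble. The following is an added example, not code from the article or from any commenter: a small front end for a price-style input field that caps the length and grammar of the string before any numeric code runs, keeps the value as an exact BigDecimal, and bounds its significant digits and decimal exponent to the range the application actually expects. The class name, the limits and the sample inputs are assumptions chosen for illustration; it needs Java 11 or later for String.repeat. One caveat a practitioner should know when adopting the BigDecimal route: in the JDK 6-era sources BigDecimal.doubleValue() falls back to Double.parseDouble(this.toString()) for non-trivial values, so the protection comes from never converting the bounded value back to a double through the decimal-to-binary parser, not from the BigDecimal constructor alone.

```java
import java.math.BigDecimal;
import java.util.regex.Pattern;

/**
 * Added example (not from the article or the comments): a defensive front end
 * for untrusted decimal input. Names, limits and samples are assumptions.
 */
public final class SafeDecimalInput {

    // Bounds for a typical price/amount field; tune per application (assumed).
    private static final int MAX_LENGTH = 40;
    private static final int MAX_SIGNIFICANT_DIGITS = 20;
    private static final int MAX_ABS_EXPONENT = 40;

    // Plain decimal grammar only: sign, digits, optional fraction, optional
    // exponent of at most three digits. Hex floats, NaN, Infinity, 'd'/'f'
    // suffixes and whitespace are rejected before any numeric code runs.
    private static final Pattern DECIMAL =
        Pattern.compile("[+-]?(\\d+(\\.\\d*)?|\\.\\d+)([eE][+-]?\\d{1,3})?");

    private SafeDecimalInput() {}

    /** Parses an untrusted string into an exact BigDecimal, or throws. */
    public static BigDecimal parse(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("null input");
        }
        // Cheap checks first: a length cap bounds the work every later step can do.
        if (raw.isEmpty() || raw.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("length out of bounds: " + raw.length());
        }
        if (!DECIMAL.matcher(raw).matches()) {
            throw new IllegalArgumentException("not a plain decimal literal");
        }
        // BigDecimal(String) is exact decimal arithmetic; no binary rounding loop.
        BigDecimal value = new BigDecimal(raw);
        if (value.precision() > MAX_SIGNIFICANT_DIGITS) {
            throw new IllegalArgumentException("too many significant digits");
        }
        // Decimal exponent of the leading digit. Bounding it keeps the value in
        // the range the application expects and away from extreme magnitudes.
        int exponent = value.precision() - value.scale() - 1;
        if (Math.abs(exponent) > MAX_ABS_EXPONENT) {
            throw new IllegalArgumentException("exponent out of range: " + exponent);
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String[] samples = {
            "2.225073858507201E-208",      // value from the comment above: legal
                                           // syntax, but far outside a price range
            "19.99",                       // accepted
            "1e-999",                      // exponent beyond the accepted range
            "0." + "0".repeat(60) + "1",   // over the length cap
            "0x1p-1074",                   // hex float: wrong grammar, rejected
            "NaN"                          // rejected by the grammar
        };
        for (String s : samples) {
            try {
                BigDecimal v = parse(s);
                System.out.println("accepted " + s + " -> " + v.toPlainString());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + s + ": " + e.getMessage());
            }
        }
    }
}
```

The order of the checks is the point: length, then grammar, then the exact decimal parse, then application-level bounds. Each step is cheap and bounded before the next one runs, so a malformed or extreme string is turned away with a fixed amount of work. Values that pass should stay BigDecimal through the rest of the application; converting to double reintroduces the decimal-to-binary conversion the article is about.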

  4. Cameron Colley

    I'll remember this.

    The next time someone suggests that writing OSs in Java would help security and stability I'll be sure to point them here.

    OK, I know it's more complicated than one bug -- but this goes to show that no language is without flaws.

  5. ElReg!comments!Pierre
    WTF?

    @ Cameron "point them here"

    Next time someone suggests that writing OSs in Java would help ANYTHING, or that Java is without flaws, you should point them to the nearest asylum, not here.

  6. Anonymous Coward
    Anonymous Coward

    hmmm

    Is this why I've had problems opening Hotmail emails in my inbox the last couple of days through Firefox/Ubuntu? Having to use SeaMonkey to read and delete anything.

    1. Nipsirc

      No. It isn't.

      I can't imagine anything less likely than Microsoft using Java applets for you to read your Hotmail emails in a browser. Perhaps you're confusing Java with JavaScript? Think of the differences between Java and JavaScript as being the same as the differences between jam and jamboree, or microscope and Microsoft.

