
‘Mark-of-the-Beast’ Bug Topples Java Apps

A bug in Oracle’s Java platform causes computers to hang when they encounter certain numerical values with a large number of decimal places, a flaw that leaves websites vulnerable to extremely effective denial-of-service attacks.

The flaw in the latest version of Java is identical to a bug discovered last month that afflicted the PHP language. It is triggered when applications attempt to process values such as 2.2250738585072011e-308. Systems running both Windows- and Linux-based apps that try to assign the value to a “double” variable fall into an infinite loop that consumes 100 percent of their CPU’s resources.

“The worst part about all of these techniques is that they’re both extremely effective at eating up server resources and also extremely asymmetric in terms of attacker effort versus effect,” he wrote last month. “In many cases, a single request of less than 1,000 bytes is enough to exploit the vulnerability. This basically reduces the attacker’s cost to zero, makes it unlikely that he’ll ever be caught, and makes it even more unlikely that you’ll be able to stop the attack with any kind of IPS or firewall.”

Sullivan has provided a simple blacklist filtering script that developers can use to protect their Java-based apps from the threat until Oracle issues a patch. The proxy workaround is easy enough to use, but it might produce false positives, he said.
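The blacklist script described above matches known bad input strings, which is why it can misfire. An alternative defender-side check, added here as an illustration and not Sullivan’s script or any Oracle code, rejects an input by its numeric value rather than its spelling: the string is first parsed with `java.math.BigDecimal` (which is not affected by the hang), and the request is refused if the value falls within one ulp of the smallest normal double, 2^-1022, which is the boundary that the trigger value 2.2250738585072011e-308 sits next to. The class name `SafeDouble`, the method names and the one-ulp window are this example’s own choices.

```java
import java.math.BigDecimal;

/**
 * Pre-filter for untrusted decimal strings before they reach Double.parseDouble.
 * Example code added for illustration; the class and method names are assumptions.
 */
public final class SafeDouble {
    // Exact binary value of the smallest normal double, 2^-1022.
    private static final BigDecimal MIN_NORMAL = new BigDecimal(Double.MIN_NORMAL);
    // One ulp at that magnitude is Double.MIN_VALUE (2^-1074); the window is a chosen margin.
    private static final BigDecimal ULP = new BigDecimal(Math.ulp(Double.MIN_NORMAL));
    private static final BigDecimal LOW = MIN_NORMAL.subtract(ULP);
    private static final BigDecimal HIGH = MIN_NORMAL.add(ULP);

    private SafeDouble() {}

    /** Returns true if the string denotes a magnitude within one ulp of 2^-1022. */
    public static boolean isRisky(String input) {
        String s = input.trim();
        // Double.parseDouble accepts a trailing type suffix; BigDecimal does not, so strip it.
        if (!s.isEmpty()) {
            char last = s.charAt(s.length() - 1);
            if (last == 'd' || last == 'D' || last == 'f' || last == 'F') {
                s = s.substring(0, s.length() - 1);
            }
        }
        BigDecimal value;
        try {
            value = new BigDecimal(s).abs();
        } catch (NumberFormatException e) {
            // Not a plain decimal (e.g. "NaN", "Infinity", hex float): the slow decimal
            // correction path is not involved, so let parseDouble handle or reject it.
            return false;
        }
        return value.compareTo(LOW) >= 0 && value.compareTo(HIGH) <= 0;
    }

    /** Parses the string as a double, refusing values inside the risky window. */
    public static double parse(String input) {
        if (isRisky(input)) {
            throw new IllegalArgumentException("rejected: value within one ulp of 2^-1022");
        }
        return Double.parseDouble(input);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the published trigger value, spelling variants
        // with the same value, and ordinary numbers that must pass.
        String[] samples = {
            "2.2250738585072011e-308",
            "22250738585072011e-324",
            "0.00022250738585072011e-304",
            "2.2250738585072011e-308d",
            "1.0",
            "3.14159",
            "1e-300",
        };
        for (String s : samples) {
            System.out.println(s + " -> risky=" + isRisky(s));
        }
    }
}
```

Comparing by value is the point of this variant: exponent shifts, leading zeros and a trailing `d` suffix all normalise to the same `BigDecimal`, so a string blacklist would need a separate entry for each spelling while this check treats them alike. The window is deliberately narrow (two adjacent doubles) so that legitimate inputs are not rejected, which is the false-positive concern raised above; widen it only if your own testing on the affected runtime shows neighbouring values also trigger the hang.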

The Java flaw was first disclosed by Konstantin Preier. He said that Windows machines running the latest 32-bit or 64-bit editions of JRE/JDK 1.6.0_23 were vulnerable. He also reproduced the problem with 32-bit Java running on OpenSuse Linux.

The bug stems from the difficulty of representing certain floating-point numbers in the binary format that computers must use to perform particular tasks. Such values are often best approximations that are supplied by the underlying CPU. As Sullivan explained in an email to The Register:

It took PHP maintainers about 48 hours to fix the denial-of-service bug after it first came to light. Oracle has generally not been as nimble in fixing security bugs in Java unless security watchers raise a big stink.

Word of the denial-of-service threat came a few days before a well-known researcher warned of an unrelated Java bug that leaves users exposed to attacks that allow hackers to rename or upload files at will and could be used for remote code execution exploits. Researcher Sami Koivu said he reported the flaw to Sun in 2008 but that it still hasn’t been fixed.
