
openjdk team mailing list archive

[Bug 668314] Re: Trojan under Linux passing by Java ! ! !

 

Apparently, the problem was a vulnerability in Java SE 6
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3560
exploitable by the trojan. This has been fixed in Lucid
https://lists.ubuntu.com/archives/lucid-changes/2010-October/011816.html
by October 19.

The issue itself is pretty weird, however not that big of a deal. What
it actually shows is that Java technology is pretty insecure in its
nature, mostly redundant, which is why, fortunately, it is not installed on most
Linux distros by default.

As far as the OS security question is concerned, although not completely infallible, most Linux/*BSD/Solaris platforms are more protected from malware and viruses than MS Windows is. Actually, this page http://www.ubuntu.com/desktop/why-use-ubuntu claims that the risk is intangible for Ubuntu users. And the statement is true. The reasons lie in the fundamental difference between open source Unix-like and MS Windows OSes.
  
The old but still mostly valid article http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/ by Nicholas Petreley talks about exactly that. Most of the article's points (if not all) still apply now.

BTW, Linux/*BSD is the most popular server OS, especially web server,
which is verifiable. MS Windows has no more than 30% of the Internet
domains (mostly parking ones).

So, HacKurx and all of us, we are indeed more secure than our Windows-using counterparts.
Just do not install unsigned, binary-only, unverified pieces of software. Ubuntu repos have tons of applications, more than enough for everyone. Get a strong account password and do not run "sudo rm -rf /*" on your machines too often :-)


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3560

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.
https://bugs.launchpad.net/bugs/668314

Title:
  Trojan under Linux passing by Java ! ! !

Status in “openjdk-6” package in Ubuntu:
  Fix Released

Bug description:
  Hi,

A trojan named "Boonana/Koobface" can be installed under Linux because of Java.
I thus confirm my request for real-time protection in Ubuntu.

More information in French here:
http://www.echosdunet.net/dossiers/dossier_6179_un+trojan+windows+passe+sous+mac+os+x+linux+via+java.html

Why not make a real-time protection for ClamAV inspired by "sentinel clam"?

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: icedtea6-plugin 6b20-1.9.1-1ubuntu3
ProcVersionSignature: Ubuntu 2.6.35-23.36-generic 2.6.35.7
Uname: Linux 2.6.35-23-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Fri Oct 29 14:29:14 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 LANG=fr_FR.utf8
 SHELL=/bin/bash
SourcePackage: openjdk-6