Security implications by Java

Jan
2013 1월 13
2 답변
조회 수: 7 (30일)

0 개 추천

E.g. Matlab R2009a is shipped with Java version 1.6.0_04-b12. There have been a lot of very important bugfixes for Java since this version 6.04. I can update the Java version, but this has strange side-effects e.g. for GUI elements. And even the current Java version 7.10 is severely vulnerable.
Which security problems do I have to expect from Java under Matlab?

이 질문에 답변하려면 로그인하십시오.

답변 (2개)

Jan
Jan 2013년 1월 13일
편집: Jan 2013년 1월 18일

0 개 추천

My own ideas:
  1. Matlab is a very powerful language itself. You do not need to call Java to do evil things. Therefore Java does not increase the level of vulnerability. Running foreign P-files from untrusted sources should be avoided at all. Is this a correct argument?
  2. It is a bad idea to use the built-in browser to surf the internet. Even official web sites have been highjacked and injected evil code to client computer through Java leaks. This harmless test page reveals the Java engine used in the browser:
web('http://javatester.org/version.html')
[EDITED, Jan] Sean's answer has disproved point 2: The builtin browser does not run Java applets. And calling Java directly from Matlab remains a security limitation.

댓글 수: 5
이전 댓글 3개 표시 이전 댓글 3개 숨기기

Malcolm Lidierth
Malcolm Lidierth 2013년 1월 13일
편집: Malcolm Lidierth 2013년 1월 13일
Jan
I agree entirely with [1] above but it does not require p-files: m-files can contain exactly the same malicious code - it's just that you can then read it. Java is targeted because of its ubiquity: it's more profitable for a criminal to target 100 million Java users than 1 million MATLAB users. To keep your PC completely safe - never turn it on.
As far as Java versions go, I have always used the latest within-version update on Windows and Mac without any issues but I do not use MATLAB uicontrols in my code.
Next month will see the final scheduled update to Java 6. Hopefully, MATLAB will eventually catch up. Java 8 is due later this year.
Jan
Jan 2013년 1월 14일
편집: Jan 2013년 1월 14일
It is not easy to write Matlab code, which allows to gain admin privilegs without beeing very easy to detect in M-code. Some years ago, or when a user does not update frequently, there have been a weakness in sprintf, which allowed the execution of evil code with elevanted privileges. But currently I do not know any harmless looking evil M-functions. But for Java several severe problems are known and can be found in the net. Therefore on some critical systems in our labs, e.g. which contain personal data of patients, installing Java is prohibited (as well as any internet connection, of course), but Matlab is allowed. Will it be hard or impossible to find good reasons for this?
I assume this would be a more serious problem, if somebody offers a service to run foreign Matlab code on a server without checks. Would anybody dare to do this?!
Jan
Jan 2013년 1월 18일
편집: Jan 2013년 1월 18일
Thanks, Malcolm, for these very intersting links. Both opinions concern the possibility to update Java. But what would they say about running v6.04?
Malcolm Lidierth
Malcolm Lidierth 2013년 1월 18일
편집: Malcolm Lidierth 2013년 1월 18일
@Jan
I agree with your comments:
Use the most up-to-date Java 6. There have been many security fixes over the years (including recently, so you can not assume Java 6 is totally safe either). Fixed bugs are in the public domain so might not attract hackers seeking "kudos" but might still attract malicious/criminal hackers. It will be interesting to see if Oracle now decides to continue support for Java 6 beyond February.
Reasons not to update Java: some users require a guarantee that they will get exactly the same results from a specific MATLAB version when running code in 2008 or 2012 for regulatory/legal reasons. Perhaps that is why MATLAB ships a specific release (although not on Mac where the system version is used).
I think Walter has said somewhere that the MATLAB browser is a legacy Firefox browser. So I think you are probably right to recommend using a modern external browser to view web content but the choice of browser matters too - e.g. some disallow certain content when loaded from a local file system.
Java is on 3 billion devices. That is why it gets targeted. Flash is another target. Not so long ago Explorer was the target. Java is a victim of its success. If it were replaced, its successor would become the target.

댓글을 달려면 로그인하십시오.

Sean de Wolski
Sean de Wolski 2013년 1월 18일

0 개 추천

Here is the solution we published with regard to last week's Homeland Security (US) warning:
Soln:1-L6T44A

댓글 수: 1
이전 댓글 -1개 표시 이전 댓글 -1개 숨기기

Jan
Jan 2013년 1월 18일
Thanks, Sean, for pointing to this important statement. It concerns the current warning of the Homeland Security about a problem of Java 7.10, which allows to break out of the Java sandbox in a browser. The linked solutions explains, that Matlab's built-in browser is not affected.
However, my problem does not concern Java 7.10 in a browser, but 6.04 inside Matlab. E.g. the bug CVE-2008-5353 allows to run arbitrary code under elevated privileges. My question is, if e.g. a malicious student can use Matlab and the included old Java to gain admin privileges on a machine of the computer pool of the university.

댓글을 달려면 로그인하십시오.

카테고리

도움말 센터File Exchange에서 Startup and Shutdown에 대해 자세히 알아보기

태그

질문:

Jan
Jan
2013년 1월 13일

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!

Translated by