Security implications by Java

Jan
2013 1 13
2 个回答
7 次查看(30 天)

0 个投票

E.g. Matlab R2009a is shipped with Java version 1.6.0_04-b12. There have been a lot of very important bugfixes for Java since this version 6.04. I can update the Java version, but this has strange side-effects e.g. for GUI elements. And even the current Java version 7.10 is severely vulnerable.
Which security problems do I have to expect from Java under Matlab?

请先登录,再回答此问题。

回答(2 个)

Jan
Jan 2013-1-13
编辑:Jan 2013-1-18

0 个投票

My own ideas:
  1. Matlab is a very powerful language itself. You do not need to call Java to do evil things. Therefore Java does not increase the level of vulnerability. Running foreign P-files from untrusted sources should be avoided at all. Is this a correct argument?
  2. It is a bad idea to use the built-in browser to surf the internet. Even official web sites have been highjacked and injected evil code to client computer through Java leaks. This harmless test page reveals the Java engine used in the browser:
web('http://javatester.org/version.html')
[EDITED, Jan] Sean's answer has disproved point 2: The builtin browser does not run Java applets. And calling Java directly from Matlab remains a security limitation.

5 个评论
显示 3更早的评论 隐藏 3更早的评论

Malcolm Lidierth
Malcolm Lidierth 2013-1-13
编辑:Malcolm Lidierth 2013-1-13
Jan
I agree entirely with [1] above but it does not require p-files: m-files can contain exactly the same malicious code - it's just that you can then read it. Java is targeted because of its ubiquity: it's more profitable for a criminal to target 100 million Java users than 1 million MATLAB users. To keep your PC completely safe - never turn it on.
As far as Java versions go, I have always used the latest within-version update on Windows and Mac without any issues but I do not use MATLAB uicontrols in my code.
Next month will see the final scheduled update to Java 6. Hopefully, MATLAB will eventually catch up. Java 8 is due later this year.
Jan
Jan 2013-1-14
编辑:Jan 2013-1-14
It is not easy to write Matlab code, which allows to gain admin privilegs without beeing very easy to detect in M-code. Some years ago, or when a user does not update frequently, there have been a weakness in sprintf, which allowed the execution of evil code with elevanted privileges. But currently I do not know any harmless looking evil M-functions. But for Java several severe problems are known and can be found in the net. Therefore on some critical systems in our labs, e.g. which contain personal data of patients, installing Java is prohibited (as well as any internet connection, of course), but Matlab is allowed. Will it be hard or impossible to find good reasons for this?
I assume this would be a more serious problem, if somebody offers a service to run foreign Matlab code on a server without checks. Would anybody dare to do this?!
Jan
Jan 2013-1-18
编辑:Jan 2013-1-18
Thanks, Malcolm, for these very intersting links. Both opinions concern the possibility to update Java. But what would they say about running v6.04?
Malcolm Lidierth
Malcolm Lidierth 2013-1-18
编辑:Malcolm Lidierth 2013-1-18
@Jan
I agree with your comments:
Use the most up-to-date Java 6. There have been many security fixes over the years (including recently, so you can not assume Java 6 is totally safe either). Fixed bugs are in the public domain so might not attract hackers seeking "kudos" but might still attract malicious/criminal hackers. It will be interesting to see if Oracle now decides to continue support for Java 6 beyond February.
Reasons not to update Java: some users require a guarantee that they will get exactly the same results from a specific MATLAB version when running code in 2008 or 2012 for regulatory/legal reasons. Perhaps that is why MATLAB ships a specific release (although not on Mac where the system version is used).
I think Walter has said somewhere that the MATLAB browser is a legacy Firefox browser. So I think you are probably right to recommend using a modern external browser to view web content but the choice of browser matters too - e.g. some disallow certain content when loaded from a local file system.
Java is on 3 billion devices. That is why it gets targeted. Flash is another target. Not so long ago Explorer was the target. Java is a victim of its success. If it were replaced, its successor would become the target.

请先登录,再进行评论。

Sean de Wolski
Sean de Wolski 2013-1-18

0 个投票

Here is the solution we published with regard to last week's Homeland Security (US) warning:
Soln:1-L6T44A

1 个评论
显示 -1更早的评论 隐藏 -1更早的评论

Jan
Jan 2013-1-18
Thanks, Sean, for pointing to this important statement. It concerns the current warning of the Homeland Security about a problem of Java 7.10, which allows to break out of the Java sandbox in a browser. The linked solutions explains, that Matlab's built-in browser is not affected.
However, my problem does not concern Java 7.10 in a browser, but 6.04 inside Matlab. E.g. the bug CVE-2008-5353 allows to run arbitrary code under elevated privileges. My question is, if e.g. a malicious student can use Matlab and the included old Java to gain admin privileges on a machine of the computer pool of the university.

请先登录,再进行评论。

类别

帮助中心File Exchange 中查找有关 Startup and Shutdown 的更多信息

标签

提问:

Jan
Jan
2013-1-13

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!

Translated by