Surprise!
Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?
People need to give themselves a shake and stop using MS products!
Adam Gowdiak of Polish security consultancy and research outfit Security Explorations claims to have found myriad security holes in Google's App Engine. Explained here, Gowdiak says he and his colleagues “discovered multiple security issues in Google App Engine that allow for a complete Java VM security sandbox escape.” Here' …
It gets posted on every story relating to security of non-Microsoft products. Presumably to counteract the fact that it was originally posted on Microsoft stories.
I guess it is to remind the person who originally posted it on the Microsoft story that every platform has security issues. I am not the OP so I am only surmising, but it is his (or another's, it's hard to say with ACs) meme.
Most likely no, unless Python and PHP are really recompiled to Java and then run on the Google-specific virtual machine. But then again, there sure will be other problems and integrity violations. A person knowledgeable in Googgggle AppEngine needs to provide info.
(Also: No AppEngine for Erlang? DISCRIMINATORY!)
I also wonder if they escaped the Java sandbox only to be confined in a private Linux virtual machine instance. Or does Google run multiple Java sandboxes in one (real or virtual) host? The latter case would make the exploit very bad news.
I don't think Python has a sandbox. Java's sandbox exists for browsers, but I guess AppEngine borrows it to define some dos and don'ts for use of the service. I'd presume there are other dos and don'ts that are just written into the license agreements rather than restricted with code.
Really, this story says a security researcher did a bunch of things on an instance he was not meant to do, got nowhere, got spotted, got locked out.
Hardly a security fail.
According to the article:
we bypassed GAE whitelisting of JRE classes / achieved complete Java VM security sandbox escape (17 full sandbox bypass PoC codes exploiting 22 issues in total);
we achieved native code execution (ability to issue arbitrary library / system calls);
Sounds like a security fail.
I asked him wtf he was doing, he responded:
Taking into account the educational nature of the security issues found in your home, and what seems to be an appreciation you have for arbitrary security research, we hope you will make it possible for us to complete our work.
So if I'm reading this right he was doing security research on a live system without first notifying and getting permission from the host. Poor manners that. No wonder his account got shut down. Even worse he apparently has yet to speak to Google about this as he says the research "probably" looked like an attack, an indication that he's guessing, yet he's told world+dog. This is not the behavior of a reputable security researcher.
As for the holes themselves...I'm really not surprised. "Big system has security holes" is kinda a dog bites man type of story. 30 isn't even that many. Microsoft has been known to cover that many in a single (big, granted) patch Tuesday (and no, that's not a slam on MS). Tell Google and they'll either fix them or, if they're a core Java problem, work with Oracle to get them fixed.
I am working for an agency that is locked into them. I knew I was going to hate them when they told me I have to give them permission to pass on my details to whoever asked for them.
Then last Friday I couldn't even get a copy of a time sheet unless I bowed to Google.
WTF!!!
Arseholes!
This article could be interesting, but it doesn't explain:
1/ what evidence there is for the escape taking place? - at the very least, why should we take this security outfit seriously; do they have 'previous' in finding flaws?
2/ what are the implications of these flaws? - the details provided (if true) don't sound good, but if escaping the sandbox leaves you in a vacuum of space then it probably doesn't amount to much.
What we are told is that when they tried to do things they shouldn't, their account was shut down - which seems reasonable.
Evidence and implication information would be gratefully received.
...are you (and the other AC and non-AC posters above) serious?
This is one of the original members of the LSD team... so, yeah, almost 20 years in the game now obliterating the security of all core internet software. Only Windows, Irix, HP-UX, Solaris, *BSD, Java, AIX, Linux kernel and various userland tools are much much safer to use because of these guys. You are fucking welcome.
People claiming this is a non-story from a security standpoint, are either willfully ignorant, or still hung over from the weekend.