The Register reports on the Crypto Bug of the Year:
Java versions 15 to 18 contain a flaw in its [Elliptic Curve Digital Signature Algorithm] signature validation that makes it trivial for miscreants to digitally sign files and other data as if they were legit organizations.
Cyber-criminals could therefore pass off cryptographically signed malicious downloads and bogus information as if it were real, and affected Java applications and services won’t know the difference.
The scope of the damage that could be done is wide: encrypted communications, authentication tokens, code updates, and more, built on Oracle’s flawed code could be subverted, and as far as vulnerable Java-written programs are concerned, the data looks legitimate and trustworthy.
Ah! For the days of CP/M and 58K TPA (Transient Program Area). Yeah, that’s right – ‘K’ – meaning 1000. When programming wasn’t for the sloppy.
