Security update for IntelliJ-based IDEs v2016.1 and older versions(blog.jetbrains.com)
blog.jetbrains.com
Security update for IntelliJ-based IDEs v2016.1 and older versions
http://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/
21 comments
If anyone on OSX has trouble launching the updated .app bundle: check the JVM specified in info.plist (right-click on the .app -> Show Package Contents -> Contents -> Info.plist) is 1.7* or (better, for Retina support) 1.8* . The default 1.6* just kept crashing for me (PyCharm 3.4.4, OSX 10.11.4, way too many Java versions installed for my own mental health).
In my Info.plist: <key>JVMVersion</key><string>1.8*,1.8+</string>, but still kept crashing. Have to rollback to old vulnerable version.
There is a workaround for start-up crashes
https://intellij-support.jetbrains.com/hc/en-us/articles/208...
Please see if that works.
https://intellij-support.jetbrains.com/hc/en-us/articles/208...
Please see if that works.
:( I have 1.8* and seems to work.
If you run on not the latest version, make sure to check for updates twice in order to see the free minor version upgrade.
FYI this also covers Android Studio as well so anyone using that should upgrade as well.
I'm behind a firewall, doesn't this mean I'm safe?
No, all that's necessary to trigger it is browsing to a page containing attacker-controlled JavaScript or Flash. The browser on your own computer would be connecting to the server on your own computer, and firewalls tend to only block external connections.
This is very disappointing from JetBrains :-/
We're sorry.
We've done our best to address the issue, provide the fixes for current versions as well as back-port it up to 3 years for all products running on the platform. In any case we apologise and have learned from this and will improve.
We've done our best to address the issue, provide the fixes for current versions as well as back-port it up to 3 years for all products running on the platform. In any case we apologise and have learned from this and will improve.
I'm happy with how the issue was addressed. No one can expect perfection from a complicated piece of software such as this. I was glad to have received the email and find the blog post with a thorough list of FAQs.
I'm glad to see proper credit given to Jordan for finding the flaw. Maybe I'm a cynic, but I'm glad that this was an open process and not a one line blog post about a critical security update. Keep up the great work.
I'm glad to see proper credit given to Jordan for finding the flaw. Maybe I'm a cynic, but I'm glad that this was an open process and not a one line blog post about a critical security update. Keep up the great work.
It would be interesting to see the lessons learned. I do plain old IntelliJ development without any web stuff at the moment, so it was a surprise to learn that things were being exposed to the web.
To JetBrains' credit they were very responsive throughout the disclosure process. I received a reply to my initial report in under two hours. Generally response times are measured in days unless you know someone in the company.
They also gave me diffs against intellij-community master so I could verify their fixes were sound, and they were generally receptive to my feedback.
They also gave me diffs against intellij-community master so I could verify their fixes were sound, and they were generally receptive to my feedback.
Once again we appreciate your professionalism in this and very grateful for all your help.
While the bug is a downer, I was impressed with how they responded to it, especially the fact that they simultaneously released patch updates for all products (including Android Studio) and for all relevant prior versions. The email I got made the severity clear and I was able to easily update WebStorm, PyCharm, and Android Studio without any problems.
Updating has been painless, their communication was open and direct, and there aren't (to my knowledge) any exploits in the wild. How is this a failing on their part? Do you expect 100% perfection?
It is, but everyone can/will have vulnerabilities.
"Check for Update" tells me I have the latest version.
However the FAQ (http://blog.jetbrains.com/blog/2016/05/11/security-update-fo...) says:
Which would mean that a version built "April 29, 2016" is vulnerable?
Also the linked download page (https://confluence.jetbrains.com/display/WI/Previous+WebStor...) says:
That is, the version number and date are different from what I have, but the build number is the same?!
Maybe it's too late in the day for me to think straight, but somethings wrong here. What product versions are safe?