Slashdot Mirror


Serious New Java Flaw Affects All Browsers

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

43 of 164 comments

  1. All browsers? by K.+S.+Kyosuke · · Score: 4, Funny

    Oh, come on. Shall I try it in Links? I've told you a million times that you're not supposed to overuse hyperboles.

    --
    Ezekiel 23:20
    1. Re:All browsers? by Anonymous Coward · · Score: 2, Funny

      Perhaps, but if people have been getting bad java, they're going to need some ceramic parabolas right quick.

    2. Re:All browsers? by Peach+Rings · · Score: 2, Insightful

      Any sane browser is immune. Browsers shouldn't allow execution of Java code any time you simply click on a link. You should use NoScript or, better yet, just disable the Java plugin altogether except in the rare cases when you need it.

    3. Re:All browsers? by NatasRevol · · Score: 2, Informative

      From the first link:

      "Because the JavaWS technology is included in the Java Runtime Environment, which is used by all of the major browsers, the vulnerability affects all of these applications, including Firefox, Internet Explorer and Chrome, on all versions of Windows from 2000 through Windows 7, Santamarta said. Browsers running on Apple's Mac OS X are not vulnerable."

      --
      There are two types of people in the world: Those who crave closure
    4. Re:All browsers? by WrongSizeGlass · · Score: 2, Interesting

      I guess this is also the one good thing for iPhone and iPod Touch users...since they can't run Java anyways, they are also immune.

      FTFA: "Browsers running on Apple's Mac OS X are not vulnerable." That includes iPhone, iPod Touch & iPad .... oh, and Macs, too.

    5. Re:All browsers? by TheRaven64 · · Score: 2, Interesting

      I went to disable Java as soon as I saw the headline (before getting to the part that said my platform was not affected). When I got to the preferences dialog, I found that it was already disabled. I turned it off last time there was a high-profile Java vulnerability - about two years ago, as I recall - and had completely forgotten. I guess that means that Java Applets are pretty much dead. I can't remember the last time that I saw one, and I've certainly not seen any sites failing because I had Java disabled.

      --
      I am TheRaven on Soylent News
    6. Re:All browsers? by treeves · · Score: 3, Funny

      Stick it in your latus rectum.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
  2. For years?! by irreverant · · Score: 2, Insightful

    That's great, no one knew about it till now? I don't believe that.

    --
    Of all the things I've lost; I miss my mind the most. - Mark Twain
    1. Re:For years?! by postbigbang · · Score: 3, Insightful

      You didn't notice we've been watching you?

      java -start -mykeylogger_to_ru -get_passwords_for_everything & -send_to_nsa_listening_post

      wasn't that link you clicked?

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:For years?! by leenks · · Score: 2, Insightful

      Troll. Client-side Java applications are still very popular in enterprises where something richer than a typical webapp is required (though this may change as browser tech matures), and JWS is a convenient medium for deploying them. Hell, even Eclipse RCP applications can be deployed with webstart.

    3. Re:For years?! by Bill_the_Engineer · · Score: 2, Insightful

      Agree. I use Java because it's the easiest way to write cross platform client applications without having to experience DLL hell or dependency issues.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  3. Guess it's time to uncheck that box by Ma8thew · · Score: 3, Informative

    Can't recall the last time I even used a Java applet. Just uncheck the box in preferences and forget about it.

    1. Re:Guess it's time to uncheck that box by pjt33 · · Score: 2, Informative

      Java Webstart, not applet. Basically you download a .jnlp file, which is an xml config file telling it where to download an application to then execute. It's supposed to be sandboxed. But what matters is how your browser handles .jnlp files (or the corresponding mimetype), not how it handles applet tags (or the corresponding object tag).

    2. Re:Guess it's time to uncheck that box by AchilleTalon · · Score: 4, Funny

      Well, I am mainly writing Web client applications in Java to gain unauthorized access to your desktop.

      --
      Achille Talon
      Hop!
    3. Re:Guess it's time to uncheck that box by thsths · · Score: 2, Interesting

      > Sun botched the first applet plugin (which sucked). They rewrote it last year, which was recently released in an update.

      Can you tell me where I get a Java plugin that doesn't suck? Because mine still does - it takes seconds to load, blocks the browser in the mean time, it always looks ugly (something wrong with the fonts?), and it often interferes with the web page. Plus the update mechanism is terrible - certainly if you have a normal user account for normal use.

      Actually even the Flash plugin is a lot better, plus Flash graphics just look excellent.

    4. Re:Guess it's time to uncheck that box by GIL_Dude · · Score: 2, Insightful

      http://runescape.com/ is a Java site my son uses all the time. AT&T Connect web conferencing service is one I use at work all the time. There are certainly folks that need it for a bunch of different things, but I will certainly stipulate that it isn't used on the desktop (thankfully!) as much as it was. That said, at work, every time we send out a Java security patch we get calls from users of all kinds of vertical market apps about how the patch broke their app and we have to get the vendor to get a new version out really quick. Quite annoying how it always breaks stuff as it moves forward.

    5. Re:Guess it's time to uncheck that box by Anonymous Coward · · Score: 2, Insightful

      And what webapp sites would these be??? Really, there are not too many mainstream sites that require a JRE to function properly. I remember a short period where Java was used similar to Flash (I remember perverse cases where individual animated buttons were Java applets), and I occasionally stumble upon some of these broken down and burnt out sites.

      There are specific sites that tend to use Java, like online tutorials for math and science subjects, or somebody's hack, or just a browser integrated version of some Java app for something like an interactive simulator, but these are fairly niche.

      Or are you yet another fool that thinks that Java and Javascript are closely related?

  4. This is javocalypse by Anonymous Coward · · Score: 2, Informative
  5. People have Java enabled in their browser? by WindSword · · Score: 3, Funny

    Wow! I never knew.

  6. Article Contents by Oxford_Comma_Lover · · Score: 4, Insightful

    Yes, the summary's misleading; but the article at least is a bit clearer: it refers to Windows-based browsers.

    "In his advisory, Ormandy said that he notified Sun about the vulnerability but that the vendor didn't believe it was serious enough to warrant an emergency patch," sayeth the article.

    Now that it's on slashdot, of course, that is clearly no longer the case, if indeed it was.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    1. Re:Article Contents by binarylarry · · Score: 5, Informative

      Actually it affected Linux browsers too.

      However, it was fixed a few updates ago: http://java.sun.com/javase/6/webnotes/6u17.html

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:Article Contents by hairyfeet · · Score: 5, Insightful

      Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!

      So can we please let this little fact DIAF already? Because frankly it doesn't matter if the malware is running with user or admin rights because in the end it HAS YOUR STUFF which is all anybody gives a shit about. I have never in my nearly 15 years of PC repair had anybody go "but is the system okay?". All anybody has ever ever cared about, even when I tell them I'm gonna have to nuke it, is "can you give me back my stuff please?". So let us just let this little "malware at root VS user" crud die already. If you have malware running at either level it has access to your stuff, which depending on how religiously you back up (which guess what? 99.995% of users in my experience don't have recent backups, if they have backups at all) can be a PITA at best and a true tragedy if you lose irreplaceable memories.

      So in conclusion: If the malware can run, whether on Linux or Windows, it can get to your stuff, which is WAY more important than whether or not your system gets hosed. After all any geek here at /. can get a system fully running and tweaked nicely in a couple of hours, how long would it take to replace that only copy of your vacation photos, or that only copy of your late grandmother's last Xmas here on earth?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:Article Contents by petermgreen · · Score: 2, Insightful

      Don't even need to trick them, just put wrappers in place so that next time they try to use one of those tools it runs the malware. For bonus points design the malware so it takes what the user was originally trying to do as a command line parameter and runs that as well so the user isn't any the wiser.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    4. Re:Article Contents by jabberw0k · · Score: 3, Informative

      If you are going to make a cogent argument, you should omit the profanity; by resorting to vulgarities you torpedo yourself. What a shame, you probably had a valid point.

    5. Re:Article Contents by Confusador · · Score: 3, Informative

      > Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!

      Spoken like someone who hasn't had to administer antivirus in a while. The antivirus cares if the bot can affect it, and it's awfully difficult to install a rootkit without root access. So restricting it to user level access means that you're likely to catch it before it wipes out your stuff. And that's all I care about.

    6. Re:Article Contents by GigaplexNZ · · Score: 2, Interesting

      Unless your username has the string "user" in it, that won't do a heck of a lot. Why do so many people try to create a way to suggest "replace with current user's home directory" when a syntactically correct one exists already? The added bonus is that it works even if the user's home directory is set up in a different location to the normal convention.

      rm -rf ~

    7. Re:Article Contents by GigaplexNZ · · Score: 2, Informative

      Yes, I realise that.

      > (try $ echo rm -rf ~)? rm will probably not understand it

      test@localhost:~$ echo rm -rf ~
      rm -rf /home/test

      test@localhost:~$ ls -a ~
      . .. .bashrc

      test@localhost:~$ rm -rf ~
      rm: cannot remove directory `/home/test': Permission denied

      test@localhost:~$ ls -a ~
      . ..

      Aside from my test user not having permission to remove the directory itself, "rm -rf ~" does work and is devastating.

  7. How to disable Java? by mtxf · · Score: 2, Informative

    In recent times Firefox seems to have removed the little "[ ] Enable Java" checkbox from the Options > Content page, however I've found if you go into Tools > Add-ons > Plugins you can disable the Java(TM) Platform SE 6 Uxx plugin from there, which seems like it does the trick.

    1. Re:How to disable Java? by The+MAZZTer · · Score: 2, Informative

      That's probably why they removed it. Java is less and less popular so it makes sense to not make it as prominent. Plus it's not even built into the browser, it's a plugin, and now you can disable any plugin.

    2. Re:How to disable Java? by mtxf · · Score: 2, Informative

      Replying to myself, I know. I also just read TFA (!) and disabling the Java Platform plugin alone isn't enough!

      --------------------
      Affected Software
      ------------------------

      All versions since Java SE 6 update 10 for Microsoft Windows are believed to be
      affected by this vulnerability. Disabling the java plugin is not sufficient to
      prevent exploitation, as the toolkit is installed independently.

      There's a separate plugin called something like Java Deployment Toolkit which you also need to kill.

      To check if you're vulnerable, PoC is here: http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

  8. Re:Howcum? by binarylarry · · Score: 3, Informative

    Because it's not an exploit in Java, it's an exploit in the way parameters are provided to Java, when it is launched by the web start native executable.

    --
    Mod me down, my New Earth Global Warmingist friends!
  9. Re:New? by binarylarry · · Score: 4, Insightful

    Compared to what? Java has a pretty fantastic security track record.

    Also this isn't an exploit in the Java runtime, it's an exploit in the way the web start native launcher parses arguments before using them to launch the Java virtual machine.

    --
    Mod me down, my New Earth Global Warmingist friends!
  10. Re:New? by Yvan256 · · Score: 3, Insightful

    Compared to
    [_] Enable Java

  11. Re:New? by binarylarry · · Score: 3, Insightful

    It gets even safer with:

    [_] Enable teh interwebs

    oh oh! and this one:

    [_] Enable computer power

    The ultimately in security, I've done it!

    --
    Mod me down, my New Earth Global Warmingist friends!
  12. Re:New? by shutdown+-p+now · · Score: 3, Informative

    Offtopic, but you really should remove or replace that link in your sig if you want to be taken seriously on any topic related to Java (or .NET). It's so out of date it's not even funny - a lot of points are at best misleading, at worst blatantly wrong - and you've been called out on that on /. several times already.

    Actually, come to think of it, quite a few bullet points there were lies in 2004, as well, which makes me wonder if you're just ignorant, or deliberately spreading FUD.

  13. Some precisions.... by ls671 · · Score: 5, Informative

    Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file.

    Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code.

    I thought this should be made clearer... ;-))

    --
    Everything I write is lies, read between the lines.
  14. Re:New? by Culture20 · · Score: 2, Funny

    > [_] Enable computer power
    >
    > The ultimately in security, I've done it!

    I didn't see a "*($^#@$@^$&&&... NO CARRIER". I call shenanigans!

  15. And yet it ISN'T fixed by Wee · · Score: 3, Informative

    The article says that version 1.6.0_19 is affected.

    So no, not old news. Not "long since" fixed.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

    1. Re:And yet it ISN'T fixed by fluffy99 · · Score: 3, Informative

      I tried to run their simple exploit demo, but it failed to load.

      I just tested 1.6.0_18 and 1.6.0_19. Under IE8, both popped up an error that it couldn't download the exploit file. Firefox loaded Java, but nothing happened and no error was posted. So I would say, yes they are still vulnerable. It's just that the demo exploit file was not reachable.

  16. Java has had a built-in backdoor by Animats · · Score: 5, Insightful

    This isn't a bug. This is a backdoor inserted by someone at Sun.

    The article says there is an "undocumented parameter" which allows specifying, on the command line, which run-time system to load. That allows loading arbitrary executable code. It's a built-in backdoor.

    1. Re:Java has had a built-in backdoor by petermgreen · · Score: 5, Interesting

      Personally I doubt this was deliberate.

      The ability to load a different version of the jvm dll sounds like a debugging feature and normally someone running java from the command line would have the ability to run anything else anyway so it wouldn't really seem like a security flaw.

      Processing untrusted stuff to allow it to be passed to an interface designed to take trusted stuff is known to be something that is easy to fuck up. Just look at all the sql injection attacks over the years.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
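
The bug class discussed in this thread (a launcher that passes page-supplied text to a command line meant for trusted input) can be closed by validating the value and handing it over as a single argv element. The following is an added example, not code from the article, Sun or any commenter; the launcher path, host allow-list, HTTPS-only policy and the sample option name are all assumptions made up for illustration.

```python
import shlex
from urllib.parse import urlsplit

# Hypothetical names: launcher path and host allow-list are assumptions.
LAUNCHER = "/opt/example/bin/launcher"
ALLOWED_HOSTS = {"apps.example.com"}
# Constructed sample input: a made-up option placed in front of a valid URL.
SMUGGLED = "-hypothetical-option=value https://apps.example.com/tool.jnlp"


class RejectedArgument(ValueError):
    """Raised when page-supplied input must not reach the launcher."""


def naive_command_line(raw):
    # The flawed pattern: untrusted text is pasted into a command line that
    # the launcher parses again, so the text can carry extra options.
    return LAUNCHER + " " + raw


def validate_descriptor_url(raw):
    """Return a normalized descriptor URL or raise RejectedArgument."""
    if not isinstance(raw, str) or not raw:
        raise RejectedArgument("empty value")
    if raw.startswith("-"):
        raise RejectedArgument("looks like an option, not a URL")
    if any(ch.isspace() or ord(ch) < 0x20 or ch in "\"'`\\" for ch in raw):
        raise RejectedArgument("whitespace, quote or backslash in value")
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise RejectedArgument("unparseable URL") from exc
    if parts.scheme != "https" or port not in (None, 443):
        raise RejectedArgument("only https on the default port is allowed")
    if parts.username or parts.password:
        raise RejectedArgument("credentials embedded in URL")
    if parts.hostname not in ALLOWED_HOSTS:
        raise RejectedArgument("host is not on the allow-list")
    if not parts.path.lower().endswith(".jnlp"):
        raise RejectedArgument("not a .jnlp descriptor")
    return parts.geturl()


def build_argv(raw):
    # An argv list (never a shell string) keeps the value as one argument.
    return [LAUNCHER, validate_descriptor_url(raw)]


def is_accepted(raw):
    try:
        build_argv(raw)
        return True
    except RejectedArgument:
        return False


if __name__ == "__main__":
    print("naive parse :", shlex.split(naive_command_line(SMUGGLED)))
    print("validated   :", build_argv("https://apps.example.com/tool.jnlp"))
    print("smuggled ok?:", is_accepted(SMUGGLED))
```

The returned list is meant for `subprocess.run(argv, shell=False)`; `shlex.split` here only approximates how a launcher would re-parse a single command-line string.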
  17. HURRY!!! by Anonymous Coward · · Score: 2, Funny

    Both users of Java Web Start need to be contacted immediately!

  18. Sounds like FUD to me... by mswhippingboy · · Score: 2, Insightful

    This is not a flaw in Java. This is (possibly) a flaw in JavaWS, which is nothing more than a technology for launching applications from a web page. It does not affect Java applets, or Java applications launched from the command line or desktop.
    If you RTFA, you'll see that the problem is that a link can redirect the executable that gets launched so that INSTEAD of Java launching, something nefarious gets launched.

    While the whole scenario described is a bit contrived, it is something that should definitely be corrected. It is not, however, a flaw in Java.
    Calling this a flaw in Java is equivalent to claiming that .Net has a serious security flaw because a link can be created that claims to launch a .Net application when in reality it points to a spyware executable.

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.