Sun Pushes Emergency Java Patch

← Back to Stories (view on slashdot.org)

Sun Pushes Emergency Java Patch

Posted by timothy on Thursday April 15, 2010 @07:53AM from the emergency-shot-of-soy-latte dept.

Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was about to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."

90 comments

PHB syndrome by 18_Rabbit · 2010-04-15 07:56 · Score: 4, Insightful

Why is it that corporate types never understand that if the white hats have found it, the black hats have too...and are exploiting it.
1. Re:PHB syndrome by ILuvRamen · 2010-04-15 08:08 · Score: 3, Informative
  
  They assume white hats are smarter and faster because they have jobs and are being paid. What they don't realize is that black hats also have "jobs" and are being paid.
  
  --
  Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
2. Re:PHB syndrome by mea37 · 2010-04-15 08:30 · Score: 5, Insightful
  
  That's not the problem.
  The problem is, management (the people in control of the big corporations who harbor at most marginal technical aptitude) see the flaw but lack the imagination to understand how it could be used for real harm until they see it used for real harm.
  (Actually, "lack the imagination" may be misleading. They are motivated to think that the problem is not a big deal, and they have no problem convincing themselves of this rather than exploring the possible threat scenarios.)
  Full disclosure changes the risk from the company's point of view ("Oh, great, now we know people are trying to think of a way we're not seeing to exploit this") but the real tipping point is when they see a demonstration of harm being done (not merely a proof-of-concept that they can rationalize away).
3. Re:PHB syndrome by phantomcircuit · 2010-04-15 08:46 · Score: 3, Insightful
  
  What they don't realize is that black hats also have "jobs" and are being paid.
  It's even worse than that. The black hats are almost certainly being paid far more than the white hats are.
4. Re:PHB syndrome by david_thornley · 2010-04-15 09:52 · Score: 2, Insightful
  
  Why is it that Slashdotters never understand that hasty patches are dangerous and expensive? This patch almost certainly hasn't been tested as well as Sun would like, and they could well be screwing up people's computers. There are dangers in patching too hastily and patching too slowly, and somebody has to decide on the trade-offs.
  My guess is that they were hoping to run it through the normal cycle when they saw it being used in the wild, and decided that it was important to get something off now, regardless of risk and possible additional expense.
  The fact that they were able to issue a patch the day after they found live exploits indicates that they were probably working on it already, and simply misjudged the immediacy of the danger.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
5. Re:PHB syndrome by ls671 · 2010-04-15 10:15 · Score: 1
  
  > This patch almost certainly hasn't been tested as well as Sun would like
  You do not have to release the latest and greatest if hasn't been tested enough for your taste.
  Just branch from the last stable release and apply only the fix that is needed for security reasons. This is done all the time !
  A patch to filter input parameters should be trivial enough to test ;-))
  
  --
  Everything I write is lies, read between the lines.
6. Re:PHB syndrome by Anonymous Coward · 2010-04-15 12:14 · Score: 2, Informative
  
  True, but the last stable release (update 19) is crap already. Unfortunately, 19 was also a critical security update so we had to start deploying it. It has broken at least 5 major applications already (for example a resource scheduling application - to reserve meeting rooms and equipment, a publishing application used to move internal web code from test to production, and several more). Sun's habit of breaking stuff with every release is really a serious problem.
7. Re:PHB syndrome by Anonymous Coward · 2010-04-15 12:25 · Score: 0
  
  I wonder, would it be illegal to sell an exploit/spambot/botnet toolkit to some entrepeneur. As long as it is not me who actually uses it? I mean I thought Mr. Kasparov was running Kaspersky.
  It is a pity that my talent is wasted and these guys seem to value what I do.
  I do not want to go to jail or get a bullet into my head, though.
  Anyone got references?
8. Re:PHB syndrome by IdleTime · 2010-04-15 12:28 · Score: 2, Informative
  
  You can read the published advisory here:
  http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html
  
  --
  If you mod me down, I *will* introduce you to my sister!
9. Re:PHB syndrome by Anonymous Coward · 2010-04-15 13:41 · Score: 0
  
  There only is Ormandy's claim that Sun *ahem* Oracle wasn't going to issue an emergency patch. I trust Ormandy that he *thought* that Oracle would not issue an emergency patch. But I consider it dumb to just go public with an exploit rather than give the vendor a few weeks of time to first analyze and then fix the issue. The public then gets a patch that was not properly tested, and thus is more likely than usual to either contain an incomplete security fix, or breaks something else.
10. Re:PHB syndrome by eloki · 2010-04-15 13:53 · Score: 3, Insightful
  
  Really? I thought the problem might be that they see the flaw but see it as lacking urgency as they have insufficient stake in an urgent patch.
  When it becomes an exploited flaw, the company reputation is now at risk and customers/users experiencing actual (as opposed to possible) loss are much more likely to get angry and demanding. Now the company has a stake in the patch.
  (But as pointed out elsewhere, it's hard to comprehensively test on an urgent patch.)
11. Re:PHB syndrome by Anonymous Coward · 2010-04-15 14:18 · Score: 0
  
  You've obviously never released any real software.
12. Re:PHB syndrome by shentino · 2010-04-15 14:30 · Score: 2, Informative
  
  An unfortunate side effect that full disclosure also gets them royally pissed at you for "exposing" their flaw.
13. Re:PHB syndrome by Anonymous Coward · 2010-04-15 15:01 · Score: 1, Insightful
  
  Dude, you're full of crap.
14. Re:PHB syndrome by ultranova · 2010-04-15 16:50 · Score: 1
  
  And an unfortunate side effect of that is that you have to disclose anonymously for your own protection, and that means simply making the whole thing public from the start.
  
  --
  Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
15. Re:PHB syndrome by Anonymous Coward · 2010-04-15 20:24 · Score: 0
  
  About half of your post is in brackets. (It's really annoying, and if you're having to use brackets so much, consider re-wording your post).
16. Re:PHB syndrome by ls671 · 2010-04-15 21:38 · Score: 1
  
  You have obviously never worked on a serious project and you are obviously unaware of tools such as source repositories, with functionality such as versioning and branching functionality.
  I bet your sources live on your hard-drive. At best, you might be using MS source-safe which is pretty limited in functionality.
  
  --
  Everything I write is lies, read between the lines.
17. Re:PHB syndrome by david_thornley · 2010-04-16 00:03 · Score: 1
  
  On the theory that a patch from a stable version will break nothing? If it filters input parameters, how are you to know, without extensive testing, that it filters the right ones? If it filters out too much, it may break perfectly reasonable applications. If it filters out too little, it may leave the system vulnerable. It may do both, if it's just a little wrong.
  Yes, I, too, have deployed very simple patches to stable software without adequate testing. One recent time, I put a hundred-thousand-dollar machine out of commission that way, and I'm generally quite competent while fixing things.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
White Hats by DarkKnightRadick · 2010-04-15 07:57 · Score: 5, Insightful

I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.

--
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
1. Re:White Hats by poetmatt · 2010-04-15 08:17 · Score: 2, Informative
  
  that sounds nice and all, but there are currently very real legal risks involved even if you are a white hat and employed by a company to look for this stuff.
  I agree that white hats should do it anyway - one way or the other the legal system will get around to protecting it, probably as whistleblowing/free speech, but in the meantime I think plenty are afraid to be taken to court for disclosing vulnerabilities and/or not being employed for future whitehat jobs.
2. Re:White Hats by Anonymous Coward · 2010-04-15 08:39 · Score: 0
  
  Does white hat mean good, lawful or lawful-good?
3. Re:White Hats by hlee · 2010-04-15 09:06 · Score: 1
  
  I take white hat to mean Good, i.e. you're not using the exploit for personal gain.
  You're Lawful Good if you're working on behalf of some legal authority. Chaotic Good if you're exposing it to shame/antagonize the companies. Neutral Good if just out of your own personal reasons.
4. Re:White Hats by Anonymous Coward · 2010-04-15 12:28 · Score: 0
  
  then you are not a white hat.
  you are a grey hat
5. Re:White Hats by Anonymous Coward · 2010-04-15 18:54 · Score: 0
  
  But does that mean the Black hats have Lawful Evil?
6. Re:White Hats by Anonymous Coward · 2010-04-15 20:19 · Score: 0
  
  If they sell the exploit to others for money they are Lawful Evil.
  If they use the exploit to steal data and use it for extortion they are Neutral Evil.
  If they use the exploit to wipe the system, delete files, damage stuff, they are Chaotic Evil.
Hm... by oldhack · 2010-04-15 07:59 · Score: 0, Redundant

But does it affect any iStuff?

--
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
1. Re:Hm... by laederkeps · 2010-04-15 08:21 · Score: 0, Offtopic
  
  I only just realized that you can go into the slashdot preferences and select which sections of the site you wish to see.
  You'll notice that all the iStuff is conveniently collected under the "Apple" section.
  Hiding it sure removes a lot of cruft from the front page.
2. Re:Hm... by sqlrob · 2010-04-15 08:37 · Score: 1
  
  If Sun patched this today, you can expect the patch for iStuff around Christmas or so, if that quickly.
  They've been that slow before on exploited vulnerabilities, they'll be that slow again.
3. Re:Hm... by mlyle · 2010-04-15 15:42 · Score: 1
  
  Given that the problem is not exploitable on MacOS X with Safari... I think they'll be very slow to release a fix.
Summary reads better with hyphenated words only by bugeaterr · 2010-04-15 08:08 · Score: 5, Funny

about-face
drive-by
in-the-wild
out-of-cycle
booby-trapped
Java-Plugin
command-line
about-face
full-disclosure
1. Re:Summary reads better with hyphenated words only by OrwellianLurker · 2010-04-15 08:13 · Score: 2, Funny
  
  What do you expect from Tim-Othy?
  
  --
  'Political power grows out of the barrel of a gun.' - Mao Tse-tung
2. Re:Summary reads better with hyphenated words only by clone53421 · 2010-04-15 08:13 · Score: 1
  
  Summary reads better with hyphenated words only
  That is surprisingly true.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
3. Re:Summary reads better with hyphenated words only by ooshna · 2010-04-15 14:21 · Score: 1
  
  Its like a George Carlin rant.
Oracle by farble1670 · 2010-04-15 08:20 · Score: 4, Informative

there is no company or organization called "sun" ... there is only oracle now.
1. Re:Oracle by Macrat · 2010-04-15 08:31 · Score: 1
  
  This is not the Sun you are looking for
2. Re:Oracle by Anonymous Coward · 2010-04-15 08:50 · Score: 1, Funny
  
  That's no Sun.
3. Re:Oracle by Anonymous Coward · 2010-04-15 09:44 · Score: 0
  
  "On January 26, 2010, we completed our acquisition of Sun Microsystems, Inc. (Sun), a provider of hardware systems, software and services, by means of a merger of one of our wholly owned subsidiaries with and into Sun such that Sun became a wholly owned subsidiary of Oracle" -- Oracle 10-Q (emphasis added)
  Rarely are "mergers" destructive of corporate entities (especially so early in an acquisition)
4. Re:Oracle by game+kid · 2010-04-15 11:53 · Score: 1
  
  Rarely are "mergers" destructive of corporate entities (especially so early in an acquisition)
  Don't worry, they'll find a way.
  
  --
  You can hold down the "B" button for continuous firing.
5. Re:Oracle by iggymanz · 2010-04-15 13:07 · Score: 1
  
  uh huh, why don't you go to *sun.com* and check out some *sun solaris* features, and observe
6. Re:Oracle by John+Hasler · 2010-04-15 14:22 · Score: 1
  
  Even if Oracle does intend to liquidate Sun and merge its assets into itself rather than operate it as a wholly-owned subsiduary Sun certainly still exists as a legal entity. It takes many months (sometimes years) to work through all the details of a merger.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
7. Re:Oracle by drinkypoo · 2010-04-15 23:31 · Score: 1
  
  there is no company or organization called "sun" ... there is only oracle now.
  It's not too late for Oracle to sell some or all of Sun, as "Sun".
  Your grasp on corporatism is only half-sufficient to keep you from falling off a cliff.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
8. Re:Oracle by tehcyder · 2010-04-15 23:45 · Score: 1
  
  there is no company or organization called "sun" ... there is only oracle now.
  
  In the same way that you can only buy Diageo and not Guinness?
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
9. Re:Oracle by silverglade00 · 2010-04-16 01:57 · Score: 1
  
  It's a space station!
10. Re:Oracle by Anonymous Coward · 2010-04-16 05:04 · Score: 0
  
  Believe it or not, legal entities are not defined by domain names.
11. Re:Oracle by sjames · 2010-04-16 08:09 · Score: 1
  
  I propose that from now on we refer to the entities as zombie Sun and Papa Oracle.
OK Corral by mindbrane · 2010-04-15 08:22 · Score: 0

I've not been able to stay current with security affairs since about Windows 98, not because staying current with computer security isn't important, but because I just don't have the time. Fortunately I'm able to keep my work computers offline. But as a Luser look at it this way, every security patch is a bullet you hoped to have dodged, now think of how many security patches a Window's box needs, especially if it's always online and loaded with 3rd party software, it's like the Gunfight at the OK Corral. What does it say about the true state of the internet?

--
ideopath @ play
does this issue effect solaris? by Anonymous Coward · 2010-04-15 08:24 · Score: 0

does it?
1. Re:does this issue effect solaris? by afidel · 2010-04-15 08:45 · Score: 1
  
  Yes.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
So does thinkgeek by OglinTatas · 2010-04-15 08:26 · Score: 3, Funny

java patch:
http://www.thinkgeek.com/stuff/41/caffederm.shtml

--
More music, fewer hits
smoking day at slashdot by FranTaylor · 2010-04-15 08:29 · Score: 1

First it's e-cigs and now it's patches.
What's next, an article about pipes?
1. Re:smoking day at slashdot by rickb928 · 2010-04-15 08:36 · Score: 1
  
  No, NO! They're tubes, you noobs.
  Sheesh. Get it right, eh?
  
  --
  deleting the extra space after periods so i can stay relevant, yeah.
Does it bypass UAC? by tkinnun0 · 2010-04-15 08:42 · Score: 2, Interesting

Does this exploit bypass UAC in 7 and Vista?
1. Re:Does it bypass UAC? by Anonymous Coward · 2010-04-15 10:14 · Score: 2, Insightful
  
  Does this exploit bypass UAC in 7 and Vista?
  No, the user still does that.
Need a new breed of white hat by syousef · 2010-04-15 08:43 · Score: 4, Funny

I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.
I recommend we coin a new term for this elite breed of white hat. White hats that are more aggressive. Not afraid to be an asshole when required. I would like to propose: "ass hats"

--
These posts express my own personal views, not those of my employer
1. Re:Need a new breed of white hat by Anonymous Coward · 2010-04-15 15:10 · Score: 0
  
  That honor is reserved for most on /.
2. Re:Need a new breed of white hat by ozmanjusri · 2010-04-15 19:13 · Score: 1
  
  Brown hats?
  
  --
  "I've got more toys than Teruhisa Kitahara."
There's a workaround by afidel · 2010-04-15 08:43 · Score: 3, Insightful

Just disable jnlp file association, we have a number of third party websites that require a specific version of java to function (I'm looking at you ADP etime) and so we can't just upgrade to the newest version. The workaround is to remove the JNLP file association from the registry which leads IE to prompt to download the file instead of automatically running it.

--
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
1. Re:There's a workaround by woodsrunner · 2010-04-16 03:35 · Score: 1
  
  Your post worried me, and immediately tested with ADP Timesaver and it worked for me. Not sure if it's the same product.
Saw this earlier today by VGPowerlord · 2010-04-15 08:46 · Score: 2, Informative

The Register mentioned this earlier today, and I immediately informed our local IT guy, who contacted someone higher up at Enterprise Security.
Then Worf came to my desk and said I needed to test the Java upgrade before they deployed it to everyone.
...
Ok, not Worf, just one of our tech guys. Since I'm one of two Java developers on this floor as well as the one who reported it, I got the fun job of making sure everything i have (Eclipse, OC4J, Oracle SQLDeveloper, Oracle JDeveloper, etc...) still worked.

--
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
1. Re:Saw this earlier today by StuartHankins · 2010-04-15 09:12 · Score: 1
  
  As least your org is clueful enough to have you test for problems before rolling it out. Some orgs might choose to avoid it altogether because of the chance it could break something, or because they're lazy, or countless other reasons. Sounds like you're lucky you work for someone who took a timely, thoughtful approach to the problem.
Come on, be adults. by Anonymous Coward · 2010-04-15 08:52 · Score: 3, Insightful

It's not that corporations don't "get the value" of White Hat reports. They love them!
But these corporations are not giant machines running on magic. They are made up of people who have other priorities, other dead lines and will not get paid anything for going through the mountains of work that must be done to issue an emergency fix. Absolutely, they should be more responsive. But it's not like they're sitting on the beach smokin a bowl. These corporations are busting their ass to find enough money to keep all their people employed. Issuing an embarrassing, costly and difficult fix is a lot like working an extra job to pay an unexpected hospital bill. How much enthusiasm would have in that situation?
1. Re:Come on, be adults. by Anonymous Coward · 2010-04-16 02:47 · Score: 0
  
  I imagined corporate officers in the bowl smoking and finding enough money to keep employees employed situations that you described. Sadly, I found the former more believable than the latter.
Huge hole by Anonymous Coward · 2010-04-15 09:04 · Score: 0

At least it works now, unlike the hastily pushed out 1.6.0_19-b05 version that crippled our app on numerous computers.
The hole was so big - it should have been fixed ASAP (with at most a day or two of high-priority testing). Shame on you Soracle.
1. Re:Huge hole by VGPowerlord · 2010-04-15 09:09 · Score: 1
  
  ...fifth build of 1.6.0_19 and it still crippled your app? Whoops.
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
2. Re:Huge hole by Anonymous Coward · 2010-04-15 09:13 · Score: 0
  
  yeah it was a huge hole. Measured 6-goatses in diameter.
Java 1.5 users are screwed by Anonymous Coward · 2010-04-15 09:12 · Score: 3, Informative

Due to development constraints, I run JDK 5 Update 22 on my system.
As of Nov 3rd 2009, Update 22 is the last public release of version 5.
I used the exploit demo link to see if it is also vulnerable, and sure enough it attempted to launch a program.
So now the still-quite-large-installed-base of 1.5.0_x users are screwed!!!
Fortunately though, my AVG quickly blocked it, reporting it as "Exploit JSE WebStart (type 1067)"
1. Re:Java 1.5 users are screwed by jo42 · 2010-04-15 09:50 · Score: 0, Flamebait
  
  I ended up uninstalling Java the day I got hit by malware through Java.
  Don't need it to run anything on my machine so the POS is gone, gone, gone.
2. Re:Java 1.5 users are screwed by loxosceles · 2010-04-15 12:25 · Score: 1
  
  Corporate constraints?
  That's what VMs are for: testing and development without exposing your main desktop and web browser to those vulnerabilities.
3. Re:Java 1.5 users are screwed by Anonymous Coward · 2010-04-15 14:29 · Score: 2, Insightful
  
  Java 5 is from 2004. Now we have 2010.
  I know how you feel. I liked my firefox 1.0, too. It sucked when I had to upgrade to firefox 2.0.
  I would have preferred mozilla to support firefox 1.0 forever. Free of charge, of course.
4. Re:Java 1.5 users are screwed by Anonymous Coward · 2010-04-16 04:23 · Score: 0
  
  PowerPC Mac users are stuck with Java 1.5. These computers are at least 4 years old, not six.
5. Re:Java 1.5 users are screwed by tgrigsby · 2010-04-16 05:03 · Score: 1
  
  My AVG reported it as type 1066, but yeah, AVG stopped this exploit cold.
  
  --
  *** *** You're just jealous 'cause the voices talk to me... ***
I was affected by Anonymous Coward · 2010-04-15 09:30 · Score: 2, Interesting

I was actually hit by one of these "drive by downloads" within firefox via java 5-6 weeks ago. Browsing porn, opened a tab to a video, the browser suddenly got sluggish like crazy. Task manager showed java executable running at near 100% cpu. The processes were so locked up that an attempt to kill either the java process or firefox just wasn't doing anything. I have Avast for anti-virus, and it wasn't complaining about any virus - until the exact moment I clicked to reboot the machine. At that instant, Avast popped up a virus alert, but it was too late - I guess the reboot process shut down the Avast service/process *before* the browser. Immediately after a reboot I discovered I was, for the first time in my life, rootkitted. It took 2 rounds of Malwarebytes' Anti-Malware and a windows-xp-recovery execution of `fixmbr` to completely eradicate.
I would *not* have java installed (at least not for browsers) to begin with if not for the fact that the Canada Revnue Agency's website *requires* java just to login to one's government account. Ridiculous.
Which toolbar does this patch? by snsh · 2010-04-15 09:50 · Score: 2, Interesting

Now, does this vulnerability apply to java's Bing toolbar, their Yahoo! toolbar, the MSN toolbar, or their Google toolbar?
1. Re:Which toolbar does this patch? by Kaboom13 · 2010-04-15 11:04 · Score: 2, Informative
  
  The Java SE page has downloads that don't have the obnoxious toolbar/trial crap in them
  http://java.sun.com/javase/downloads/index.jsp
Ahem. The patch doesn't seem to work well here. by surveyork · 2010-04-15 10:37 · Score: 0

I installed the new JRE and then tried the PoC http://3.ly/qht4 . Sometimes I get an error message as shown in the article, but most times the calculator pops up. I'm using XP SP3 & PaleMoon 3.6.3 browser.

--
2019 is going to be the year of Linux on the desktop.
1. Re:Ahem. The patch doesn't seem to work well here. by surveyork · 2010-04-23 18:05 · Score: 0
  
  Yo! I discovered that the patch left some systems still vulnerable:
  
  http://www.kb.cert.org/vuls/id/886582
  
  "Note: The installer for Java 1.6.0_20 may not correctly update all instances of the Java Deployment Toolkit plugin. In some cases, the plugin that resides in the \bin\new_plugin directory may not be updated to the fixed 6.0.200.2 version of npdeployJava1.dll. If the new_plugin directory contains npdeploytk.dll version 6.0.190.4 or earlier, then browsers that use plug-ins, such as Mozilla Firefox or Google Chrome, may still be vulnerable. To correct this situation, delete the vulnerable npdeploytk.dll from the new_plugin directory and replace it with the npdeployJava1.dll version from the bin directory.
  
  Please note that the Java Development Toolkit can be installed in multiple browsers, therefore workarounds need to be applied to all browsers with the Java Development Toolkit."
  
  --
  2019 is going to be the year of Linux on the desktop.
I hate JAVA update by JaCKeL+1.0 · 2010-04-15 11:49 · Score: 3, Insightful

They will once again propose me to install a toolbar. WTF, just do your update and stop trying to install shit I don't want after I already said "NO" to the same queation 10 freaking times before.
1. Re:I hate JAVA update by pne · 2010-04-19 21:36 · Score: 1
  
  I'm always amused that the annoying Yahoo toolbar ad in the installer claims to "block annoying ads".
  
  --
  Esli epei etot cumprenan, shris soa Sfaha.
No they're not by Anonymous Coward · 2010-04-15 13:34 · Score: 0

http://www.sun.com/software/javaforbusiness/index.jsp
Just those that don't pay, rather than migrate.
Update Links by kcbnac · 2010-04-15 13:44 · Score: 2, Informative

For Java, here's a quick link to see what version you have installed, and if there's a new version available or not:
www.java.com/en/download/installed.jsp?detect=jre&try=1
Here's one for Adobe Flash Player:
http://www.adobe.com/software/flash/about/
What other plugins are there links for like this?
I'd love to have a page set up that I can just click through a set of links to verify each app is current when checking PCs. If the update process is painless enough, just have friends and family run through it every so often, or when they hear of a "java exploit" or "flash bug" or whatever. (I train most of 'em well enough that they can do this, or I automate the system to check regularly)
The major browsers (except IE, that's tied to Windows) update themselves on Windows boxes - what links are useful to ensure the rest of the browser-accessible ecosystem is current?
1. Re:Update Links by Anonymous Coward · 2010-04-15 20:23 · Score: 0
  
  You seem to be looking for the Secunia Online Software Inspector (OSI). It will scan your Windows OS plus common applications and plugins (including Flash and Java) to tell you whether any are out of date from a security point of view. Warnings about out of date programs include a link to the updated versions.
  Ironically, the software is written in Java. The online scanner doesn't require any installation, though Secunia does offer an installable version.
Write once, exploit everywhere by Slashcrunch · 2010-04-15 13:45 · Score: 4, Funny

"Write once, exploit everywhere"
Well, someone had to say it.
Java 6 u19 Works Fine by rliden · 2010-04-15 15:56 · Score: 1

I have Java 6 update 19 installed and I get the same error and failed attempt using this link (weird url but it's the one from the TFA): test demo. The author also said the fix wasn't mentioned in the patch notes. Could this vulnerability have been fixed in a previous version and no one actually tested what versions/updates were actually vulnerable before publishing these articles, or did I miss something?

--
Don't think of it as a flame, more like an argument that does 3d6 fire damage.
"the full-disclosure weapon" by Schraegstrichpunkt · 2010-04-15 16:13 · Score: 1

"Weapon". Biased, much?

--
http://outcampaign.org/
Here in Europe we want the LAVA patch from Iceland by Anonymous Coward · 2010-04-15 19:04 · Score: 0

first... forget the Sun, some of us can no longer see it!
eyelet kasugai by Mana+Mana · 2010-04-15 19:36 · Score: 1

Know what, security analyst jobs became common and then we had these periodic reports of `vendor ignores for-long-time reported insecure flaws, errors, etc.' bullshit. Fuckthat! go back to the ole publish to Bugtraq all warts most post haste. But then you don't get legally usable cred for your resume---oh, excuse me, Curriculum vitae, oh so sorry, CV---awww.
Use an alternate profile with different settings by Anonymous Coward · 2010-04-15 20:08 · Score: 0

If you are using Firefox, you could create a separate profile just for accessing the Canada Revnue Agency and have Java enabled only in that profile. I do something similar for banking. Or you could manually enable the Java plugin only while accessing the Canada Revnue Agency; you can do this in Firefox without even a restart.
Using separate OS accounts with different sets of plugins enabled would work as well.
The fact that your browser could install a rootkit means that you're running with administrator privileges. Not smart. If you can't browse porn from a limited account, you can at least turn off administrative privileges for Firefox using the DropMyRights program from Microsoft.
Sun is Dead by Anonymous Coward · 2010-04-16 03:36 · Score: 0

Seems you haven't been there in a while. sun.com redirects to oracle.com. It is now called Oracle Solaris.
See: Oracle Solaris
The Sun has died and turned into a brown dwarf.
Re:We are all individuals by b4dc0d3r · 2010-04-16 04:36 · Score: 1

Why is it that slashdot poster types group everyone together, as if they all have a hive mind? Each company has to learn this lesson, and often if a person is replaced the new guy has to learn it as well. Each company learns as it happens, and still they might resist the change in certain situations.
I frequently find small quirks in my codebase while looking at other unrelated items like general performance monitoring, and don't have time to investigate completely, but if someone complains I'll fix it. The change control process and testing is a lot of overhead to fix something that most people don't run into. So I can see the perspective of the "don't fix unless it's necessary" crowd, and it requires a real change in thinking and process updates to ensure everyone is going to be onboard. If someone doesn't think the change is worthwhile they can reject the change or delay it, either through making additional informational or approval requests, or flat out rejecting the change request. So it sits.
On the other hand, I write code for corporate internal sites and their clients, with heavy security and tracking, so if someone manages to turn a quirk into a vulnerability they will be caught and fired - and my data isn't sensitive enough that anyone would even try to break in. Most websites do not have the ability to threaten "you will lose your job" if the users hack it, so my motivation is just what can I package into a release without documenting all of the little bug fixes.
My point is, it will take a lot to switch me to the "fix everything just in case" mentality, and it would take other people, individually, some revelation or event like this before they start being proactive in their fixes.
This post incorporates the linked post below by reference as well.
http://it.slashdot.org/comments.pl?sid=1620242&cid=31864318
IN THE NAME OF F*** by Anonymous Coward · 2010-04-16 13:08 · Score: 0

It is very simple - large vendors - work with white hat researchers you hubristic f*** tards. What is the problem???????Do you have a problem with people doing uber skiled work for free? Sweet zombie jesus pass the vodka......................