Slashdot Mirror


Sun Pushes Emergency Java Patch

Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was about to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."

29 of 90 comments

  1. PHB syndrome by 18_Rabbit · · Score: 4, Insightful

    Why is it that corporate types never understand that if the white hats have found it, the black hats have too...and are exploiting it.

    1. Re:PHB syndrome by ILuvRamen · · Score: 3, Informative

      They assume white hats are smarter and faster because they have jobs and are being paid. What they don't realize is that black hats also have "jobs" and are being paid.

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    2. Re:PHB syndrome by mea37 · · Score: 5, Insightful

      That's not the problem.

      The problem is, management (the people in control of the big corporations who harbor at most marginal technical aptitude) see the flaw but lack the imagination to understand how it could be used for real harm until they see it used for real harm.

      (Actually, "lack the imagination" may be misleading. They are motivated to think that the problem is not a big deal, and they have no problem convincing themselves of this rather than exploring the possible threat scenarios.)

      Full disclosure changes the risk from the company's point of view ("Oh, great, now we know people are trying to think of a way we're not seeing to exploit this") but the real tipping point is when they see a demonstration of harm being done (not merely a proof-of-concept that they can rationalize away).

    3. Re:PHB syndrome by phantomcircuit · · Score: 3, Insightful

      What they don't realize is that black hats also have "jobs" and are being paid.

      It's even worse than that. The black hats are almost certainly being paid far more than the white hats are.

    4. Re:PHB syndrome by david_thornley · · Score: 2, Insightful

      Why is it that Slashdotters never understand that hasty patches are dangerous and expensive? This patch almost certainly hasn't been tested as well as Sun would like, and they could well be screwing up people's computers. There are dangers in patching too hastily and patching too slowly, and somebody has to decide on the trade-offs.

      My guess is that they were hoping to run it through the normal cycle when they saw it being used in the wild, and decided that it was important to get something off now, regardless of risk and possible additional expense.

      The fact that they were able to issue a patch the day after they found live exploits indicates that they were probably working on it already, and simply misjudged the immediacy of the danger.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    5. Re:PHB syndrome by Anonymous Coward · · Score: 2, Informative

      True, but the last stable release (update 19) is crap already. Unfortunately, 19 was also a critical security update so we had to start deploying it. It has broken at least 5 major applications already (for example a resource scheduling application - to reserve meeting rooms and equipment, a publishing application used to move internal web code from test to production, and several more). Sun's habit of breaking stuff with every release is really a serious problem.

    6. Re:PHB syndrome by IdleTime · · Score: 2, Informative
      --
      If you mod me down, I *will* introduce you to my sister!
    7. Re:PHB syndrome by eloki · · Score: 3, Insightful

      Really? I thought the problem might be that they see the flaw but see it as lacking urgency as they have insufficient stake in an urgent patch.

      When it becomes an exploited flaw, the company reputation is now at risk and customers/users experiencing actual (as opposed to possible) loss are much more likely to get angry and demanding. Now the company has a stake in the patch.

      (But as pointed out elsewhere, it's hard to comprehensively test on an urgent patch.)

    8. Re:PHB syndrome by shentino · · Score: 2, Informative

      An unfortunate side effect is that full disclosure also gets them royally pissed at you for "exposing" their flaw.

  2. White Hats by DarkKnightRadick · · Score: 5, Insightful

    I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.

    --
    "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    1. Re:White Hats by poetmatt · · Score: 2, Informative

      that sounds nice and all, but there are currently very real legal risks involved even if you are a white hat and employed by a company to look for this stuff.

      I agree that white hats should do it anyway - one way or the other the legal system will get around to protecting it, probably as whistleblowing/free speech, but in the meantime I think plenty are afraid to be taken to court for disclosing vulnerabilities and/or not being employed for future whitehat jobs.

  3. Summary reads better with hyphenated words only by bugeaterr · · Score: 5, Funny

    about-face
    drive-by
    in-the-wild
    out-of-cycle
    booby-trapped
    Java-Plugin
    command-line
    about-face
    full-disclosure

    1. Re:Summary reads better with hyphenated words only by OrwellianLurker · · Score: 2, Funny

      What do you expect from Tim-Othy?

      --
      'Political power grows out of the barrel of a gun.' - Mao Tse-tung
  4. Oracle by farble1670 · · Score: 4, Informative

    there is no company or organization called "sun" ... there is only oracle now.

  5. Does it bypass UAC? by tkinnun0 · · Score: 2, Interesting

    Does this exploit bypass UAC in 7 and Vista?

    1. Re:Does it bypass UAC? by Anonymous Coward · · Score: 2, Insightful

      Does this exploit bypass UAC in 7 and Vista?

      No, the user still does that.

  6. Need a new breed of white hat by syousef · · Score: 4, Funny

    I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.

    I recommend we coin a new term for this elite breed of white hat. White hats that are more aggressive. Not afraid to be an asshole when required. I would like to propose: "ass hats"

    --
    These posts express my own personal views, not those of my employer
  7. There's a workaround by afidel · · Score: 3, Insightful

    Just disable jnlp file association, we have a number of third party websites that require a specific version of java to function (I'm looking at you ADP etime) and so we can't just upgrade to the newest version. The workaround is to remove the JNLP file association from the registry which leads IE to prompt to download the file instead of automatically running it.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
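    The registry-side workaround described above, written out as an added PowerShell example that is not part of the original comment. It assumes the usual Java Web Start registration of the .jnlp extension under HKEY_CLASSES_ROOT\.jnlp with a ProgId whose shell\open\command points at javaws.exe; those key names are an assumption, not something the comment states. Run it without switches to see what the association currently resolves to, and with -Remove (from an elevated prompt) to back the key up and delete it so the browser prompts to download .jnlp files instead of handing them to javaws.exe.

```powershell
# Added example, not the commenter's own script. Inspects the .jnlp file
# association and optionally removes it after exporting a backup.
# Assumption: Java Web Start registers HKCR\.jnlp with a ProgId (commonly
# "JNLPFile") whose shell\open\command launches javaws.exe.
param([switch]$Remove)

$assocKey = 'Registry::HKEY_CLASSES_ROOT\.jnlp'

function Get-JnlpAssociation {
    # Returns $null when no association exists, otherwise the ProgId and the
    # command the shell would run for a double-clicked or auto-opened .jnlp.
    if (-not (Test-Path $assocKey)) {
        return $null
    }
    $progId  = (Get-ItemProperty -Path $assocKey).'(default)'
    $command = $null
    if ($progId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            $command = (Get-ItemProperty -Path $cmdKey).'(default)'
        }
    }
    [pscustomobject]@{ ProgId = $progId; OpenCommand = $command }
}

$current = Get-JnlpAssociation
if ($null -eq $current) {
    Write-Output 'No .jnlp association present; nothing to do.'
    return
}
Write-Output "Current .jnlp ProgId : $($current.ProgId)"
Write-Output "Open command         : $($current.OpenCommand)"

if ($Remove) {
    # Export the key first so the association can be restored once a fixed
    # Java build has been tested against the sites that still need it.
    $backup = Join-Path $env:TEMP 'jnlp-assoc-backup.reg'
    & reg.exe export 'HKEY_CLASSES_ROOT\.jnlp' $backup /y | Out-Null
    Remove-Item -Path $assocKey -Recurse -Force
    Write-Output "Removed HKCR\.jnlp (backup written to $backup)."
}
```

Deleting the key needs administrative rights; the exported .reg file can be re-imported with reg.exe once the newer Java build is cleared for deployment, which is why the script takes a backup before touching anything.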
  8. Saw this earlier today by VGPowerlord · · Score: 2, Informative

    The Register mentioned this earlier today, and I immediately informed our local IT guy, who contacted someone higher up at Enterprise Security.

    Then Worf came to my desk and said I needed to test the Java upgrade before they deployed it to everyone.

    ...

    Ok, not Worf, just one of our tech guys. Since I'm one of two Java developers on this floor as well as the one who reported it, I got the fun job of making sure everything I have (Eclipse, OC4J, Oracle SQLDeveloper, Oracle JDeveloper, etc...) still worked.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  9. Come on, be adults. by Anonymous Coward · · Score: 3, Insightful

    It's not that corporations don't "get the value" of White Hat reports. They love them!

    But these corporations are not giant machines running on magic. They are made up of people who have other priorities, other deadlines and will not get paid anything for going through the mountains of work that must be done to issue an emergency fix. Absolutely, they should be more responsive. But it's not like they're sitting on the beach smokin' a bowl. These corporations are busting their ass to find enough money to keep all their people employed. Issuing an embarrassing, costly and difficult fix is a lot like working an extra job to pay an unexpected hospital bill. How much enthusiasm would you have in that situation?

  10. Java 1.5 users are screwed by Anonymous Coward · · Score: 3, Informative

    Due to development constraints, I run JDK 5 Update 22 on my system.
    As of Nov 3rd 2009, Update 22 is the last public release of version 5.
    I used the exploit demo link to see if it is also vulnerable, and sure enough it attempted to launch a program.
    So now the still-quite-large-installed-base of 1.5.0_x users are screwed!!!

    Fortunately though, my AVG quickly blocked it, reporting it as "Exploit JSE WebStart (type 1067)".

    1. Re:Java 1.5 users are screwed by Anonymous Coward · · Score: 2, Insightful

      Java 5 is from 2004. Now we have 2010.
      I know how you feel. I liked my firefox 1.0, too. It sucked when I had to upgrade to firefox 2.0.
      I would have preferred mozilla to support firefox 1.0 forever. Free of charge, of course.

  11. I was affected by Anonymous Coward · · Score: 2, Interesting

    I was actually hit by one of these "drive by downloads" within firefox via java 5-6 weeks ago. Browsing porn, opened a tab to a video, the browser suddenly got sluggish like crazy. Task manager showed java executable running at near 100% cpu. The processes were so locked up that an attempt to kill either the java process or firefox just wasn't doing anything. I have Avast for anti-virus, and it wasn't complaining about any virus - until the exact moment I clicked to reboot the machine. At that instant, Avast popped up a virus alert, but it was too late - I guess the reboot process shut down the Avast service/process *before* the browser. Immediately after a reboot I discovered I was, for the first time in my life, rootkitted. It took 2 rounds of Malwarebytes' Anti-Malware and a windows-xp-recovery execution of `fixmbr` to completely eradicate.

    I would *not* have java installed (at least not for browsers) to begin with if not for the fact that the Canada Revenue Agency's website *requires* java just to login to one's government account. Ridiculous.

  12. Which toolbar does this patch? by snsh · · Score: 2, Interesting

    Now, does this vulnerability apply to java's Bing toolbar, their Yahoo! toolbar, the MSN toolbar, or their Google toolbar?

    1. Re:Which toolbar does this patch? by Kaboom13 · · Score: 2, Informative

      The Java SE page has downloads that don't have the obnoxious toolbar/trial crap in them
      http://java.sun.com/javase/downloads/index.jsp

  13. I hate JAVA update by JaCKeL+1.0 · · Score: 3, Insightful

    They will once again propose me to install a toolbar. WTF, just do your update and stop trying to install shit I don't want after I already said "NO" to the same question 10 freaking times before.

  14. Update Links by kcbnac · · Score: 2, Informative

    For Java, here's a quick link to see what version you have installed, and if there's a new version available or not:

    www.java.com/en/download/installed.jsp?detect=jre&try=1

    Here's one for Adobe Flash Player:

    http://www.adobe.com/software/flash/about/

    What other plugins are there links for like this?

    I'd love to have a page set up that I can just click through a set of links to verify each app is current when checking PCs. If the update process is painless enough, just have friends and family run through it every so often, or when they hear of a "java exploit" or "flash bug" or whatever. (I train most of 'em well enough that they can do this, or I automate the system to check regularly)

    The major browsers (except IE, that's tied to Windows) update themselves on Windows boxes - what links are useful to ensure the rest of the browser-accessible ecosystem is current?

  15. Write once, exploit everywhere by Slashcrunch · · Score: 4, Funny

    "Write once, exploit everywhere"

    Well, someone had to say it.