Slashdot Mirror


A Tidal Wave of Java Flaw Exploitation

tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack." Several days ago, Oracle released a patch that fixed 29 Java security flaws.

238 comments

  1. How? by MrEricSir · · Score: 4, Interesting

    The one question this article doesn't really clarify is pretty important: How are these exploits being loaded onto the user's computer?

    Are we talking applets, Java web start, or some other mechanism?

    --
    There's no -1 for "I don't get it."
    1. Re:How? by adisakp · · Score: 5, Informative

      CVE            Attacks    Computers  Description
      CVE-2008-5353  3,560,669  1,196,480  A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
      CVE-2009-3867  2,638,311  1,119,191  Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
      CVE-2010-0094    213,502    173,123  Another deserialization issue, very similar to CVE-2008-5353.

    2. Re:How? by Florian+Weimer · · Score: 5, Informative

      Propagation generally happens via applets, loaded through IFRAMEs or Javascript-based redirects. Actual payloads are not yet OS-agnostic (even though the exploits themselves are).
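
Florian Weimer's comment above describes the delivery path the thread keeps coming back to: a page carries a hidden IFRAME or a script redirect into a landing page that embeds a Java applet, and the applet is what reaches the vulnerable JRE. Added example, not code from the thread or from any project named in it: a small Python scanner that flags the markup such a landing page carries (hidden iframes, and applet, object or embed tags that invoke the Java plug-in) so a proxy log reviewer or incident responder can triage fetched HTML. The sample page and its example.invalid URLs are constructed; the generic Java Plug-in classid and the decoding of the version-specific CAFEEFAC classid family (which lets a page request a particular JRE update, a point raised later in the thread) are my reading of the plug-in's documented classid convention and are marked as assumptions in the code.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed sample of a landing page: a zero-size iframe into a redirector plus two
# ways of loading a Java applet. Not a real page from the thread; hosts are example.invalid.
SAMPLE_PAGE = """<html><body>
<p>Welcome to the site</p>
<iframe src="http://example.invalid/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<applet code="Main.class" archive="http://example.invalid/load.jar" width="1" height="1"></applet>
<object classid="clsid:CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA" width="1" height="1">
  <param name="archive" value="http://example.invalid/old.jar">
</object>
</body></html>"""

JAVA_MIMES = {"application/x-java-applet", "application/x-java-vm", "application/x-java-bean"}
# Assumed: generic Java Plug-in CLSID, and the version-specific CAFEEFAC family where
# 0016-0000-0011 pins JRE 1.6.0_11 and an update field of FFFF means "any update".
JAVA_PLUGIN_CLSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"
VERSIONED_CLSID = re.compile(r"clsid:cafeefac-(\d{4})-(\d{4})-([0-9a-f]{4})-abcdeffedcba")


def jre_from_clsid(clsid: str) -> Optional[str]:
    """Decode a CAFEEFAC classid into the JRE version it requests, e.g. '1.6.0_11'."""
    m = VERSIONED_CLSID.fullmatch(clsid.strip().lower())
    if not m:
        return None
    major, minor, update = m.groups()
    upd = "*" if update == "ffff" else f"{int(update):02d}"
    return f"{int(major[2])}.{int(major[3])}.{int(minor)}_{upd}"


def _is_hidden(a: Dict[str, str]) -> bool:
    """Zero/one-pixel frames or CSS-hidden frames: the usual shape of an injected loader."""
    style = a.get("style", "").replace(" ", "").lower()
    tiny = all(a.get(k, "").strip().rstrip("px") in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


class AppletLoaderScanner(HTMLParser):
    """Collects Java-loading applet/object/embed tags and hidden iframes from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, Optional[str]]] = []
        self._in_java_object = False

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._add("applet", a.get("archive") or a.get("code"))
        elif tag == "object":
            clsid = a.get("classid", "").lower()
            if clsid == JAVA_PLUGIN_CLSID or VERSIONED_CLSID.fullmatch(clsid) \
                    or a.get("type", "").lower() in JAVA_MIMES:
                self._in_java_object = True
                self._add("object", a.get("archive") or a.get("data"), jre_from_clsid(clsid))
        elif tag == "embed" and a.get("type", "").lower() in JAVA_MIMES:
            self._add("embed", a.get("archive") or a.get("code"))
        elif tag == "param" and self._in_java_object and a.get("name", "").lower() in ("archive", "code"):
            # A <param> inside a Java <object> names the jar; attach it to that finding.
            if not self.findings[-1]["target"]:
                self.findings[-1]["target"] = a.get("value", "")
        elif tag == "iframe" and _is_hidden(a):
            self._add("hidden-iframe", a.get("src"))

    def handle_endtag(self, tag: str) -> None:
        if tag == "object":
            self._in_java_object = False

    def _add(self, kind: str, target: Optional[str], requested_jre: Optional[str] = None) -> None:
        self.findings.append({"kind": kind, "target": target or "", "requested_jre": requested_jre})


def scan_html(page: str) -> List[Dict[str, Optional[str]]]:
    """Return every Java loader and hidden iframe found in the page, in document order."""
    scanner = AppletLoaderScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

The scanner deliberately ignores what the page says about itself and keys only on the tags that make the browser hand control to the Java plug-in; a `requested_jre` value below the patched update is the signal that the page is asking for a JRE the thread says should no longer be installed.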

    3. Re:How? by adisakp · · Score: 4, Informative

      The keywords in the above descriptions are "remote code execution through Java-enabled browsers on multiple platforms". The flaw is not Windows specific but could also be exploited on OSX and Linux.

    4. Re:How? by JonySuede · · Score: 2, Interesting

      According to CVE-2010-0094: the vulnerability is in RMIConnectionImpl, and since you can only initiate a connection to your host in an applet, I would guess that you would need to use Java Web Start.

      --
      Jehovah be praised, Oracle was not selected
    5. Re:How? by hydrofix · · Score: 3, Informative

      I feel that NoScript is doing a greater and greater work in protecting me each and every day.

    6. Re:How? by Anonymous Coward · · Score: 0

      I agree, I am annoyed by it always showing the donation page during its very frequent updates, which is why I've donated elsewhere so far, but I'm thinking that guy gets some of my holiday donations this year.

    7. Re:How? by doishmere · · Score: 3, Informative

      A few days ago smbc comics was hit with a Java exploit in the form of a popup that installed a trojan on users machines. People affected were discussing it here; from this it looks like mostly Windows machines were infected, but at least one user claims Ubuntu was affected.

    8. Re:How? by Bill_the_Engineer · · Score: 4, Informative

      CVE-2008-5353 was fixed with Apple's Java Patch #2 on June 15, 2009.

      CVE-2009-3867 was fixed with Apple's Java for OS X 10.6 Update #1 and Java on 10.5 Patch #6 on December 3, 2009.

      CVE-2010-0094 was fixed with Apple's Java for OS X 10.6 Update #2 and Java on OS X 10.5 Update #7 on May 18, 2010.

      The flaw may not be Windows specific, but OS X is not included in your list.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    9. Re:How? by Anonymous Coward · · Score: 0

      My "disable Java" option is even safer than your NoScript.

      Isn't NoScript for Javascript anyway, which has no relation whatsoever to Java?

    10. Re:How? by Anonymous Coward · · Score: 0

      you realize Java != Javascript

    11. Re:How? by Bill_the_Engineer · · Score: 5, Informative

      After further research, it appears that Oracle/Sun's latest version of Java addresses these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    12. Re:How? by Anonymous Coward · · Score: 0

      Here's what happened on my machine over the weekend: a Java ad with malware caused a buffer overflow condition (which was caught by McAfee) in JRE v11. Then it snuck in a malware executable (which was caught by McAfee), which then signaled other malware that I was open for business. Not caught by McAfee. Hilarity ensued as "explorer.exe" decided to catalog my entire system looking for passwords and account info.

      Malwarebytes detected this after the fact and cleaned it all, but after many hours of getting re-infected every time I re-connected to the internet, I found that it was a Java vulnerability. Simply uninstalling every JRE and updating to the latest version resolved everything.

    13. Re:How? by meloneg · · Score: 0, Redundant

      You do realize that NoScript blocks all embedded objects don't you?

    14. Re:How? by Maxo-Texas · · Score: 1

      Absolutely. And then I decide what I'm going to allow.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    15. Re:How? by emkyooess · · Score: 2, Informative

      In response to all of these "Java!=Javascript" comments that are here. Yes, we do. NoScript does a lot more than just JavaScript. It sandboxes Java and Flash until we tell them to run, too. It limits XSS. A lot of things, really.

    16. Re:How? by init100 · · Score: 3, Informative

      NoScript blocks all executable content on a web page, including Java applets, Javascript, Flash, etc, and lets you decide which ones to allow on a per-site basis.

    17. Re:How? by Erikderzweite · · Score: 1

      Well, those of us who update their Linux installation should be safe then. Windows is trickier of course with no centralized updates in place.

    18. Re:How? by bhcompy · · Score: 0, Redundant

      NoScript blocks .jar

    19. Re:How? by bhcompy · · Score: 1

      You can disable that easily within the NoScript configuration. A simple check box is all that needs to be unchecked.

    20. Re:How? by Kvasio · · Score: 2, Insightful

      Perhaps this is because each Java update forces the bloody 'autoupdater service' (jusched).
      Theoretically it allows the user to turn it off.
      When I turn it off, close the Java config and reopen it, the schedule is still active.
      Cutting it in the registry is the proper solution.

    21. Re:How? by adisakp · · Score: 2, Informative

      oh please clueless astroturfing MS fanbois: how can you mod +5 informative adisakp's clueless comment?

      Not so on Linux.

      I'm hardly an MS fanboi but I'll reply to your obvious flamebait anyhow. Isn't it a bit harsh to call someone "really clueless" when all I did was point out that the vulnerability exists on all platforms. After all, the summary makes it sound like a Windows-only problem.

      Yes it may be harder to escalate privileges but it's not impossible. Linux and OSX are inherently safer but they've been hacked in seconds to get root privileges in just about every pwn-contest held so far when 3rd party software with vulnerabilities is installed. Pretending this is a Windows-only issue isn't going to make OSX / Linux machines any safer.

    22. Re:How? by broken_chaos · · Score: 4, Informative

      It sandboxes Java and Flash until we tell them to run, too.

      You're saying two different things in this sentence, only one of which is true. NoScript does only load plugins if you click on them (assuming it's configured to do so), but it does not "sandbox" plugins in any way. If you allow a malicious object to be loaded in a plugin (such as by clicking on it), NoScript does nothing to stop it.

    23. Re:How? by Anonymous Coward · · Score: 0

      "Exploit once, infect anywhere!" - JAVA (TM)

      Java is a trademark of SUN^H^H^HOracle Corporation.

    24. Re:How? by djdanlib · · Score: 1

      When you update the JRE, it doesn't uninstall the old version. Can something exploiting these vulnerabilities request an older version? It would appear to be possible. I've always kept my JRE updated, but I still got hit with a couple of these this year before uninstalling Java entirely and throwing out any software that depends on it.

    25. Re:How? by Cougar+Town · · Score: 1

      Java installs its own updater on Windows. Unless you completely disable it, it will notify you of updates and install them for you.

    26. Re:How? by fast+turtle · · Score: 1

      You're Preaching to the Choir bucko but it's gotten to the point that NoScript goes onto every system I put Firefox on simply because of the various problems we've seen with J-Script and Java in general over the years.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    27. Re:How? by Anonymous Coward · · Score: 0

      Pffft. I don't know about other distros, but sun-java6 packages in Ubuntu are dismally supported and always have been. In prior releases, Ubuntu rarely updated the packages once they landed in the repositories, putting their users at risk with outdated and vulnerable Java versions. Now, it's been 6 days since Oracle released the 1.6.0_22 update, and Ubuntu/Canonical still doesn't have any updated packages in their repo. I don't understand why they can get a new version of Adobe Flash in the repo within a day or two of a security release, but not the Java packages. It's not like Ubuntu has to apply a lot of patches to make Java work. They slightly alter the JVM's directory structure and make some links in /etc/alternatives. That's basically it. It's disgraceful how Ubuntu is so concerned with making sure a proprietary closed-source product like Adobe Flash is quickly updated, but when it comes to Java they leave their users vulnerable to attacks.

    28. Re:How? by Altanar · · Score: 1

      Maybe in a couple of cases, but not mine. I was infected with the following on October 3, using JRE 1.6.0 Update 21, which was the newest build available when I was infected.

      • Exploit:Java/CVE-2009-3867.IJ
      • Exploit:Java/CVE-2008-5353.QV
      • Trojan:Java/Bytverify
      • Trojan:Java/Classloader.T
      • Trojan:Java/Mugademel.A
      • TrojanDownloader:Java/OpenConnection.EM

    29. Re:How? by drcheap · · Score: 1

      Platform independent security holes...sweet.

    30. Re:How? by hydrofix · · Score: 1

      You're Preaching to the Choir bucko but it's gotten to the point that NoScript goes onto every system I put Firefox on simply because of the various problems we've seen with J-Script and Java in general over the years.

      Appears as if the Choir was less-educated, at least judging by how many people believed that NoScript only blocks JavaScript.

    31. Re:How? by TheLink · · Score: 1

      Java ad with malware caused a buffer overflow condition (which was caught by McAfee) in JRE v11. Then it snuck in a malware executable (which was caught by McAfee) . Which then signaled other malware that I was open for business.

      Uh. How the heck can it signal other malware if it was really caught by McAfee?

    32. Re:How? by petermgreen · · Score: 1

      Even if I had Java applets enabled (which I don't) on my Linux desktop then all this would provide would be a remote non-admin/non-root exploit.
      meh for several reasons

      Firstly on most desktop boxes even those running linux most important stuff happens under one user account. Pwn that account and you can do a lot of damage.

      Secondly if you pwn a user account it's possible to modify that users menus and command line environment so that next time they do something that requires root privileges they give them to you as well as to the program they intended to give them to.

      Finally, while there may have been fewer local root holes on Linux than on Windows, they do still pop up from time to time. Lie low for a while and you can probably get root eventually if you really want it.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    33. Re:How? by interkin3tic · · Score: 1

      I agree, I am annoyed by always showing the donation page during it's very frequent updates

      Somewhat off topic, but I've been wondering for a while what all those updates are for. I'm guessing that disabling javascript is not like an on/off switch?

    34. Re:How? by John+Hasler · · Score: 1

      I strongly suspect that the exploits try to inject platform-dependent malware, though.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    35. Re:How? by zippthorne · · Score: 1

      I blame Minecraft.

      --
      Can you be Even More Awesome?!
    36. Re:How? by jonwil · · Score: 1

      Have these been fixed on OSX yet? If not, even more reason for Oracle to take back control of Java on OSX from Apple (who dont seem to care about Java anymore)

    37. Re:How? by Lunix+Nutcase · · Score: 0

      Windows is trickier of course with no centralized updates in place.

      Why is it trickier? The JRE on Windows has an updater that flags when an update is ready to install. For this not to happen the user has to specifically go out of their way to disable it.

    38. Re:How? by Anonymous Coward · · Score: 0

      I have modest hopes that the gents over at CoApp will solve that problem for Windows.

    39. Re:How? by Anonymous Coward · · Score: 0

      The Windows JRE has automatic software updates. Anyone who wants to upgrade can easily do so.

    40. Re:How? by PinkyGigglebrain · · Score: 1

      This makes me all the more glad I donated to NoScript yesterday.

      Come on people, if you use it donate, show your support! Same goes for all the other apps or plugins we all use.

    41. Re:How? by camperslo · · Score: 1

      It's a great utility, but it is odd that it only offers to block web bugs (a.k.a. clear GIFs, web beacons etc) on untrusted sites. I'd think people would like the option to block those all the time.

    42. Re:How? by camperslo · · Score: 1

      After further research, it appears that Oracle/Sun's latest version of Java addresses these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.

      I wonder what the situation is like on phones using JAVA...

    43. Re:How? by spongman · · Score: 1

      write once, hack everywhere.

    44. Re:How? by SamiKoivu · · Score: 1

      Yes, the name of the vulnerable class is RMIConnectionImpl, but to exploit it no connections are necessary. It's a local sandbox-escape/privilege escalation for Java applets, basically.

    45. Re:How? by amorsen · · Score: 1

      Except those of us forced to run Oracle Java because Java programmers are universally clueless and so the online banking applet doesn't work in OpenJDK. First you need to build the RPM yourself because JRE 1.6.0 STILL isn't free software (or accept the prebuilt pseudo-RPM which craps all over the system), and after that there are no more automatic updates.

      Just to REALLY make sure that you might not accidentally lose out at the chance of some malware, Oracle Java also needs stack execution protection turned off in Firefox.

      --
      Finally! A year of moderation! Ready for 2019?
    46. Re:How? by Vectormatic · · Score: 1

      which is bat-shit annoying compared to the centralized update mechanism in most linux distros.

      Not to mention the sneaky attempts to also install openoffice or a google toolbar along with the update..

      (honestly, i liked sun, but their update shens became a bit rude. Knowing oracle though, the next java update will come with a mandatory install of some oracle enterprise product, followed by a license key bill for every single cpu core in your system)

      --
      People, what a bunch of bastards
    47. Re:How? by Vectormatic · · Score: 1

      Just started a Java update (you know, wouldn't want to get my work machine compromised), and what do you know? Oracle wants me to install the Bing toolbar for Internet Explorer..

      Since when does MS need lackeys like Ellison to install their crappy toolbars?

      --
      People, what a bunch of bastards
    48. Re:How? by rolfc · · Score: 1

      Well, if you do apt-get update now, you will see it.

    49. Re:How? by muntis · · Score: 1

      Yes, who does not hate all these Windows update services, for Java, for Chrome, for Adobe. When a computer starts to slow down, especially on Win XP, the first thing I do is look up all these quickstarts and updaters and turn them off through msconfig.

    50. Re:How? by Tteddo · · Score: 1

      If you are in Vista or 7, find the executable for the java control panel applet and right click to "Run As Administrator". Then what you change will stick.

    51. Re:How? by adisakp · · Score: 1

      If you've updated OSX, yes you are fixed. If you have updated Java on a PC you are fixed as well.

      The vulnerabilities lie on un-updated machines. If we consider a magical world of only properly updated machines, the problem doesn't exist on Windows either.

    52. Re:How? by WuphonsReach · · Score: 2, Insightful

      After further research, it appears that Oracle/Sun's latest version of Java addresses these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.

      Probably because the Java updater is a piece of garbage that constantly tries to get you to install toolbars from Bing! or Yahoo! or whoever else is attempting to line their pockets this month.

      An update tool should not attempt to install additional software.

      --
      Wolde you bothe eate your cake, and have your cake?
    53. Re:How? by adisakp · · Score: 1

      Just realized the above post sounds a bit snide... but saying a problem doesn't exist on updated machines is a lot different from saying a problem doesn't exist. Unfortunately many users don't update... they might not know how, they might choose not to, or their updater might be broken (happens in Windows a lot).

    54. Re:How? by Bill_the_Engineer · · Score: 1

      The key difference between Java on Windows and Java on OS X is that Apple includes Java as part of their OS. It is updated with the rest of their OS.

      Of course Apple is slower than Oracle about getting the latest language features out the door, but they are pretty reliable (not perfect) with security updates for the versions already released.

      Linux has the same advantage since most people use the package manager to install Java and it's updated as soon as the update reaches the repositories.

      Since Java is not part of the Windows update, Oracle relies on their own software updater. Unfortunately, they take the opportunity to use it to push other software which causes most people to disable the updater resulting in all these exploitable machines.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    55. Re:How? by drcheap · · Score: 1

      I strongly suspect that the exploits try to inject platform-dependent malware, though.

      Nah they write the malware in Java, too ;)

    56. Re:How? by Anonymous Coward · · Score: 0

      For this not to happen the user has to specifically go out of their way to disable it.

      Or use windows as a non-administrative account, which will never get to install the update.

      At least Windows 7 is finally ready for the desktop what with the ability to designate normal users as having permission to agree to microsoft's frequent license changes so that (microsoft's, not Java's) updates can be installed automatically. Without having to dive into inner arcana of the Group Policy Editor and registry, that is.

  2. Nervous by Konster · · Score: 4, Funny

    Seeing Oracle and Java all in the same sentence gives me a nervous tic...the same nervous tic that I developed when I read MS was in talks to acquire Adobe.

    1. Re:Nervous by MrEricSir · · Score: 4, Funny

      Just wait until you hear the news that Larry Ellison is buying Linus Torvalds.

      --
      There's no -1 for "I don't get it."
    2. Re:Nervous by Anonymous Coward · · Score: 0

      Thank you for your contribution. You may return to algebra class now.

    3. Re:Nervous by Dystopian+Rebel · · Score: 1

      Seeing Oracle and Java all in the same sentence gives me a nervous tic

      Well, seeing Oracle and "Eleonore, Crimepack and SEO Sploit Pack" in the same paragraph makes me nervous.

      When Ellison's raiders see a money-making opportunity, they go for it.

      --
      Rich And Stupid is not so bad as Working For Rich And Stupid.
    4. Re:Nervous by julesh · · Score: 1

      Just wait until you hear the news that Larry Ellison is buying Linus Torvalds.

      "Linux, I am your father."

      "NOOOOOO!!!!!"

    5. Re:Nervous by Anonymous Coward · · Score: 0

      ...or Zynga is buying Valve

    6. Re:Nervous by kholburn · · Score: 1

      Seeing Oracle and Java all in the same sentence gives me a nervous tic...the same nervous tic that I developed when I read MS was in talks to acquire Adobe.

      Seeing Microsoft advising about security gives me that kind of nervousness. Especially when they are pointing the finger at someone else.

      Let's see, Java runs on lots of platforms. Has it the same vulnerabilities on them? So we should all uninstall java and depend on Active-X? Which is now secure?

    7. Re:Nervous by Anonymous Coward · · Score: 0

      Linus Torvalds is not for sale. He's free.

  3. Patches have been available for a long time by adisakp · · Score: 3, Insightful

    FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.

    So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.

    1. Re:Patches have been available for a long time by lgw · · Score: 4, Insightful

      I've run out of space in my head for all the different tools I need to separately manage updates for.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Patches have been available for a long time by MozeeToby · · Score: 4, Interesting

      For reasons I have never been able to figure out, Java has significant issues auto updating on all my home Windows computers (XP, Vista, and 7). Sure enough, just last week I had to spend a night sanitizing one of the systems, for now I've uninstalled Java until I have the chance to figure out just what the problem is but honestly not having it hasn't been a problem so I'll probably just leave it off until I find something that actually requires it.

    3. Re:Patches have been available for a long time by Florian+Weimer · · Score: 4, Interesting

      Java updates contain unrelated bugfixes and functionality, breaking applications. They are far from being minimal updates. Back in the Sun days, this was addressed by enabling parallel installation of many JVM versions. It was even possible for web content to request a specific JVM version, which means that you actually had to update to a newer version and delete all the old versions. I'm not completely sure that this part has actually been addressed. It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).

    4. Re:Patches have been available for a long time by Anonymous Coward · · Score: 5, Funny

      I've run out of space in my head for all the different tools I need to separately manage updates for.

      Sounds like you need a computer.

    5. Re:Patches have been available for a long time by yyxx · · Score: 0, Flamebait

      There is a solution for that: use Ubuntu Linux.

    6. Re:Patches have been available for a long time by wjousts · · Score: 1

      The only virus I ever got was on my wife's laptop and it appeared to come in through Java. She was sick of being constantly nagged to update Java anyway, so I removed Java completely. I had to nuke her account to completely clean it.

    7. Re:Patches have been available for a long time by ADRA · · Score: 3, Insightful

      Java web start allows a developer to specify an exact version of the JVM to run. If that JVM doesn't exist, it could be downloaded from Oracle through the web start installation process. I'm not sure if you can specify flaw enabled versions of the JVM anymore, but at least there are dialogs and choices to make before the JVM gets installed anyways, so a naked web site can't just inject a bad JVM into your system based on an exploit web start file. The same goes for applets these days, as applets and web start start merging into some sort of common entity.

      That said, there are a lot of 3rd party vendors that have installed JVM's over things, and set environment variables that break other things over the years (Oracle DB client I'm looking at you!) that can cause all sorts of compatibility problems.

      --
      Bye!
    8. Re:Patches have been available for a long time by Anonymous Coward · · Score: 1, Interesting

      The best solution then is to leave it uninstalled permanently. I mean really what do you need it for on a home machine? It's not like there are any apps that need it.

    9. Re:Patches have been available for a long time by Darkness404 · · Score: 2, Insightful

      Exactly. Java has become a massive security hole with exploits left and right with fewer and fewer things that use it.

      Plus, the patch wants you to install a massive amount of crapware in order to patch your system.

      --
      Taxation is legalized theft, no more, no less.
    10. Re:Patches have been available for a long time by coredog64 · · Score: 1

      If you still need 1.4 or 1.5, you can get support but it's going to cost you. I've got an install of JDK 6u11 in parallel with newer versions because of a Swing change that broke some Sun/NetBeans tooling. IIRC, 6u17 was another game changer.

    11. Re:Patches have been available for a long time by tuffy · · Score: 2, Insightful

      "Write Once, Run on a Very Specific Virtual Machine Version Which We'll Download For You Automatically" doesn't sound quite so appealing.

      --
      Ita erat quando hic adveni.

    12. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

      it isn't an update.. it installed another copy of java with no option to uninstall old (exploitable) jre/jdk installations.

    13. Re:Patches have been available for a long time by mspohr · · Score: 1

      Linux and Mac use repositories which manage updates for the system and all applications. Automatic. No space in the head required.

      --
      I don't read your sig. Why are you reading mine?
    14. Re:Patches have been available for a long time by abigor · · Score: 1

      You can always tell the people that don't work in "the biz" when they make comments like the parent's.

    15. Re:Patches have been available for a long time by ADRA · · Score: 4, Informative

      There are maybe 3 major versions of Java still in somewhat standard use: 1.4, 1.5, and 1.6. Unless the application in question has some very specific quirks, users should always be able to use the latest and greatest version of 1.6 to run them. The allowance for using older versions of the platform is a feature, not a hindrance.

      It means that if I want to use "BadSoftwareCompany"'s piece of java software, I'm not confined with downloading and breaking my host's latest version of the java if their code only works with 1.4 or 1.5. If I didn't have the feature, I just couldn't use the software without a huge head-ache. To assume that every version of every software will work forever is delusional, but at least there are facilities to support the older tech.

      --
      Bye!
    16. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

      Can't: driver issues.

    17. Re:Patches have been available for a long time by vlm · · Score: 4, Interesting

      He seemed pretty accurate other than some exaggeration. If you want to see a "Massive amount of crapware" buy a PC from a big box store, not "java tried to install the yahoo toolbar boo hoo".

      The funniest Java related thing I've seen, is amongst the non-computer cow orkers "Oh man, another java program, that thing is gonna be slow and take IT forever to install (actually they mean the JVM) and crash all the time". Computer people have known that for over a decade now, the funny part is hearing non computer people start to complain.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    18. Re:Patches have been available for a long time by tlhIngan · · Score: 1

      It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).

      Including, surprisingly, Android.

      OpenJDK 1.6 works with Android, but if you want to use the official one they recommend, you have to use 1.5 (Java 5) because of some oddball parser issues in official Oracle JDK 1.6.

      So one's choices are to use the unsupported OpenJDK 1.6 with Android, or the unsupported (but Android-supported) JDK 1.5. Bleh.

      I hope Android 3.0 fixes this. This is an issue on Ubuntu 10.04 and onwards, as JDK 1.5 is no longer in the repository and you have to do some hacks to get 9.x JDK 1.5 in...

      http://source.android.com/source/download.html

    19. Re:Patches have been available for a long time by jmpeace · · Score: 1

      apt-get upgrade

    20. Re:Patches have been available for a long time by cb88 · · Score: 0

      Maybe you missed his point ... there are quite a few free and non-free C compilers with fairly high compliance to standards. Can the same be said for Java? Non-Sun/Oracle-derived Java implementations pretty much don't exist... and the derivations that do exist are just redesigns of the VM which serve to introduce incompatibilities/bugs.

    21. Re:Patches have been available for a long time by Ant+P. · · Score: 5, Funny

      I guess Windows isn't ready for the desktop.

    22. Re:Patches have been available for a long time by lgw · · Score: 3, Informative

      All it needs is to allow me to manage a list of repositories that I trust (one centrally managed repository won't fly in the commercial world, but it doesn't have to be that way). It's a small addition - maybe next year will be the year of Windows on the desktop!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    23. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

      MSJVM, bitches

    24. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

      I've run out of space in my head for all the different tools I need to separately manage updates for.

      Sounds like you need a computer.

      The article on Crimepack which is linked in the summary, advises Secunia to check which packages on your machine need to be updated.

    25. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

      Linux and Macs are BOTH managing single-source repositories. One of these is mostly open source and uses standard packaging rather than company-specific install-time code. With a 5+ year track record of Ubuntu repositories, and zero track record on MS's part, (except for their new suggestions thing in W7) there is no value added for devs even if Windows gets a universe-type repo tomorrow.

      The way things are in the Win32 world, this will be done with MSIs, which most amateurs do not use for installs and some pros fear due to post-release hacks inadvertently allowed by them. There will need to be some sort of widely adopted NEW api, and knowing Windows devs, it always takes 2 Windows releases before they learn to not screw up installs, read/write/exe access rights, firewall stuff and HD locations for their crap.

      To summarize, it would be a major hassle for coders who already have a tried-and-true track/distribute like we want method. Matter of fact, those damn auto-update programs take care of the maintenance part of the install, but for MS to make an app store to access the code files would be a problem too. Let alone giving corporations rights to disallow specific functions and apps so people won't win32-apt-get install pr0n-downloader to their business machines.

    26. Re:Patches have been available for a long time by blackest_k · · Score: 2, Informative

      Usually that is the case but

      https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/659937

      The current version appears to be vulnerable. You can manually update or use the PPA:

      sudo add-apt-repository ppa:duh/sun-java6

      and then the usual update/upgrade.
      When the official packaging comes out it should overwrite the PPA version.

    27. Re:Patches have been available for a long time by scdeimos · · Score: 1

      So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.

      Even patched machines are vulnerable as well, at least on Windows (don't know if it does this on other OSs). Java updates on Windows do not uninstall previous versions of Java, they just add a new one.

      Since Java apps can request specific versions of the JRE to run in, even patched machines are vulnerable until the user/admin uninstalls the previous versions.

    28. Re:Patches have been available for a long time by lazyforker · · Score: 1

      There's an app for that, probably.

    29. Re:Patches have been available for a long time by Altanar · · Score: 1

      My machine was auto-updated to JRE 1.6.0 Update 21 (the newest available on October 3) when it was infected with three different Java trojans and a downloader using two different Java exploits. Perhaps Java is a buggy piece of shit that should be uninstalled immediately.

    30. Re:Patches have been available for a long time by TheRaven64 · · Score: 1

      Two or three java vulnerabilities ago, I disabled the Java plugin in my browser. Last vulnerability, I went to disable it again, only to discover that I never got around to reenabling it because I never came across a site with a Java applet in it. I presume there are still some out there, but I've not seen any for a very long time.

      --
      I am TheRaven on Soylent News
    31. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

      Until you install a few dozen interesting looking apps and development tools from Ubuntu's default repositories, and Ubuntu's package manager gets all confused by the new version dependency graph since you've deviated from the default installation, and then security updates just flat out stop working (yes, this _did_ happen to me and no, I hadn't installed software or drivers from anywhere except apt-get from Ubuntu's own repositories but no, it wasn't as bad as when Suse 9.0's KDE WM quit working after I installed Qt development libraries lol). Then no space is required in your head either, because you just can't do any updates at all. Umm, win?

      Linux needs to annihilate dependency-hell before it even begins to become ready for serious desktop use. No, package managers and repositories are _not_ the answer, not if Ubuntu the "user friendly" distro can't even get it right for *all* of the apps in their own repositories. Providing a way to install any application and its dependencies separately from all other installed applications and libraries, and making that the default except perhaps when the OS detects opportunities for sharing identical libraries (using md5 sums similar to the new memory page sharing approach recently added to the kernel) - _that_ would be the answer. There should be NO coincidental coupling between unrelated software applications, that's SW engineering 101, and it's also basic decency to the end user.

    32. Re:Patches have been available for a long time by John+Hasler · · Score: 1

      I've never run across a site that required Java (which I've always had disabled in Firefox). I do have Java installed so that I can run applications that use it, but why should I enable it in my browser?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    33. Re:Patches have been available for a long time by jrumney · · Score: 1

      I suspect part of the problem is that Sun introduced a way for a web page to request a specific version of Java in the OBJECT tag due to developers being uneasy about the possibility of their applet being run on a version of Java they hadn't tested with. Additionally, when you upgrade Java, it installs the new version alongside the older installs, so the old versions are still there to be exploited.

    34. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

    35. Re:Patches have been available for a long time by shutdown+-p+now · · Score: 1

      In some cases, Java/JVM design itself lends itself to problems with versioning. For example, since all methods are virtual (in the Simula/C++ sense of the word) by default, and any method with a matching name and signature in a derived class will override one in the base class, any addition of a new non-sealed non-private/package method to a non-sealed non-private/package class is potentially a breaking change. It's a rare thing to run into in practice, but due to the sheer amount of Java code out there, it's not impossible.

      Note that @Override doesn't help here - it helps to make sure that your method does indeed override what you intend it to, but there's no way to ensure that your method does not override anything accidentally.
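      A small illustration of the overriding hazard described above, added here as an example and not code from the thread: a hypothetical library class gains a public method in a new release, an application subclass written against the old release already had a method with the same name and signature, and the library's own logic now silently calls the subclass's version. The reflective audit helper at the end is my own construction, not an existing tool.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

// Hypothetical "library" class as it looks in version 2. Version 1 had no
// fingerprint() method at all; the maintainers added it and made verify()
// depend on it.
class LibraryRecord {
    protected final byte[] payload;

    LibraryRecord(byte[] payload) { this.payload = payload; }

    // New in v2. Public and non-final, so any subclass method with the same
    // name and parameter list overrides it, whether or not that was intended.
    public int fingerprint() {
        int h = 0;
        for (byte b : payload) h = 31 * h + b;
        return h;
    }

    // Also new in v2: the library trusts its own fingerprint() here.
    public boolean verify(int expected) {
        return fingerprint() == expected;
    }
}

// Application subclass written against v1, where the name fingerprint() was
// free. Here it meant a constant type tag, not a hash of the payload.
class AppRecord extends LibraryRecord {
    AppRecord(byte[] payload) { super(payload); }

    public int fingerprint() {   // no @Override: the author never meant to override
        return 0xCAFE;
    }
}

public class AccidentalOverride {
    // Audit helper (assumed, not a JDK facility): list every non-private,
    // non-static method of cls that overrides a method of some superclass.
    // @Override has source retention only, so it cannot be seen here; the list
    // therefore has to be reviewed against the overrides the developer intended.
    static List<String> overriddenMethods(Class<?> cls) {
        List<String> hits = new ArrayList<>();
        for (Method m : cls.getDeclaredMethods()) {
            int mods = m.getModifiers();
            if (m.isSynthetic() || Modifier.isPrivate(mods) || Modifier.isStatic(mods)) continue;
            for (Class<?> sup = cls.getSuperclass(); sup != null; sup = sup.getSuperclass()) {
                try {
                    Method base = sup.getDeclaredMethod(m.getName(), m.getParameterTypes());
                    if (!Modifier.isPrivate(base.getModifiers())) {
                        hits.add(cls.getSimpleName() + "." + m.getName()
                                + " overrides " + sup.getSimpleName() + "." + base.getName());
                        break;
                    }
                } catch (NoSuchMethodException ignored) {
                    // no method with that signature in this superclass; keep climbing
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        byte[] data = {1, 2, 3};                       // constructed sample payload
        LibraryRecord r = new AppRecord(data);
        int realHash = new LibraryRecord(data).fingerprint();

        // verify() dispatches to AppRecord.fingerprint(), so the constant tag
        // "verifies" while the genuine hash of the payload is rejected.
        System.out.println("verify(0xCAFE)   -> " + r.verify(0xCAFE));
        System.out.println("verify(realHash) -> " + r.verify(realHash));

        for (String hit : overriddenMethods(AppRecord.class)) {
            System.out.println("audit: " + hit);
        }
    }
}
```

      Declaring the library method `final`, or keeping internal helpers private, removes the dispatch point; the audit only helps find the accidental overrides that already exist.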

    36. Re:Patches have been available for a long time by metrix007 · · Score: 1

      Fuck that, repositories are a step backwards. There is a reason only a few distros use them.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    37. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

      If you are using Windows, check out Secunia PSI if you are a home user or CSI if you are a corporate user. Both check the software installed on your computer and compare it against the Secunia vulnerability database. If you have any exploitable software, PSI/CSI will inform you about that software and, if there's a fix available, PSI/CSI will provide further instructions on how you can fix the problem.

      I do not work for Secunia. Their PSI/CSI is the closest thing on Windows to aptitude - e.g. get all the updates from one place.

    38. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

      FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.

      So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.

      The JRE doesn't bug the user daily with "update now" popups... depends on settings.

    39. Re:Patches have been available for a long time by Anonymous Coward · · Score: 0

      Well played, sir!

    40. Re:Patches have been available for a long time by TheRaven64 · · Score: 1

      You're confusing the language and the platform. There are several implementations of Java-the-language, including Google's Dalvik, Kaffe, IBM's small collection of VMs, and so on. There is only one complete implementation of Java-the-platform, which includes all of the standard class libraries.

      To make an accurate comparison to C, you also need to include things like GUI toolkits. How many independent, complete, implementations are there of GTK? Win32? Or any other C toolkit that you happen to prefer?

      --
      I am TheRaven on Soylent News
    41. Re:Patches have been available for a long time by hcgpragt · · Score: 1

      You don't have to. There are tools for that.

      The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases. These are then neatly displayed in your browser for you to download.

    42. Re:Patches have been available for a long time by blackest_k · · Score: 1

      The official update is out now and overwriting the ppa version on my system as I type.

    43. Re:Patches have been available for a long time by MareLooke · · Score: 1

      The funniest thing is that it is no longer true. And hasn't been true since the 1.5 release. Java is no slower than, say, .Net (iirc it's even way faster). I have no idea why this bullshit keeps coming up every time someone mentions Java.

      And crash all the time? Hire better developers.

    44. Re:Patches have been available for a long time by drolli · · Score: 1

      Normally I expect apt-get update to take care of it.

      Under Windows the update hint constantly popping up triggers a reflex in my hand to click on it. No thoughts are wasted.

  4. Nerd rage by Anonymous Coward · · Score: 1, Interesting

    People are angry at Oracle for screwing Sun so they are writing exploits for revenge.

    1. Re:Nerd rage by interkin3tic · · Score: 4, Insightful

      Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?

    2. Re:Nerd rage by dirtyhippie · · Score: 1

      I doubt it, but there is definitely a strong time correlation between the increase of Java attacks and Oracle's Sun acquisition. My guess would be that because Oracle doesn't know how to monetize Java (without suing others), attention is shifting away from Java and the code is getting a thin film of dust over it.

    3. Re:Nerd rage by Anonymous Coward · · Score: 0

      Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?

      Microsoft? Seriously... who has the most to benefit from Java becoming "untrusted."

    4. Re:Nerd rage by gtall · · Score: 1

      To date, Oracle is only suing Google for creating Near Java. I'm a bit fuzzy about how they feel they are entitled to do this given Google isn't using any Sun tech, but then Oracle is probably fuzzy on this point as well. Anyhow, how many organizations are producing Java versions? Why should yer basic Fortune 500 give a rat's ass about Oracle suing for mutant Java implementations when all they're doing is using either Oracle's or IBM's version? And IBM just bent over to receive Uncle Larry's teenie weenie to preserve them from having their license revoked in 2015 when it comes due for renewal. If IBM had any balls, they'd have told Uncle Larry to stick it where the Sun don't shine, remove Oracle IP, and fork the damn thing.

    5. Re:Nerd rage by John+Hasler · · Score: 1

      To date, Oracle is only suing Google for creating Near Java, I'm a bit fuzzy about how they feel they are entitled to do this given Google isn't using any Sun tech...

      Patents.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    6. Re:Nerd rage by gtall · · Score: 1

      Google's version was clean room, you cannot patent ideas, only implementations.

    7. Re:Nerd rage by Richard_at_work · · Score: 1

      Clean room implementations defeat copyright, not patents...

  5. JVM on Windows? by big+dumb+dog · · Score: 0, Troll

    Anyone who would deploy a JVM on Windows instead of Linux is probably writing crap code in the first place.

    --
    "Seven years of college down the drain. Might as well join the f-ing Peace Corps." - John 'Bluto' Blutarsky
    1. Re:JVM on Windows? by jgagnon · · Score: 1

      Yeah, because nobody ever runs Java applets on Windows...

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.
    2. Re:JVM on Windows? by MrEricSir · · Score: 4, Funny

      Yeah, they should have used ActiveX, right?

      --
      There's no -1 for "I don't get it."
    3. Re:JVM on Windows? by Anonymous Coward · · Score: 1, Insightful

      You are missing the point. If you are distributing a JVM to run your application, chances are you are only running your code, and you are doing so outside a sandbox.

      Untrusted Java code is typically run either as a web browser applet, or as a Java Web Start application. Typical scenario: User visits bad web page (or sees a bad ad) with a Java applet. It loads, exploits a vulnerability in the Java sandbox, and executes its code. Applets are in the browser's code domain, so it is possible that the web browser may catch that. Java Web Start is a bit trickier to get the user to start up, but it executes in its own domain.

      Many of the vulnerabilities seem to be tied to deserialization, which is not surprising, given that Java deserializes objects using reflection and magic to set fields and bypass execution of the constructor. The approach makes it easier to write serializable objects, but makes it harder to check everything.
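      An added example, not from the thread, of the deserialization point above: the constructor's check never runs on a deserialized object, so a stream carrying an invariant-breaking field value is accepted unless readObject re-validates it (and, on Java 9 or later, an ObjectInputFilter restricts which classes may be deserialized at all). The class names and the marker-patching trick that stands in for an attacker-controlled stream are my own constructions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

// Naive class: the only invariant check lives in the constructor, which
// deserialization bypasses (fields are populated reflectively).
class Quota implements Serializable {
    private static final long serialVersionUID = 1L;
    private final int limit;

    Quota(int limit) {
        if (limit <= 0) throw new IllegalArgumentException("limit must be positive");
        this.limit = limit;
    }

    int limit() { return limit; }
}

// Hardened class: readObject re-checks the invariant on the bytes that arrived.
class HardenedQuota implements Serializable {
    private static final long serialVersionUID = 1L;
    private final int limit;

    HardenedQuota(int limit) {
        if (limit <= 0) throw new IllegalArgumentException("limit must be positive");
        this.limit = limit;
    }

    int limit() { return limit; }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (limit <= 0) throw new InvalidObjectException("limit must be positive, got " + limit);
    }
}

public class DeserializationInvariants {
    // Marker value for the valid object; its big-endian encoding is located in
    // the serialized stream and overwritten with -1 (four 0xFF bytes). This
    // simulates a stream whose contents the sender controls.
    static final int MARKER = 0x5EADBEEF;

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static byte[] tamper(byte[] stream) {
        byte[] needle = {(byte) (MARKER >>> 24), (byte) (MARKER >>> 16),
                         (byte) (MARKER >>> 8), (byte) MARKER};
        byte[] out = stream.clone();
        for (int i = 0; i + needle.length <= out.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(out, i, i + needle.length), needle)) {
                Arrays.fill(out, i, i + needle.length, (byte) 0xFF);   // limit becomes -1
                return out;
            }
        }
        throw new IllegalStateException("marker not found in stream");
    }

    // Java 9+: allow exactly one class and reject everything else, so unexpected
    // classes are refused before their own readObject can run.
    static Object deserialize(byte[] stream, String allowedClass)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(allowedClass + ";!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a valid object, then its stream patched to limit = -1.
        Quota q = (Quota) deserialize(tamper(serialize(new Quota(MARKER))), "Quota");
        System.out.println("naive class accepted limit = " + q.limit());   // constructor never ran

        try {
            deserialize(tamper(serialize(new HardenedQuota(MARKER))), "HardenedQuota");
            System.out.println("hardened class accepted the stream (unexpected)");
        } catch (InvalidObjectException e) {
            System.out.println("hardened class rejected the stream: " + e.getMessage());
        }
    }
}
```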

    4. Re:JVM on Windows? by big+dumb+dog · · Score: 1

      Anyone who would deploy a JVM on Windows instead of Linux is probably writing crap code in the first place.

      I can't believe someone Trolled me...

      --
      "Seven years of college down the drain. Might as well join the f-ing Peace Corps." - John 'Bluto' Blutarsky
    5. Re:JVM on Windows? by Anonymous Coward · · Score: 0

      Anyone who would deploy a JVM on Windows instead of Linux is probably writing crap code in the first place.

      I can't believe someone Trolled me...

      Nelson: Haw haw

      If you were going for Funny you forgot to get the latest update for your 'Joke' VM.

  6. Stuck on old versions by Anonymous Coward · · Score: 0

    Meanwhile, I continue to be forced to use Java 1.5 at work because a product supplied by Oracle (Discoverer) doesn't run properly on a newer version.

    (At least the version our organization has doesn't work. There's a theoretical upgrade coming in November. Let's hope I don't get pwned before then.)

    1. Re:Stuck on old versions by leenks · · Score: 1

      So fix your broken government department's IT policy.

    2. Re:Stuck on old versions by JonySuede · · Score: 1

      What is so hard about using the 1.5 JRE for this particular app and the modern, still supported 1.6 JRE for the rest of the system?

      --
      Jehovah be praised, Oracle was not selected
    3. Re:Stuck on old versions by StoatBringer · · Score: 1

      An awful lot of big organisations are terrified of upgrading anything in case things stop working (and of course, nobody wants to be the one who suggested the upgrade if it all goes wrong). I've seen so many places that will not move past IE6 and Java 1.4 because they daren't risk their clunky old systems not working anymore.

      --
      Cress, cress, lovely lovely cress
    4. Re:Stuck on old versions by gtall · · Score: 1

      I happen to be in charge of our government IT policy. I will henceforth dictate that all government departments' IT policy be fixed to accommodate Oracle products henceforth. There, howzzat?

    5. Re:Stuck on old versions by jonwil · · Score: 1

      That's why you get one computer, update it, spend some time making sure the old apps run and, if they do, roll it out company-wide.
      If they don't run, you either don't roll the updates out or you find newer versions of the apps that do run.

      Companies that refuse to update past IE6 or update the JVM or whatever because they have known incompatibilities with important apps are fine. Companies that refuse to update because there MIGHT be issues (and they don't know either way because no-one has bothered to do some testing) are the problem.

  7. Great by rakuen · · Score: 1

    So now not only are PDFs and Java processing landmines, they're now viral landmines as well.

  8. Oracle just put me in a rough spot by Anonymous Coward · · Score: 2, Interesting

    This creates a huge issue for the company I provide support for. We have so far not updated beyond 6u20. That is the last version of the JVM to carry the "Sun Microsystems" label instead of something referencing Oracle.

    Some divisions of this company (and I would assume others as well) still run apps that seem to be incompatible with anything above 6u20 for this reason. Oracle's poor stewardship toward the Java platform has led to a situation where we will have to make a decision on a per-workstation basis whether to lose access to some important applications, or remain vulnerable to Java exploits for an unknown and possibly indefinite period of time.

    1. Re:Oracle just put me in a rough spot by Anonymous Coward · · Score: 0

      6u20 is pretty recent. I would assume that the apps are fucked in some way - i.e. using things that are unspecified or relying on non-guaranteed behaviour. Each JVM has to undergo strict checking before it is certified for release (deprecated methods anyone?). If the company chooses to ignore updates, then it's their problem (like Eclipse depending on a vendor string for example....). My guess is probably your app was depending on a bunch of deprecated unsupported shit and now finally 6u21 has managed to bork the system.

      Since you can specify which version of the JVM, or even include it in a separate app dir, these problems seem to be on the part of the devs (like using the latest version of .NET for example without checking it actually exists)

    2. Re:Oracle just put me in a rough spot by pwagland · · Score: 1

      The grandparent probably has customers using Eclipse, the only program that I know of to have the problem; there may well be others, but they are not in as widespread use.

      However, Oracle has already fixed that problem, so the GP is just trolling.

      http://ianskerrett.wordpress.com/2010/07/29/oracle-demostrates-great-community-support-and-fixes-eclipse/
      http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6969236
      http://bewarethepenguin.blogspot.com/2010/07/tip-of-hat-to-oracle.html

  9. Patch bloat by edxwelch · · Score: 5, Interesting

    What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.

    1. Re:Patch bloat by Anonymous Coward · · Score: 0

      Nonsense. The patch is to disable the web plugin. Java doesn't belong in browsers.

    2. Re:Patch bloat by TubeSteak · · Score: 4, Informative

      What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.

      If you update through the java control panel, it definitely does not grab the entire 77MB package + toolbar.

      --
      [Fuck Beta]
      o0t!
    3. Re:Patch bloat by _xeno_ · · Score: 2, Informative

      Last I checked, that just updated the JRE - the only way to update the JDK was to pull a complete new copy.

      --
      You are in a maze of twisty little relative jumps, all alike.
    4. Re:Patch bloat by bill_mcgonigle · · Score: 1

      What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.

      chkconfig yum-cron on

      Presto will handle the deltarpms.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Patch bloat by poor_boi · · Score: 1

      If you download Java (JRE or JDK) via the developer site, the installer doesn't have any toolbars or crapware embedded in it. Only the java.com-hosted installer has a toolbar "offer" during install. This is why I always download from java.sun.com (I suppose now it's http://www.oracle.com/technetwork/java/javase/downloads/index.html).

    6. Re:Patch bloat by interkin3tic · · Score: 1

      You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.

      77mb!?! Well, that pretty much fills up MY entire hard drive.

    7. Re:Patch bloat by edxwelch · · Score: 1

      That's how I updated... ah, I'm not sure about the file size, but it definitely tried to install the Yahoo toolbar.

    8. Re:Patch bloat by Anonymous Coward · · Score: 0

      I've had the control panel updater push toolbars and OpenOffice. That's just unforgivable, and Java is now installed only on a need-to-use basis on any systems I set up. If Adobe Reader 10 doesn't solve the ongoing security problems in that application, it's getting the same treatment.

      On the plus side, my default installs are getting mighty slim!

    9. Re:Patch bloat by zippthorne · · Score: 1

      You shouldn't need the JDK just to run some random java app. Something is very wrong here.

      --
      Can you be Even More Awesome?!
    10. Re:Patch bloat by _xeno_ · · Score: 2, Informative

      Quite a few people who post on Slashdot are developers. I happen to be employed to write Java webapps. To do this, I need the JDK.

      If you're doing the full 77MB download, you're grabbing the JDK. As I posted, as far as I know, Sun never offered patches for the JDK: your only choice was to redownload the entire thing. Oracle appears to be continuing that practice.

      If all you're using is the JRE, the download is much smaller (16MB versus 77MB) and it should be able to automatically update via patches.

      However for quite a few Slashdot posters, the JRE is not an option, and we're stuck downloading the entire JDK. Every. Single. Freaking. Time. It's a bit annoying, especially seeing as some 20+MB are just documentation and examples that rarely change between updates.

      --
      You are in a maze of twisty little relative jumps, all alike.
    11. Re:Patch bloat by Anonymous Coward · · Score: 0

      Yeah, the JDK doesn't seem to be able to update. But it's not like you really need to update it as much as the JRE.

    12. Re:Patch bloat by dotNetProgrammer · · Score: 1

      I just installed a java update this morning - and the real eyebrow raiser was that it wanted to install the BING toolbar...

    13. Re:Patch bloat by Anonymous Coward · · Score: 0

      I am also developing in Java and I noticed that auto-updates also update the jdk.

  10. This article speaks the truth by gman003 · · Score: 5, Funny

    I'm still in the process of repairing my Windows system after a Java-transmitted virus. A hacked website was sending out malware to visitors via Java applet, and the only solution I found was a format/reinstall. Since then, I've disabled Java on all my machines; the only things I've seen it used for are crappy browser games and malware.

    1. Re:This article speaks the truth by Anonymous Coward · · Score: 0

      Same thing happened to me. I had a fully patched Windows XP box, was using the latest Java browser, went past a weird web site... something reached through the browser and wrecked the entire machine. I spent two days trying to disinfect, gave up and put Ubuntu over the old install, hoping it wouldn't happen again... so this can happen to my Linux boxen too? That's very scary! BTW that's the first time in 25 years I've been beaten by malware.

    2. Re:This article speaks the truth by Anonymous Coward · · Score: 0

      I have never heard of a Java virus before. Either you had some really old version or you had to accept the certificate, which will give the Java applet full access to your system, which most likely would install a virus exe. This could also be done with more than just Java.

    3. Re:This article speaks the truth by davecason · · Score: 1

      Maybe Microsoft can help with a simple change to all their browsers: before an add-on is engaged, have an "are you sure" window. Or add an always off management option for snap-ins with related management utilities. Even better, like drivers, maintain awareness of major add-ins and what is ok, then go to always off on any version with a known exploit. More impressive would be to simply be aware of the exploit. Simple: look for Java, or any other add-in, downloading something that either has an executable magic byte or a magic byte mismatch to file extension or a broken magic byte.
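      An added example, not from the thread or from any Microsoft product, of the header check the comment proposes: compare the leading bytes of a downloaded file with its claimed extension and flag executables, mismatches and missing magic bytes. The signature table and the sample downloads are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class DownloadHeaderCheck {
    enum Verdict { OK, EXECUTABLE, MISMATCH, BROKEN, UNKNOWN }

    // Leading-byte signatures for a few common types (constructed subset).
    // 0xCAFEBABE is shared by Java class files and Mach-O fat binaries; both are code.
    static final Map<String, byte[]> SIGNATURES = new LinkedHashMap<>();
    static {
        SIGNATURES.put("exe",   new byte[]{'M', 'Z'});                                 // PE / DOS
        SIGNATURES.put("elf",   new byte[]{0x7F, 'E', 'L', 'F'});
        SIGNATURES.put("class", new byte[]{(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
        SIGNATURES.put("jar",   new byte[]{'P', 'K', 3, 4});                           // zip container
        SIGNATURES.put("pdf",   new byte[]{'%', 'P', 'D', 'F'});
        SIGNATURES.put("png",   new byte[]{(byte) 0x89, 'P', 'N', 'G'});
        SIGNATURES.put("gif",   new byte[]{'G', 'I', 'F', '8'});
        SIGNATURES.put("jpg",   new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
    }
    // Types that carry executable code; a browser add-in fetching these is worth a look.
    static final Set<String> CODE = new HashSet<>(Arrays.asList("exe", "elf", "class", "jar"));

    static boolean startsWith(byte[] data, byte[] prefix) {
        return data.length >= prefix.length
                && Arrays.equals(Arrays.copyOf(data, prefix.length), prefix);
    }

    // Name of the signature the bytes match, or null when none matches.
    static String detect(byte[] head) {
        for (Map.Entry<String, byte[]> e : SIGNATURES.entrySet()) {
            if (startsWith(head, e.getValue())) return e.getKey();
        }
        return null;
    }

    // Normalises the claimed extension so "JPEG" and "zip" compare against the table.
    static String claimedType(String filename) {
        int dot = filename.lastIndexOf('.');
        String ext = dot < 0 ? "" : filename.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (ext.equals("jpeg")) return "jpg";
        if (ext.equals("zip")) return "jar";   // same container format
        return ext;
    }

    static Verdict assess(String filename, byte[] head) {
        String claimed = claimedType(filename);
        String actual = detect(head);
        if (actual == null) {
            // A known type was claimed but its magic bytes are absent: broken header.
            return SIGNATURES.containsKey(claimed) ? Verdict.BROKEN : Verdict.UNKNOWN;
        }
        if (CODE.contains(actual)) return Verdict.EXECUTABLE;       // executable magic byte
        return actual.equals(claimed) ? Verdict.OK : Verdict.MISMATCH;
    }

    static byte[] ascii(String s) { return s.getBytes(StandardCharsets.US_ASCII); }

    public static void main(String[] args) {
        // Constructed sample downloads: (claimed name, first bytes of the body).
        Object[][] samples = {
            {"photo.jpg",  new byte[]{'M', 'Z', (byte) 0x90, 0}},        // PE header behind a .jpg name
            {"report.pdf", ascii("%PDF-1.4")},                           // genuine PDF
            {"notes.pdf",  ascii("<html>")},                             // .pdf with no PDF header
            {"image.png",  ascii("GIF89a")},                             // GIF claiming to be PNG
            {"data.bin",   new byte[]{0x01, 0x02, 0x03, 0x04}},          // nothing we recognise
        };
        for (Object[] s : samples) {
            System.out.printf("%-12s -> %s%n", s[0], assess((String) s[0], (byte[]) s[1]));
        }
    }
}
```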

  11. Advertising by Anonymous Coward · · Score: 0

    The latest Java patch comes with a prompt to add the Microsoft Bing toolbar.

  12. Nice try by turgid · · Score: 1

    +1 Funny (very bad attempt at trolling).

    1. Re:Nice try by julesh · · Score: 1

      Not sure why you think this is a troll. I, too, have recently had a massive malware infection through a Java applet. I did manage to sort it out via an antivirus program, but it took over 3 days for it to clean all 375,000 infected files from my system. It would have been faster to reinstall.

    2. Re:Nice try by MozeeToby · · Score: 1

      I don't see that as trolling, the only reason my recent Java delivered infection wasn't orders of magnitude worse is because Avira contained the problem before it got out of hand. Yes, I suppose I should be angry that Avira let it get as far as it did (the initial infection was running and Avira couldn't stop or remove it), but I'm grateful that the 20+ infections that the first one tried to spawn weren't able to run. Even still it was a night's work.

      Reboot to a live CD, run a scan and remove/repair infected files, search the registry for the infected file names and remove if appropriate, reboot to Windows safe mode and scan again (trying to find anything running), reboot to regular mode, then back to the live CD for another scan (in case something came back when Windows rebooted).

      Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.

    3. Re:Nice try by Pieroxy · · Score: 1

      Dude, stop it! I'm laughing my ass off !!!!

    4. Re:Nice try by turgid · · Score: 3, Informative

      Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.

      Me neither. I switched to Linux in 1996.

    5. Re:Nice try by cortana · · Score: 1

      Reinstall.

    6. Re:Nice try by LordLimecat · · Score: 1

      Checklist for when you experience an infection?
      • Nuke the MBR (recovery console, or Linux's ms-sys)
      • Nuke any random exes in %appdata% or %appdata%\randomdigits\, etc.
      • Inspect the autoruns list with Sysinternals' Autoruns
      • Check the system for a rootkit with GMER
      • If this is personal use (as opposed to commercial / business), run ComboFix (google it, they don't seem to like direct links)
      • If you have a capable AV (like Avast), a boot-time scan is helpful

      Additionally, if you know the specific virus, there are specific removal tools that are remarkably effective; I would nevertheless run the steps above to verify the computer is clean. If you see any evidence that your repairs are being undone, you may need to break out a live-boot Linux disk, or hose the entire OS -- don't forget to nuke the MBR if you do a clean install, and to sanitize any connected USB drives.

    7. Re:Nice try by LordLimecat · · Score: 1

      Which is great, because I hear that the detection and removal tools are quite modern on Linux -- certainly you don't intend to claim that Linux is actually immune to trojans?

      For its flaws, the removal tools in XP are phenomenal, and with combofix, rootkits become a minor annoyance.

    8. Re:Nice try by marcello_dl · · Score: 1

      And Linux lacks a registry cleaner utility too. You might wonder why.

      Really, should I even bother to look for removal tools when reinstalling aptosid from a USB live stick takes 4 minutes and gives me much more assurance that the system is clean? A dpkg get/set-selections restores all the other stuff I had installed, and good luck for the malware to hide in the few text config files in /etc that I need to restore before being up and running again.

      All of this is not Linux guru stuff; it's in the installation manual of Debian, which I read sometime around 2002.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    9. Re:Nice try by Anonymous Coward · · Score: 0

      Please mod the parent into oblivion. Anything other than a reformat and reinstall is unsafe.

    10. Re:Nice try by vlueboy · · Score: 1

      If you have a low-key organization but a VIP machine where reinstalling is heavily punished, read along. Unless your spyware used Group policy lockouts preventing "Run", cmd.exe, taskmgr, regedit and system restore for even your admin accounts. I don't get why paywalled MS Group Policy into XP Pro, but left it present enough that spyware can 0wn your non-domain Home machines. Stop and reinstall anyway if you do see the above issues.

      Create a new passworded admin account just in case your next boot automagically reinstalls the spyware --The root "Administrator" can be hard to log in as beyond safe mode, and some spyware auto-hoses only the original account, which you can contemplate nuking (copy your pics, docs, bookmarks and browser profiles first.)

      Get processxp and Install/Run Avast but don't heal anything till the very end. Just check for anything it detects. AVs tend to partially uninstall stuff and I prefer spybot.

      Run spybotsd + update to the latest file

      TaskMGR or processXP and try to kill odd or randomized process names. ProcessXP can show DLLs and let you pause / kill them temporarily without killing your explorer shell. Note if there's respawning through a helper process and try to flash-kill both at once.

      ---------------------
      Reboot in Safemode. If the spyware corrupted that, just reinstall.

      Try system restore. Fails 50/50 for me on most disaster moments, but can save you the hassle of gioing through the below recovery steps...

      Run SpybotSD (every year or so you need to redownload from their site and do a new full reinstall to get their updated engines)
      1) reimmunize
      2) clean BHO and ActiveX (lol, killing Java and adobe's doubius bits if I can)
      3) Check process list and startup lists for more rand exes in temp folders.
      4) Run a thorough check (all afternoon, check back every hour to OK any obscure file access errors). Checks last from 2 hours to about 4 depending on whether you updated your detection
      5) While that happens, keep going below

      Check the LSP [winsock extensions] section for weird injected stuff -if you have more than about 20, use their reset button. WinTCPfix might help if you are having internet problems.

      Check your firewall for opened ports, especially with Windows Live Remote Desktop (some name to that effect) sharing newly enabled.

      Check IE, Firefox and Opera for proxy settings redirecting your web traffic to local sniffers. If you find this or te firewall changes, you should reinstall because someone's watching you closely and might have other hooks in your OS.

      Clean the (legacy) Startup folder for yor Start Menu and the one under the "All users" Folder
      Check registry for startup programs in your account. If you have the time, repeat for the .DEFAULT profile regkey
      Check the services.msc list -- some sneaky processes lacking "company info" show you a path to a temp folder or Windows\System32

      Sort windows\system32 by date to see if any exes, bat files or dlls have download dates you don't remember having "caused." Might wanna move manually (safe mode, usually) and/or rename exe to "bad" in case the file has some "critical function" for your shell thanks to the spyware injecting itself. I haven't had a virus like that in years. The most you'll see is "such and such exe file could not be found on the next boot." If you know the exact date and time of infection, do a C:\ search for that date on *.* and include system, hidden and all other stuff. You'll get some folders / program names that can be googled from another PC for gravity of infection and steps to counter.

      If spybot is finished scanning, Fix the "problems," and reboot to gauge the effectiveness

      Some sneaky spyware doesn't die unless you also install and run adaware or waste another hour with updating and sweeping w/ MSAntispyware.

      Reboot a few times and recheck process lists. Rerun Spybot to ensure stuff was removed.

    11. Re:Nice try by poor_boi · · Score: 1

      If you don't want to reinstall (you really should) then at least run Malware Bytes in addition to a full system scan with your usual A-V software.

    12. Re:Nice try by zippthorne · · Score: 1

      Of course linux is going to have decent detection and removal tools.

      A linux live CD is most geeks' first choice when it comes to removing viruses and trojans from their windows boxes...

      Seriously, though why go on a block by block hunting trip when you can do a clean wipe, scan your data from optical media, and re-install? You're not saving any time, you know.

      --
      Can you be Even More Awesome?!
    13. Re:Nice try by gman003 · · Score: 1

      Unfortunately, Linux isn't the best OS for everything. It works great for servers - I use it for that with very few problems. It works as a desktop, if all you need is OpenOffice and a web browser, and aren't a complete newb. However, gaming performance on Linux is terrible and complex, and as a gamer I find it best to use Windows for gaming (and as a normal office PC as well, simply because it's there).

      Linux is a tool - it works well for what it's designed for, but trying to use it for something it isn't designed for is like using a hammer to remove screws - it may work eventually, but it's a lot quicker and a lot easier to just use a screwdriver.

    14. Re:Nice try by gman003 · · Score: 1

      Still doesn't catch everything. The one I had, for instance, went undetected by AVG, Microsoft Defender, and MalwareBytes.

      But it can't hide from fdisk.

    15. Re:Nice try by codepunk · · Score: 1

      Oh is that all you got to do? How about not running windows in the first place and it can be reduced to a single step.

      1. Boot OS and get your shit done.

      --
      Got Code?
  13. JRE's no mere ranger. by Anonymous Coward · · Score: 0

    Java is Enterprise(tm).

    You know, something that Ubuntu completely isn't. And it is not a thing to be updated willy nilly, by random developers. Here in the Enterprise(tm) world, we generally tend to, y'know, test shit thoroughly before launching/updating it.

    /smarmy because I'm tired of people insisting the only valid solution for desktop Linux is also the only valid solution to running a server.

    1. Re:JRE's no mere ranger. by binarylarry · · Score: 0

      Ubuntu "just works" so I'd fucking hope to hell it's enterprise ready.

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:JRE's no mere ranger. by cb88 · · Score: 0

      Ubuntu is a hackfest off of svn branches of software with custom never upstreamed patches. Yeah .... it's *stable* except half of anything you want to do is broken. Personally I'm an ArchLinux user where everything works perfectly at least once a week :-P

    3. Re:JRE's no mere ranger. by Anonymous Coward · · Score: 0

      Java is Enterprise(tm)

      Java is a bloated, buggy piece of crap, a good match for Oracle's enterprise software.

      You know, something that Ubuntu completely isn't. And it is not a thing to be updated willy nilly, by random developers.

      Sun's and Oracle's developers are even more random than the open source developers.

      Here in the Enterprise(tm) world, we generally tend to, y'know, test shit thoroughly before launching/updating it.

      I've worked in the "Enterprise(tm) world". Stop bullshitting.

    4. Re:JRE's no mere ranger. by Haeleth · · Score: 2, Funny

      Here in the Enterprise(tm) world, we generally tend to, y'know, test shit thoroughly before launching/updating it.

      Indeed. Most of the Enterprise(tm) world is probably completely safe from these attacks. At least till 2027 when they upgrade to the vulnerable versions.

  14. So... by Anonymous Coward · · Score: 0

    Users of FF + NoScript are relatively safe?

    1. Re:So... by meloneg · · Score: 1

      But Lynx lacks that little button with "Allow scripts..." pop-up menu.

  15. once again, wrong default by Anonymous Coward · · Score: 0

    I've said it before and always seem to get modded down, but anyone who runs their system setup by default to execute random code from the internet just by visiting a web page is asking for trouble.

    You should run things you have a *reason* to run, and a reason to trust. Don't just run anything from anywhere by default, that's stupid. Make a conscious decision. Use your brain! That's what it's there for: to let you make decisions about how to interact with the world around you.

    People's computers get jacked because they don't care about what things they run. Even when you think it's sandboxed, there can still be flaws.

    Turn off scripting by default! Run scripts on your bank site or whatever, where you have a REASON to and it's for your benefit. Don't just run any random shit that any random web page throws your way, that's idiotic.

    1. Re:once again, wrong default by Anonymous Coward · · Score: 0

      I don't run scripts by default (proud NoScript user here) but the sad fact is that even this isn't guaranteed to protect you. It's better than running scripts everywhere, but legitimate sites, even those you would expect to be fairly secure, can be exploited to serve malicious content to you. How is the end user supposed to know about whether website XYZ is vulnerable to HTML injections or not?

    2. Re:once again, wrong default by TheLink · · Score: 1

      That's why I suggested this years ago:
      http://lists.w3.org/Archives/Public/www-html/2002May/0021.html
      http://www.mail-archive.com/mozilla-security@mozilla.org/msg01448.html

      I think mozilla are finally trying to do something about it:
      https://developer.mozilla.org/en/Security/CSP

      But after so many years, worms and exploits...

      --
  16. Java Vulnerabilities Patched in 1.6.0_22 by bughunter · · Score: 1

    You don't have to be vulnerable. The listed exploits were patched in Update 22, last spring.

    Update available here.

    DoublePlusKarmaWhoreGoodness: For best protection, run a Mozilla browser with the NoScript add-on. (AdBlockPlus and RemoveItPermanently make great complements to NoScript, too.)

    --
    I can see the fnords!
    1. Re:Java Vulnerabilities Patched in 1.6.0_22 by Anonymous Coward · · Score: 0

      You don't have to be vulnerable. The listed exploits were patched in Update 22, last spring.

      Ummm, no. JRE 6 Update 22 was released last week, October 2010.

      http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

    2. Re:Java Vulnerabilities Patched in 1.6.0_22 by ee2go · · Score: 1

      Note that Ubuntu Partners repository is still at update 21. You have to update manually to 22 right now. I found this information helpful in doing this: http://sites.google.com/site/easylinuxtipsproject/java

    3. Re:Java Vulnerabilities Patched in 1.6.0_22 by Altanar · · Score: 1

      Update 22 came out last week.

    4. Re:Java Vulnerabilities Patched in 1.6.0_22 by pwagland · · Score: 1

      Update 21, which fixes some, and possibly these, vulnerabilities was released in July, Update 22 however was released last week.

  17. Microsoft warned today ... by Anonymous Coward · · Score: 0

    "Microsoft warned today ..." - that's how emails from idiots began 5 years ago.

  18. MS and Adobe to join? by cyberjock1980 · · Score: 1

    Since MS has posted this list of exploits that were fixed on Update 22 (last spring!) is it safe to assume that Microsoft is simply trying to redirect people who complain about Adobe's security vulnerabilities to look at Java with bigger contempt so Microsoft can buy Adobe and still claim that their software is the most secure?

    Seems a bit odd to me that Microsoft would be trying to improve Adobe's image when they need to be looking at their own. Perhaps they ARE looking at their own image because Adobe will soon be a part of Microsoft.

    1. Re:MS and Adobe to join? by gtall · · Score: 1

      I doubt it has anything to do with Adobe. It is probably simply yet another MS screwup that was reported to upper management as a Java insecurity and their marketing machine took over.

  19. disable java in browser? by Fëanáro · · Score: 1

    Is there a way to disable java across all browsers, but keep it installed for other software like openoffice?
    I.e. block all applet functionality, but still allow local java code to run?

    That would make maintaining friends' PCs a lot easier. They never update on time, and when they do, I always have to remove a new bundled browser toolbar again.

    1. Re:disable java in browser? by LordLimecat · · Score: 1

      Yes. It's in the control panel applet.

    2. Re:disable java in browser? by Fëanáro · · Score: 1

      Thanks!
      Seems like it only lists settings for IE and firefox, not chrome or opera, but it's a start.

  20. Java applets require authorization by SplashMyBandit · · Score: 2, Interesting

    If the infections were coming via Java Applets then it becomes pertinent to ask how did they get on the machine. Java applets must be signed to write to the user's hard drive. This means the user was prompted to approve an untrusted certificate and they did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not like applets are without protection to the end user.

    1. Re:Java applets require authorization by Tanktalus · · Score: 1

      If the infections were coming via Java Applets then it becomes pertinent to ask how did they get on the machine. Java applets must be signed to write to the user's hard drive. This means the user was prompted to approve an untrusted certificate and they did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not like applets are without protection to the end user.

      Unless, of course, said exploit allowed the bypassing of the certificate requirement.

    2. Re:Java applets require authorization by SplashMyBandit · · Score: 1

      From the description the exploit appears to be due to a malware applet already downloaded and running in the user's browser.

      That still requires certificate acceptance before the applet can run.

      If the certificate was signed by a trusted Certification Authority (CA) the user would not see a warning - and the CA needs to be notified so they can revoke the cert.

      Of course even with these mechanisms the malware applets are still dangerous to the "Click OK, OK, OK until you are done installing" crowd.

    3. Re:Java applets require authorization by codegen · · Score: 1

      Java applets must be signed to write to the user's hard drive.

      <sigh>I know this is slashdot, but would it hurt to read some details? If you look into it, these are vulnerabilities in the Java VM, allowing the attacker to send arbitrary native code to be executed by the VM. Once you trick the Java VM into executing arbitrary native code, you have bypassed any protections provided by the JVM. The JVM security policy only applies to java byte codes, or native code that was produced by translating java byte codes. No signature is needed.

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
    4. Re:Java applets require authorization by codegen · · Score: 1

      No. No. No. A certificate is only needed if you want to use the Java Security Policy to access local resources such as a hard drive. If I write an applet that only displays a bouncing ball in the browser, I don't need to have it signed in order to download and run. If I then exploit a vulnerability in the VM that allows me to execute arbitrary x86 code inside of the VM, then I have full access to the machine (or at least as much access as the account running the browser). No certificate is needed.

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
    5. Re:Java applets require authorization by SplashMyBandit · · Score: 1

      the CVE-2010-0094 exploit was for deserialization of RMIConnectionImpl.

      Applets need to be trusted to do RMI over the default RMI ports back to the server serving the applet. Hence, applet signing is required at this stage to establish the RMI connection (before any deserialization can occur). If the applet has been accepted then the vulnerability comes into play, and the privilege to deserialize RMIConnectionImpl is not checked (this is the flaw), but that is after the connection is established.

      The CVE entry states that the exploit allows system-level *Java* calls to be run, not arbitrary x86 code as you claim (not every JVM runs on x86 dontcha know).

    6. Re:Java applets require authorization by SamiKoivu · · Score: 3, Informative

      CVE-2010-0094 is a privilege escalation vulnerability in the JVM. The applet does not need to be signed and the user does not need to click OK on any dialog window. Even though the flaw is in an RMI related class, the exploitation does not require RMI privileges. No RMI stuff actually takes place, it just happens that this class is a trusted JVM core class that could in the previous versions of Java be exploited into elevating untrusted applet code privileges, thusly escaping the sandbox. Having escaped the sandbox the Java code can then do whatever it wishes, within the local privileges of the user running the browser process, including native code of the platform it's being run on.

    7. Re:Java applets require authorization by SplashMyBandit · · Score: 1

      How does the affected class get deserialized? It is not being run (permissions before the exploit prevent it without user interaction) and a copy of RMIConnectionImpl is loaded from the client's machine into their browser. So I'm curious as to how the offending code gets activated and whether the user bypasses protections or not.

      > including native code of the platform it's being run on.

      Still needs to load it the same way the native library loader does, with the same privilege as an ordinary user (same as a bad local Java application, so the OS should limit the damage - except maybe on Windows). You also have to know where the particular library is (not too hard on Windows and Mac, harder on Linux due to the differing layout of different flavours). I suppose you could then use a local exploit of the library to get further - again a decent O/S (eg. Linux) will be fortified against user escalation.

    8. Re:Java applets require authorization by SamiKoivu · · Score: 1

      If you have an applet in a signed jar, the user gets prompted to execute the applet. If the user clicks "Run", the applet gets executed with full permissions. If, on the other hand, the user clicks on "Cancel", the applet gets executed with default applet permissions.

      If you have an applet in an unsigned jar, it gets executed with default applet permissions without any user interaction. This is the case of the vulnerability. The default applet permissions are very limited, but they let you call most of the standard classes of Java, including that RMIConnectionImpl class. RMIConnectionImpl had a flaw, where it did privileged deserialization from an untrusted source and that flaw can be leveraged by an applet to elevate its privileges. (For more details, see my original advisory).
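      The flaw class described in this thread (a trusted core class that deserializes caller-supplied bytes inside a privileged block, which sandboxed code can reach without any signature or prompt) shown beside a hardened variant, as an added illustration. This is constructed example code, not RMIConnectionImpl's actual source or code from the advisory; the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Constructed illustration (hypothetical class, not RMIConnectionImpl's code) of
// the pattern discussed above: a trusted core class deserializing untrusted
// bytes under elevated privilege, beside a variant that does not.
public final class PrivilegedDeserializationDemo {

    // FLAWED PATTERN: the bytes come from an untrusted caller (e.g. sandboxed
    // applet code), but readObject() runs with this trusted class's full
    // permissions. Every class the stream names is resolved and instantiated
    // with those elevated rights, so the sandbox restriction on the caller no
    // longer governs what gets constructed.
    static Object privilegedReadObject(byte[] untrustedBytes) throws Exception {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Object>) () -> {
                    try (ObjectInputStream in = new ObjectInputStream(
                            new ByteArrayInputStream(untrustedBytes))) {
                        return in.readObject();
                    }
                });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    // HARDENED: no doPrivileged around the deserialization, so the stream is
    // read with the caller's own (restricted) permissions, and only classes on
    // an explicit allow-list may be resolved from the stream.
    static Object restrictedReadObject(byte[] untrustedBytes, Set<String> allowedClasses)
            throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(untrustedBytes)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!allowedClasses.contains(desc.getName())) {
                    throw new InvalidClassException("class not on allow-list", desc.getName());
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stream: a serialized ArrayList holding one String.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new ArrayList<>(List.of("sample")));
        }
        byte[] bytes = bos.toByteArray();

        // Both variants read a benign stream...
        System.out.println("privileged: " + privilegedReadObject(bytes));
        System.out.println("restricted: "
            + restrictedReadObject(bytes, Set.of("java.util.ArrayList")));

        // ...but only the hardened one refuses a class it was not told to
        // expect, which is the check the flawed version lacked.
        try {
            restrictedReadObject(bytes, Set.of("java.lang.Integer"));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

      On Java 9 and later the same allow-list idea is available without subclassing via java.io.ObjectInputFilter, which can also be set JVM-wide.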

    9. Re:Java applets require authorization by SamiKoivu · · Score: 1

      You are correct that the OS limits the damage where configured properly, yes.

    10. Re:Java applets require authorization by Anonymous Coward · · Score: 0

      And who authorizes the 'signature' to ID that something can be written to the hard drive? The JRE (Java Runtime Environment)? If there's a bug in the JRE which can be exploited, then it doesn't matter if it's signed or not.

      It's not like Java forces you to set the Evil Bit before you can compromise a system. It's not magickally immune just because it runs bytecode. Somewhere, somehow, the code has to get interpreted and executed. If there's a bug ANYWHERE along the line that someone can figure out (buffer overflows being a common one, but there's other ways), and they figure out how to abuse it in just the right way so to break out of the so-called 'sandbox', then it's got potential to infect your machine with worms and trojans.

      It's the same issue as with both PDF and Flash. The difference is that there has been a lot of negative press for Adobe for the lax security in their software (and rightly so). Java hasn't had as much press on it from what I've seen on /., but there's likely a lot of defects and exploits still present.

    11. Re:Java applets require authorization by SplashMyBandit · · Score: 1

      Thanks for your explanation (which I already knew, btw) and for your work in raising the advisory.

      My understanding was that an applet with default permissions could not make an RMI call to the originating host without a change to security settings (or being signed). I have seen a list of ports that an unprivileged applet can make back to the originating server (port 80 for example) but did not see the RMI port on that list of permitted ports - although there is admittedly conflicting documentation out there on the Interwebz. Perhaps the documentation is wrong? Otherwise a privileged applet is needed, yeah?

  21. Cisco is the worst! by Anonymous Coward · · Score: 0

    Not only does Cisco distribute ancient versions of java with most of their software, Cisco actually requires these ancient versions of java full of security holes to work.

    And allegedly Cisco takes security seriously. I pointed this out to my sales rep, who didn't think this was a problem. What a POS (both Cisco and the sales rep).

    1. Re:Cisco is the worst! by petermgreen · · Score: 1

      It depends how they are using them. If they are keeping private copies and only using them to run trusted software I don't see any big problem.

      OTOH if they are installing old versions systemwide that is BAD.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  22. Yahoo toolbar by amaupin · · Score: 0, Troll

    And when you install Java you get the Yahoo toolbar, as well! (Unless you uncheck it.) It's like Sun (or Oracle, I don't know which) sat around a table and brainstormed ways to make Java appear as malware-ific as possible.

    Great job guys. You're lucky Flex's mxmlc.exe (and now Minecraft) require Java or I'd have no use whatsoever for your tainted runtimes...

  23. Lies, damn lies, and statistics by Anonymous Coward · · Score: 0

    The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits

    That's a lot of qualifiers in that statement. Four of them, in fact. They are "commercial", "crimeware", "exploitation", and "kit".

    Wow, Microsoft happens to have found one small segment of the malware market where a Microsoft vulnerability ISN'T the top money maker for malware authors.

    They appear to have left out the "sold by purple gnomes on Tuesdays to fairies riding on pink ponies."

  24. In Other News by Fnord666 · · Score: 1

    In other news, Microsoft profits were down somewhat this quarter. Sources at Microsoft cited an increase in overtime expenses as the cause.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  25. Use Only HTML5/JavaScript by smist08 · · Score: 1

    I think this speaks to the need to not run plug-ins in the browser. To run only HTML/JavaScript. I.e. don't allow the PDF plugin, don't allow Flash, don't allow Silverlight, don't allow Java Applets. All of these proprietary plug-ins cause all kinds of security problems. They have proven to be a bad idea. I think Steve Jobs is on the right track banning them from the iPhone/iPad.

  26. stop bundling toolbars with security updates!!!! by Anonymous Coward · · Score: 0

    then people would update more often without the worry of installing some additional (spy|crap)ware,
    pre-checked toolbar installers should NEVER be included with security updates especially monthly ones and any company that does so should be publicly chastised (or just plain sued)
    i guess Oracle isn't the successful billion dollar company we thought it was if they have to resort to installing bottom of the barrel shitty toolbars (which are a nightmare in a corporate environment) to whoever pays them the most, dignity isn't even a consideration.

    I think the best for everyone concerned is we simply remove Java from all machines
    and stop supporting/recommending it as a platform, same as Adobe's horrible Acrobat products,
    the numerous security flaws and general incompetence of these companies now outweigh the benefits of using their products, it's just easier to remove it permanently and not worry that 10,000 desktops now have some random advertising company's toolbar spying on them than deal with the 3 users that actually need the product's specific features in the first place.

  27. Ironically it's in the C-written part of the JVM by Anonymous Coward · · Score: 0

    In a not-so-unexpected twist, all the buffer overflows leading to remote code execution are present... In the C-written part of the JVM/APIs.

    Which is honestly, kinda very lol.

    So far there has not been a single buffer overflow targeting pure Java code because, well... The Java specs simply make this impossible (or the hypothetical JVM that would be affected wouldn't be complying with the Sun/Oracle Java specs and hence wouldn't be a "JVM").

    So, yup, once again... Buffer-overflow in C-written code. Film at 11.

  28. jucheck.exe and "Unknown publisher" by ortholattice · · Score: 1

    Windows 7 kept nagging me off and on for weeks saying "jucheck.exe" was from an "Unknown Publisher" and asking whether I wanted to let it modify my system. I kept saying "no" because I'd never heard of this program (I don't use Java very often) and didn't have time to research it.

    When I finally had some time (and was fed up with the nagging), I typed "jucheck.exe unknown publisher" in Google. I waded my way through the hits warning me that it was probably a virus and that I should do a "free scan" with their anti-virus software (any .exe seems to bring up these scams). After reading some forums, I began to feel that it was probably OK, although I didn't find a crystal clear answer that made me totally confident. I was a little nervous when I finally allowed it to run, but it seemed to install the Java update OK.

    I don't know how the "cautious" average user is supposed to deal with this. (Of course, an ordinary average user would just let it run, which is why they get viruses.) Why do they give it such a cryptic name? What's the deal with the "Unknown publisher"?

  29. Checklist by Caerdwyn · · Score: 1

    1. Reformat/reinstall.

    If something got by an anti-virus app, and managed an infection, a rootkit is almost certainly one of the first things downloaded by the malware (assuming that the malware is botnet-focused rather than just simple vandalism). The initial infection is almost never the one that carries the payload (the software that the person who deployed the malware really wants to run); the usual sequence is infect--rootkit--get instructions from a website/IRC channel--download payload--wait for instructions to execute payload.

    So even if you clean the initial infector, the rootkit may still be there, which your AV software may or may not detect. If not, the downloaded payloads have a good chance of being undetected, in which case they appear as just another service or startup item. Payloads seldom do anything exploitative, in that they're doing ordinary appish things (sending emails, reading files, uploading data, visiting a website or IRC channel), and thus can be difficult to detect just from their behavior.

    Therefore, if someone's PC is infected, you don't know what other goodies have been downloaded since the initial infection. Nuke it from orbit, that's the only way to be sure.

    (boot from a Linux CD, mount your hard drives read-only, back off your data, scan that data, then reinstall your OS and apps including an initial reformat. Anything else and you might miss something.)

    --
    Everybody gets what the majority deserves.
  30. It's not a surprise by thethibs · · Score: 1

    It's not a surprise that there are a lot of unpatched systems out there. Java's stealth-mode installation pretty much guarantees it.

    I know what I'm doing. The machine on my desk is one I built myself from parts (won't do that again; these days an off the shelf system costs a great deal less than the sum of its parts). Every bit of software is there because I decided it should be--or so I thought. This post got me curious.

    I've never consciously installed or enabled java on this machine and yet, in the java program directory there's a jdk and three jre's.

    Jdk?! I haven't done any coding in java in over six years, and not on this machine. Two of the jre's have the same time stamp, the third seems to be the most recent.

    Let's look at the control panel--yup, there's a java icon. Bring up the dialog and auto update is not enabled. So I have an old version of the jre, an older version of the jdk, and no idea why they're there.

    I'm supposed to know they should be patched?

    --
    I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
  31. Wooops! by Anonymous Coward · · Score: 0

    i bet Larry Ellison is regretting his purchase now, maybe wondering how big a can of worms Java really is... a platform independent can of worms that is.

  32. PLEASE mod parent up by bagofbeans · · Score: 1

    ..laughed my cotton socks off. Thanks.

  33. On the Java update splash window it says: by Anonymous Coward · · Score: 0

    Welcome to Java

    Java provides safe and secure access to the world of amazing Java content.

    Huh?

    1. Re:On the Java update splash window it says: by Anonymous Coward · · Score: 0

      Java is sandboxed! The VM is invulnerable to exploits that C apps are subject to!

    2. Re:On the Java update splash window it says: by Anonymous Coward · · Score: 0

      The underlying VM itself is written in C or C++, so that's what attackers are trying to exploit.

  34. The Java Automatic Updater is annoying by GWBasic · · Score: 1

    The reason why Java's never updated is that its automatic updater is annoying. It always shows up as soon as I boot up my computer, and then tells me I need to reboot. Now, given that normal people like to USE their computers; and given that many corporate computers take forever to boot up, something like this is going to remain ignored. Just think, after waiting 5+ minutes while my computer boots up, do you think I'm going to reboot again for something I've never heard of nor, as far as I know, use?

    The Java updater needs to be a lot better. It's like that annoying crack addict that hits you up for money every time you walk down the street.

  35. Re:Linux by Anonymous Coward · · Score: 0

    We run Ubuntu and I keep up with the automatic updates. Regardless, I am curious what damage is possible considering my family members have no sudo access.

  36. Re:Ironically it's in the C-written part of the JV by 0123456 · · Score: 1

    So far there has not been a single buffer overflow targeting pure Java code because, well... The Java specs simply make this impossible (or the hypothetical JVM that would be affected wouldn't be complying with the Sun/Oracle Java specs and hence wouldn't be a "JVM")

    Clearly the solution is to rewrite the JVM in Java.

  37. Not very surprising by Anonymous Coward · · Score: 0

    It was only a matter of time. First everyone uses ActiveX and its many holes; when more people began using other browsers they went after swf/pdf holes, but Adobe is apparently catching up, and with the announced sandboxing in the next big version of reader, they're probably beginning to migrate their efforts elsewhere, which basically leaves mostly just Java that is present on most machines.

  38. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  39. It is vulnerable because it is popular. by jameskojiro · · Score: 1

    Unlike the Macrocost implementation of it C# or whatever.

    In other news OS2 is the most secure system ever, too bad no one is using it....

    --
    Tsukasa: All I really want, is to be left alone...
    1. Re:It is vulnerable because it is popular. by shutdown+-p+now · · Score: 1

      2004 called, it wants its FUD back.

  40. 85 vulnerabilities total for Oracle by Anonymous Coward · · Score: 0

    I saw this go thru us-cert list the other day. IIRC there were some 85 vulnerabilities in Oracle's database suite.

    I was pissed to say the least. How stupid do you have to be to allow such a huge number of vulnerabilities to accumulate into a single massive patch set? I can't say I'm surprised one bit that this shit is being exploited the way it is. Idiots.

  41. Mime-type screwyness by billcopc · · Score: 1

    I noticed something like this yesterday, where some idiot's rooted blog was trying to drive-by a bunch of PDFs, which were mime-typed as jars so they spawned the Java quickstart kludge. In my case they didn't get anywhere since my debugger fired up, but on a non-developer workstation they probably could have had a field day.

    Cue endless Java and Adobe bashing in 3...2...1...

    --
    -Billco, Fnarg.com
  42. Secunia PSI by WD · · Score: 1

    Try Secunia PSI. It will scan your system for any software that needs to be updated. http://secunia.com/vulnerability_scanning/personal/

  43. Re:Ironically it's in the C-written part of the JV by SamiKoivu · · Score: 2, Interesting

    Two of the three cited vulns aren't actually buffer overflows. It's badly written Java code that other Java code can exploit to escape from the sandbox.

  44. Confusion by SamiKoivu · · Score: 1

    Just to clear up some of the confusion. The news of the recent release fixing 29 vulnerabilities isn't directly related to the 3 vulnerabilities cited as the biggest Java threats, as fixes for these were released earlier.
    CVE-2008-5353 was fixed in December 2008 with Java 6 update 11.
    CVE-2010-0094 was fixed in the spring of 2010 with Java 6 update 19.
    CVE-2009-3867 was fixed with Java 6 update 17 (November 2009?).

    Not that the latest version we're all running isn't vulnerable to a ton of other stuff.

  45. Now that everybody's playing Minecraft... by Anonymous Coward · · Score: 0

    ... people actually start using Java and find loads of bugs in it

  46. and .NET? by Anonymous Coward · · Score: 0

    What are the chances that a whole bunch of the same exploits are going to attack .NET? Or has that already happened? Remember, this is Microsoft we're talking about. They create a half-baked clone of a popular program, add some cheap veneer and a few dubious "features" and then go to market and hype the hell out of it.

  47. This may shed light on this for you MrEricSir by Anonymous Coward · · Score: 0

    http://secunia.com/advisories/product/12878/

    That's for the JAVA runtime...

    (NOW: If you wish to see more on the vulnerabilities in ANY of Sun Microsystems' other product lines, see here instead -> http://secunia.com/advisories/vendor/15/ )

    APK

    P.S.=> Hope that helps... apk

  48. How do you remove java permanently? shit. by zymano · · Score: 1

    I always get the stupid bho.

    Damnit. Why does Sun not do anything?

  49. what java control panel? by Anonymous Coward · · Score: 0

    where is this java control panel please?