Slashdot Mirror
A Tidal Wave of Java Flaw Exploitation
tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack."
Several days ago, Oracle released a patch that fixed 29 Java security flaws.
CVE Attacks Computers Description
CVE-2008-5353 3,560,669 1,196,480 A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
CVE-2009-3867 2,638,311 1,119,191 Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
CVE-2010-0094 213,502 173,123 Another deserialization issue, very similar to CVE-2008-5353.
Propagation generally happens via applets, loaded through IFRAMEs or Javascript-based redirects. Actual payloads are not yet OS-agnostic (even though the exploits themselves are).
The keywords in the above descriptions are "remote code execution through Java-enabled browsers on multiple platforms". The flaw is not Windows specific but could also be exploited on OSX and Linux.
I feel that NoScript is doing a greater and greater work in protecting me each and every day.
A few days ago smbc comics was hit with a Java exploit in the form of a popup that installed a trojan on users machines. People affected were discussing it here; from this it looks like mostly Windows machines were infected, but at least one user claims Ubuntu was affected.
CVE-2008-5353 was fixed with Apple's Java Patch #2 on June 15, 2009.
CVE-2009-3867 was fixed with Apples Java for OS X 10.6 Update #1 and Java on 10.5 Patch #6 on December 3, 2009
CVE-2010-0094 was fixed With Apple's Java for OS X 10.6 Update #2 and Java on OS X 10.5 Update #7 on May 18, 2010
The flaw may not be Windows specific, but OS X is not included in your list.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
After further research. It appears that Oracle/Sun latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
If you update through the java control panel, it definitely does not grab the entire 77MB package + toolbar.
[Fuck Beta]
o0t!
There are maybe 3 major versions of Java still in somewhat standard use: 1.4, 1.5, and 1.6. Unless the application in question has some very specific quirks, users should always be able to use the latest and greatest version of 1.6 to run them. The allowance for using older versions of the platform is a feature, not a hindrance.
It means that if I want to use "BadSoftwareCompany"'s piece of java software, I'm not confined with downloading and breaking my host's latest version of the java if their code only works with 1.4 or 1.5. If I didn't have the feature, I just couldn't use the software without a huge head-ache. To assume that every version of every software will work forever is delusional, but at least there are facilities to support the older tech.
Bye!
In response to all of these "Java!=Javascript" comments that are here. Yes, we do. NoScript does a lot more than just JavaScript. It sandboxes Java and Flash until we tell them to run, too. It limits XSS. A lot of things, really.
NoScript blocks all executable content on a web page, including Java applets, Javascript, Flash, etc, and lets you decide which ones to allow on a per-site basis.
Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.
Me neither. I switched to Linux in 1996.
Stick Men
All it needs is to allow me to manage a list of repositories that I trust (one centrally managed repository won't fly in the commercial world, but it doesn't have to be that way). It's a small addition - maybe next year will be the year of Windows on the desktop!
Socialism: a lie told by totalitarians and believed by fools.
Last I checked, that just updated the JRE - the only way to update the JDK was to pull a complete new copy.
You are in a maze of twisty little relative jumps, all alike.
oh please clueless astroturfing MS fanbois: how can you mod +5 informative adisakp's clueless comment?
Not so on Linux.
I'm hardly an MS fanboi but I'll reply to your obvious flamebait anyhow. Isn't it a bit harsh to call someone "really clueless" when all I did was point out that the vulnerability exists on all platforms. After all, the summary makes it sound like a Windows-only problem.
Yes it may be harder to escalate privileges but it's not impossible. Linux and OSX are inherently safer but they've been hacked in seconds to get root privileges in just about every pwn-contest held so far when 3rd party software with vulnerabilities are installed. Pretending this is a Windows-only issue isn't going to make OSX / Linux machines any safer.
It sandboxes Java and Flash until we tell them to run, too.
You're saying two different things in this sentence, only one of which is true. NoScript does only load plugins if you click on them (assuming it's configured to do so), but it does not "sandbox" plugins in any way. If you allow a malicious object to be loaded in a plugin (such as by clicking on it), NoScript does nothing to stop it.
Usually that is the case but
https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/659937
The current version appears to be vulnerable. you can manually update or use the ppa
sudo add-apt-repository ppa:duh/sun-java6
and then the usual update upgrade
when the official packaging comes out it should overwrite the ppa version.
Blarney Quality Restaurant, Plants
Quite a few people who post on Slashdot are developers. I happen to be employed to write Java webapps. To do this, I need the JDK.
If you're doing the full 77MB download, you're grabbing the JDK. As I posted, as far as I know, Sun never offered patches for the JDK: your only choice was to redownload the entire thing. Oracle appears to be continuing that practice.
If all you're using is the JRE, the download is much smaller (16MB versus 77MB) and it should be able to automatically update via patches.
However for quite a few Slashdot posters, the JRE is not an option, and we're stuck downloading the entire JDK. Every. Single. Freaking. Time. It's a bit annoying, especially seeing as some 20+MB are just documentation and examples that rarely change between updates.
You are in a maze of twisty little relative jumps, all alike.
CVE-2010-0094 is a privilege escalation vulnerability in the JVM. The applet does not need to be signed and the user does not need to click OK on any dialog window. Even though the flaw is in an RMI related class, the exploitation does not require RMI privileges. No RMI stuff actually takes place, it just happens that this class is a trusted JVM core class that could in the previous versions of Java be exploited into elevating untrusted applet code privileges, thusly escaping the sandbox. Having escaped the sandbox the Java code can then do whatever it wishes, within the local privileges of the user running the browser process, including native code of the platform it's being run on.