A Tidal Wave of Java Flaw Exploitation

← Back to Stories (view on slashdot.org)

A Tidal Wave of Java Flaw Exploitation

Posted by Soulskill on Monday October 18, 2010 @08:04AM from the surf's-up dept.

tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack." Several days ago, Oracle released a patch that fixed 29 Java security flaws.

169 of 238 comments (clear)

Min score:

Reason:

Sort:

How? by MrEricSir · 2010-10-18 08:10 · Score: 4, Interesting

The one question this article doesn't really clarify is pretty important: How are these exploits being loaded onto the user's computer?
Are we talking applets, Java web start, or some other mechanism?

--
There's no -1 for "I don't get it."
1. Re:How? by adisakp · 2010-10-18 08:14 · Score: 5, Informative
  
  CVE Attacks Computers Description
  
  CVE-2008-5353 3,560,669 1,196,480 A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
  
  CVE-2009-3867 2,638,311 1,119,191 Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
  
  CVE-2010-0094 213,502 173,123 Another deserialization issue, very similar to CVE-2008-5353.
2. Re:How? by Florian+Weimer · 2010-10-18 08:14 · Score: 5, Informative
  
  Propagation generally happens via applets, loaded through IFRAMEs or Javascript-based redirects. Actual payloads are not yet OS-agnostic (even though the exploits themselves are).
3. Re:How? by adisakp · 2010-10-18 08:16 · Score: 4, Informative
  
  The keywords in the above descriptions are "remote code execution through Java-enabled browsers on multiple platforms". The flaw is not Windows specific but could also be exploited on OSX and Linux.
4. Re:How? by JonySuede · 2010-10-18 08:16 · Score: 2, Interesting
  
  according to CVE-2010-0094 : the vulnerability is in RMIConnectionImpl and since you can only initiate a connection to your host in an applet, I would guess that you would need to use java web start
  
  --
  Jehovah be praised, Oracle was not selected
5. Re:How? by hydrofix · 2010-10-18 08:37 · Score: 3, Informative
  
  I feel that NoScript is doing a greater and greater work in protecting me each and every day.
6. Re:How? by doishmere · 2010-10-18 08:39 · Score: 3, Informative
  
  A few days ago smbc comics was hit with a Java exploit in the form of a popup that installed a trojan on users machines. People affected were discussing it here; from this it looks like mostly Windows machines were infected, but at least one user claims Ubuntu was affected.
7. Re:How? by Bill_the_Engineer · 2010-10-18 08:43 · Score: 4, Informative
  
  CVE-2008-5353 was fixed with Apple's Java Patch #2 on June 15, 2009.
  CVE-2009-3867 was fixed with Apples Java for OS X 10.6 Update #1 and Java on 10.5 Patch #6 on December 3, 2009
  CVE-2010-0094 was fixed With Apple's Java for OS X 10.6 Update #2 and Java on OS X 10.5 Update #7 on May 18, 2010
  The flaw may not be Windows specific, but OS X is not included in your list.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
8. Re:How? by Bill_the_Engineer · 2010-10-18 08:48 · Score: 5, Informative
  
  After further research. It appears that Oracle/Sun latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
9. Re:How? by Maxo-Texas · 2010-10-18 09:00 · Score: 1
  
  Absolutely. And then I decide what I'm going to allow.
  
  --
  She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
10. Re:How? by emkyooess · 2010-10-18 09:03 · Score: 2, Informative
  
  In response to all of these "Java!=Javascript" comments that are here. Yes, we do. NoScript does a lot more than just JavaScript. It sandboxes Java and Flash until we tell them to run, too. It limits XSS. A lot of things, really.
11. Re:How? by init100 · 2010-10-18 09:07 · Score: 3, Informative
  
  NoScript blocks all executable content on a web page, including Java applets, Javascript, Flash, etc, and lets you decide which ones to allow on a per-site basis.
12. Re:How? by Erikderzweite · 2010-10-18 09:07 · Score: 1
  
  Well, those of us who update their Linux installation should be safe then. Windows is trickier of course with no centralized updates in place.
13. Re:How? by bhcompy · 2010-10-18 09:15 · Score: 1
  
  You can disable that easily within the NoScript configuration. As simple check box is all that is needed to be unchecked
14. Re:How? by Kvasio · 2010-10-18 09:17 · Score: 2, Insightful
  
  Perheps this is because each java update forces the bloody 'autoupdater service' (jusched).
  Theoretically it allows user to turn it off.
  When I turn it off, close java config and reopen - schedule is still active.
  Cutting in registry is the proper sollution.
15. Re:How? by adisakp · 2010-10-18 09:44 · Score: 2, Informative
  
  oh please clueless astroturfing MS fanbois: how can you mod +5 informative adisakp's clueless comment?
  Not so on Linux.
  I'm hardly an MS fanboi but I'll reply to your obvious flamebait anyhow. Isn't it a bit harsh to call someone "really clueless" when all I did was point out that the vulnerability exists on all platforms. After all, the summary makes it sound like a Windows-only problem.
  
  Yes it may be harder to escalate privileges but it's not impossible. Linux and OSX are inherently safer but they've been hacked in seconds to get root privileges in just about every pwn-contest held so far when 3rd party software with vulnerabilities are installed. Pretending this is a Windows-only issue isn't going to make OSX / Linux machines any safer.
16. Re:How? by broken_chaos · 2010-10-18 09:51 · Score: 4, Informative
  
  It sandboxes Java and Flash until we tell them to run, too.
  You're saying two different things in this sentence, only one of which is true. NoScript does only load plugins if you click on them (assuming it's configured to do so), but it does not "sandbox" plugins in any way. If you allow a malicious object to be loaded in a plugin (such as by clicking on it), NoScript does nothing to stop it.
17. Re:How? by djdanlib · 2010-10-18 10:48 · Score: 1
  
  When you update the JRE, it doesn't uninstall the old version. Can something exploiting these vulnerabilities request an older version? It would appear to be possible. I've always kept my JRE updated, but I still got hit with a couple of these this year before uninstalling Java entirely and throwing out any software that depends on it.
18. Re:How? by Cougar+Town · 2010-10-18 10:52 · Score: 1
  
  Java installs its own updater on Windows. Unless you completely disable it, it will notify you of updates and install them for you.
19. Re:How? by fast+turtle · 2010-10-18 11:00 · Score: 1
  
  You're Preaching to the Choir bucko but it's gotten to the point that NoScript goes onto every system I put Firefox on simply because of the various problems we've seen with J-Script and Java in general over the years.
  
  --
  Mod me up/Mod me down: I wont frown as I've no crown
20. Re:How? by Altanar · 2010-10-18 11:13 · Score: 1
  Maybe in a couple cases, but not mine. I was infected with the following on October 3, using JRE 1.6.0 Update 21, which was the newest build available when I was infected.
  
  Exploit:Java/CVE-2009-3867.IJ
  Exploit:Java/CVE-2008-5353.QV
  Trojan:Java/Bytverify
  Trojan:Java/Classloader.T
  Trojan:Java/Mugademel.A
  TrojanDownloader:Java/OpenConnection.EM.
21. Re:How? by drcheap · 2010-10-18 11:32 · Score: 1
  
  Platform independent security holes...sweet.
22. Re:How? by hydrofix · 2010-10-18 11:34 · Score: 1
  
  You're Preaching to the Choir bucko but it's gotten to the point that NoScript goes onto every system I put Firefox on simply because of the various problems we've seen with J-Script and Java in general over the years.
  Appears as if the Choir was less-educated, at least judging by how many people believed that NoScript only blocks JavaScript.
23. Re:How? by TheLink · 2010-10-18 12:13 · Score: 1
  
  Java ad with malware caused a buffer overflow condition (which was caught by McAfee) in JRE v11. Then it snuck in a malware executable (which was caught by McAfee) . Which then signaled other malware that I was open for business.
  Uh. How the heck can it signal other malware if it was really caught by McAfee?
  --
  
  Too many replies beneath your current threshold
24. Re:How? by petermgreen · 2010-10-18 12:17 · Score: 1
  
  Even if I had Java applets enabled (which I don't) on my Linux desktop then all this would provide would be a remote non-admin/non-root exploit.
  meh for several reasons
  Firstly on most desktop boxes even those running linux most important stuff happens under one user account. Pwn that account and you can do a lot of damage.
  Secondly if you pwn a user account it's possible to modify that users menus and command line environment so that next time they do something that requires root privileges they give them to you as well as to the program they intended to give them to.
  Finally while they may have been less local root holes on linux than on windows they do still pop up from time to time. Lie low for a while and you can probably get root eventually if you really want it.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
25. Re:How? by interkin3tic · 2010-10-18 12:20 · Score: 1
  
  I agree, I am annoyed by always showing the donation page during it's very frequent updates
  Somewhat off topic, but I've been wondering for a while what all those updates are for. I'm guessing that disabling javascript is not like an on/off switch?
26. Re:How? by John+Hasler · 2010-10-18 12:24 · Score: 1
  
  I strongly suspect that the exploits try to inject platform-dependent malware, though.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
27. Re:How? by zippthorne · 2010-10-18 13:15 · Score: 1
  
  I blame Minecraft.
  
  --
  Can you be Even More Awesome?!
28. Re:How? by jonwil · 2010-10-18 14:03 · Score: 1
  
  Have these been fixed on OSX yet? If not, even more reason for Oracle to take back control of Java on OSX from Apple (who dont seem to care about Java anymore)
29. Re:How? by PinkyGigglebrain · 2010-10-18 15:56 · Score: 1
  
  This makes me all the more glade I donated to NoScript yesterday.
  
  Come on people, if you use it donate, show your support! Same goes for all the other app.s or plugins we all use.
  
  _
30. Re:How? by camperslo · 2010-10-18 16:32 · Score: 1
  
  It's a great utility, but it is odd that it only offers to block web bugs (a.k.a. clear GIFs, web beacons etc) on untrusted sites. I'd think people would like the option to block those all the time.
31. Re:How? by camperslo · 2010-10-18 16:42 · Score: 1
  
  After further research. It appears that Oracle/Sun latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.
  I wonder what the situation is like on phones using JAVA...
32. Re:How? by spongman · 2010-10-18 16:50 · Score: 1
  
  write once, hack everywhere.
33. Re:How? by SamiKoivu · 2010-10-18 16:51 · Score: 1
  
  Yes, the name of the vulnerable class is RMIConnectionImpl, but to exploit it no connections are necessary. It's a local sandbox-escape/privilege escalation for Java applets, basically.
34. Re:How? by amorsen · 2010-10-18 18:12 · Score: 1
  
  Except those of us forced to run Oracle Java because Java programmers are universally clueless and so the online banking applet doesn't work in OpenJDK. First you need to build the RPM yourself because JRE 1.6.0 STILL isn't free software (or accept the prebuilt pseudo-RPM which craps all over the system), and after that there are no more automatic updates.
  Just to REALLY make sure that you might not accidentally lose out at the chance of some malware, Oracle Java also needs stack execution protection turned off in Firefox.
  
  --
  Finally! A year of moderation! Ready for 2019?
35. Re:How? by Vectormatic · 2010-10-18 19:24 · Score: 1
  
  which is bat-shit annoying compared to the centralized update mechanism in most linux distros.
  Not to mention the sneaky attempts to also install openoffice or a google toolbar along with the update..
  (honestly, i liked sun, but their update shens became a bit rude. Knowing oracle though, the next java update will come with a mandatory install of some oracle enterprise product, followed by a license key bill for every single cpu core in your system)
  
  --
  People, what a bunch of bastards
36. Re:How? by Vectormatic · 2010-10-18 19:26 · Score: 1
  
  just started a java update (you know, wouldnt want to get my work machine compromised), and what do you know? oracle wants me to install the Bing toolbar for internet explorer..
  Since when does MS need lackies like elison to install their crappy toolbars?
  
  --
  People, what a bunch of bastards
37. Re:How? by rolfc · 2010-10-18 19:48 · Score: 1
  
  Well, if you do apt-get update now, you will see it.
38. Re:How? by muntis · 2010-10-18 22:45 · Score: 1
  
  Yes, who does not hate all these windows update services, for java, for chrome, adobe. When computer starts to slow down, especially for win xp, first thing I do is to look up all these quickstarts and updates and turn them of through msconfig.
39. Re:How? by Tteddo · 2010-10-19 01:08 · Score: 1
  
  If you are in Vista or 7, find the executable for the java control panel applet and right click to "Run As Administrator". Then what you change will stick.
40. Re:How? by adisakp · 2010-10-19 04:01 · Score: 1
  
  If you've updated OSX, yes you are fixed. If you have updated Java on a PC you are fixed as well.
  
  The vulnerabilities lie on un-updated machines. If we consider a magical world of only properly updated machines, the problem doesn't exist on Windows either.
41. Re:How? by WuphonsReach · 2010-10-19 04:03 · Score: 2, Insightful
  
  After further research. It appears that Oracle/Sun latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.
  
  Probably because the Java updater is a piece of garbage that constantly tries to get you to install toolbars from Bing! or Yahoo! or whoever else is attempting to line their pockets this month.
  
  An update tool should not attempt to install additional software.
  
  --
  Wolde you bothe eate your cake, and have your cake?
42. Re:How? by adisakp · 2010-10-19 04:03 · Score: 1
  
  Just realized the above post sounds a bit snide... but saying a problem doesn't exist on updated machines is a lot different from saying a problem doesn't exist. Unfortunately many users don't update... they might not know how, they might choose not to, or their updater might be broken (happens in Windows alot).
43. Re:How? by Bill_the_Engineer · 2010-10-19 08:08 · Score: 1
  
  The key difference between Java on Windows and Java on OS X is that Apple includes Java as part of their OS. It is updated with the rest of their OS.
  Of course Apple is slower than Oracle about getting the latest language features out the door, but they are pretty reliable (not perfect) with security updates for the versions already released.
  Linux has the same advantage since most people use the package manager to install Java and it's updated as soon as the update reaches the repositories.
  Since Java is not part of the Windows update, Oracle relies on their own software updater. Unfortunately, they take the opportunity to use it to push other software which causes most people to disable the updater resulting in all these exploitable machines.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
44. Re:How? by drcheap · 2010-10-21 04:58 · Score: 1
  
  I strongly suspect that the exploits try to inject platform-dependent malware, though.
  Nah they write the malware in Java, too ;)
Nervous by Konster · 2010-10-18 08:10 · Score: 4, Funny

Seeing Oracle and Java all in the same sentence gives me a nervous tick...the same nervous tick that I developed when I read MS was in talks to acquire Adobe.
1. Re:Nervous by MrEricSir · 2010-10-18 08:25 · Score: 4, Funny
  
  Just wait until you hear the news that Larry Ellison is buying Linus Torvalds.
  
  --
  There's no -1 for "I don't get it."
2. Re:Nervous by Dystopian+Rebel · 2010-10-18 08:50 · Score: 1
  
  Seeing Oracle and Java all in the same sentence gives me a nervous tick
  Well, seeing Oracle and "Eleonore, Crimepack and SEO Sploit Pack" in the same paragraph makes me nervous.
  When Ellison's raiders see a money-making opportunity, they go for it.
  
  --
  Rich And Stupid is not so bad as Working For Rich And Stupid.
3. Re:Nervous by julesh · 2010-10-18 10:05 · Score: 1
  
  Just wait until you hear the news that Larry Ellison is buying Linus Torvalds.
  "Linux, I am your father."
  "NOOOOOO!!!!!"
4. Re:Nervous by kholburn · 2010-10-18 12:22 · Score: 1
  
  Seeing Oracle and Java all in the same sentence gives me a nervous tick...the same nervous tick that I developed when I read MS was in talks to acquire Adobe.
  Seeing Microsoft advising about security gives me that kind of nervousness. Especially when they are pointing the finger at someone else.
  Let's see, Java runs on lots of platforms. Has it the same vulnerabilities on them? So we should all uninstall java and depend on Active-X? Which is now secure?
Patches have been available for a long time by adisakp · 2010-10-18 08:11 · Score: 3, Insightful

FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.
So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.
1. Re:Patches have been available for a long time by lgw · 2010-10-18 08:16 · Score: 4, Insightful
  
  I've run out of space in my head for all the different tools I need to seperately manage updates for.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
2. Re:Patches have been available for a long time by MozeeToby · 2010-10-18 08:16 · Score: 4, Interesting
  
  For reasons I have never been able to figure out, Java has significant issues auto updating on all my home Windows computers (XP, Vista, and 7). Sure enough, just last week I had to spend a night sanitizing one of the systems, for now I've uninstalled Java until I have the chance to figure out just what the problem is but honestly not having it hasn't been a problem so I'll probably just leave it off until I find something that actually requires it.
3. Re:Patches have been available for a long time by Florian+Weimer · 2010-10-18 08:19 · Score: 4, Interesting
  
  Java updates contain unrelated bugfixes and functionality, breaking applications. They are far from being minimal updates. Back in the Sun days, this was addressed by enabling parallel installation of many JVM versions. It was even possible for web content to request a specific JVM version, which means that you actually had to update to a newer version and delete all the old versions. I'm not complete sure that this part has actually been addressed. It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).
4. Re:Patches have been available for a long time by Anonymous Coward · 2010-10-18 08:27 · Score: 5, Funny
  
  I've run out of space in my head for all the different tools I need to seperately manage updates for.
  Sounds like you need a computer.
5. Re:Patches have been available for a long time by wjousts · 2010-10-18 08:32 · Score: 1
  
  The only virus I ever got was on my wife's laptop and it appeared to come in through Java. She was sick of being constantly nagged to update Java anyway, so I removed Java completely. I had to nuke her account to completely clean it.
6. Re:Patches have been available for a long time by ADRA · 2010-10-18 08:33 · Score: 3, Insightful
  
  Java web start allows a developer to specify an exact version of the JVM to run. If that JVM doesn't exist, it could be downloaded from Oracle through the web start installation process. I'm not sure if you can specify flaw enabled versions of the JVM anymore, but at least there are dialogs and choices to make before the JVM gets installed anyways, so a naked web site can't just inject a bad JVM into your system based on an exploit web start file. The same goes for applets these days, as applets and web start start merging into some sort of common entity.
  That said, there are a lot of 3rd party vendors that have installed JVM's over things, and set environment variables that break other things over the years (Oracle DB client I'm looking at you!) that can cause all sorts of compatibility problems.
  
  --
  Bye!
7. Re:Patches have been available for a long time by Anonymous Coward · 2010-10-18 08:35 · Score: 1, Interesting
  
  The best solution then is to leave it uninstalled permanently. I mean really what do you need it for on a home machine? It's not like there are any apps that need it.
8. Re:Patches have been available for a long time by Darkness404 · 2010-10-18 08:35 · Score: 2, Insightful
  
  Exactly. Java has become a massive security hole with exploits left and right with fewer and fewer things that use it.
  
  Plus, the patch wants you to install a massive amount of crapware in order to patch your system.
  
  --
  Taxation is legalized theft, no more, no less.
9. Re:Patches have been available for a long time by coredog64 · 2010-10-18 08:37 · Score: 1
  
  If you still need 1.4 or 1.5, you can get support but it's going to cost you. I've got an install of JDK 6u11 in parallel with newer versions because of a Swing change that broke some Sun/NetBeans tooling. IIRC, 6u17 was another game changer.
10. Re:Patches have been available for a long time by tuffy · 2010-10-18 08:40 · Score: 2, Insightful
  
  "Write Once, Run on a Very Specific Virtual Machine Version Which We'll Download For You Automatically" doesn't sound quite so appealing.
  
  --
  Ita erat quando hic adveni.
11. Re:Patches have been available for a long time by mspohr · 2010-10-18 08:56 · Score: 1
  
  Linux and Mac use repositories which manage updates for the system and all applications. Automatic. No space in the head required.
  
  --
  I don't read your sig. Why are you reading mine?
12. Re:Patches have been available for a long time by abigor · 2010-10-18 08:57 · Score: 1
  
  You can always tell the people that don't work in "the biz" when they make comments like the parent's.
13. Re:Patches have been available for a long time by ADRA · 2010-10-18 09:01 · Score: 4, Informative
  
  There are maybe 3 major versions of Java still in somewhat standard use: 1.4, 1.5, and 1.6. Unless the application in question has some very specific quirks, users should always be able to use the latest and greatest version of 1.6 to run them. The allowance for using older versions of the platform is a feature, not a hindrance.
  It means that if I want to use "BadSoftwareCompany"'s piece of java software, I'm not confined with downloading and breaking my host's latest version of the java if their code only works with 1.4 or 1.5. If I didn't have the feature, I just couldn't use the software without a huge head-ache. To assume that every version of every software will work forever is delusional, but at least there are facilities to support the older tech.
  
  --
  Bye!
14. Re:Patches have been available for a long time by vlm · 2010-10-18 09:09 · Score: 4, Interesting
  
  He seemed pretty accurate other than some exaggeration. If you want to see a "Massive amount of crapware" buy a PC from a big box store, not "java tried to install the yahoo toolbar boo hoo".
  The funniest Java related thing I've seen, is amongst the non-computer cow orkers "Oh man, another java program, that thing is gonna be slow and take IT forever to install (actually they mean the JVM) and crash all the time". Computer people have known that for over a decade now, the funny part is hearing non computer people start to complain.
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
15. Re:Patches have been available for a long time by tlhIngan · 2010-10-18 09:11 · Score: 1
  
  It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).
  Including, surprisingly, Android.
  OpenJDK 1.6 works with Android, but if you want to use the official one they recommend, you have to use 1.5 (Java 5) because of some oddball parser issues in official Oracle JDK 1.6.
  So one's choices are ot use the unsupported OpenJDK 1.6 with Android, or the unsupported (but Android-supported) JDK 1.5. Bleh.
  I hope Android 3.0 fixes this. This is an issue on Ubuntu 10.04 and onwards, as JDK 1.5 is no longer in the repository and you have to do some hacks to get 9.x JDK 1.5 in...
  http://source.android.com/source/download.html
16. Re:Patches have been available for a long time by jmpeace · 2010-10-18 09:14 · Score: 1
  
  apt-get upgrade
17. Re:Patches have been available for a long time by Ant+P. · 2010-10-18 09:22 · Score: 5, Funny
  
  I guess Windows isn't ready for the desktop.
18. Re:Patches have been available for a long time by lgw · 2010-10-18 09:30 · Score: 3, Informative
  
  All it needs is to allow me to manage a list of repositories that I trust (one centrally managed repository won't fly in the commercial world, but it doesn't have to be that way). It's a small addition - maybe next year will be the year of Windows on the desktop!
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
19. Re:Patches have been available for a long time by blackest_k · 2010-10-18 09:57 · Score: 2, Informative
  
  Usually that is the case but
  https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/659937
  The current version appears to be vulnerable. you can manually update or use the ppa
  sudo add-apt-repository ppa:duh/sun-java6
  and then the usual update upgrade
  when the official packaging comes out it should overwrite the ppa version.
  
  --
  Blarney Quality Restaurant, Plants
20. Re:Patches have been available for a long time by scdeimos · 2010-10-18 10:02 · Score: 1
  
  So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.
  Even patched machines are vulnerable as well, at least on Windows (don't know if it does this on other OSs). Java updates on Windows do not uninstall previous versions of Java, they just add a new one.
  Since Java apps can request specific versions of the JRE to run in, even patched machines are vulnerable until the user/admin Uninstalls the previous versions.
21. Re:Patches have been available for a long time by lazyforker · 2010-10-18 10:44 · Score: 1
  
  There's an app for that, probably.
22. Re:Patches have been available for a long time by Altanar · 2010-10-18 11:20 · Score: 1
  
  My machine was auto-updated to JRE 1.6.0 Update 21 (the newest available on October 3) when it was infected with three different Java trojans and a downloader using two different Java exploits. Perhaps Java is a buggy piece of shit that should be uninstalled immediately.
23. Re:Patches have been available for a long time by TheRaven64 · 2010-10-18 11:21 · Score: 1
  
  Two or three java vulnerabilities ago, I disabled the Java plugin in my browser. Last vulnerability, I went to disable it again, only to discover that I never got around to reenabling it because I never came across a site with a Java applet in it. I presume there are still some out there, but I've not seen any for a very long time.
  
  --
  I am TheRaven on Soylent News
24. Re:Patches have been available for a long time by John+Hasler · 2010-10-18 12:30 · Score: 1
  
  I've never run across a site that required Java (which I've always had disabled in Fireofox). I do have Java installed so that I can run applications that use it, but why should I enable it in my browser?
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
25. Re:Patches have been available for a long time by jrumney · 2010-10-18 12:33 · Score: 1
  
  I suspect part of the problem is that Sun introduced a way for a web page to request a specific version of Java in the OBJECT tag due to developers being uneasy about the possibility of their applet being run on a version of Java they hadn't tested with. Additionally, when you upgrade Java, it installs the new version alongside the older installs, so the old versions are still there to be exploited.
26. Re:Patches have been available for a long time by shutdown+-p+now · 2010-10-18 13:47 · Score: 1
  
  In some cases, Java/JVM design itself lends to problems with versioning. For example, since all methods are virtual (in Simula/C++ sense of the word) by default, and any method with a matching name and signature in a derived class will override one in the base class, any addition of a new non-sealed non-private/package method to a non-sealed non-private/package class is potentially a breaking change. It's a rare thing to run into in practice, but due to the sheer amount of Java code out there, it's not impossible.
  Note that @Override doesn't help here - it helps to make sure that your method does indeed override what you intend it to, but there's no way to ensure that your method does not override anything accidentally.
27. Re:Patches have been available for a long time by metrix007 · 2010-10-18 15:58 · Score: 1
  
  Fuck that, repositories are a step backwards. There is a reason only a few distros use them.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
28. Re:Patches have been available for a long time by TheRaven64 · 2010-10-18 20:20 · Score: 1
  
  You're confusing the language and the platform. There are several implementations of Java-the-language, including Google's Dalvik, Kaffee, IBM's small collection of VMs, and so on. There is only one complete implementation of Java-the-platform, which includes all of the standard class libraries.
  To make an accurate comparison to C, you also need to include things like GUI toolkits. How many independent, complete, implementations are there of GTK? Win32? Or any other C toolkit that you happen to prefer?
  
  --
  I am TheRaven on Soylent News
29. Re:Patches have been available for a long time by hcgpragt · 2010-10-18 23:16 · Score: 1
  
  You dn't have to. There are tools for that.
  The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases. These are then neatly displayed in your browser for you to download.
30. Re:Patches have been available for a long time by blackest_k · 2010-10-19 09:49 · Score: 1
  
  The official update is out now and overwriting the ppa version on my system as I type.
  
  --
  Blarney Quality Restaurant, Plants
31. Re:Patches have been available for a long time by MareLooke · 2010-10-20 23:48 · Score: 1
  
  The funniest thing is that it is no longer true. And hasn't been true since the 1.5 release. Java is no slower than, say, .Net (iirc it's even way faster). I have no idea why this bullshit keeps coming up every time someone mentions Java.
  And crash all the time? Hire better developers.
32. Re:Patches have been available for a long time by drolli · 2010-10-21 04:38 · Score: 1
  
  normally i expect apt-get update take care of it
  under windows the update hint constantly popping up triggers a reflex in my hand to click on it. no thoughts are wasted.
Nerd rage by Anonymous Coward · 2010-10-18 08:12 · Score: 1, Interesting

People are angry at Oracle for screwing Sun so they are writing exploits for revenge.
1. Re:Nerd rage by interkin3tic · 2010-10-18 08:19 · Score: 4, Insightful
  
  Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?
2. Re:Nerd rage by dirtyhippie · 2010-10-18 08:35 · Score: 1
  
  I doubt it, but there is definitely a strong time correlation between the increase of java attacks and oracle's sun acquisition. My guess would be that because Oracle doesn't know how to monetize java (without suing others), attention is shifting away from java and the code is getting a thin film of dust over it.
3. Re:Nerd rage by gtall · 2010-10-18 09:52 · Score: 1
  
  To date, Oracle is only suing Google for creating Near Java, I'm a bit fuzzy about how they feel they are entitled to do this given Google isn't using any Sun tech but then Oracle is probably fuzzy on this point as well. Anyhow, how many organizations are producing Java versions? Why should yer basic Fortune 500 give a rat's ass about Oracle suing for mutant Java implementations when all they doing is using either Oracle's or IBM's version? And IBM just bent over to receive the Uncle Larry's teenie weenie to preserve them from having their license revoked in 2015 when it comes due to renewal. If IBM had any balls, they'd have told Uncle Larry to stick it where the Sun don't shine, remove Oracle IP, and fork the damn thing.
4. Re:Nerd rage by John+Hasler · 2010-10-18 12:39 · Score: 1
  
  To date, Oracle is only suing Google for creating Near Java, I'm a bit fuzzy about how they feel they are entitled to do this given Google isn't using any Sun tech...
  Patents.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
5. Re:Nerd rage by gtall · 2010-10-18 21:57 · Score: 1
  
  Google's version was clean room, you cannot patent ideas, only implementations.
6. Re:Nerd rage by Richard_at_work · 2010-10-18 22:32 · Score: 1
  
  Clean room implementations defeat copyright, not patents...
Great by rakuen · 2010-10-18 08:22 · Score: 1

So now not only are PDFs and Java processing landmines, they're now viral landmines as well.
Oracle just put me in a rough spot by Anonymous Coward · 2010-10-18 08:22 · Score: 2, Interesting

This creates a huge issue for the company I provide support for. We have so far not updated beyond 6u20. That is the last version of the JVM to carry the "Sun Microsystems" label instead of something referencing Oracle.
Some divisions of this company (and I would assume others as well) still run apps that seem to be incompatible with anything above 6u20 for this reason. Oracle's poor stewardship toward the Java platform has lead to a situation where we will have to make a decision on a per workstation basis whether to lose access to some important applications, or remain vulnerable to Java exploits for an unknown and possibly indefinite period of time.
1. Re:Oracle just put me in a rough spot by pwagland · 2010-10-18 19:55 · Score: 1
  
  The grandparent probably has customers using Eclipse, the only program that I know of to have the problem, there may well be others, but they are not in as wide-spread use.
  However, Oracle has already fixed that problem, so the GP is just trolling.
  http://ianskerrett.wordpress.com/2010/07/29/oracle-demostrates-great-community-support-and-fixes-eclipse/
  http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6969236
  http://bewarethepenguin.blogspot.com/2010/07/tip-of-hat-to-oracle.html
Patch bloat by edxwelch · 2010-10-18 08:23 · Score: 5, Interesting

What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
1. Re:Patch bloat by TubeSteak · 2010-10-18 09:01 · Score: 4, Informative
  
  What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
  If you update through the java control panel, it definitely does not grab the entire 77MB package + toolbar.
  
  --
  [Fuck Beta]
  o0t!
2. Re:Patch bloat by _xeno_ · 2010-10-18 09:37 · Score: 2, Informative
  
  Last I checked, that just updated the JRE - the only way to update the JDK was to pull a complete new copy.
  
  --
  You are in a maze of twisty little relative jumps, all alike.
3. Re:Patch bloat by bill_mcgonigle · 2010-10-18 10:35 · Score: 1
  
  What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
  
  chkconfig yum-cron on
  
  Presto will handle the deltarpms.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
4. Re:Patch bloat by poor_boi · 2010-10-18 12:07 · Score: 1
  
  If you download Java (JRE or JDK) via the developer site, the installer doesn't have any toolbars or crapware embedded in it. Only the java.com-hosted installer has a toolbar "offer" during install. This is why I always download from java.sun.com (I suppose now it's http://www.oracle.com/technetwork/java/javase/downloads/index.html).
5. Re:Patch bloat by interkin3tic · 2010-10-18 12:27 · Score: 1
  
  You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
  77mb!?! Well, that pretty much fills up MY entire hard drive.
6. Re:Patch bloat by edxwelch · 2010-10-18 12:52 · Score: 1
  
  that's how I updated.... ah, I not sure about the file size, but it definately tried to install the yahoo toolbar
7. Re:Patch bloat by zippthorne · 2010-10-18 13:19 · Score: 1
  
  You shouldn't need the JDK just to run some random java app. Something is very wrong here.
  
  --
  Can you be Even More Awesome?!
8. Re:Patch bloat by _xeno_ · 2010-10-18 16:14 · Score: 2, Informative
  
  Quite a few people who post on Slashdot are developers. I happen to be employed to write Java webapps. To do this, I need the JDK.
  If you're doing the full 77MB download, you're grabbing the JDK. As I posted, as far as I know, Sun never offered patches for the JDK: your only choice was to redownload the entire thing. Oracle appears to be continuing that practice.
  If all you're using is the JRE, the download is much smaller (16MB versus 77MB) and it should be able to automatically update via patches.
  However for quite a few Slashdot posters, the JRE is not an option, and we're stuck downloading the entire JDK. Every. Single. Freaking. Time. It's a bit annoying, especially seeing as some 20+MB are just documentation and examples that rarely change between updates.
  
  --
  You are in a maze of twisty little relative jumps, all alike.
9. Re:Patch bloat by dotNetProgrammer · 2010-10-19 02:51 · Score: 1
  
  I just installed a java update this morning - and the real eyebrow raiser was that it wanted to install the BING toolbar...
This article speaks the truth by gman003 · 2010-10-18 08:24 · Score: 5, Funny

I'm still in the process of repairing my Windows system after a Java-transmitted virus. A hacked website was sending out malware to visitors via Java applet, and the only solution I found was a format/reinstall. Since then, I've disabled Java on all my machines; the only things I've seen it used for are crappy browser games and malware.
1. Re:This article speaks the truth by davecason · 2010-10-19 15:55 · Score: 1
  
  Maybe Microsoft can help with a simple change to all their browsers: before an add-on is engaged, have an "are you sure" window. Or add an always off management option for snap-ins with related management utilities. Even better, like drivers, maintain awareness of major add-ins and what is ok, then go to always off on any version with a known exploit. More impressive would be to simply be aware of the exploit. Simple: look for Java, or any other add-in, downloading something that either has an executable magic byte or a magic byte mismatch to file extension or a broken magic byte.
Re:Stuck on old versions by leenks · 2010-10-18 08:25 · Score: 1

So fix your broken government department's IT policy.
Re:JVM on Windows? by jgagnon · 2010-10-18 08:25 · Score: 1

Yeah, because nobody ever runs Java applets on Windows...

--
Remember to maintain your supply of /facepalm oil to prevent chafing.
Re:JVM on Windows? by MrEricSir · 2010-10-18 08:28 · Score: 4, Funny

Yeah, they should have used ActiveX, right?

--
There's no -1 for "I don't get it."
Re:JVM on Windows? by Anonymous Coward · 2010-10-18 08:33 · Score: 1, Insightful

You are missing the point. If you are distributing a JVM to run your application, chances are you are only running your code, and you are doing so outside a sandbox.
Untrusted Java code is typically run either as a web browser applet, or as a Java web start application. Typical scenerio: User visits bad web page (or sees a bad ad) with a Java applet. It loads, exploits a vulnerability in the Java sandbox, and executes its code. Applets are in the browsers code domain, so it is possible that the web browser may catch that. Java web start is a bit tricker to get the user to start up, but it executes in its own domain.
Many of the vulnerabilities seem to be tied to deserialization, which is not surprising, given that Java deserializes objects using reflection and magic to set fields and bypass execution of the constructor. The approach makes it easier to write serializable objects, but makes it harder to check everything.
Nice try by turgid · 2010-10-18 08:33 · Score: 1

+1 Funny (very bad attempt at trolling).

--
Stick Men
1. Re:Nice try by julesh · 2010-10-18 08:45 · Score: 1
  
  Not sure why you think this is a troll. I, too, have recently had a massive malware infection through a Java applet. I did manage to sort it out via an antivirus program, but it took over 3 days for it to clean all 375,000 infected files from my system. It would have been faster to reinstall.
2. Re:Nice try by MozeeToby · 2010-10-18 08:56 · Score: 1
  
  I don't see that as trolling, the only reason my recent Java delivered infection wasn't orders of magnitude worse is because Avira contained the problem before it got out of hand. Yes, I suppose I should be angry that Avira let it get as far as it did (the initial infection was running and Avira couldn't stop or remove it), but I'm grateful that the 20+ infections that the first one tried to spawn weren't able to run. Even still it was a night's work.
  Reboot to a live CD, run a scan and remove/repair infected files, search the registry for the infected file names and remove if appropriate, reboot to Windows safe mode and scan again (trying to find anything running), reboot to regular mode, then back to the live CD for another scan (in case something came back when Windows rebooted).
  Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.
3. Re:Nice try by Pieroxy · 2010-10-18 09:06 · Score: 1
  
  Dude, stop it! I'm laughiong my ass off !!!!
  
  --
  Write boring code, not shiny code!
4. Re:Nice try by turgid · 2010-10-18 09:23 · Score: 3, Informative
  
  Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.
  Me neither. I switched to Linux in 1996.
  
  --
  Stick Men
5. Re:Nice try by cortana · 2010-10-18 10:19 · Score: 1
  
  Reinstall.
6. Re:Nice try by LordLimecat · 2010-10-18 10:35 · Score: 1
  Checklist for when you experience an infection?
  
  Nuke the MBR (recovery console, or linux's ms-sys)
  nuke any random exes in %appdata% or %appdata\randomdigits\, etc
  Inspect the autoruns list with Sysinternals' autoruns
  Check the system for a rootkit with GMER
  If this is personal use (as opposed to commercial / business), run Combofix (google it, they dont seem to like direct links)
  If you have a capable AV (like avast), a boot-time scan is helpful
  Additionally, if you know the specific virus, there are specific removal tools that are remarkably effective; I would nevertheless run the steps above to verify the computer is clean. If you see any evidence that your repairs are being undone, you may need to break out a live-boot linux disk, or hose the entire OS-- dont forget to nuke the MBR if you do a clean install, and to sanitize any connected USB drives.
7. Re:Nice try by LordLimecat · 2010-10-18 10:37 · Score: 1
  
  Which is great, because I hear that the detection and removal tools are quite modern on Linux-- certainly you dont intend to claim that Linux is actually immune to trojans?
  
  For its flaws, the removal tools in XP are phenomenal, and with combofix, rootkits become a minor annoyance.
8. Re:Nice try by marcello_dl · 2010-10-18 11:30 · Score: 1
  
  And linux lacks a registry cleaner utility too. You might wonder why.
  Really, should I even bother to look for removal tools when reinstalling aptosid from a usb live stick takes 4 minutes and gives me much more assurance that the system is clean? A dpkg get/setselections restores all other stuff I had installed and good luck for the malware to hide in the few text config file in /etc that I need to restore before being up and running again.
  All of this is not linux gurus stuff it's in the installation manual of debian which i read sometime around 2002.
  
  --
  ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
9. Re:Nice try by vlueboy · 2010-10-18 12:10 · Score: 1
  
  If you have a low-key organization but a VIP machine where reinstalling is heavily punished, read along. Unless your spyware used Group policy lockouts preventing "Run", cmd.exe, taskmgr, regedit and system restore for even your admin accounts. I don't get why paywalled MS Group Policy into XP Pro, but left it present enough that spyware can 0wn your non-domain Home machines. Stop and reinstall anyway if you do see the above issues.
  Create a new passworded admin account just in case your next boot automagically reinstalls the spyware --The root "Administrator" can be hard to log in as beyond safe mode, and some spyware auto-hoses only the original account, which you can contemplate nuking (copy your pics, docs, bookmarks and browser profiles first.)
  Get processxp and Install/Run Avast but don't heal anything till the very end. Just check for anything it detects. AVs tend to partially uninstall stuff and I prefer spybot.
  Run spybotsd + update to the latest file
  TaskMGR or processXP and try to kill odd or randomized process names. ProcessXP can show DLLs and let you pause / kill them temporarily without killing your explorer shell. Note if there's respawning through a helper process and try to flash-kill both at once.
  ---------------------
  Reboot in Safemode. If the spyware corrupted that, just reinstall.
  Try system restore. Fails 50/50 for me on most disaster moments, but can save you the hassle of gioing through the below recovery steps...
  Run SpybotSD (every year or so you need to redownload from their site and do a new full reinstall to get their updated engines)
  1) reimmunize
  2) clean BHO and ActiveX (lol, killing Java and adobe's doubius bits if I can)
  3) Check process list and startup lists for more rand exes in temp folders.
  4) Run a thorough check (all afternoon, check back every hour to OK any obscure file access errors). Checks last from 2 hours to about 4 depending on whether you updated your detection
  5) While that happens, keep going below
  Check the LSP [winsock extensions] section for weird injected stuff -if you have more than about 20, use their reset button. WinTCPfix might help if you are having internet problems.
  Check your firewall for opened ports, especially with Windows Live Remote Desktop (some name to that effect) sharing newly enabled.
  Check IE, Firefox and Opera for proxy settings redirecting your web traffic to local sniffers. If you find this or te firewall changes, you should reinstall because someone's watching you closely and might have other hooks in your OS.
  Clean the (legacy) Startup folder for yor Start Menu and the one under the "All users" Folder
  Check registry for startup programs in your account. If you have the time, repeat for the .DEFAULT profile regkey
  Check the services.msc list --some sneaky processes lacking "company info" show you a path to a temp folder or Windowd \ System32
  Sort windows\system32 by date to see if any exes, bat files or dlls have download dates you don't remember having "caused." Might wanna move manually (safe mode, usually) and/or rename exe to "bad" in case the file has some "critical function" for your shell thanks to the spyware injecting itself. I haven't had a virus like that in years. The most you'll see is "such and such exe file could not be found on the next boot." If you know the exact date and time of infection, do a C:\ search for that date on *.* and include system, hidden and all other stuff. You'll get some folders / program names that can be googled from another PC for gravity of infection and steps to counter.
  If spybot is finished scanning, Fix the "problems," and reboot to gauge the effectiveness
  Some sneaky spyware doesn't die unless you also install and run adaware or waste anoter hour with updating and sweeping w/ MSAntispyware.
  Reboot a few times and recheck process lists. Rerun Spybot to ensure stuff was removed.
10. Re:Nice try by poor_boi · 2010-10-18 12:10 · Score: 1
  
  If you don't want to reinstall (you really should) then at least run Malware Bytes in addition to a full system scan with your usual A-V software.
11. Re:Nice try by zippthorne · 2010-10-18 13:28 · Score: 1
  
  Of course linux is going to have decent detection and removal tools.
  A linux live CD is most geeks' first choice when it comes to removing viruses and trojans from their windows boxes...
  Seriously, though why go on a block by block hunting trip when you can do a clean wipe, scan your data from optical media, and re-install? You're not saving any time, you know.
  
  --
  Can you be Even More Awesome?!
12. Re:Nice try by gman003 · 2010-10-18 13:37 · Score: 1
  
  Unfortunately, Linux isn't the best OS for everything. It works great for servers - I use it for that with very few problems. It works as a desktop, if all you need is OpenOffice and a web browser, and aren't a complete newb. However, gaming performance on Linux is terrible and complex, and as a gamer I find it best to use Windows for gaming (and as a normal office PC as well, simply because it's there).
  
  Linux is a tool - it works well for what it's designed for, but trying to use it for something it isn't designed for is like using a hammer to remove screws - it may work eventually, but it's a lot quicker and a lot easier to just use a screwdriver.
13. Re:Nice try by gman003 · 2010-10-18 13:39 · Score: 1
  
  Still doesn't catch everything. The one I had, for instance, went undetected by AVG, Microsoft Defender, and MalwareBytes.
  
  But it can't hide from fdisk.
14. Re:Nice try by codepunk · 2010-10-18 16:11 · Score: 1
  
  Oh is that all you got to do? How about not running windows in the first place and it can be reduce to a single step.
  1. Boot OS and get your shit done.
  
  --
  
  Got Code?
Re:JVM on Windows? by big+dumb+dog · 2010-10-18 08:55 · Score: 1

Anyone who would deploy a JVMs on windows instead of Linux is probably writing crap code in the first place.
I can't believe someone Trolled me...

--
"Seven years of college down the drain. Might as well join the f-ing Peace Corps." - John 'Bluto' Blutarsky
Re:So... by meloneg · 2010-10-18 08:58 · Score: 1

But Lynx lacks that little button with "Allow scripts..." pop-up menu.
Java Vulnerabilities Patched in 1.6.0_22 by bughunter · 2010-10-18 09:03 · Score: 1

You don't have to be vulnerable. The listed exploits were patched in Update 22, last spring.
Update available here.
DoublePlusKarmaWhoreGoodness: For best protection, run a Mozilla browser with the NoScript add-on. (AdBlockPlus and RemoveItPermanently make great complements to NoScript, too.)

--
I can see the fnords!
1. Re:Java Vulnerabilities Patched in 1.6.0_22 by ee2go · 2010-10-18 09:59 · Score: 1
  
  Note that Ubuntu Partners repository is still at update 21. You have to update manually to 22 right now. I found this information helpful in doing this: http://sites.google.com/site/easylinuxtipsproject/java
2. Re:Java Vulnerabilities Patched in 1.6.0_22 by Altanar · 2010-10-18 11:28 · Score: 1
  
  Update 22 came out last week.
3. Re:Java Vulnerabilities Patched in 1.6.0_22 by pwagland · 2010-10-18 19:58 · Score: 1
  
  Update 21, which fixes some, and possibly these, vulnerabilities was released in July, Update 22 however was released last week.
MS and Adobe to join? by cyberjock1980 · 2010-10-18 09:14 · Score: 1

Since MS has posted this list of exploits that were fixed on Update 22(last spring!) is it safe to assume that Microsoft is simply trying to redirect people who complain about Adobe's security vulnerabilities to look at Java with bigger contempt so Microsoft can buy Adobe and still claim that their software is the most secure?
Seems a bit odd to me that Microsoft would be trying to improve Adobe's image when they need to be looking at their own. Perhaps they ARE looking at their own image because Adobe will soon be a part of Microsoft.
1. Re:MS and Adobe to join? by gtall · 2010-10-18 09:58 · Score: 1
  
  I doubt it has anything to do with Adobe. It is probably simply yet another MS screwup that was reported to upper management as an Java insecurity and their marketing machine took over.
disable java in browser? by F�an�ro · 2010-10-18 09:18 · Score: 1

Is there a way to disable java across all browsers, but keep it installed for other software like openoffice?
I.e. block all applet functionality, but still allow local java code to run?
That would make maintaining friend's pcs a lot easier. They never update on time, and when they do, I always have to remove a new bundled browser toolbar again.
1. Re:disable java in browser? by LordLimecat · 2010-10-18 10:38 · Score: 1
  
  Yes. Its in the control panel applet.
2. Re:disable java in browser? by F�an�ro · 2010-10-18 12:37 · Score: 1
  
  Thanks!
  Seems like it only lists settings for IE and firefox, not chrome or opera, but it's a start.
Java applets require authorization by SplashMyBandit · 2010-10-18 09:19 · Score: 2, Interesting

If the infections were coming via Java Applets then it becomes pertinent to ask how did they get on the machine. Java appplets must be signed to write to the user's hard drive. This means the user was prompted to approve an untrusted certificate and they did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not like applets are without protection to the end user.
1. Re:Java applets require authorization by Tanktalus · 2010-10-18 09:36 · Score: 1
  
  If the infections were coming via Java Applets then it becomes pertinent to ask how did they get on the machine. Java appplets must be signed to write to the user's hard drive. This means the user was prompted to approve an untrusted certificate and they did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not like applets are without protection to the end user.
  Unless, of course, said exploit allowed the bypassing of the certificate requirement.
2. Re:Java applets require authorization by SplashMyBandit · 2010-10-18 12:12 · Score: 1
  
  From the description the exploit appears to be due to a malware applet already downloaded and running in the user's browser.
  
  That still requires certificate acceptance before the applet can run.
  
  If the certificate was signed by the trusted Certification Authority (CA) the user would not see warning - and the CA needs to be notifified so they can revoke the cert).
  
  Of course even with these mechanism the malware applets are still dangerous to the "Click OK, OK, OK until you are done installing crowd".
3. Re:Java applets require authorization by codegen · 2010-10-18 12:54 · Score: 1
  
  Java appplets must be signed to write to the user's hard drive.
  <sigh>I know this is slashdot, but would it hurt to read some details? If you look into it, these are vulnerabilities in the Java VM, allowing the attacker to send arbitrary native code to be executed by the VM. Once you trick the Java VM executing arbitrary native code, you have bypassed any protections provided by the JVM. The JVM security policy only applies to java byte codes, or native code that was produced by translating java byte codes. No signature is needed.
  
  --
  Atlas stands on the earth and carries the celestial sphere on his shoulders.
4. Re:Java applets require authorization by codegen · 2010-10-18 13:12 · Score: 1
  
  No. No. No. A certificate is only needed if you want to use the Java Security Policy to access local resources such as a hard drive. If I write an applet that only displays a bouncing ball in the browser, I don't need to have it signed in order to download and run. If I then exploit a vulnerability in the VM that allows me to execute arbitrary x86 code inside of the VM, then I have full access to the machine (or at least as much access as the account running the browser). No certificate is needed.
  
  --
  Atlas stands on the earth and carries the celestial sphere on his shoulders.
5. Re:Java applets require authorization by SplashMyBandit · 2010-10-18 14:26 · Score: 1
  
  the CVE-2010-0094 exploit was for deserialization of RMIConnectionImpl.
  
  Applets need to be trusted to do RMI over the default RMI ports back to the server serving the applet. Hence, applet signing required at this stage to establish the RMI connection (before any deserialization can occur). If the applet has been accepted then the vulnerability comes into play, and that the privilege to deserialization of RMIConnectionImpl is not checked (this is the flaw), but that is after the connection is established.
  
  The CVE entry stats that the exploit allows system-level *Java* calls to be run, not arbitrary x86 code as you claim (not every JVM runs on x86 dontcha know).
6. Re:Java applets require authorization by SamiKoivu · 2010-10-18 17:06 · Score: 3, Informative
  
  CVE-2010-0094 is a privilege escalation vulnerability in the JVM. The applet does not need to be signed and the user does not need to click OK on any dialog window. Even though the flaw is in an RMI related class, the exploitation does not require RMI privileges. No RMI stuff actually takes place, it just happens that this class is a trusted JVM core class that could in the previous versions of Java be exploited into elevating untrusted applet code privileges, thusly escaping the sandbox. Having escaped the sandbox the Java code can then do whatever it wishes, within the local privileges of the user running the browser process, including native code of the platform it's being run on.
7. Re:Java applets require authorization by SplashMyBandit · 2010-10-18 19:57 · Score: 1
  
  How does the affected class get deserialized? It is not being run (permissions before the exploit prevent it without user interaction) and a copy of RMIConnectionImpl is loaded from the client's machine into their browser. So I'm curious as to how the offending code gets activiated and whether the user bypasses protections or not.
  
  > including native code of the platform it's being run on.
  
  Still needs to load it the same way the native library loader does, with the same privilege as an ordinary user (same as a bad local Java application, so the OS should limit the damage - except maybe on Windows). You also have to know where the particular library is (not too hard on Windows and Mac, harder on Linux due to the differing layout of different flavours). I suppose you could then use a local exploit of the library to get further - again a decent O/S (eg. Linux) will be fortified against user escalation.
8. Re:Java applets require authorization by SamiKoivu · 2010-10-19 00:10 · Score: 1
  
  If you have an applet in a signed jar, the user gets prompted to execute the applet. If the user clicks "Run", the applets gets executed with full permissions. If, on the other hand, the user clicks on "Cancel", the applet gets executed with default applet permissions.
  If you have an applet in an unsigned jar, it gets executed with default applet permissions without any user interaction. This is the case of the vulnerability. The default applet permissions are very limited, but they let you call most of the standard classes of Java, including that RMIConnectionImpl class. RMIConnectionImpl had a flaw, where it did privileged deserialization from an untrusted source and that flaw can be leveraged by an applet to elevate it's privileges. (For more details, see my original advisory).
9. Re:Java applets require authorization by SamiKoivu · 2010-10-19 00:11 · Score: 1
  
  You are correct that the OS limits the damage where configured properly, yes.
10. Re:Java applets require authorization by SplashMyBandit · 2010-10-19 07:14 · Score: 1
  
  Thanks for your explanation (which I already knew, btw) and for your work in raising the advisory.
  
  My understanding was that an applet with default permissions could not make an RMI call to the originating host without a change to security settings (or being signed). I have seen a list of ports that an unprivileged applet can make back to the originating server (port 80 for example) but did not see the RMI port on that list of permitted ports - although there is admittedly conflicting documentation out there on the Interwebz. Perhaps the documentation is wrong? Otherwise a priviledged applet is needed, yeah?
In Other News by Fnord666 · 2010-10-18 09:30 · Score: 1

In other news, Microsoft profits were down somewhat this quarter. Sources at Microsoft cited an increase in overtime expenses as the cause.

--
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Use Only HTML5/JavaScript by smist08 · 2010-10-18 09:33 · Score: 1

I think this speaks to the need to not run plug-ins in the browser. To only HTML/JavaScript. Ie don't allow the PDF plugin, don't allow Flash, don't allow Silverlight, don't allow Java Applets. All of these proprietary plug-ins cause all kinds of security problems. They have proven to be a bad idea. I think Steve Jobs is on the right track banning them from the iPhone/iPad.
Re:Stuck on old versions by JonySuede · 2010-10-18 09:43 · Score: 1

what is so hard about using the 1.5 jre for this particular app and the modern still supported 1.6 jre for the rest of the system ?

--
Jehovah be praised, Oracle was not selected
Re:Stuck on old versions by StoatBringer · 2010-10-18 09:48 · Score: 1

An awful lot of big organisations are terrified of upgrading anything in case things stop working (and of course, nobody wants to be the one who suggested the upgrade if it all goes wrong). I've seen so many places that will not move past IE6 and Java 1.4 because they daren't risk their clunky old systems not working anymore.

--
Cress, cress, lovely lovely cress
jucheck.exe and "Unknown publisher" by ortholattice · 2010-10-18 09:54 · Score: 1

Windows 7 kept nagging me off and on for weeks saying "jucheck.exe" was from an "Unknown Publisher" and asking whether I wanted to let it modify my system. I kept saying "no" because I'd never heard of this program (I don't use Java very often) and didn't have time to research it.
When I finally had some time (and was fed up with the nagging), I typed "jucheck.exe unknown publisher" in Google. I waded my way through the hits warning me that it was probably a virus and that I should do a "free scan" with their anti-virus software (any .exe seems to bring up these scams). After reading some forums, I began to feel that it was probably OK, although I didn't find a crystal clear answer that made me totally confident. I was a little nervous when I finally allowed it to run, but it seemed to install the Java update OK.
I don't know how the "cautious" average user is supposed to deal with this. (Of course, an ordinary average user would just let it run, which is why they get viruses.) Why do they give it such a cryptic name? What's the deal with the "Unknown publisher"?
Re:Stuck on old versions by gtall · 2010-10-18 09:54 · Score: 1

I happen to be in charge of our government IT policy. I will henceforth dictate that all government departments' IT policy be fixed to accomodate Oracle products henceforth. There, howzzat?
Checklist by Caerdwyn · 2010-10-18 09:59 · Score: 1

1. Reformat/reinstall.
If something got by an anti-virus app, and managed an infection, a rootkit is almost certainly one of the first things downloaded by the malware (assuming that the malware is botnet-focused rather than just simple vandalism). The initial infection is almost never the one that carries the payload (the software that the person who deployed the malware really wants to run); the usual sequence is infect--rootkit--get instructions from a website/IRC channel--download payload--wait for instructions to execute payload.
So even if you clean the initial infector, the rootkit may still be there, which your AV software may or may not detect. If not, the downloaded payloads have a good chance of being undetected, in which case they appear as just another service or startup item. Payloads seldom do anything exploitative, in that they're doing ordinary appish things (sending emails, reading files, uploading data, visiting a website or IRC channel), and thus can be difficult to detect just from their behavior.
Therefore, if someone's PC is infected, you don't know what other goodies have been downloaded since the initial infection. Nuke it from orbit,t hat's the only way to be sure.
(boot from a Linux CD, mount your hard drives read-only, back off your data, scan that data, then reinstall your OS and apps including an initial reformat. Anything else and you might miss something.)

--
Everybody gets what the majority deserves.
It's not a surprise by thethibs · 2010-10-18 10:10 · Score: 1

It's not a surprise that there are a lot of unpatched systems out there. Java's stealth-mode installation pretty much guarantees it.
I know what I'm doing. The machine on my desk is one I built myself from parts (won't do that again; these days an off the shelf system costs a great deal less than the sum of its parts). Every bit of software is there because I decided it should be--or so I thought. This post got me curious.
I've never consciously installed or enabled java on this machine and yet, in the java program directory there's a jdk and three jre's.
Jdk?! I haven't done any coding in java in over six years, and not on this machine. Two of the jre's have the same time stamp, the third seems to be the most recent.
Let's look at the control panel--yup, there's a java icon. Bring up the dialog and auto update is not enabled. So I have an old version of the jre, an older version of the jdk, and no idea why they're there.
I'm supposed to know they should be patched?

--
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
PLEASE mod parent up by bagofbeans · 2010-10-18 10:16 · Score: 1

..laughed my cotton socks off. Thanks.
The Java Automatic Updater is annoying by GWBasic · 2010-10-18 10:38 · Score: 1

The reason why Java's never updated is that it's automatic updater is annoying. It always shows up as soon as a boot up my computer, and then tells me I need to reboot. Now, given that normal people like to USE their computers; and given that many corporate computers take forever to boot up, something like this is going to remain ignored. Just think, after waiting 5+ minutes while my computer boots up, do you think I'm going to reboot again for something I've never heard of nor, as far as I know, use?
The Java updater needs to be a lot better. It's like that annoying crack addict that hits you up for money every time you walk down the street.

--
No, I will not work for your startup
Re:Ironically it's in the C-written part of the JV by 0123456 · 2010-10-18 10:50 · Score: 1

So far there has not been a single buffer overflow targetting pure Java code because, well... The Java specs simply make this impossible (or the hypotetical JVM that would be affected wouldn't be complying with the Sun/Oracle Java specs and hence wouldn't be a "JVM")
Clearly the solution is to rewrite the JVM in Java.
Comment removed by account_deleted · 2010-10-18 10:52 · Score: 1

Comment removed based on user account deletion
Re:Cisco is the worst! by petermgreen · 2010-10-18 12:25 · Score: 1

It depends how they are using them. If they are keeping private copies and only using them to run trusted software I don't see any big problem.
OTOH if they are installing old versions systemwide that is BAD.

--
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
It is vulnerable because it is popular. by jameskojiro · 2010-10-18 12:32 · Score: 1

Unlike the Macrocost implementation of it C# or whatever.
In other news OS2 is the most secure system ever, too bad no one is using it....

--
Tsukasa: All I really want, is to be left alone...
1. Re:It is vulnerable because it is popular. by shutdown+-p+now · 2010-10-18 13:55 · Score: 1
  
  2004 called, it wants its FUD back.
Re:once again, wrong default by TheLink · 2010-10-18 12:38 · Score: 1

That's why I suggested this years ago:
http://lists.w3.org/Archives/Public/www-html/2002May/0021.html
http://www.mail-archive.com/mozilla-security@mozilla.org/msg01448.html
I think mozilla are finally trying to do something about it:
https://developer.mozilla.org/en/Security/CSP
But after so many years, worms and exploits...
--
- Too many replies beneath your current threshold
Re:Stuck on old versions by jonwil · 2010-10-18 14:08 · Score: 1

Thats why you get one computer, update it, spend some time making sure the old apps run and if they do, roll it out companywide.
If they dont run, you either dont roll the updates out or you find newer versions of the apps that do run.
Companies that refuse to update past IE6 or update the JVM or whatever because they have known incompatibilities with important apps are fine. Companies that refuse to update because there MIGHT be issuse (and they dont know either way because no-one has bothered to do some testing) are the problem.
Mime-type screwyness by billcopc · 2010-10-18 15:02 · Score: 1

I noticed something like this yesterday, where some idiot's rooted blog was trying to drive-by a bunch of PDFs, which were mime-typed as jars so they spawned the Java quickstart kludge. In my case they didn't get anywhere since my debugger fired up, but I on a non-developer workstation they probably could have had a field day.
Cue endless Java and Adobe bashing in 3...2...1...

--
-Billco, Fnarg.com
Secunia PSI by WD · 2010-10-18 16:17 · Score: 1

Try Secunia PSI. It will scan your system for any software that needs to be updated. http://secunia.com/vulnerability_scanning/personal/
Re:Ironically it's in the C-written part of the JV by SamiKoivu · 2010-10-18 17:31 · Score: 2, Interesting

Two of the three cited vulns aren't actually buffer overflows. It's badly written Java code that other Java code can exploit to escape from the sandbox.
Confusion by SamiKoivu · 2010-10-18 17:57 · Score: 1

Just to clear up some of the confusion. The news of the recent release fixing 29 vulnerabilities isn't directly related to the 3 vulnerabilities cited as the biggest Java threats, as fixes for these were released earlier.
CVE-2008-5353 was fixed in December 2008 with Java 6 update 11.
CVE-2010-0094 was fixed in the spring of 2010 with Java 6 update 19.
CVE-2009-3867 was fixed with Java 6 update 17 (november 2009?).
Not that the latest version we're all running isn't vulnerable to a ton of other stuff.
Re:JRE's no mere ranger. by Haeleth · 2010-10-19 12:34 · Score: 2, Funny

Here in the Enterprise(tm) world, we generally tend to, y'know, test shit thoroughly before launching/updating it.
Indeed. Most of the Enterprise(tm) world is probably completely safe from these attacks. At least till 2027 when they upgrade to the vulnerable versions.
How do you remove java permanently? shit. by zymano · 2010-10-21 09:12 · Score: 1

I always get the stupid bho.
Damnit. Why does Sun not do anything.