Experts Develop 3rd-Party Patch For New Java Zero-Day
tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
You know what would be better idea than patching Java? Uninstalling it.
You have to be fucking kidding me.
We were told Java was going to be the answer to all our security problems. No more buffer overflows, and few if any other remote code exploits would be possible with applications written in Java.
It's too bad someone seemingly finds a critical vulnerability in the platform every other month.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
There is no good reason to have Java installed in your primary browser. The only reason why it's everywhere is that it often comes preinstalled for no good reason, and (even worse) the installer shoves its way into all your browsers, for even less reason. If there are specific business sites using Java that you must access, then use IE with Java exclusively for those, and Firefox or Chrome for normal browsing. Using Java on the open web is just asking to get 0wned.
For MacOS, Apple handles all Java releases directly. R19 had new security features which basically broke many applets which called a webservice. On Windows and Linux, when Sun released a fix, our users were able to patch. Unfortunately, our Mac users had to wait until Apple got around to packaging the fix/update, which took weeks longer. The Java model has degenerated to Write Once, Debug Everywhere and Wait...
Why don't they make it so that you can download the installer (for use on other computers) without using TOP SECRET BURN BEFORE READING links??
Oh, BTW, a cool way to get all the "stuff" is http://ninite.com/.net-7zip-air-chrome-firefox-flash-flashie-foxit-java-pdfcreator-shockwave-silverlight/. Download that file and then run it to get everything installed (and yes, I did include both Chrome and Firefox).
Any person using FTFY or editing my postings agrees to a US$50.00 charge
During Sun's era, the motto for Java was: "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep Java's secure reputation...
But now it's Oracle... Oracle screwed up OpenOffice... Oracle is screwing up MySQL... And it looks like Oracle is screwing up Java... I wonder what treatment VirtualBox gets...
A huge number of banking and intranet sites in the office not only require it but require a specific version, like the 9-year-old 1.4.2. No, not 1.4.1, nor 1.4.3, but just 1.4.2 with its 10 exploits. Kronos, Bank of America, and others. The same financial institutions that don't require Java for us do require ancient IE and old Java for corporate functions. These desktops get infected constantly, over and over.
Simply put, I have absolutely no apps that depend on JAVA, and this is exactly why. As someone else said, the best solution is to remove JAVA entirely and never let it near your system again. Friends don't let friends install Java, and we don't do windows.
Mod me up/Mod me down: I wont frown as I've no crown
Or what. :)
xxx - something else has that which has been allowed through the domain filters because "xxx" doesn't always designate pornography, it can also be part of the size of a t-shirt or a movie perhaps.
.exe download - many larger organizations let their users download executable files from the Internet because their job requires downloading these sorts of things and having requests to let someone else download it becomes a department road block.
downloads .exe to temp directory and tries to run it - group policy may block but legacy applications (that you can't rewrite or replace because a department or division runs on it) may require the same type of behavior.
Modify the system - while it has gotten better, depending on your end-user and the apps they are running, they might need admin privileges and/or the ability to modify c:\windows
.exe picked up as trojan - this should be a hurdle.
It isn't a case of mediocre sysadmins so much as corporate inertia and legacy stupidity that stands in the way of preventing these sorts of things. And the bigger the company, the harder it is to get it to turn that sort of corner. Add to that the rules involved in changing procedures (not to mention the money) and you'll understand why the high profile (read larger) companies and gov't organizations are still behind on being able to mitigate a lot of these things.
A huge number of banking and intranet sites in the office not only require it but require a specific version, like the 9-year-old 1.4.2. No, not 1.4.1, nor 1.4.3, but just 1.4.2 with its 10 exploits. Kronos, Bank of America, and others. The same financial institutions that don't require Java for us do require ancient IE and old Java for corporate functions. These desktops get infected constantly, over and over.
In that case, the appropriate solution is to run these tasks from virtual machines, which are then wiped back to their original state at the end of each session. And to complain to the idiots who run these pages and clearly don't know the first thing about IT security.
Lots of vendors like to ship custom Java versions which their programs use (installed in their applications' subdirectories), and they rarely update the Java versions when a vulnerability is found for the version they based their custom job on.
I read this "my work requires it!" claim a lot.
I think it is hogwash.
Work requires a stable system. Work does not require access to xxx, download of .exe, run of .exe outside of installed apps, change of the system.
The admins are just hiding that they don't know how to implement measures like this.
It is the same breed that never updated IE6 "because we depend on it".
They will be owned. But they just don't care.
I bet a lot of those companies have outsourced admin, and the admin company only performs to the minimal SLA, which in a corner states that security breaches and virus outbreaks are cured on a time and materials basis, with no possibility for damage compensation.
There's "Java" as in "JVM" or "JDK" and there are "various Java plugins for browsers". The latter have very little to do with Java proper and it's not clear why they are even needed these days.
xxx - something else has that which has been allowed through the domain filters because "xxx" doesn't always designate pornography, it can also be part of the size of a t-shirt or a movie [imdb.com] perhaps.
You don't need to be shirt-shopping or checking out a Vin Diesel movie at work. Block remains in effect.
.exe download - many larger organizations let their users download executable files from the Internet because their job requires downloading these sorts of things and having requests to let somepony else download it becomes a department road block.
HAHAHAHAHAHA. No.
downloads .exe to temp directory and tries to run it - group policy may block but legacy applications (that you can't rewrite or replace because a department or division runs on it) may require the same type of behavior.
Which will be given exceptions on a case-by-case basis. Not letting everything on the whole system just go nuts with permissions.
depending on your end-user and apps they are running, they might need admin privileges and/or the ability to modify c:\windows
If you actually need this kind of access, you'd best fucking know better than to get infected with this shit.
It isn't a case of mediocre sysadmins
Keep telling yourself that.
corporate inertia and legacy stupidity that stands in the way of preventing these sorts of things
We play a support role. For most businesses, the primary objective is not IT. Make it work like the rest of us do.
you'll understand why the high profile (read larger) companies and gov't organizations are still behind on being able to mitigate a lot of these things.
As someone on the inside, it still looks an awful lot like technological incompetence to me.
I would in all honesty change banks if that happened, not just because of the security holes but because it can be a phenomenal pain to get such an old version to play nice with a modern browser. You have to jump through hoops to even get such an old version. It would be sufficiently problematic that I would end up not using the web interface, which is sufficiently annoying that I would want a bank that had usable / secure web access.
xxx - something else has that which has been allowed through the domain filters because "xxx" doesn't always designate pornography, it can also be part of the size of a t-shirt or a movie [imdb.com] perhaps.
You don't need to be shirt-shopping or checking out a Vin Diesel movie at work. Block remains in effect.
So you are providing an Internet connection at work for what reason? And your staff isn't allowed to use it for personal things during lunch or breaks?
.exe download - many larger organizations let their users download executable files from the Internet because their job requires downloading these sorts of things and having requests to let somepony else download it becomes a department road block.
HAHAHAHAHAHA. No.
Up to you whether or not you want your IT staff to download requested items. For your IT staff to do it, it becomes a support ticket and puts in the delay that your ticketing and support organization will put into the request.
downloads .exe to temp directory and tries to run it - group policy may block but legacy applications (that you can't rewrite or replace because a department or division runs on it) may require the same type of behavior.
Which will be given exceptions on a case-by-case basis. Not letting everything on the whole system just go nuts with permissions.
Depends on the app. Case-by-case - if everyone is running an app that requires that sort of access, your case has just been shot - of course it also means you have to know the complete behavior of every app that is run on every system in your environment so you can deal with the strange failures that come up every now and then because you do stop that sort of thing by default when apps write temp files and the like.
depending on your end-user and apps they are running, they might need admin privileges and/or the ability to modify c:\windows
If you actually need this kind of access, you'd best fucking know better than to get infected with this shit.
We are in agreement here. Sadly a lot of Dev staff aren't as savvy as we'd like.
It isn't a case of mediocre sysadmins
Keep telling yourself that.
I don't have to tell myself (an anonymous coward posting this? Might want to look in the mirror there)
corporate inertia and legacy stupidity that stands in the way of preventing these sorts of things
We play a support role. For most businesses, the primary objective is not IT. Make it work like the rest of us do.
Yes we do. And if you assume that every other environment has the same requirements as the one you are talking about - you might want to look closer at that mediocre sysadmin statement you mentioned earlier. We in IT provide a functioning environment that lets the end users do what they need with the minimal amount of interruption. Depends on what the business is doing as to what sort of access is needed - what you describe in the above is a typical office environment - which wouldn't suit the needs of my users as a software development house. (And doing it 'the office environment' way only generated 200 request tickets the first 3 days... which could have been avoided... )
you'll understand why the high profile (read larger) companies and gov't organizations are still behind on being able to mitigate a lot of these things.
As someone on the inside, it still looks an awful lot like technological incompetence to me.
As someone also on the inside, and doing this for a while, it isn't always incompetence...
I read this "my work requires it!" claim a lot.
I think it is hogwash.
Work requires a stable system.
True - but "stable system" varies depending on the type of work done. If you have a typical office environment (accounting, marketing, etc) you are correct. If you have a software development shop, it changes things...
Work does not require access to xxx, download of .exe, run of .exe outside of installed apps, change of the system.
xxx <> porn -- blocking based on character strings may have unintended side effects. (I was looking for tape DLTXXX29...)
Things outside of installed apps -- so how does your Dev staff grab a copy of something to install and test out?
The admins are just hiding that they don't know how to implement measures like this.
Or they are more experienced than you think because the environments they are providing services to contraindicate what you propose - unless you like to have multiple tickets for your staff to go find and download software to make available...
It is the same breed that never updated IE6 "because we depend on it".
They will be owned. But they just don't care.
I bet a lot of those companies have outsourced admin, and the admin company only performs to the minimal SLA, which in a corner states that security breaches and virus outbreaks are cured on a time and materials basis, with no possibility for damage compensation.
The IE6 bit - was a cost issue - company didn't want to spend the amount of time/money required to make their internal app not require IE6 - failing to recognize that most companies are more willing to wait til they have no choice to upgrade their apps... But I would bet that you are correct regarding the outsourcing bit. :)
Don't confuse an exploit with a specific piece of malware. This invalidates all your above points.
Also, keep in mind that there are (public-and-patched as well as private-0day) privilege escalation exploits available for all major operating systems. This directly invalidates your point #4, and indirectly #3. #2 and #5 are relatively trivial to overcome... but the funny/sad thing is that you don't need any of this trickery in order to be effective. You can get a zillion zombie bots all running in user mode without many anti-malware tricks, simply because the majority of users are computer illiterate and will click on anything in order to see Olsen Twins Hot Lesbian Sex.
Coffee-driven development.
The admins are just hiding that they don't know how to implement measures like this.
Implementing it is easy. Dealing with the CEO being unable to execute a mission critical program that has to be run this very instant or the company will burst into flames is hard.
Even if that "mission critical program" is hotnudes.jpg.exe.
So... With all those "turn your Java plugins off" posts... Should we turn off our Tomcat/JBoss/GlassFish/WebSphere servers as well?
Fortunately we have a CEO that is just a reasonable man, not the type usually described on slashdot (which is probably very rare).
Today even a CEO understands that security is more important than porn on his screen.
The above article shows the typical hogwash about software development. When I see that entire municipality networks are owned by trojans and rootkits that get in using the mechanisms described above and are easily avoided, I know that the clerks handing out the passports or maintaining the real estate database are no software developers and thus do not need those extra permissions.
It is very clear that you have no clue about system administration.
Always expanding every situation to the broadest possible is not going to bring you anything.
Bringing an environment in which the user can do as she wants (including installation of external software) is just a disaster waiting to happen.
And oh, there are different Anonymous users posting in this same thread.
My JRE wants to update itself every time I turn around, and I say "why, yes, go ahead". Where does this "quarterly update cycle" statement come from?
They must not have looked at Java's security history since about version 6r16, when they decided to do quarterly updates. Although, they've broken many, many, many installs of Java by releasing 3 or 4 updates in 1 month. Maybe they should just build it with some sort of security in mind and they wouldn't have this problem.
of course it also means you have to know the complete behavior of every app that is run on every system in your environment
Is this not standard operating procedure? I mean, it's obviously not for you since you seem to be arguing in favor of letting people run willy nilly all over the internet, downloading and installing applications at will, running their web browsers with administrative access and such. But the fact that you've been in the industry for a long time doesn't really do much to change my opinion of your competence, as I've seen quite a lot of people who have been in the industry a long time who failed to properly lock their companies' environments. Sorry, but users very, very rarely need unrestricted internet access or system-wide privileges.
I tested this on Ubuntu 12.04 in both Firefox and Chrome. The exploit worked (which is no surprise since Java is Java everywhere). However, it doesn't seem to work with OpenJDK (which is what Ubuntu installs by default as a Java replacement).
In any case, I then turned on AppArmor and it killed the exploit cold in both browsers. I highly recommend using AppArmor, SELinux or Grsec.
If Linux is so secure, why does this affect Linux / Windows / Mac (Unix-based)?
Seriously Asking..
A quick look here: http://technet.microsoft.com/en-us/security/bulletin/ reveals about one security patch for .NET each month on average. All critical remote executable.
If you know you need a JRE, try GCJ or IcedTea/OpenJDK version 6, and see if your Java program will still run (or if you can tweak settings to get it to run). This comparison of Java VMs is helpful: http://en.wikipedia.org/wiki/Comparison_of_Java_virtual_machines
For GNU/Linux users, there are a lot of choices to avoid this, if our platforms are even targeted. For Windows and Mac OSX users, I've been recommending:
1. Uninstall all versions of Sun/Oracle Java JRE
2. Install OpenJDK 6, only if needed (easy install packages here http://www.openscg.com/se/openjdk/index.jsp )
^ that link also has install packages for GNU/Linux, but obviously you'll want to use your distro's package manager if you have one. Also, I recommend uninstalling *all versions* of Sun/Oracle Java, not just 7, because it's a simpler instruction for users. I find a lot of people hit a cognitive wall when they have to check software versions, even if the info is right in front of them.
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
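For the Windows side of that two-step procedure, here is an added example (my own, not from the thread or from any Java vendor): a PowerShell script that inventories every Sun/Oracle Java entry registered in Add/Remove Programs so the "uninstall all versions" step can be checked before and after, and only removes the MSI-based ones when run with -Uninstall. The registry hives are the standard uninstall keys; the DisplayName and Publisher match patterns are assumptions about how the JRE registers itself.

```powershell
# Added example: audit (and optionally remove) Sun/Oracle Java runtimes on Windows.
# Run in an elevated PowerShell session. Without -Uninstall it only reports.
param(
    [switch]$Uninstall
)

# 32-bit and 64-bit JREs register in different hives, so both must be checked.
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-OracleJava {
    # Assumed patterns: entries look like "Java 7 Update 6" or "Java(TM) 6 Update 33",
    # published by Oracle or Sun Microsystems.
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match '^Java(\(TM\))?\s' -and
            $_.Publisher  -match 'Oracle|Sun Microsystems'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                ProductCode = $_.PSChildName      # MSI product GUID for MSI installs
                Uninstall   = $_.UninstallString
            }
        }
}

$found = @(Get-OracleJava)
if ($found.Count -eq 0) {
    Write-Host 'No Sun/Oracle Java runtimes registered on this host.'
    return
}

# Report first: this is the list a user would otherwise have to read off by hand.
$found | Format-Table Name, Version, Publisher, ProductCode -AutoSize

foreach ($jre in $found) {
    if ($jre.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # MSI-based install: quiet uninstall by product code, no forced reboot.
        $cmd = "msiexec.exe /x $($jre.ProductCode) /qn /norestart"
    } else {
        # Non-MSI entry: fall back to whatever uninstall command the vendor registered.
        $cmd = $jre.Uninstall
    }
    if ($Uninstall) {
        Write-Host "Removing '$($jre.Name)' ..."
        Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $cmd" -Wait
    } else {
        Write-Host "Would run: $cmd   (re-run with -Uninstall to apply)"
    }
}
```

Re-running the script without -Uninstall after removal should report no entries; anything still listed is a non-MSI install that needs its own uninstaller.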
Showing my loss in technical knowledge, but aren't Android apps all pretty much Java, rebaked in a specific format? So is Android vulnerable to this, or simply to browser plugin exploits?
If you allow the systems to do Wi-Fi, your internet filters are one personal smart-phone away from being bypassed - so instead of letting your staff know that you monitor internet connections and letting them go about and willy-nilly do things (which means they aren't working, which is a management issue), you force them to do things that can put you in a deeper pickle (such as bridging your internal network to the Internet via their personal hot spot). They blow up their system, you wipe it and restore from image. They lost something important - they've learned not to go willy-nilly all over the internet. Of course most people are smart enough not to do that in the first place from their work machines, but...
The admin access -- again depends on the apps sadly. Oh - and if you have a Dev shop where they are creating executables and unit testing ... the ability to "install" is kind of important, is it not? Or do they only test on other machines instead of perhaps debugging? And the research folks may be hunting down some new tool they read about in a forum and want to see if it can be added... Again, depends on the environment. You have an office shop where it's just sales and accounting - then yeah they don't have a reason to grab anything new except the company sanctioned tools. (or do they? Neat graphing utility? some new widget for Excel that ties into the accounting database better? Nah - they can get IT to download and vet it.)
Now, access to the servers (the stuff that supports the office and keeps it running) - different animal and different discussion.