Experts Develop 3rd-Party Patch For New Java Zero-Day
tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
You know what would be better idea than patching Java? Uninstalling it.
You have to be fucking kidding me.
We were told Java was going to be the answer to all our security problems. No more buffer overflows, and few if any other remote code exploits would be possible with applications written in Java.
It's too bad someone finds a critical vulnerability in the platform every other month, seemingly.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
There is no good reason to have Java installed in your primary browser. The only reason why it's everywhere is that it often comes preinstalled for no good reason, and (even worse) the installer shoves its way into all your browsers, for even less reason. If there are specific business sites using Java that you must access, then use IE with Java exclusively for those, and Firefox or Chrome for normal browsing. Using Java on the open web is just asking to get 0wned.
For MacOS, Apple handles all Java releases directly. R19 had new security features which basically broke many applets which called a webservice. On Windows and Linux, when Sun released a fix, our users were able to patch. Unfortunately, our Mac users had to wait until Apple got around to packaging the fix/update, which took weeks longer. The Java model has degenerated to Write Once, Debug Everywhere and Wait...
Why don't they make it so that you can download the installer (for use on other computers) without using TOP SECRET BURN BEFORE READING links??
oh btw a cool way to get all the "stuff" is http://ninite.com/.net-7zip-air-chrome-firefox-flash-flashie-foxit-java-pdfcreator-shockwave-silverlight/ download that file and then run it to get everything installed (and yes i did include both chrome and firefox)
Any person using FTFY or editing my postings agrees to a US$50.00 charge
During SUN's era, the motto for Java was : "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep java's secure reputation...
But now, it's Oracle... Oracle screwed up OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatment VirtualBox gets...
Why is this vulnerability not going to affect us much?
- it tries to access a domain that has xxx in its name - such domain names are blocked
- it tries to download a .exe - such downloads are blocked for users
- it downloads the .exe into the temp dir and runs it - running .exe in the user profile (and thus the temp dir) is blocked by policy
- it tries to modify the system - but the users have no admin privilege and cannot modify C:\WINDOWS
- the .exe it downloads is recognized as a trojan by the virus scanner
So there are at least 5 hurdles between this exploit and the system.
Now, we are just a humble company with mediocre system admins.
I wonder why this kind of exploit always seems to affect high profile companies and government organizations.
Are the admins there totally incapable nitwits, or what?
Huge amount of banking and intranet sites in the office not only require it but require a specific version like 9 year old 1.4.2. No, not 1.4.1, nor 1.4.3, but just 1.4.2 with 10 exploits. Kronos, Bank of America, and others. The same financial institutions that don't require Java for us do require ancient IE and old Java for corporate functions. These desktops get infected constantly, over and over.
Simply put, I have absolutely no apps that depend on JAVA, and this is exactly why. As someone else said, the best solution is to remove JAVA entirely and never let it near your system again. Friends don't let friends install Java, and we don't do Windows.
Mod me up/Mod me down: I won't frown as I've no crown
Huge amount of banking and intranet sites in the office not only require it but require a specific version like 9 year old 1.4.2. No, not 1.4.1, nor 1.4.3, but just 1.4.2 with 10 exploits. Kronos, Bank of America, and others. The same financial institutions that don't require Java for us do require ancient IE and old Java for corporate functions. These desktops get infected constantly, over and over.
In that case, the appropriate solution is to run these tasks from virtual machines, which are then wiped back to their original state at the end of each session. And to complain to the idiots who run these pages and clearly don't know the first thing about IT security.
Lots of vendors like to ship custom Java versions which their programs use (installed in their applications' subdirectories), and they rarely update the Java versions when a vulnerability is found for the version they based their custom job on.
Memorable quotes for
Looker (1981)
http://www.imdb.com/title/tt0082677/quotes
"John Reston: Television can control public opinion more effectively than armies of secret police, because television is entirely voluntary. The American government forces our children to attend school, but nobody forces them to watch T.V. Americans of all ages *submit* to television. Television is the American ideal. Persuasion without coercion. Nobody makes us watch. Who could have predicted that a *free* people would voluntarily spend one fifth of their lives sitting in front of a *box* with pictures? Fifteen years sitting in prison is punishment. But 15 years sitting in front of a television set is entertainment. And the average American now spends more than one and a half years of his life just watching television commercials. Fifty minutes, every day of his life, watching commercials. Now, that's power."
##
"The United States has it's own propaganda, but it's very effective because people don't realize that it's propaganda. And it's subtle, but it's actually a much stronger propaganda machine than the Nazis had but it's funded in a different way. With the Nazis it was funded by the government, but in the United States, it's funded by corporations and corporations they only want things to happen that will make people want to buy stuff. So whatever that is, then that is considered okay and good, but that doesn't necessarily mean it really serves people's thinking - it can stupify and make not very good things happen."
- Crispin Glover: http://www.imdb.com/name/nm0000417/bio
##
"It's only logical to assume that conspiracies are everywhere, because that's what people do. They conspire. If you can't get the message, get the man." - Mel Gibson (from an interview)
##
"We'll know our disinformation program is complete when everything the American public believes is false." - William Casey, CIA Director
##
George Carlin:
"The real owners are the big wealthy business interests that control things and make all the important decisions. Forget the politicians, they're an irrelevancy. The politicians are put there to give you the idea that you have freedom of choice. You don't. You have no choice. You have owners. They own you. They own everything. They own all the important land. They own and control the corporations. They've long since bought and paid for the Senate, the Congress, the statehouses, the city halls. They've got the judges in their back pockets. And they own all the big media companies, so that they control just about all of the news and information you hear. They've got you by the balls. They spend billions of dollars every year lobbying lobbying to get what they want. Well, we know what they want; they want more for themselves and less for everybody else.
But I'll tell you what they don't want. They don't want a population of citizens capable of critical thinking. They don't want well-informed, well-educated people capable of critical thinking. They're not interested in that. That doesn't help them. That's against their interests. They don't want people who are smart enough to sit around the kitchen table and figure out how badly they're getting fucked by a system that threw them overboard 30 fucking years ago.
You know what they want? Obedient workers people who are just smart enough to run the machines and do the paperwork but just dumb enough to passively accept all these increasingly shittier jobs with the lower pay, the longer hours, reduced benefits, the end of overtime and the vanishing pension that disappears the minute you go to collect it. And, now, they're coming for your Social Security. They want your fucking retirement money. They want it back, so they can give it to their criminal friends on Wall Street. And you know something? They'll get it. They'll get it all, sooner or later, because they own this fucking place. It's a big clu
There's "Java" as in "JVM" or "JDK" and there are "various Java plugins for browsers". The latter have very little to do with Java proper and it's not clear why they are even needed these days.
I would in all honesty change banks if that happened, not just because of the security holes but because it can be a phenomenal pain to get such an old version to play nice with a modern browser. You have to jump through hoops to even get such an old version. It would be sufficiently problematic that I would end up not using the web interface, which is sufficiently annoying that I would want a bank that had usable / secure web access.
So... With all those "turn your java plugins off" posts... Should we turn off our tomcat/jboss/glassfish/webspheres off as well?
My JRE wants to update itself every time I turn around, and I say "why, yes, go ahead". Where does this "quarterly update cycle" statement come from?
They must not have looked at Java's security history since about version 6r16, when they decided to do quarterly updates. Although, they've broken many, many, many installs of Java by releasing 3 or 4 updates in 1 month. Maybe they should just build it with some sort of security in mind and they wouldn't have this problem.
I tested this on Ubuntu 12.04 in both Firefox and Chrome. The exploit worked (which is no surprise since Java is Java everywhere). However, it doesn't seem to work with OpenJDK (which is what Ubuntu installs by default as a Java replacement).
In any case, I then turned on AppArmor and it killed the exploit cold in both browsers. I highly recommend using AppArmor, SELinux or Grsec.
If Linux is so secure, why does this affect Linux / Windows / Mac (Unix based)?
Seriously Asking..
A quick look here: http://technet.microsoft.com/en-us/security/bulletin/ reveals about one security patch for .NET each month on average. All critical remote executable.
If you know you need a JRE, try GCJ or IcedTea/OpenJDK version 6, and see if your Java program will still run (or if you can tweak settings to get it to run). This comparison of Java VMs is helpful: http://en.wikipedia.org/wiki/Comparison_of_Java_virtual_machines
For GNU/Linux users, there are a lot of choices to avoid this, if our platforms are even targeted. For Windows and Mac OSX users, I've been recommending:
1. Uninstall all versions of Sun/Oracle Java JRE
2. Install OpenJDK 6, only if needed (easy install packages here http://www.openscg.com/se/openjdk/index.jsp )
^ that link also has install packages for GNU/Linux, but obviously you'll want to use your distro's package manager if you have one. Also, I recommend uninstalling *all versions* of Sun/Oracle Java, not just 7, because it's a simpler instruction for users. I find a lot of people hit a cognitive wall when they have to check software versions, even if the info is right in front of them.
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
Showing my loss in technical knowledge, but aren't Android apps all pretty much Java, rebaked in a specific format? So is Android vulnerable to this, or simply browser plugin exploits?