Experts Develop 3rd-Party Patch For New Java Zero-Day

← Back to Stories (view on slashdot.org)

Experts Develop 3rd-Party Patch For New Java Zero-Day

Posted by samzenpus on Monday August 27, 2012 @05:18AM from the patch-it-up dept.

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."

110 of 154 comments (clear)

Min score:

Reason:

Sort:

A better idea... by DrEnter · 2012-08-27 05:18 · Score: 4, Insightful

You know what would be better idea than patching Java? Uninstalling it.
1. Re:A better idea... by MyLongNickName · 2012-08-27 05:31 · Score: 3, Insightful
  
  Can somone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.
  
  --
  See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
2. Re:A better idea... by gl4ss · 2012-08-27 05:35 · Score: 2
  
  you know what's funny? can't log into my web banking without it(it's only the signon flow where it's used, too).
  though, I guess I should still just whitelist it on certain sites. however applets can be used in good ways.. it's just that nobody ever does that.
  
  --
  world was created 5 seconds before this post as it is.
3. Re:A better idea... by udachny · 2012-08-27 05:39 · Score: 2
  
  ....
  Java Zero Day VulnerabilityâoeIn my lab environment, I was able to successfully exploit my test machine against latest version of Firefox with JRE version 1.7 update 6 installed,â he wrote on the company blog.
  The exploit was found on a server in China, and if it successfully attacks a given endpoint, the payload that is delivered is hosted on the same server. While the IP address associated with the malicious box has been known to serve malware in the past, it isnâ(TM)t responding to browser connections. Nevertheless, the IP is live. ....
  On Monday, the Metasploit Exploit team at Rapid7 said they found the PoC and had developed a working exploit that they say enables a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6.
  âoeAs a user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available,â a blog post from Rapid7 notes.
  Once again, itâ(TM)s wise to remove Java if it isnâ(TM)t absolutely needed in your environment. Most home users have little need for the software these days, and most experts agree the risk outweighs the reward when it comes to installing it.
  
  I don't know why the OP is moderated Funny, maybe they have Java installed on their 'humour sensing unit'.
  --
  OTOH I wish IBM bought Sun back when Oracle made their bid, this lack of interest by Oracle is just perplexing at this point. If Ellison doesn't see a way to monetize Java environment, why not sell it? Have an auction, put it on Ebay.
  
  --
  MY OTHER COMMENTS
4. Re:A better idea... by Anonymous Coward · 2012-08-27 05:40 · Score: 1, Insightful
  
  Can somone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.
  A modest proposal to improve security. You know what be more effective than uninstalling Java? Uninstalling the network and other input devices. In fact, why don't you turn off the computer entirely?
  The number one reason that Java has published security holes is that Java is used heavily. Non-java programs also have security holes. Yes, it makes sense to reduce dependency on Java now, because Java has the current serious security hole. However, your parent wasn't suggesting that. Your parent was suggesting that uninstalling Java was better than fixing the security hole.
5. Re:A better idea... by Anonymous Coward · 2012-08-27 05:44 · Score: 1
  
  But.. but.. then how can I play Minecraft? :(
6. Re:A better idea... by Nabeel_co · 2012-08-27 05:48 · Score: 1
  
  ...Your parent was suggesting that uninstalling Java was better than fixing the security hole.
  I think that was because he was implying that Java isn't used anywhere enough now a days to warrant it being installed on client systems, for the most part.
7. Re:A better idea... by matrim99 · 2012-08-27 06:09 · Score: 1
  
  Or just someone who has experience in this industry.
  
  --
  Right. No, your other right. No, the other other right.
8. Re:A better idea... by t4ng* · 2012-08-27 06:10 · Score: 1
  
  Exactly! The only thing I ever need it for in a desktop environment is for apps use it, not for web pages.
  The real problem, as I see it, would be for all those smartphones out there that use java for everything
9. Re:A better idea... by Anonymous Coward · 2012-08-27 06:14 · Score: 2, Informative
  
  Your parent was suggesting that uninstalling Java was better than fixing the security hole.
  It *is* better than fixing the security hole. Fixing the security hole fixes ONE security problem. Uninstalling Java fixes that ONE security problem AND all unknown/future Java security problems.
10. Re:A better idea... by JonJ · 2012-08-27 06:16 · Score: 1
  
  Every single bank in Norway does this.
  
  --
  -- Linux user #369862
11. Re:A better idea... by Forty+Two+Tenfold · 2012-08-27 06:17 · Score: 1
  
  If Ellison doesn't see a way to monetize Java environment, why not sell it? Have an auction, put it on Ebay.
  
  --
  Upward mobility is a slippery slope - the higher you climb the more you show your ass.
12. Re:A better idea... by monkeyhybrid · 2012-08-27 06:28 · Score: 3, Funny
  
  I locked it down so *only* those 2 things can use it. One of them is not the web browser...
  But the other one is the web browser? ;)
13. Re:A better idea... by EdIII · 2012-08-27 06:34 · Score: 1
  
  Last time I checked USAA uses Java to deposit checks online too.
14. Re:A better idea... by Hatta · 2012-08-27 06:56 · Score: 1
  
  I would love to uninstall Java. But what would I replace UGENE and ImageJ with? It seems like any free, cross platform, GUI, scientific software is written in Java.
  
  --
  Give me Classic Slashdot or give me death!
15. Re:A better idea... by simplypeachy · 2012-08-27 06:58 · Score: 2
  
  Not with Internet Explorer it isn't. Even setting the Java control panel not to use the plug-ins, disable them in IE's Add-Ons and then remove all references to them using AutoRuns and parts of the Java plug-in can still execute.
16. Re:A better idea... by 93+Escort+Wagon · 2012-08-27 07:16 · Score: 2
  
  You know what would be better idea than patching Java? Uninstalling it.
  I didn't uninstall it; but several months ago I turned it off in my web browser(s). You know what? It hasn't impacted anything I do - none of the web sites I use rely on Java *at all*. Not the fun sites, not the banking sites, not the business sites...
  I've certainly got some local software that requires Java; but if it's not available in my browser you're going to have a difficult time getting an exploit onto my computer.
  
  --
  #DeleteChrome
17. Re:A better idea... by edxwelch · 2012-08-27 07:19 · Score: 1
  
  In all fairness, Java is no less secure than .NET or any other middleware. Why not just deinstall everything? Then your really safe.
18. Re:A better idea... by Exitar · 2012-08-27 07:27 · Score: 2
  
  Attack vectors? Like the internet?
19. Re:A better idea... by pionzypher · 2012-08-27 07:38 · Score: 1
  
  This. I'm surprised that this is the first post to plainly say it after gp alluded to it.
  
  You shouldn't have posted AC.
  
  --
  I'll believe in corporations having personhood when Texas executes one... - advocate_one
20. Re:A better idea... by Em+Adespoton · 2012-08-27 08:01 · Score: 1
  
  Exactly! The only thing I ever need it for in a desktop environment is for apps use it, not for web pages.
  The real problem, as I see it, would be for all those smartphones out there that use java for everything
  iOS doesn't do Java, so all those sites out there that want to support iOS devices have to have an alternative. Because of this, Java Applets and J2ME sites always have a usable alternative these days.
21. Re:A better idea... by Em+Adespoton · 2012-08-27 08:05 · Score: 1
  
  So uninstall all plugins, etc. and only run pure Java apps. To go one better, only run them in a sandbox (a VM should do the trick). That way, you can still copy/paste the output and even share the files back, but as you aren't doing anything in that sandbox other than running that Java app, that instance of Java won't be exploited. You don't even need to upgrade for new features/security fixes!
22. Re:A better idea... by c0lo · 2012-08-27 08:13 · Score: 2
  
  Can somone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense.
  Hmmm... seems you are right... the maximum security for a computer is achieved by uninstalling the OS and keeping the computer powered off. (I'm not saying you advice this, but just to put into evidence that security is not the objective that anyone would like maximized).
  
  --
  Questions raise, answers kill. Raise questions to stay alive.
23. Re:A better idea... by KDR_11k · 2012-08-27 08:15 · Score: 1
  
  To elaborate, the mobile version of Minecraft:
  - Is limited to a fixed world size, it does not expand as you explore like the PC one does.
  - Has only a very limited selection of enemies.
  - Lacks many of the tools, blocks, etc.
  - Does not include enchanting or bow & arrow
  - Doesn't apply gravity to sand and gravel
  - Has been declared shit by Notch himself.
  and many other restrictions. It's slowly evolving past the original release that was basically just creative mode but it hasn't come too far yet.
  
  --
  Justice is the sheep getting arrested while an impartial judge declares the vote void.
24. Re:A better idea... by snemarch · 2012-08-27 08:23 · Score: 1
  
  For us people living in Denmark, there's pretty much no way to avoid Java. The nation-wide "digital signature" (that's what they call it - in fact it's really just a glorified single-signon) NemID ("Easy ID") requires Java. It's a big fscking mess, it's run by the banking industry but being shoved down our troaths for interfacing with the government, and there's already successful MITM attacks for it.
  Oh yeah, and the signed Java applet is just a bootstrap that fetches unsigned applets from "whatever location", and it includes JNI binaries as well that snoops system info for "fingerprinting reasons"... perfect vector for the PET, the Danish version of NSA. Goodtimes.
  
  --
  Coffee-driven development.
25. Re:A better idea... by sapgau · 2012-08-27 08:31 · Score: 1
  
  Java is also used heavily on the browser in Colleges and Universities (Higher Ed.) for rich text editors, chat rooms and some other educational content.
26. Re:A better idea... by LordLimecat · 2012-08-27 09:29 · Score: 2
  
  In Chrome: Wrench-->Settings; Advanced Settings; Content settings; "Click to Play" under plugins.
  Problem solved.
27. Re:A better idea... by LordLimecat · 2012-08-27 09:32 · Score: 2
  
  Your parent was suggesting that uninstalling Java was better than fixing the security hole.
  It is, given the huge percentage of malware infections directly caused by Java and Adobe plugin exploits.
  Patching this particular hole fixes the problem for about 2 weeks till the next 0-day drops. Some of us like to get off of that nasty little merry-go-round, and get rid of a plugin that has basically no use. If you really need it, set your plugins to Click-To-Play (through flashblock for firefox, or as detailed here for chrome)
28. Re:A better idea... by hot+soldering+iron · 2012-08-27 09:50 · Score: 1
  
  It also happens to be embedded in Oracle Databases, and even though it isn't mentioned wither this 0-day affects Android, the Djarvik Engine is modeled after Java. Java is used in an incredible number of applications, it just doesn't get rubbed in your face all the time. Yeah, nobody uses Java anymore. Except... everybody.
  
  --
  When you want something built, come see me. If you want correct grammar and spelling, get a F*ing liberal arts student.
29. Re:A better idea... by ArsenneLupin · 2012-08-27 09:53 · Score: 1
  
  And in Luxembourg too.
30. Re:A better idea... by tlambert · 2012-08-27 09:54 · Score: 1
  
  But.. but.. then how can I play Minecraft? :(
  I mentally translate "JRE" to "MRE" for Minecraft Runtime Environment.
  In all seriousness, many banks run a captive Java application for login authentication using challenge/response as an anti-phishing mechanism to prevent storing the credentials. Given that Java is frequently exploited, this isn't a very effective strategy, given the current generation of online channel-breaking attacks.
31. Re:A better idea... by Desler · 2012-08-27 09:55 · Score: 1
  
  So less than 1% of all home PC users?
32. Re:A better idea... by snemarch · 2012-08-27 09:56 · Score: 1
  
  Sorry, but Java has a really nasty track record of exploits - especially considering that client code runs not just in a sandbox, but a sandboxed virtual machine - and that the platform has had a lot of emphasis on security from day one.
  I don't have a Java plugin in my browser, I consider that pretty much security suicide. Because I live in .dk, I have to use a browser with Java plugin from time to time, but I handle that in a locked down virtual machine that I use solely for that purpose.
  Also: I kinda like Java as a language (even if it's verbose and the platform has a boatload of flaws), the JVM has a few nifty things here and there, and my day job involves Java coding. That doesn't mean I'm going to close my eyes and pretend it's a good thing to have installed on client systems, though.
  
  --
  Coffee-driven development.
33. Re:A better idea... by Desler · 2012-08-27 09:56 · Score: 2
  
  Yes it is. The .NET runtime has substantially less security issues than Java. Just chek out Secunia.
34. Re:A better idea... by snemarch · 2012-08-27 10:02 · Score: 2
  
  Keep away from the browser plugin and install just the JRE. You'll still be 0wned by clicking on "Olsen twins hot lesbian session.mpg .jar", but you'll be safe from browser drive-by attacks.
  
  --
  Coffee-driven development.
35. Re:A better idea... by amicusNYCL · 2012-08-27 10:03 · Score: 1
  
  In all fairness, Java is no less secure than .NET or any other middleware.
  In all fairness, that statement is crap without any supporting data. It is in fact possible for some middleware to be designed and built more poorly than other middleware. That's like saying that, in all fairness, Duke Nukem Forever is every bit as stable and well-designed as any other game.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
36. Re:A better idea... by snemarch · 2012-08-27 10:24 · Score: 1
  
  They don't need the browser plugin, though, only the JRE - so while they'll fall prey to clicking "Olsen Twins Hot Steaming Lesbian Sex.MPG .jar", they won't get browser drive-by malware.
  
  --
  Coffee-driven development.
37. Re:A better idea... by dkf · 2012-08-27 10:52 · Score: 2
  
  Just deleting the network drivers would be enough. It'd simultaneously make the internet a better place too...
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
38. Re:A better idea... by danomac · 2012-08-27 11:03 · Score: 1
  
  I wonder if it affects Java-powered devices like BD players? Hard to uninstall that. I guess if I see an update for mine I'll know what it's for.
39. Re:A better idea... by exomondo · 2012-08-27 14:03 · Score: 1
  
  In all fairness, Java is no less secure than .NET or any other middleware.
  In all fairness, Flash is no less secure or stable than any HTML5 implementation.
40. Re:A better idea... by Nivag064 · 2012-08-27 18:02 · Score: 1
  
  Internet Explorer is a security nightmare, even without considering any problems with plugins.
  
  Much better to use Firefox with Flashblock & NoScript installed!
41. Re:A better idea... by Vintermann · 2012-08-27 19:02 · Score: 2
  
  Sorry, but Java has a really nasty track record of exploits - especially considering that client code runs not just in a sandbox, but a sandboxed virtual machine - and that the platform has had a lot of emphasis on security from day one.
  So what do you suggest as alternatives? Java does serve a function, you know. There are plenty of things that haven't had an emphasis on security from day one.
  The irresponsible thing here is Oracle's update schedule.
  
  --
  xkcd is not in the sudoers file. This incident will be reported.
42. Re:A better idea... by Vintermann · 2012-08-27 19:04 · Score: 1
  
  the Djarvik Engine is modeled after Java
  Well, I don't think it's likely that the exploit is at a level where Djallben would have inadverdently duplicated it.
  
  --
  xkcd is not in the sudoers file. This incident will be reported.
43. Re:A better idea... by tehlinux · 2012-08-28 10:34 · Score: 1
  
  That's a great idea, unless, you know, you need the java browser plug-in for university or something. ;)
  
  --
  Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
44. Re:A better idea... by Baki · 2012-08-28 19:32 · Score: 1
  
  When talking about java in a browser executing remote code: agree, avoid it if you can.
  When talking about java as platform (like .net or other platforms) for server side applications, then dumping java because of this bug is a bit drastic.
Quarterly security patch? by Anonymous Coward · 2012-08-27 05:20 · Score: 1

You have to be fucking kidding me.
1. Re:Quarterly security patch? by plover · 2012-08-27 05:25 · Score: 4, Funny
  
  The analysts figured that exploits only come out an average of four times a year, therefore they only need to send updates every quarter. Who can question the CIO's master stroke of logic?
  
  --
  John
2. Re:Quarterly security patch? by Fuzzums · 2012-08-27 05:32 · Score: 2
  
  Don't make fun of this. Metrics don't lie. Seriously.
  
  --
  Privacy is terrorism.
3. Re:Quarterly security patch? by Anonymous Coward · 2012-08-27 05:46 · Score: 2, Informative
  
  I'm not sure if you are trolling, but here's why:
  There is a significant amount of work to test the software before doing a release.
  The code base is big and old, there are a lot of targets, and I'm guessing that not all tests are automated.
  Also, there is this issue of reducing the number of versions "out in the wild", at least for paying customers,
  as more versions that costs money to provide support for.
  All this will take resources away from fixing bugs and working on new features.
  It's not as if there are nothing to do if no new bugs are found...
4. Re:Quarterly security patch? by another+random+user · 2012-08-27 05:51 · Score: 1
  
  And what happens when it's time to release the next version but no new vulnerabilities have been found?
  Don't worry about it, that's never going to happen.
  
  --
  -1 troll is not supposed to be used simply because you don't agree
5. Re:Quarterly security patch? by Milharis · 2012-08-27 05:51 · Score: 1
  
  Luckily for criminals, those exploits are made public the day following the quarterly update.
  Seriously though, they don't have out-of-schedule updates for critical security bugs?
6. Re:Quarterly security patch? by Forty+Two+Tenfold · 2012-08-27 06:21 · Score: 1
  
  And what happens when it's time to release the next version but no new vulnerabilities have been found?
  You can go GNOME3 on any software anytime.
  
  --
  Upward mobility is a slippery slope - the higher you climb the more you show your ass.
7. Re:Quarterly security patch? by ruiner13 · 2012-08-27 06:47 · Score: 3, Funny
  
  The US doesn't use the metric system, therefore it is full of liars. :)
  
  --
  today is spelling optional day.
8. Re:Quarterly security patch? by _xeno_ · 2012-08-27 08:00 · Score: 1
  
  Seriously though, they don't have out-of-schedule updates for critical security bugs?
  Well, it's Oracle, so I expect they do, they just cost extra. I mean, you are up to date on your Oracle Certified Java Security Support, right?
  (Note: I'm joking. The actual service is called Oracle Premier Support for the Java SE Platform and you only need it to get security patches for "old" versions of Java.)
  
  --
  You are in a maze of twisty little relative jumps, all alike.
9. Re:Quarterly security patch? by sapgau · 2012-08-27 08:34 · Score: 1
  
  Users get upset when the server is rebooted/restarted on short notice.
  You get alot of "I need two weeks in advance to prepare for this" complaints.
10. Re:Quarterly security patch? by snemarch · 2012-08-27 10:27 · Score: 1
  
  *cough* version control software + branches *cough* - hardly rocket science.
  
  --
  Coffee-driven development.
11. Re:Quarterly security patch? by Vintermann · 2012-08-27 19:10 · Score: 1
  
  So, in order to play Minecraft safely (requires Sun Java 6, sucks with OpenJDK or later versions for some reason), I need to pay Oracle $3300? Got it.
  
  --
  xkcd is not in the sudoers file. This incident will be reported.
12. Re:Quarterly security patch? by _xeno_ · 2012-08-28 02:40 · Score: 1
  
  Nah, you only will need to pay once Java 6 reaches end of life last month. I mean, November. I mean, next February.
  (And, yes, seriously - the Java 6 EOL date has been pushed forward twice so far. Presumably because Java 7 still isn't quite ready on all platforms.)
  
  --
  You are in a maze of twisty little relative jumps, all alike.
You know its funny by DarkOx · 2012-08-27 05:29 · Score: 2, Interesting

We were told Java was going to be the answer to all our security problems. No more buffer over flows, and few if any other remote code exploits would be possible with applications written in Java.
Its to bad someone finds a critical vulnerability in the platform every other month seemingly.

--
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
1. Re:You know its funny by Anonymous Coward · 2012-08-27 05:36 · Score: 1
  
  Maybe it would help if they used Java to program the vm.
  Then it would be impossible to have security vulnerabilities.
2. Re:You know its funny by binarylarry · 2012-08-27 05:48 · Score: 3, Insightful
  
  This isn't a flaw in Java itself but yet another flaw in the browser plugin.
  Given that virtually all the major browser plugins technologies I can think of have resulted in an unending stream of exploits, it seems silly to blame this entirely on Java. Adobe PDF, Flash, and the Java plugin have all been the main vectors of attack. Guess what the three most popular browser plugins are?
  Maybe the real issue is a shitty plugin API and/or implementation?
  
  --
  Mod me down, my New Earth Global Warmingist friends!
3. Re:You know its funny by Anonymous Coward · 2012-08-27 07:30 · Score: 2, Informative
  
  Not true...
  http://dev.metasploit.com/redmine/projects/framework/repository/revisions/52ca1083c22de7022baf7dca8a1756909f803341/entry/external/source/exploits/CVE-2012-XXXX/Exploit.java
  It's a bug in how java bean statements interact with security domains, as far as I can tell. Definitely a JRE bug.
  It really is just more reason why you should never let your language's runtime get completely out of hand - this kind of stuff should have been in libraries, not in the runtime.
4. Re:You know its funny by sapgau · 2012-08-27 08:38 · Score: 2
  
  Will we ever be safe from all that?
  Oh, it's Java bashing time, sorry...
5. Re:You know its funny by PCM2 · 2012-08-27 12:00 · Score: 1
  
  Basically you're bolting three proprietary, poorly maintained web browsers onto your shiny main webbrowser. Guess where the bugs are going to be?
  To be fair, though, Java is open source. Even if you think Oracle wields too much control over it, the source code is there for anyone to read, for security purposes or otherwise.
  
  --
  Breakfast served all day!
6. Re:You know its funny by petermgreen · 2012-08-27 22:11 · Score: 1
  
  Assuming they were written by programmers of roughly equal competence Java applications in general probablly are safer than their counterparts in more traditional languages due to the fact that certain categories of exploit basically can't happen.
  The java related security problems mainly come from software (most notablly the browser plugin) that uses the java runtime's sandboxing features to run untrusted code. The sandboxing system is highly complex and as such prone to bugs and when bugs do happen they often end up allowing untrusted code to do things you really don't want it to do.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Don't browse with Java by JDG1980 · 2012-08-27 05:33 · Score: 5, Informative

There is no good reason to have Java installed in your primary browser. The only reason why it's everywhere is that it often comes preinstalled for no good reason, and (even worse) the installer shoves its way into all your browsers, for even less reason. If there are specific business sites using Java that you must access, then use IE with Java exclusively for those, and Firefox or Chrome for normal browsing. Using Java on the open web is just asking to get 0wned.
1. Re:Don't browse with Java by Megahard · 2012-08-27 05:43 · Score: 3, Informative
  
  Agreed. Before HTML5, Java was an acceptable way to implement app-like stuff in the browser. Now with dynamic HTML, Canvas, SVG, and AJAX, Java in the browser has become an anachronism.
  
  --
  I eat only the real part of complex carbohydrates.
2. Re:Don't browse with Java by Anonymous Coward · 2012-08-27 05:50 · Score: 2, Informative
  
  Better yet, disable all plugins by default (or set for "click to run"), and whitelist sites you regularly visit and trust. You should have a minimal attack surface when visiting *any* site you don't explicitly trust.
3. Re:Don't browse with Java by CAIMLAS · 2012-08-27 07:41 · Score: 1
  
  It's exploits like this which make me pine for someone to re-implement VMS security mechanisms for modern operating systems. If I could get that kind of granular control at the IP level of a network, I'd be even happier. "Prohibit all traffic from to anywhere except sites x, y, z". It wouldn't be a fix, but it'd sure help.
  I know I can do it with layer 7 filtering, but it's still a huge headache today.
  
  --
  ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
4. Re:Don't browse with Java by tokul · 2012-08-27 08:55 · Score: 1
  
  Now with dynamic HTML, Canvas, SVG, and AJAX
  
  Java has all app-like stuff contained in single object. All above tools only create mashed soup on top of html with different browser specific quirks.
5. Re:Don't browse with Java by antdude · 2012-08-27 09:36 · Score: 1
  
  I have it disabled 99% of the times. My work's time card system and online classes/courses require Java. Lame, I know! :(
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
6. Re:Don't browse with Java by amicusNYCL · 2012-08-27 09:51 · Score: 1
  
  All above tools only create mashed soup on top of html with different browser specific quirks.
  ...while eliminating all security issues around Java. If you think that's a bad tradeoff, please point to the Java version of Facebook, or the Java version of Youtube, or Gmail, etc.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
7. Re:Don't browse with Java by exomondo · 2012-08-27 14:42 · Score: 1
  
  ...while eliminating all security issues around Java.
  In exchange for security issues in a bunch of other technologies across a number of implementations, great tradeoff! Like the SVG Remote Execution Exploit in Safari, or the SVG Font Manipulation Vulnerability in Opera, or Mozilla's cross-origin data theft canvas vulnerability or the AJAX Javascript hijacking bug found by Fortify that affected applications built with Xajax, GWT, jQuery, Prototype, Dojo, Moo.fx, Yahoo.UI, Microsoft Atlas, MochiKit, etc...
8. Re:Don't browse with Java by amicusNYCL · 2012-08-28 05:08 · Score: 1
  
  Like the SVG Remote Execution Exploit in Safari, or the SVG Font Manipulation Vulnerability in Opera, or Mozilla's cross-origin data theft canvas vulnerability or the AJAX Javascript hijacking bug found by Fortify that affected applications built with Xajax, GWT, jQuery, Prototype, Dojo, Moo.fx, Yahoo.UI, Microsoft Atlas, MochiKit, etc...
  Just out of curiosity, what percentage of infections are the result of attacking those exploits? Java is responsible for 37% of infections on Windows machines, how many infections were caused by exploiting Xajax, or MochiKit? Can you point to a reference for anyone using Safari who got an infection via SVG?
  More importantly, does installing Java eliminate all of those other vulnerabilities, or does it just add new ones?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
9. Re:Don't browse with Java by exomondo · 2012-08-28 10:38 · Score: 1
  
  Just out of curiosity, what percentage of infections are the result of attacking those exploits?
  I don't know, those were just examples to illustrate that replacing Java will eliminate Java exploits but introduce new ones because not only are there a bunch of replacement technologies there are a bunch of different implementations of them. HTML5/Canvas/SVG/AJAX is demonstrably no more secure than Java, i find the technologies themselves to be better and that would be my case for switching to them but to make a case for them on a security basis is just ignorant of the fact that they are not inherently any more secure.
  
  Java is responsible for 37% of infections on Windows machines, how many infections were caused by exploiting Xajax, or MochiKit?
  I don't know, i'm not saying Java is better, clearly you would have to correlate Java infections with the installbase of Java vs the various technologies replacing it as well as the amount of use of them, but that would end up convoluted and inaccurate and isn't even relevant unless you're trying to make a case for one over the other...which i am not.
  
  Can you point to a reference for anyone using Safari who got an infection via SVG?
  No.
  
  More importantly, does installing Java eliminate all of those other vulnerabilities, or does it just add new ones?
  I don't think that's important, in fact i would think you'd have to be an idiot to think installing Java eliminated those vulnerabilities at all. I'm not pro-Java (in fact i don't really like Java, Java applications just don't feel right on desktops/laptops) i'm just saying that eliminating Java and switching to HTML5/Canvas/SVG/AJAX/etc... doesn't make security problems go away because Java isn't inherently less secure than those technologies, we'll just see vulnerabilities in all the implementations of those instead.
10. Re:Don't browse with Java by amicusNYCL · 2012-08-28 11:28 · Score: 1
  
  Well, that was a very measured response.
  I tend to think that those vulnerabilities are there already, whether you use them or not. Browsers support SVG and whatnot, so those are already there whether beneficial developers are using them or not. I don't think there are vulnerabilities specific to individual toolkits like jQuery or Prototype, I assume that they all deal with the vulnerabilities inherent in the browser itself. So it's up to the browser vendors to fix those, and for the most part they are doing a decent job at it. Oddly enough, Microsoft in particular is taking security very seriously in IE9+ (a little too seriously in some cases, throwing out the baby with the bathwater). So the way I see it, you already have the vulnerabilities present in the browser and adding plugins like Java or Acrobat are just going to increase the attack surface. Using technologies like SVG or WebGL or other relatively new and high-level things aren't going to add any new vulnerabilities, because they're there whether you use them or not, but eliminating Java or Acrobat or Flash should in theory make you safer. Flash is the only one of the three major infection vectors that I'm not completely ready to divorce just yet.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
11. Re:Don't browse with Java by exomondo · 2012-08-28 13:46 · Score: 1
  
  I tend to think that those vulnerabilities are there already, whether you use them or not. Browsers support SVG and whatnot, so those are already there whether beneficial developers are using them or not.
  I see your point, yes they are there to a degree but at this stage no browser even fully implements the 'standards' yet and they aren't widely used, much better to target Java as you know just about everyone has it installed. Once everyone has a HTML5/Canvas/SVG/AJAX/etc... compliant browser installed that will become a much larger target
  
  I don't think there are vulnerabilities specific to individual toolkits like jQuery or Prototype
  Those were specifically generating vulnerable code.
  
  So it's up to the browser vendors to fix those, and for the most part they are doing a decent job at it.
  The real concern there is that browser makers have enough trouble with vulnerabilities without taking everything Java is used for and having to maintain that too.
  
  So the way I see it, you already have the vulnerabilities present in the browser and adding plugins like Java or Acrobat are just going to increase the attack surface. Using technologies like SVG or WebGL or other relatively new and high-level things aren't going to add any new vulnerabilities, because they're there whether you use them or not, but eliminating Java or Acrobat or Flash should in theory make you safer.
  I agree, but from an attacker's perspective why bother with HTML5/Canvas/SVG/AJAX when there is much more chance that your target will have Java, sure they aren't any more secure but they aren't as ubiquitous, when things shift the other way so will the attackers. Yes we will see a significant reduction of Java from the browser but then HTML5/Canvas/SVG/AJAX will just become the target with already-struggling browser security teams having to deal with all of that too.
  So i see your point but i don't think the overall amount of infections/vulnerabilities is going to change, it will just be what technologies are exploited. But yes if you don't need Java you might as well uninstall it.
12. Re:Don't browse with Java by gay358 · 2012-08-28 22:07 · Score: 1
  
  IMHO, HTML5 is even more frightening. It has many security threats that java programs don't have, like cross-site scripting attacs, cross-site request forgeries etc.
An Even Better Idea by RobertLTux · 2012-08-27 05:47 · Score: 1

Why don't they make it so that you can download the installer (for use on other computers) without using TOP SECRET BURN BEFORE READING links??
oh btw a cool way to get all the "stuff" is http://ninite.com/.net-7zip-air-chrome-firefox-flash-flashie-foxit-java-pdfcreator-shockwave-silverlight/ download that file and then run it to get everything installed (and yes i did include both chrome and firefox)

--
Any person using FTFY or editing my postings agrees to a US$50.00 charge
1. Re:An Even Better Idea by snemarch · 2012-08-27 10:04 · Score: 1
  
  Seems legit.
  
  --
  Coffee-driven development.
Re:It's Worse for Apple Users by MacColossus · 2012-08-27 05:49 · Score: 5, Informative

Not any more. Oracle is providing Java 7 and later for Mac. http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
If I remind well by Vapula · 2012-08-27 06:04 · Score: 5, Interesting

During SUN's era, the motto for Java was : "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep java's secure reputation...
But now, it's Oracle... Oracle screwed on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatement gets VirtualBox...
1. Re:If I remind well by Sponge+Bath · 2012-08-27 06:35 · Score: 2
  
  Oracle screwed on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatement gets VirtualBox...
  Larry Ellison glances at his screwdriver...
2. Re:If I remind well by RabidReindeer · 2012-08-27 06:56 · Score: 2
  
  During SUN's era, the motto for Java was : "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep java's secure reputation...
  But now, it's Oracle... Oracle screwed on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatement gets VirtualBox...
  Well, Oracle doesn't need to fix Java. Oracle is "Unbreakable"[TM]
3. Re:If I remind well by snemarch · 2012-08-27 10:33 · Score: 1
  
  Larry Ellison glances at his screwdriver...
  ...then laughs manically, and screws everybody over. Again.
  
  --
  Coffee-driven development.
4. Re:If I remind well by subanark · 2012-08-27 11:17 · Score: 1
  
  If only that were true. There is a huge fiasco here at Washington State University as the new finical aid system has broke leaving many students without the money they need for books/supplies/rent/tuition/food. Guess who set up this system... Oracle
  http://dailyevergreen.com/read/Admins-offer-differing-explanations-for-financial-aid-issues
5. Re:If I remind well by Daedalon · 2012-08-28 03:10 · Score: 1
  
  Under Oracle's care Open Office was updated as well or possibly even better than in the years before that. After the Feb 2011 release of 3.3 Oracle made the decision that they didn't want to continue providing commercial support for the project and started to look for alternatives. In May they had made their decision and donated the project to Apache Software Foundation.
  
  I think this is among the best things to happen for open source in ages. It took a lot of hard work for the ASF community to replace the non-free libraries with free ones, which was the cause of the 15-month delay between 3.3 and 3.4, but now that we're finally there, look forward to having a more open, more free and faster-developing Office suite that can finally close the gap in usability and compatibility between the free alternatives and MS Office.
  
  I've preferred Calc over Excel for years, but the tabs of .docs saved in Writer have never matched those saved in Word and Impress hasn't come even close to matching PowerPoint, so I've stuck with using a mixed office suite. Now that OpenOffice is in the hands of such a strong and capable community I look forward to it gradually replacing MS Office everywhere.
  
  Sources:
  http://en.wikipedia.org/wiki/OpenOffice
  http://www.zdnet.com/blog/open-source/oracle-gives-openoffice-to-apache/9035
  
  Is there something Oracle has done wrong with MySQL?
6. Re:If I remind well by Vapula · 2012-08-28 05:35 · Score: 1
  
  They didn't replace non-free by free... They did replace GPL by non-GPL (ASL) component.
  To provide a mechanical analogy, they didn't replace tri-wing, pentalobe or such screw by flat screw but standard cruciform screws by slot screws...
  Before the donation to Apache, Oracle managed to have OpenOffice fork (LibreOffice) because of political issues from Oracle... that's never good for an opensource project...
Re:It's Worse for Apple Users by Anonymous Coward · 2012-08-27 06:22 · Score: 4, Funny

It's up to Sun to release a JVM for OS X now
Boy, are you Apple users in trouble!
Re: Java is like IE 6 in business by Anonymous Coward · 2012-08-27 06:59 · Score: 1

Huge amount of banking and intranet sites in the office not only require it but require a specific version like 9 year old 1.4.2. No not 1.4.1, nor 1.4.3 but just 1.4.2 with 10 exploits. Kronos, bank of america, and others. The same financial institutions that dont require java for us do require ancient IE and old java for corporate functions. These desktops get infected constantly over and over.
Re:It's Worse for Apple Users by Forty+Two+Tenfold · 2012-08-27 07:08 · Score: 1

Apparently Sun IS now releasing a JVM for OS X. Yay!
So we were both wrong.
Some more than others. 2009 called and asked to tell you that. 4/20 to be exact.

--
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
Re:Vulnerable? by Eristone · 2012-08-27 07:18 · Score: 1

Or what. :)
xxx - something else has that which has been allowed through the domain filters because "xxx" doesn't always designate pornography, it can also be part of the size of a t-shirt or a movie perhaps.
.exe download - many larger organizations let their users download executable files from the Internet because their job requires downloading these sorts of things and having requests to let someone else download it becomes a department road block.
downloads .exe to temp directory and tries to run it - group policy may block but legacy applications (that you can't rewrite or replace because a department or division runs on it) may require the same type of behavior.
Modify the system - while it has gotten better, depending on your end-user and apps they are running, they might need admin privileges and or the ability to modify c:\windows
.exe picked up as trojan - this should be a hurdle.
It isn't a case of mediocre sysadmins so much as corporate inertia and legacy stupidity that stands in the way of preventing these sorts of things. And the bigger the company, the harder it is to get it to turn that sort of corner. Add to that the rules involved in changing procedures (not to mention the money) and you'll understand why the high profile (read larger) companies and gov't organizations are still behind on being able to mitigate a lot of these things.
Re: Java is like IE 6 in business by JDG1980 · 2012-08-27 07:24 · Score: 1

Huge amount of banking and intranet sites in the office not only require it but require a specific version like 9 year old 1.4.2. No not 1.4.1, nor 1.4.3 but just 1.4.2 with 10 exploits. Kronos, bank of america, and others. The same financial institutions that dont require java for us do require ancient IE and old java for corporate functions. These desktops get infected constantly over and over.
In that case, the appropriate solution is to run these tasks from virtual machines, which are then wiped back to their original state at the end of each session. And to complain to the idiots who run these pages and clearly don't know the first thing about IT security.
Re:And this is why I don't have Java Installed by njahnke · 2012-08-27 07:42 · Score: 1

Simply put, I have absolutely no apps that depend on JAVA and this is exactly why. As someone else said, the best solution is to removed JAVA entirely and never let it near your system again. Friends don't let friends install Java and we don't do windows
awesome grammar nazi troll. i was getting all excited and then it was suddenly as though you realized java isn't an acronym right before the end of your post.
Vendors shipping custom Java versions by Culture20 · 2012-08-27 07:49 · Score: 1

Lots of vendors like to ship custom Java versions which their programs use (installed in their applications' subdirectories), and they rarely update the Java versions when a vulnerability is found for the version they based their custom job on.
1. Re:Vendors shipping custom Java versions by Anonymous Coward · 2012-08-27 08:40 · Score: 1
  
  But then those environments seldomly run .jar files that get in from the outside, like a browser plugin would.
2. Re:Vendors shipping custom Java versions by Culture20 · 2012-08-28 15:31 · Score: 1
  
  No, but they are susceptible to MitM attacks if they download anything. Hopefully they sign and check the files they download.
Re: Java is like IE 6 in business by LordLimecat · 2012-08-27 09:36 · Score: 1

I would in all honesty change banks if that happened, not just because of the security holes but because it can be a phenomenal pain to get such an old version to play nice with a modern browser. You have to jump through hoops to even get such an old version. It would be sufficiently problematic that I would end up not using the web interface, which is sufficiently annoying that I would want a bank that had useable / secure web access.
Re:Vulnerable? by Eristone · 2012-08-27 10:15 · Score: 1

xxx - something else has that which has been allowed through the domain filters because "xxx" doesn't always designate pornography, it can also be part of the size of a t-shirt or a movie [imdb.com] perhaps.
You don't need to be shirt-shopping or checking out a Vin Diesel movie at work. Block remains in effect.
So you are providing a Internet connection for what reason at work? And your staff isn't allowed to use it for personal things during lunch or breaks?

.exe download - many larger organizations let their users download executable files from the Internet because their job requires downloading these sorts of things and having requests to let somepony else download it becomes a department road block.
HAHAHAHAHAHA. No.
Up to you whether or not you want your IT staff to download requested items. For your IT staff to do it, it becomes a support ticket and puts in the delay that your ticketing and support organization will put into the request.

downloads .exe to temp directory and tries to run it - group policy may block but legacy applications (that you can't rewrite or replace because a department or division runs on it) may require the same type of behavior.
Which will be given exceptions on a case-by-case basis. Not letting everything on the whole system just go nuts with permissions.
Depends on the app. Case-by-case - if everyone is running an app that requires that sort of access, your case has just been shot - of course it also means you have to know the complete behavior of every app that is run on every system in your environment so you can deal with the strange failures that come up every now and then because you do stop that sort of thing by default when apps write temp files and the like.

depending on your end-user and apps they are running, they might need admin privileges and or the ability to modify c:\windows .exe
If you actually need this kind of access, you'd best fucking know better than to get infected with this shit.
We are in agreement here. Sadly a lot of Dev staff aren't as savvy as we'd like.

It isn't a case of mediocre sysadmins
Keep telling yourself that.
I don't have to tell myself (an anonymous coward posting this? Might want to look in the mirror there)

corporate inertia and legacy stupidity that stands in the way of preventing these sorts of things
We play a support role. For most businesses, the primary objective is not IT. Make it work like the rest of us do.
Yes we do. And if you assume that every other environment has the same requirements as the one you are talking about - you might want to look closer at that mediocre sysadmin statement you mentioned earlier. We in IT provide a functioning environment that lets the end users do what they need with the minimal amount of interruption. Depends on what the business is doing as to what sort of access is needed - what you describe in the above is a typical office environment - which wouldn't suit the needs of my users as a software development house. (And doing it 'the office environment' way only generated 200 request tickets the first 3 days... which could have been avoided... )

you'll understand why the high profile (read larger) companies and gov't organizations are still behind on being able to mitigate a lot of these things.
As someone on the inside, it still looks an awful lot like technological incompetence to me.
As someone also on the inside, and doing this for a while, it isn't always incompetence...
Re:Vulnerable? by Eristone · 2012-08-27 10:18 · Score: 1

I read this "my work requires it!" claim a lot.
I think it is hogwash.
Work requires a stable system.
True - but "stable system" varies depending on the type of work done. If you have a typical office environment (accounting, marketing, etc) you are correct. If you have a software development shop, it changes things...

Work does not require access to xxx, download of .exe, run of .exe outside of installed apps, change of the system.
xxx <> porn -- blocking based on character strings may have unintended side effects. (I was looking for tape DLTXXX29...)
Things outside of installed apps -- so how does your Dev staff grab a copy of something to install and test out?

The admins are just hiding that they don't know how to implement measures like this.
Or they are more experienced than you think because the environments they are providing services to contraindicate what you propose - unless you like to have multiple tickets for your staff to go find and download software to make available...

It is the same breed that never updated IE6 "because we depend on it".
They will be owned. But they just don't care.
I bet a lot of those companies have outsourced admin and the admin company only performs to the minimal SLA, which in a corner states that security breaches and virus outbreaks are cured on time and material basis, with no possibility for damage compensation.
The IE6 bit - was a cost issue - company didn't want to spend the amount of time/money required to make their internal app not require IE6 - failing to recognize that most companies are more willing to wait til they have no choice to upgrade their apps... But I would bet that you are correct regarding the outsourcing bit. :)
Re:Vulnerable? by snemarch · 2012-08-27 10:44 · Score: 1

Don't confuse an exploit with a specific piece of malware. This invalidates all your above points.
Also, keep in mind that there's (public-and-patched as well as private-0day) privilege escalation exploits available for all major operating systems. This directly invalidates your point #4, and indirectly #3. #2 and #5 are relatively trivial to overcome... but the funny/sad thing is that you don't need any of this trickery in order to be effective. You can get a zillion zombie bots all running in user-mode without much anti-malware tricks, simply because the majority of users are computer illiterate and will click on anything in order to see Olsen Twins Hot Lesbian Sex.

--
Coffee-driven development.
Quarterly update cycle? Um... whut? by jlusk4 · 2012-08-28 01:14 · Score: 2

My JRE wants to update itself every time I turn around, and I say "why, yes, go ahead". Where does this "quarterly update cycle" statement come from?
quarterly, huh? by slashmydots · 2012-08-28 01:49 · Score: 1

They must not have looked at Java's security history since about version 6r16 when they decided to do quarterly updated. Although, they've broken many, many, many installs of Java by releasing 3 or 4 updates in 1 month. Maybe they should just build it with some sort of security in mind and they wouldn't have this problem.
Re:Server or Client-Side by petermgreen · 2012-08-28 06:43 · Score: 1

Does your software rely on the sandboxing features of java to prevent code from accessing things it shouldn't? and if so are you trying to protect against malice or just against accidents?
If you are relying on the sandboxing features of java to protect against malice you might want to reconsider your strategy. If not you are probablly ok.

--
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Re:It's Worse for Apple Users by Carcass666 · 2012-08-28 07:55 · Score: 1

That's actually really good news. Thanks for sharing.
Bullshit by edxwelch · 2012-08-28 11:27 · Score: 1

A quick look here:
http://technet.microsoft.com/en-us/security/bulletin/
Reveals about one security patch for .NET each month on average. All critical remote executable.
Install an alternative JRE if you need it by seandiggity · 2012-08-28 12:02 · Score: 2

If you know you need a JRE, try GCJ or IcedTea/OpenJDK version 6, and see if your Java program will still run (or if you can tweak settings to get it to run). This comparison of Java VMs is helpful: http://en.wikipedia.org/wiki/Comparison_of_Java_virtual_machines

For GNU/Linux users, there are a lot of choices to avoid this, if our platforms are even targeted. For Windows and Mac OSX users, I've been recommending:
1. Uninstall all versions of Sun/Oracle Java JRE
2. Install OpenJDK 6, only if needed (easy install packages here http://www.openscg.com/se/openjdk/index.jsp )

^ that link also has install packages for GNU/Linux, but obviously you'll want to use your distro's package manager if you have one. Also, I recommend uninstalling *all versions* of Sun/Oracle Java, not just 7, because it's a simpler instruction for users. I find a lot of people hit a cognitive wall when they have to check software versions, even if the info is right in front of them.

--
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
What about the Android OS? by sperm · 2012-08-29 02:36 · Score: 1

Showing my loss in technical knowledge, but arent Android apps all pretty much Java, rebaked in a specific format? So is Android vulnerable to this or simply browser plugin exploits?
Re:Vulnerable? by Eristone · 2012-08-29 12:46 · Score: 1

If you allow the systems to do Wi-Fi, your internet filters are one personal smart-phone away from being bypassed - so instead of letting your staff know that you monitor internet connections and let them go about and willy-nilly do things (which means they aren't working, which is a management issue) you force them to do things that can put you in a deeper pickle (such as bridge your internal network to the Internet via their personal hot spot). They blow up their system, you wipe it and restore from image. They lost something important - they've learned not to go willy-nilly all over the internet. Of course most people are smart enough not to do that in the first place from their work machines but..
The admin access -- again depends on the apps sadly. Oh - and if you have a Dev shop where they are creating executables and unit testing ... the ability to "install" is kind of important, is it not? Or do they only test on other machines instead of perhaps debugging? And the research folks may be hunting down some new tool they read about in a forum and want to see if it can be added... Again, depends on the environment. You have an office shop where it's just sales and accounting - then yeah they don't have a reason to grab anything new except the company sanctioned tools. (or do they? Neat graphing utility? some new widget for Excel that ties into the accounting database better? Nah - they can get IT to download and vet it.)
Now, access to the servers (the stuff that supports the office and keeps it running) - different animal and different discussion.
Re:It's Worse for Apple Users by MacColossus · 2012-08-30 13:00 · Score: 1

You're welcome. Fix released. http://www.macrumors.com/2012/08/30/oracle-releases-patch-to-address-security-vulnerability-in-java-7/