Slashdot Mirror


Experts Develop 3rd-Party Patch For New Java Zero-Day

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."

34 of 154 comments

  1. A better idea... by DrEnter · · Score: 4, Insightful

    You know what would be better idea than patching Java? Uninstalling it.

    1. Re:A better idea... by MyLongNickName · · Score: 3, Insightful

      Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.

      --
      See my journal for Slashdot IDs by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:A better idea... by gl4ss · · Score: 2

      you know what's funny? can't log into my web banking without it (it's only the signon flow where it's used, too).

      though, I guess I should still just whitelist it on certain sites. however applets can be used in good ways... it's just that nobody ever does that.

      --
      world was created 5 seconds before this post as it is.
    3. Re:A better idea... by udachny · · Score: 2

      ....
      Java Zero Day Vulnerability

      "In my lab environment, I was able to successfully exploit my test machine against latest version of Firefox with JRE version 1.7 update 6 installed," he wrote on the company blog.

      The exploit was found on a server in China, and if it successfully attacks a given endpoint, the payload that is delivered is hosted on the same server. While the IP address associated with the malicious box has been known to serve malware in the past, it isn't responding to browser connections. Nevertheless, the IP is live. ....
      On Monday, the Metasploit Exploit team at Rapid7 said they found the PoC and had developed a working exploit that they say enables a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6.

      "As a user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available," a blog post from Rapid7 notes.

      Once again, it's wise to remove Java if it isn't absolutely needed in your environment. Most home users have little need for the software these days, and most experts agree the risk outweighs the reward when it comes to installing it.

      I don't know why the OP is moderated Funny, maybe they have Java installed on their 'humour sensing unit'.

      --
      OTOH I wish IBM had bought Sun back when Oracle made their bid; this lack of interest by Oracle is just perplexing at this point. If Ellison doesn't see a way to monetize the Java environment, why not sell it? Have an auction, put it on eBay.

    4. Re:A better idea... by Anonymous Coward · · Score: 2, Informative

      Your parent was suggesting that uninstalling Java was better than fixing the security hole.

      It *is* better than fixing the security hole. Fixing the security hole fixes ONE security problem. Uninstalling Java fixes that ONE security problem AND all unknown/future Java security problems.

    5. Re:A better idea... by monkeyhybrid · · Score: 3, Funny

      I locked it down so *only* those 2 things can use it. One of them is not the web browser...

      But the other one is the web browser? ;)

    6. Re:A better idea... by simplypeachy · · Score: 2

      Not with Internet Explorer it isn't. Even after setting the Java control panel not to use the plug-ins, disabling them in IE's Add-Ons and then removing all references to them using Autoruns, parts of the Java plug-in can still execute.

    7. Re:A better idea... by 93+Escort+Wagon · · Score: 2

      You know what would be better idea than patching Java? Uninstalling it.

      I didn't uninstall it; but several months ago I turned it off in my web browser(s). You know what? It hasn't impacted anything I do - none of the web sites I use rely on Java *at all*. Not the fun sites, not the banking sites, not the business sites...

      I've certainly got some local software that requires Java; but if it's not available in my browser you're going to have a difficult time getting an exploit onto my computer.

      --
      #DeleteChrome
    8. Re:A better idea... by Exitar · · Score: 2

      Attack vectors? Like the internet?

    9. Re:A better idea... by c0lo · · Score: 2

      Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense.

      Hmmm... seems you are right... the maximum security for a computer is achieved by uninstalling the OS and keeping the computer powered off. (I'm not saying you advise this, but just to make clear that security is not an objective that anyone would like maximized.)

      --
      Questions raise, answers kill. Raise questions to stay alive.
    10. Re:A better idea... by LordLimecat · · Score: 2

      In Chrome: Wrench-->Settings; Advanced Settings; Content settings; "Click to Play" under plugins.

      Problem solved.

    11. Re:A better idea... by LordLimecat · · Score: 2

      Your parent was suggesting that uninstalling Java was better than fixing the security hole.

      It is, given the huge percentage of malware infections directly caused by Java and Adobe plugin exploits.

      Patching this particular hole fixes the problem for about 2 weeks till the next 0-day drops. Some of us like to get off of that nasty little merry-go-round, and get rid of a plugin that has basically no use. If you really need it, set your plugins to Click-To-Play (through Flashblock for Firefox, or as detailed here for Chrome).

    12. Re:A better idea... by Desler · · Score: 2

      Yes it is. The .NET runtime has substantially fewer security issues than Java. Just check out Secunia.

    13. Re:A better idea... by snemarch · · Score: 2

      Keep away from the browser plugin and install just the JRE. You'll still be 0wned by clicking on "Olsen twins hot lesbian session.mpg                             .jar", but you'll be safe from browser drive-by attacks.

      --
      Coffee-driven development.
    14. Re:A better idea... by dkf · · Score: 2

      Just deleting the network drivers would be enough. It'd simultaneously make the internet a better place too...

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    15. Re:A better idea... by Vintermann · · Score: 2

      Sorry, but Java has a really nasty track record of exploits - especially considering that client code runs not just in a sandbox, but a sandboxed virtual machine - and that the platform has had a lot of emphasis on security from day one.

      So what do you suggest as alternatives? Java does serve a function, you know. There are plenty of things that haven't had an emphasis on security from day one.

      The irresponsible thing here is Oracle's update schedule.

      --
      xkcd is not in the sudoers file. This incident will be reported.
  2. Re:Quarterly security patch? by plover · · Score: 4, Funny

    The analysts figured that exploits only come out an average of four times a year, therefore they only need to send updates every quarter. Who can question the CIO's master stroke of logic?

    --
    John
  3. You know its funny by DarkOx · · Score: 2, Interesting

    We were told Java was going to be the answer to all our security problems. No more buffer overflows, and few if any other remote code exploits would be possible with applications written in Java.

    It's too bad someone finds a critical vulnerability in the platform every other month, seemingly.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:You know its funny by binarylarry · · Score: 3, Insightful

      This isn't a flaw in Java itself but yet another flaw in the browser plugin.

      Given that virtually all the major browser plugins technologies I can think of have resulted in an unending stream of exploits, it seems silly to blame this entirely on Java. Adobe PDF, Flash, and the Java plugin have all been the main vectors of attack. Guess what the three most popular browser plugins are?

      Maybe the real issue is a shitty plugin API and/or implementation?

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:You know its funny by Anonymous Coward · · Score: 2, Informative

      Not true...

      http://dev.metasploit.com/redmine/projects/framework/repository/revisions/52ca1083c22de7022baf7dca8a1756909f803341/entry/external/source/exploits/CVE-2012-XXXX/Exploit.java

      It's a bug in how java bean statements interact with security domains, as far as I can tell. Definitely a JRE bug.
      It really is just more reason why you should never let your language's runtime get completely out of hand - this kind of stuff should have been in libraries, not in the runtime.

    3. Re:You know its funny by sapgau · · Score: 2

      Will we ever be safe from all that?
      Oh, it's Java bashing time, sorry...

  4. Re:Quarterly security patch? by Fuzzums · · Score: 2

    Don't make fun of this. Metrics don't lie. Seriously.

    --
    Privacy is terrorism.
  5. Don't browse with Java by JDG1980 · · Score: 5, Informative

    There is no good reason to have Java installed in your primary browser. The only reason why it's everywhere is that it often comes preinstalled for no good reason, and (even worse) the installer shoves its way into all your browsers, for even less reason. If there are specific business sites using Java that you must access, then use IE with Java exclusively for those, and Firefox or Chrome for normal browsing. Using Java on the open web is just asking to get 0wned.

    1. Re:Don't browse with Java by Megahard · · Score: 3, Informative

      Agreed. Before HTML5, Java was an acceptable way to implement app-like stuff in the browser. Now with dynamic HTML, Canvas, SVG, and AJAX, Java in the browser has become an anachronism.

      --
      I eat only the real part of complex carbohydrates.
    2. Re:Don't browse with Java by Anonymous Coward · · Score: 2, Informative

      Better yet, disable all plugins by default (or set for "click to run"), and whitelist sites you regularly visit and trust. You should have a minimal attack surface when visiting *any* site you don't explicitly trust.

  6. Re:Quarterly security patch? by Anonymous Coward · · Score: 2, Informative

    I'm not sure if you are trolling, but here's why:

    There is a significant amount of work to test the software before doing a release.

    The code base is big and old, there are a lot of targets, and I'm guessing that not all tests are automated. Also, there is this issue of reducing the number of versions "out in the wild", at least for paying customers, as more versions cost money to provide support for.

    All this will take resources away from fixing bugs and working on new features. It's not as if there is nothing to do if no new bugs are found...

  7. Re:It's Worse for Apple Users by MacColossus · · Score: 5, Informative

    Not any more. Oracle is providing Java 7 and later for Mac. http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

  8. If I remind well by Vapula · · Score: 5, Interesting

    During Sun's era, the motto for Java was: "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep Java's secure reputation...

    But now, it's Oracle... Oracle screwed up on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatment VirtualBox gets...

    1. Re:If I remind well by Sponge+Bath · · Score: 2

      Oracle screwed up on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatment VirtualBox gets...

      Larry Ellison glances at his screwdriver...

    2. Re:If I remind well by RabidReindeer · · Score: 2

      During Sun's era, the motto for Java was: "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep Java's secure reputation...

      But now, it's Oracle... Oracle screwed up on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatment VirtualBox gets...

      Well, Oracle doesn't need to fix Java. Oracle is "Unbreakable"[TM]

  9. Re:It's Worse for Apple Users by Anonymous Coward · · Score: 4, Funny

    It's up to Sun to release a JVM for OS X now

    Boy, are you Apple users in trouble!

  10. Re:Quarterly security patch? by ruiner13 · · Score: 3, Funny

    The US doesn't use the metric system, therefore it is full of liars. :)

    --
    today is spelling optional day.

  11. Quarterly update cycle? Um... whut? by jlusk4 · · Score: 2

    My JRE wants to update itself every time I turn around, and I say "why, yes, go ahead". Where does this "quarterly update cycle" statement come from?

  12. Install an alternative JRE if you need it by seandiggity · · Score: 2

    If you know you need a JRE, try GCJ or IcedTea/OpenJDK version 6, and see if your Java program will still run (or if you can tweak settings to get it to run). This comparison of Java VMs is helpful: http://en.wikipedia.org/wiki/Comparison_of_Java_virtual_machines

    For GNU/Linux users, there are a lot of choices to avoid this, if our platforms are even targeted. For Windows and Mac OS X users, I've been recommending:
    1. Uninstall all versions of Sun/Oracle Java JRE
    2. Install OpenJDK 6, only if needed (easy install packages here http://www.openscg.com/se/openjdk/index.jsp )

    ^ that link also has install packages for GNU/Linux, but obviously you'll want to use your distro's package manager if you have one. Also, I recommend uninstalling *all versions* of Sun/Oracle Java, not just 7, because it's a simpler instruction for users. I find a lot of people hit a cognitive wall when they have to check software versions, even if the info is right in front of them.

    --
    Geeks like to think that they can ignore politics; you can leave politics alone, but politics won't leave you alone. -rms