Slashdot Mirror


Oracle Patches Java 7 Vulnerability

First time accepted submitter JavaBear writes "Oracle have just released the u7 release of their Java 7. From the article: 'In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem. In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet.'"

58 comments

  1. sweet by Anonymous Coward · · Score: 1, Insightful

    just this morning slashdot was calling oracle the scum of the earth for not caring about security yet they actually fixed it.

    1. Re:sweet by Sir_Sri · · Score: 3, Insightful

      Which is fair given that they hadn't really said much about it until this point. It's possible this is actually oracle policy, it's possible the press made them change or break policy. Everyone had understood their policy to be 'no out of cycle patch', and waiting until Oct 26, that's why a bunch of people came up with a hack patch for it, that's why the press was all over this.

      Some of this might just be Oracle not being used to dealing with end users, and they really do out of cycle patches for serious exploits etc. and they just did a shitty job of conveying that. It's also possible Larry got exploited while looking at porn and beat up a minion to make him fix it.

    2. Re:sweet by Charliemopps · · Score: 5, Funny

      I have to deal with Oracle every day. They operate much like a company that I used to work for... ATT. ATT is so large, so ubiquitous, their profits so untouchable, that they just don't give a shit anymore. They don't need to. To address a problem, ATT creates a new department, at the expense of millions of dollars. Often that new department does something as trivial as copy data from one system to another. Hiring a team of 10 people to do manual data entry all day every day is easier/cheaper than paying developers to do it right.

      Knowing what I know of Oracle, I'm sure that the "Malware investigatory department" sent in form 24b-FF with a priority level 3 as soon as they knew about the issue. That form was received by a "Critical patch program director" who then scheduled the appropriate conference calls and meetings to discuss who would head up, design, testing, implementation, cost projections, etc... Once the team was assembled, 2hr meetings with catered lunch were scheduled daily to discuss progress and adjusted cost projections. Now that the patch has been released, they will enter a post-patch analysis of self-aggrandizing back patting.

      You can't get rid of Oracle. They are the ATT of Databases. Everyone is stuck with them, they know it, we just have to bend over and hope they use lube.

    3. Re:sweet by qubezz · · Score: 4, Interesting

      I'll call them scum for attempting to foist the Ask Toolbar on us again for a security update.

    4. Re:sweet by Anonymous Coward · · Score: 0

      I removed all Java stuff from my machines, SDK everything - tired of this junk.

    5. Re:sweet by drakaan · · Score: 1

      ...they were informed about the vulnerability a couple of months ago.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
    6. Re:sweet by idontgno · · Score: 1

      You can't get rid of Oracle. They are the ATT of Databases.

      We don't care. We don't have to. We're the Phone Company.

      Ernestine

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    7. Re:sweet by Anonymous Coward · · Score: 0

      So?

  2. Patches? by superdave80 · · Score: 3, Funny

    Given all the news lately, I first read that as 'Patents'...

    1. Re:Patches? by Platypii · · Score: 2

      I read that the same way. Either way, it prevents the exploit, right?

  3. We don't need no steenking patches by WillAffleckUW · · Score: 2

    We have J.P. Patches Avenue in Fremont, Seattle, after all.

    Downloaded and applied both the 32 bit and 64 bit Win 7 patches. If you use both Firefox and IE you might have multiple versions on the 64 bit OS.

    The linux update was a lot more informative and descriptive than the Win 7 FF and Win 7 IE versions.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:We don't need no steenking patches by ZipK · · Score: 1

      We have J.P. Patches Avenue in Fremont, Seattle, after all.

      Will-- look in the dryer for your birthday present.

    2. Re:We don't need no steenking patches by PNutts · · Score: 2

      Correct. I don't need patches because I don't install Java.

  4. Link? by GuruBuckaroo · · Score: 0, Redundant

    Would it really kill the editors to include a link to the http://java.com/en/ download? Come on, guys...

    --
    Poor means hoping the toothache goes away.
    1. Re:Link? by Anonymous Coward · · Score: 0

      The first link goes straight to the download page.

    2. Re:Link? by Anonymous Coward · · Score: 1

      What? Is the TFS's link to that Oracle page with the blue graphic buttons labeled "Download" that, when clicked on, takes you to respective jre/jdk download pages too subtle for you?

    3. Re:Link? by Mashiki · · Score: 1

      Was it really needed? The second the patch went live, the autoupdaters on my end installed it.

      --
      Om, nomnomnom...
    4. Re:Link? by qubezz · · Score: 3, Informative

      The default in Java is to check for an update every month. If you want to reduce your exposure to "30-day" exploits, it would be wise to go into the Java control panel applet and increase the update check frequency to monthly or daily if you must use Java. "Update Now" is available on the update tab of the control panel applet if you don't want to download this update from the web.

    5. Re:Link? by arth1 · · Score: 3, Informative

      The default in Java is to check for an update every month.

      Yet the java updater keeps on running in the background at all times, instead of using the OS scheduler.

  5. Too little ... by Anonymous Coward · · Score: 1

    ...too late. Damage done, in terms of PR if not the actual bug.

  6. Was That So Hard? by rsmith-mac · · Score: 5, Informative

    See guys, was that so hard? Now next time you should focus on getting the patch out before it gets exploited in the wild, since you've been sitting on this exploit for the last 4 months.

    1. Re:Was That So Hard? by Anonymous Coward · · Score: 0

      Our computers' OS has been sitting on this for over 30 years! and still are, just waiting for another vector.

    2. Re:Was That So Hard? by El_Oscuro · · Score: 4, Funny

      Apparently so. Just google Oracle TNS Listener Poison vulnerability for a real cluster fuck.

      --
      "Be grateful for what you have. You may never know when you may lose it."
  7. Most Mac users are SOL by bogie · · Score: 1, Informative

    Fact: Most Mac users are at this point still running Snow Leopard.

    Fact: Snow Leopard can only run Java 6 and Apple has stopped releasing security updates for it and the OS in general.

    Fact: Most Mac users are SOL.

    Sorry to be a bit trollish here but Apple, you know the richest company in history with money to burn, refuses to spend money to support an OS that is only 3 years old and that pisses me off.

    --
    If you wanna get rich, you know that payback is a bitch
    1. Re:Most Mac users are SOL by Anonymous Coward · · Score: 4, Informative

      Fact: Java 6 isn't vulnerable to this attack.

      There are other problems that they are exposed to, but this isn't one of them.

    2. Re:Most Mac users are SOL by OdinOdin_ · · Score: 1, Informative

      From what I understand of the situation Java6 is not affected (only changes made for Java 7).

      Yes you apple users should seriously make a stand on that forced upgrade or no support for you policy.

    3. Re:Most Mac users are SOL by yuhong · · Score: 1

      In fact, Java 7 Update 6 that added full support for Mac OS X was only released a few weeks ago.

    4. Re:Most Mac users are SOL by Anonymous Coward · · Score: 4, Informative

      Fact: Java 6 isn't vulnerable to this attack.

      Wrong, Java 6 is affected. From the "Security Alert":

      Affected product releases and versions:
      JDK and JRE 7 Update 6 and before
      JDK and JRE 6 Update 34 and before

      But it appears Oracle did not provide a patch for Java 6 yesterday.

    5. Re:Most Mac users are SOL by Anonymous Coward · · Score: 1

      You can use Java 7 with latest updates on Snow Leopard: http://code.google.com/p/openjdk-osx-build/

    6. Re:Most Mac users are SOL by bogie · · Score: 1

      Thanks for the link I'll check it out.

      --
      If you wanna get rich, you know that payback is a bitch
  8. Too little too late by onyxruby · · Score: 4, Interesting

    I killed Java 7 on Monday at my work. I won't bring it back any time soon. Oracle, in case you care this is how you messed this up royally:

    1. You sat on this since April.
    2. Exploits have been in the wild since last weekend and you didn't even acknowledge it until today.
    3. The community was left to fend for themselves, and the only way to fend for themselves was to /remove/ your product.

    This is how you should have handled this:
    1. You should have patched this during your normal patch release cycle that you had since April.
    2. You should have immediately acknowledged the exploit.
    3. You should have immediately acknowledged the breadth of the exploit.
    4. A very simple note on your blog to the effect of "we're working on this, expect something shortly" would have made all the difference.

    As a result of your failure to take security half as seriously as Microsoft (I never could have imagined I would say that 10 years ago), I spent the first half of my week testing an emergency uninstall package of Java for multiple platforms. After getting it approved through an ECAB and rushing it into production - since I had no idea when you were going to release a patch - I uninstalled Java 7 system wide at a very large institution this week.

    After my emergency uninstall went into production it came up in a meeting with management today that an out of band patch got released today. At this point my response to management was simple, "too late". No one questioned my decision and Java 7 is now gone.

    Learn from this Oracle, learn from this, you royally fucked this up.

    1. Re:Too little too late by TubeSteak · · Score: 4, Insightful

      If your company didn't need Java to interact with internal or client/vendor/etc websites, you probably shouldn't have it installed in the first place.
      Firewalls and antivirus scanners are nice, but reducing the attack surface is better.

      --
      [Fuck Beta]
      o0t!
    2. Re:Too little too late by onyxruby · · Score: 1

      Wholeheartedly agreed.

      Unfortunately for political reasons I have certain users that have admin rights and can install things anyways. I couldn't agree with you more, I really couldn't.

    3. Re:Too little too late by Anonymous Coward · · Score: 0

      Not to mention that an uninstall wasn't necessary to mitigate the risk.

    4. Re:Too little too late by DigiShaman · · Score: 2

      Hopefully those users with local admin rights also have some form of managed AV software. Norton, Trend Micro, Vipre, anything that will report back to a central server with full logging of malware hits. I actually called one of the owners of a company over to my computer and showed him the logs of two laptop users that have systemically been abusing their rights. That ended that crap in a hurry :)

      --
      Life is not for the lazy.
    5. Re:Too little too late by arth1 · · Score: 1

      Not to mention that an uninstall wasn't necessary to mitigate the risk.

      But it worked just fine.

      I avoid Oracle applications whenever I can because of how they treat their customers. This includes open source where the copyrights are held by Oracle, or the main development effort is under Oracle. So I avoid java, mysql, berkeley db, openoffice, virtualbox and zfs.

    6. Re:Too little too late by Trogre · · Score: 2

      How many computers at your work? 20? Oh dear, so now I guess Java is only installed on more than 2,999,999,980 devices.

      That'll show 'em.

      In all seriousness though, I agree with you. Ellison is a douche and the purchase of Java and MySQL (the only parts of Sun worth anything) was the worst thing that could have happened to them.

      Well, unless Microsoft or Apple bought them instead but that doesn't bear thinking about.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    7. Re:Too little too late by Trogre · · Score: 2

      Ah, so you're a LibreOffice man.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    8. Re:Too little too late by rastos1 · · Score: 2

      Learn from this Oracle, learn from this, you royally fucked this up.

      We don't care; we don't have to. We are Oracle.

    9. Re:Too little too late by Anonymous Coward · · Score: 2, Insightful

      2 things:

      As a sysadmin, you need to have a means to both silently install and remove software. The fact you state you spent half your week testing an emergency uninstall package of Java for multiple platforms indicates you did not have an upgrade path in place. Upgrading Java requires removing the old version *unless* you need to keep an older version for compatibility reasons, *in which case* you just simply cannot uninstall Java and say to your management 'Too late' :-) . So Oracle is not the only one messing stuff up in your company's infrastructure, apparently :-) (nothing personal, just business).

      Secondly: if you can just say to your management *after* the patch got out: 'Too late' and get away with it, why oh why were you loading Java on your systems in the first place? This just does not make any sense. Why did you open your company to lines of attack, putting them at risk of disrupting its normal operation? No blame on your side? Wow.

      I feel a strong anti-Java sentiment in your story. It is just software and software has bugs. Did you feel and do the same when visiting sites with IE provoked the same problems? Or Flash? Or ..., or ... (just fill in the blanks with software listed in http://cve.mitre.org/ ).

      So just curious: when management decides they require running software xyz and this stuff requires the Oracle JRE, what are you going to tell them? Up yours? :-)

      Get real, grow up and accept that people and businesses make mistakes (yes, you too) and are entitled to correct them even if it takes a little longer than what we all would like.

    10. Re:Too little too late by Anonymous Coward · · Score: 0

      > 3. The community was left to fend for themselves, and the only way to fend for themselves was to /remove/ your product.

      Actually the community did even produce a patch:
      http://thread.gmane.org/gmane.comp.java.openjdk.beans.devel/34
      But it was ignored...

    11. Re:Too little too late by arth1 · · Score: 1

      Ah, so you're a LibreOffice man.

      No, Libreoffice was forked from Openoffice.org after Oracle took it over, and to my knowledge, no effort has been taken to excise the open source code to which Oracle or at-the-time Oracle employees hold the copyrights.
      It also requires Java for some of the components, which is another blocker.

    12. Re:Too little too late by onyxruby · · Score: 1

      I work at one of the largest Universities in the world. Agree with you about Oracle being a disaster on many things.

    13. Re:Too little too late by onyxruby · · Score: 1

      My normal Java upgrade packages first uninstall old versions of Java. Officially we only ran Java 6 to begin with; however, we had a number of users who have admin privileges for political reasons, and so we had to get all of the uninstall strings for Java 7 and test them on several platforms and test them on our management platform.

      My irritation with Java is twofold. First, it is very high maintenance, and second is that Oracle completely dropped the ball on communications with this.

      I'm with you on management platforms, I made my living as a consultant / architect for them for many years in the enterprise space. Preaching to the choir on that one.....

  9. Also Java 6 u35 (Apparently) by AlienSexist · · Score: 3, Interesting

    Coincidentally, Java 6 update 35 was also released at the same time. The release notes cite a security fix. All CVE entries and info I could find only describe this issue as a Java 7 vulnerability. I had not seen any confirmation yet that it also applied to Java 6 other than the brand new update.

  10. Installed and Installed as a plugin by Anonymous Coward · · Score: 1

    are two different things.

  11. Are Java Applets Even Needed Anymore? by medv4380 · · Score: 1

    I don't really see the need for applets any more as a load-if-present part of the page. The last one I ran was for Nvidia and all it did was detect which driver I needed. Chrome didn't have Java installed since it was a fresh install, but even after installing it Chrome asked nicely if I wanted to run the plugin. Back in the day when people thought they could use applets the way they use Flash, auto loading was needed, but now that that part failed, why not just go to load on request only? At least that way the applets aren't running unless I let them.

    1. Re:Are Java Applets Even Needed Anymore? by AlienSexist · · Score: 2

      My understanding is... no. HTML5 and plain old JavaScript should replace or supersede pretty much anything an Applet can do. I think there still could be a place for Java WebStart, but I'm concerned for JavaFX in light of HTML5 as well. JavaFX seems just too late to the game. Like Java's eventual answer to Adobe Flash and Microsoft Silverlight, just in time to surrender to HTML5. Then again, this is in terms of using JavaFX in the web tier; you can still write native apps, like games, with JavaFX for hardware accelerated graphic goodness.

  12. What happened to October, Oracle? by Culture20 · · Score: 2

    Now my patch cycle is going to be screwed up! /sarcasm

  13. Ya ha ha by jodido · · Score: 1

    Since I can't get Java to run in Firefox, Chrome or IE I have nothing to worry about.

  14. Source of revenue: patches with crapware by bitflusher · · Score: 3, Interesting

    The thing on my mind is, how much does Oracle earn with a patch release? The Ask toolbar crapware is installed by default and people hitting "next next next" will be infected. Only by installing this with care will you not get the Ask toolbar. I know they are not alone in this (Adobe wants to install the Chrome browser as default AND the Google toolbar for IE, talk about redundancy) but they incorporate it in all updates..

  15. Bing!!! by Fuzzums · · Score: 4, Insightful

    Wouldn't it be great if Microsoft bundled a bing search toolbar with every .net update..
    Well. No.
    For the same reason: DieAskToolbarDie.

    --
    Privacy is terrorism.
  16. Real link, not cnet bullshit by Legion303 · · Score: 1
    1. Re:Real link, not cnet bullshit by Anonymous Coward · · Score: 0

      OK, that's all well and good... I suppose...

      BUT, here I am a Mac OS X Lion user, and I hear that there's a Java vulnerability. I know that Oracle is now in charge of providing a fix nowadays, not Apple. Oh, and the vulnerability is in Java 7, not 6. OK, fine - I check my system by going to one or another of the various web sites that tells me I'm still running Java 6. OK, fine, I'm not going to worry (too much; I always worry because I've been around the block with various operating systems and major components over the past 35+ years).

      Now I click on the link in the immediate parent and what am I looking at?

      How do I know that this is now the correct file to download and install? WHEN was it posted? There are no dates. WHAT is the proper version number and patch level needed to ensure that we'll be OK? It's not stated!! How do I know that this isn't the same stuff available for download from two weeks ago before they started patching everything on an emergency basis?

      It's not Legion303's fault and I'm not yammering at him/her - I'm talking about how poorly Oracle has deployed a fix, assuming that these are the real fixes that I'll need. Quite incredible that the largest software company in the world has performed like this!

  17. better link for you by RobertLTux · · Score: 1

    http://ninite.com/flash-flashie-java-shockwave/

    and as an added bonus it skips installing the "extra" [redacted] for you

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
  18. Ninite has it by Anonymous Coward · · Score: 0

    I use the Pro version of Ninite to keep things updated at work. When checking whether they had already gotten the Java update in, I found that Ninite has released a Pro version for free for a week. I recommend the free version to friends/family, and it should be good for most people, but the Pro version is worth a free try if you manage lots of computers and don't have an automated update solution already.