Slashdot Mirror


Java Exploit Patched? Not So Fast

PCM2 writes "The Register reports that Security Explorations' Adam Gowdiak says there is still an exploitable vulnerability in the Java SE 7 Update 7 that Oracle shipped as an emergency patch yesterday. 'As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.'"

26 of 87 comments

  1. Arrrrrg by Haawkeye · · Score: 5, Insightful

    Come on, really! That's it, Java is coming off my machines!

    1. Re:Arrrrrg by Anonymous Coward · · Score: 2, Informative

      Sandbox it externally. Don't rely on JRE to do it for you.

    2. Re:Arrrrrg by cbhacking · · Score: 4, Insightful

      Using what, a VM? That's probably the easiest and most cross-platform, but that hardly makes it easy (especially since VMs that are designed for easy use make extremely poor sandboxes). AppArmor or SELinux or some such? Well beyond the capabilities of most users. A dedicated low-privilege user account? That's possible on pretty much any platform, but will still leave a mess that you'll have to clean up afterward.

      Besides, I'd really rather stop before the attacker gets arbitrary code execution on my machine. Java is disabled or simply not present on my machines, thank you.

      --
      There's no place I could be, since I've found Serenity...
    3. Re:Arrrrrg by Jeremiah+Cornelius · · Score: 4, Funny

      Oracle should be "patched" by Anonymous.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    4. Re:Arrrrrg by Nerdfest · · Score: 5, Informative

      I may have this wrong, but isn't this exploit only possible if you have Java enabled in your browser, which you only need to run Java applets? When was the last time you saw a Java applet? Disable it. I'm surprised it's still enabled by default (I think it's actually disabled in Chrome).

    5. Re:Arrrrrg by whoever57 · · Score: 4, Insightful

      > When was the last time you saw a Java applet?

      Try using Webex without Java enabled in your browser.

      --
      The real "Libtards" are the Libertarians!
    6. Re:Arrrrrg by Nerdfest · · Score: 3, Informative

      That product is pretty much a security exploit by its very nature.

    7. Re:Arrrrrg by reiisi · · Score: 2

      Well, I've been recommending a sort-of simple procedure for *nix users, where you call your browser through a restricted, dedicated user account with no login privileges.

      By no means is it a perfect solution, but every speed bump and low wall helps a bit.

      One could (should?) basically set up such pseudo-users for specific required processes that will run a Java VM, and refrain from using Java otherwise.

      Of course, any architecture that allows a server to feed a client a class that the client's machine will instantiate is going to be vulnerable.

      --
      Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
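One way to set up what reiisi describes above (and the "dedicated low-privilege user account" option cbhacking weighs near the top of the thread), as an added example that is not from any commenter: a launcher that refuses to start the browser unless the sandbox account really is a no-login account. The account name webjail, the passwd-file override and the xhost-based display grant are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: launch a browser under a dedicated
# no-login account, the "restricted, dedicated user" approach reiisi and
# cbhacking discuss above.  Assumptions: Linux, sudo, X11 with xhost, and an
# account (default "webjail", created by the admin beforehand) whose login
# shell is /usr/sbin/nologin.  All names here are hypothetical.
SANDBOX_USER="${SANDBOX_USER:-webjail}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Login shell of a user from a passwd-format file; empty string if absent.
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# Succeed only if the account exists and cannot log in interactively.  A
# sandbox account that acquired a real shell has been "fixed for convenience";
# refuse to launch rather than silently run the browser with more rights.
check_sandbox_user() {
    case "$(user_shell "$1" "$2")" in
        "")                return 1 ;;   # no such user
        */nologin|*/false) return 0 ;;
        *)                 return 1 ;;   # interactive shell
    esac
}

# The command we will run: wiped environment (no proxy, no ssh agent, no
# profile of ours), the sandbox user's own HOME, same DISPLAY.
build_launch_cmd() {
    printf 'sudo -u %s env -i DISPLAY=%s HOME=/home/%s %s' "$1" "$3" "$1" "$2"
}

main() {
    browser="${1:-firefox}"; display="${DISPLAY:-:0}"
    if ! check_sandbox_user "$SANDBOX_USER" "$PASSWD_FILE"; then
        echo "refusing: $SANDBOX_USER missing or has an interactive shell" >&2
        exit 1
    fi
    echo "running: $(build_launch_cmd "$SANDBOX_USER" "$browser" "$display")" >&2
    # Grant only this local user access to the X server for the session.
    # Caveat: X11 isolation is coarse; any client on the display can still
    # snoop other windows' keystrokes.  A VM or Wayland isolates better.
    xhost "+SI:localuser:$SANDBOX_USER" >/dev/null
    sudo -u "$SANDBOX_USER" env -i DISPLAY="$display" HOME="/home/$SANDBOX_USER" "$browser"
    xhost "-SI:localuser:$SANDBOX_USER" >/dev/null
}

# Run only when invoked as browser-jail.sh, so the functions can be sourced.
case "$0" in *browser-jail.sh) main "$@" ;; esac
```

The sandbox user still shares the X display and the kernel with your session, so this is the "speed bump" reiisi calls it, not full isolation.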
    8. Re:Arrrrrg by LordLimecat · · Score: 5, Funny

      > Sandbox [Java VM] externally

      > Using what, a VM?

      Yo dawg, I heard you liked virtual machines...

    9. Re:Arrrrrg by DarwinSurvivor · · Score: 2

      Blackboard and Virtualmin are ones I'm forced to use on a regular basis.

    10. Re:Arrrrrg by Decker-Mage · · Score: 2

      When VMWare Workstation was very, very young (2000) and had that beta new-software smell, the very first thing I did with it was create a dedicated browser appliance. Given that security has always been one aspect of what I do, it was extremely nice to have a machine that I could "nuke" after cruising the underground looking at existing (and sometimes upcoming) threats. If that doesn't do anything for your situation (use-case, blech!), Sandboxie or another sandbox software package might do the trick. Now that it's a more mainstream feature, security suites are demonstrating the capability. Still, I'd much rather have the nuke-able machine with a Golden-image locked up elsewhere than necessarily rely on any one program or suite. Then again, I'm paranoid-in-depth here. Yes, they really are out to get me! ;-).

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    11. Re:Arrrrrg by EvilIdler · · Score: 2

      Denmark uses NemID, which is a Java applet-based login system for all sorts of official things. Norway uses it for many banks. It's not nearly as bad as South Korea's over-reliance on ActiveX, but there are quite a few services you can't use fully without frickin' client-side Java. I can't even get a bank statement without going through that Java login, as the mobile banking doesn't support more than looking at what's on the account and transferring money.

  2. Not surprising by cbhacking · · Score: 4, Interesting

    They've patched 6 of the 19 vulns that were reported back in April. Three were patched a couple months back as part of their usual 4-month patch cycle. As far as I know, those were never used in the wild. Three more were patched just recently, in response to rampant in-the-wild use and inclusion in exploit kits, etc.

    Of course, that leaves 13 still unpatched, and while apparently quite a few of them are defense-in-depth (insufficient, on their own, for full compromise), when you've got that many unpatched vulns it is totally unsurprising that somebody can chain a few of them together into a working exploit.

    --
    There's no place I could be, since I've found Serenity...
  3. WORE by tobiasly · · Score: 5, Funny

    Oracle should be commended for finally bringing their "Write Once, Run Everywhere(tm)" vision to the exploit community.

    1. Re:WORE by cbhacking · · Score: 2

      Ah, but ActiveX only ever ran on Microsoft platforms. With Java, you can exploit OS X, Linux, BSD, and so on through any browser with the Netscape plugin API (a.k.a. almost all of them)! Truly, a great day for the blackhats of the world.

      On a more serious note, this does highlight two problems with modern computing:
      1. Write-once-run-everywhere is convenient for developers, but puts a huge security burden on the platform developer (a burden which Oracle seems either unwilling or unable to bear). If you want to become the universal execution platform, you better make damn sure you aren't allowing universal exploitation too.
      2. Yes, Macs and Linux users and anybody else who can load a Java applet in their browser is vulnerable to malware, even 0-day (well, 0-day for patches, more like 120-day since the vendor was notified) exploits. If nobody bothers to attack your system, it's simply because the value they can get from it isn't worth the cost of developing the payload (which is hardly difficult). If you want to be a success in the market, though, you're going to have to take the scrutiny that comes along with it. Don't be complacent; you're far from immune.

      --
      There's no place I could be, since I've found Serenity...
    2. Re:WORE by sjames · · Score: 3, Funny

      Honest to God, when I glanced at the subject, I read it as "WHORE" which seems somewhat apt for Java these days.

    3. Re:WORE by medv4380 · · Score: 2

      I don't believe there is all that much of a security burden that Oracle needs to bear. The problem is that Java is in essence executable code. It really is too powerful to be embedded into a web page and just trusted. Running Java in a web page is like running a native executable and expecting the sandbox to work every time. If Java only ran when you wanted it to run then the exploiters wouldn't have such an easy attack vector. The user could still be hit, but they'd have to do more than pull up a page.

    4. Re:WORE by cbhacking · · Score: 5, Interesting

      Normally I'd agree with you, but the exact same thing is true of JavaScript and yet very, very few people are calling for a universal end to that. Now, a handful of people (relative to the global computer userbase) use NoScript, but even among NoScript users most realize that it's either too complex or too difficult for most people to use correctly all the time.

      As it happens, I do block plug-ins (especially Flash and Java) by default, permitting them only on a case-by-case basis, except where I can remove them entirely. However, even to my (highly technical; he's been coding since he was in high school) father, that's too much of a hassle. He expects (rightly, if not wisely) that software vendors will keep their software as secure as possible, and respond quickly to any threats. That's the standard to which I'm holding Oracle here, and they're failing to meet it.

      --
      There's no place I could be, since I've found Serenity...
    5. Re:WORE by SplashMyBandit · · Score: 4, Informative

      > With Java, you can exploit OS X, Linux, BSD, any ...
      I know you say "Java applets" later on, but it is important to qualify this at every stage (since even the techie Slashdot readers appear to be horribly ignorant that there are differences between JavaScript, Java applets and Java applications).

      Readers should take note:

      1. In general Java applications and web services are secure (in fact, more secure than C++ etc)
      2. It is malicious Java applets that pose a potential risk to users (just like malicious buffer-overrun inducing JPEG images do).

      Now cue the hundreds of Java-hating posts that don't know the difference between JavaScript, Java applets and Java applications/servlets but still think that some other technology is more secure (hint: it is not - every tech out there has holes that get discovered from time to time - including your operating system).

  4. Is Oracle's "proprietary" attitude the problem? by reiisi · · Score: 2

    We know that the license (for Oracle's release) is a charade.

    Isn't the whole problem here derived from Oracle's attitude that they own this thing?

    I don't think it's possible to keep a closed/proprietary attitude and make secure software. I don't mean that the form of the license guarantees anything, there are always exceptions where the license and the community attitude are out of sync, but I think it's clear that software products have to be open to the end user to be secure.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  5. Not so fast by MobileTatsu-NJG · · Score: 5, Funny

    Not so fast.

    Isn't that Java's mission statement?

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    1. Re:Not so fast by MROD · · Score: 2

      No, Java is an exceptional language: at the slightest provocation it throws one.

      --

      Agrajag: "Oh no, not again!"
  6. Re:about:addons by Runaway1956 · · Score: 3, Insightful

    Protip, your ass.

    The real protip? If your bank requires you to enable java or flash to use their site, you're banking in the wrong place.

    Now, pull your head out of your ass, and think "security" instead of "convenience".

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  7. Re:Why would I run Java on my browser? by isorox · · Score: 2

    I've had no need for it. Who does?

    Lights out management of servers?

  8. OpenJDK vs. Oracle Java? by someones · · Score: 3, Interesting

    I switched to OpenJDK a while back.
    In its early days it was bugged and crashed all the time, but that time seems a long-forgotten past.

    Is there a reason to favor Oracle's Java over OpenJDK?

  9. Re:about:addons by BlackThorne_DK · · Score: 3, Interesting

    Oh well, welcome to my world. In Denmark, not only does the bank require Java. The _state_ requires you to use the same braindead Java-infested login (NemID), not only on all banks, but also on every publicly accessible site (Pensions, Healthcare, Unemployment benefits, Student benefits...).
    No matter what I do, and which bank I choose, I need to use NemID, and Java.

    I just disabled Java on my work machine. Now I need to make a virtual machine or something, if I actually want to pay my bills. :-(