Slashdot Mirror


New Java Vulnerability Found Affecting Java 5, 6, and 7 SE

jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."


  1. Java runtime vs. .NET runtime by Nsks · · Score: 5, Funny

    What is with Java and all these exploits? It's the most exploited piece of software on the planet. I think they should learn something from Microsoft's .NET runtime. It's installed on pretty much every Windows computer out there. Still there are no exploits against it! Microsoft seems to know what they're doing much better than Oracle.

    1. Re:Java runtime vs. .NET runtime by sgrover · · Score: 4, Funny

      Dude!!! You almost made pop come out my nose! I laughed so hard!

    2. Re:Java runtime vs. .NET runtime by gagol · · Score: 4, Informative

      You mean like this?

      --
      Tomorrow is another day...
    3. Re:Java runtime vs. .NET runtime by scorp1us · · Score: 4, Interesting

      Nah, I'd say Flash is the most exploited runtime.

      I never liked Java, but .NET is even worse for a web platform as it only supports a fraction of the platforms. Java was invented to be portable; .NET was invented to be a less portable Java.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    4. Re:Java runtime vs. .NET runtime by Tharkkun · · Score: 2

      What is with Java and all these exploits? It's the most exploited piece of software on the planet. I think they should learn something from Microsoft's .NET runtime. It's installed on pretty much every Windows computer out there. Still there are no exploits against it! Microsoft seems to know what they're doing much better than Oracle.

      All of the present exploits have come from Sun, prior to being acquired by Oracle. Did you expect Oracle to go back and regression test for exploits? I thought the code being open source would allow these things to be found?

    5. Re:Java runtime vs. .NET runtime by Joce640k · · Score: 2

      What does ActiveX have to do with .Net?

      --
      No sig today...
    6. Re:Java runtime vs. .NET runtime by shutdown -p now · · Score: 2

      .NET actually has a bigger attack surface when it comes to sandbox exploits, because its type system is much more complicated, and so its bytecode verifier has to be more complex as well to deal with that, with more corner cases that it can potentially get wrong. For example, .NET has the concept of managed pointers (aka byref) for parameter passing. It also has the concept of vararg methods on the VM level (with a variable number of arguments actually being pushed on the execution stack - not like Java's array-based varargs). I was experimenting in that area to do something unrelated, and found an exploit where you could pass a byref-to-byref (something that's normally verboten; the verifier just didn't catch it that time) to a vararg method, and mutate the reference to point to the stack frame that's about to be torn down - eventually letting you hijack an object's vtable pointer, for example, and execute arbitrary code.

  2. Every big SW package has bugs by davidwr · · Score: 2

    While I commend their efforts, they could've reduced unneeded panic, FUD, and distraction by giving Oracle a few weeks to patch it before the big announcement.

    Now customers everywhere will be concerned about this bug instead of the disclosed-to-the-vendor-only bug that gives you full administrative rights but which won't be made public until a reasonable time after the vendor was notified.

    Apologies in advance if Oracle was notified a few weeks before this was made public and didn't disclose it themselves.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  3. Report exploits to Debian and Red Hat too by David Gerard · · Score: 4, Insightful

    The OpenJDK teams at Debian (who also do Ubuntu) and Red Hat are good people to notify as well. Unlike Oracle, they won't sit on bugs.

    --
    http://rocknerd.co.uk
    1. Re:Report exploits to Debian and Red Hat too by Anonymous Coward · · Score: 2, Insightful

      You do realize that installing a package as root does not automatically cause the binary to be run AS root. I could chown every file on a Linux system to be owned by root:root and still be able to run programs as a non-privileged account.

      I don't know if you're trolling or misinformed, but there is nothing inherently insecure about installing packages as root. RUNNING them as root is something completely different.

      The captcha was "Audited" ... funny.

    2. Re:Report exploits to Debian and Red Hat too by viperidaenz · · Score: 2

      You don't need to be admin to run Java on Windows. You can do it with 7zip, the exe installer can be opened as an archive and the tools.zip file inside is effectively the JDK. Unzip and enjoy. You just can't install it as the system JRE or install the browser plugin. Both of which should always require admin rights.

  4. "Wow, thanks a lot Oracle." by Anonymous Coward · · Score: 5, Insightful

    Release of Java 5: September 30, 2004
    Oracle's acquisition of Sun: January 27, 2010

    I know it's fun to hate on Oracle (commencing Ellison yacht joke in 5, 4, 3...), but it makes you look a little imbalanced to blame them for a vulnerability that exists in a product created by a different company almost 5+ years before Oracle even bought them.

    Shouldn't we at least wait until after we find out that Oracle knew all about this for months on end, chose to tell no one, and then ported it forward into Java 7 before we lambaste them?

    1. Re:"Wow, thanks a lot Oracle." by Anonymous Coward · · Score: 2, Insightful

      No! Fuck Oracle! They are the 1%!

    2. Re:"Wow, thanks a lot Oracle." by Nimey · · Score: 4, Informative

      Java 5 was even EOL'd well before Oracle bought Sun.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    3. Re:"Wow, thanks a lot Oracle." by Cid Highwind · · Score: 4, Insightful

      Number of fscks Larry Ellison has given about Java since finding out owning it doesn't mean Google owes him a ton of money for Dalvik: 0

      --
      0 1 - just my two bits
    4. Re:"Wow, thanks a lot Oracle." by LourensV · · Score: 2

      Actually, after the acquisition Sun Microsystems, Inc. and Oracle USA, Inc. were merged to form Oracle America, Inc. So strictly speaking, Oracle is Sun. I wholly agree though that we need to know for how long they knew about this before passing judgement.

    5. Re:"Wow, thanks a lot Oracle." by Trepidity · · Score: 4, Insightful

      They've owned the product for almost three years now, so I'd say that bugs in current versions are their fault for not doing sufficient QA to find/fix, regardless of where they originated. When you own something, you own the responsibility too.

    6. Re:"Wow, thanks a lot Oracle." by Billly Gates · · Score: 2

      Part of this is not Oracle's or Sun's fault. It is the customers who use 10 year old software that relies on these exploits to provide functionality like COM integration with Excel and other useless features.

      The more Oracle plugs these holes the more users will demand to keep XP and Java 1.4.2 around the office. Corporate customers hate change and fixes make them nervous.

      Java does run on every platform. The problem is it does not run on past versions of itself and, like ancient versions of IE, they create lock-in. Most regular users do not use it as an applet. Chrome and Firefox won't even let you run Java applets by default, believe it or not, if you have Java installed. Just IE, because no one uses it.

      Sadly I use Eclipse and Aptana and I know many users who use Vuze for BitTorrent, so Java is not going away, but at least most of us can upgrade. I use the insecure version but double check to make sure it won't work in my browser, so I am good.

    7. Re:"Wow, thanks a lot Oracle." by Billly Gates · · Score: 2

      Worse, I have to clean machines which use Java 1.4.2 on the clients using IE 7. They get infected A LOT but use them for their banking apps online. Can't upgrade them because the 9 year old Kronos app is not compatible with any other version and this would hurt the share price.

    8. Re:"Wow, thanks a lot Oracle." by Trogre · · Score: 2

      Number of viable alternative desktop implementations? Ditto.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  5. Is Java the new Flash? by blahbooboo · · Score: 4, Funny

    Please discuss.

    1. Re:Is Java the new Flash? by Anonymous Coward · · Score: 3, Funny

      No, Java is the old Flash.

    2. Re:Is Java the new Flash? by Chris Mattern · · Score: 2

      He'll save every one of us!

    3. Re:Is Java the new Flash? by dkf · · Score: 2

      Actually, JavaScript needs to be the new Java. Which seems to actually be happening.

      Shit. Swapping something that's extremely well defined (even anal-retentively so) for something with as... err... whimsical a set of variations as JavaScript is such a huge step forward. Not.

      Sure, JavaScript sucks seriously in its own way and can't touch Java in performance, but it does the job, blows Java out of the water in responsiveness, and has multiple implementations not under the control of any one company.

      On the other hand, the main reason that JS is responsive is that it's got a fully warmed up engine going by the time your browser actually loads any script code. There's a large class of things that you can't do in JS (well, not the JS that's in browsers) and the multiple implementations vary in subtle ways that bite you on the ass.

      It isn't just manipulating graphics or DOM trees that people want to do in browsers.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  6. Java, it's the new Flash by BLToday · · Score: 2

    for malware.

  7. Re:the java plugin? by rbrausse · · Score: 2

    So when was the last time you actually needed that Java-plugin in your browser?

    10 minutes ago. Even twice (Barracuda's SSL VPN tunneling thingy is based on Java, and our web-based CPOE uses Java to print barcodes*).

  8. If you have an IT job you might need it. by Anonymous Coward · · Score: 4, Interesting

    Java plugins won't help you flip burgers, but if you work in a large corporation you will find about fifty mission-critical apps you definitely will need that plug-in for.

    And the sysadmins hate EVERY SINGLE ONE OF THEM.

    Because they SUCK to admin... end users who don't have to use or admin the codebase love them, because they are pretty and sound like coffee.

    1. Re:If you have an IT job you might need it. by Trogre · · Score: 2

      I thought that the Google Dalvik case would have ended all fear about repercussions from developing a viable alternative implementation. And with Oracle's horrible, horrible track record I would have thought people would have been scrambling to do so.

      So far we have... nothing I can think of.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  9. Re:the java plugin? by codealot · · Score: 3, Informative

    I just RTFA; from what I can tell this affects anyone who needs to run untrusted code in a JVM with a SecurityManager, not just applets.

    That said, I can't think of any reason to do that besides applets, so most vulnerable users are those with browser plugins. Virtually everyone I know who runs Java deploys it within a servlet container where untrusted code is not normally a concern. Given that, the story seems a bit overblown.

  10. Wowzers by Billly Gates · · Score: 5, Funny

    Good thing we use Java 1.4.2 at work. Looks like I am safe.

  11. Oracle, did you learn from last time? by onyxruby · · Score: 4, Insightful

    Oracle, did you learn from last time?

    1. Have you publicly acknowledged the exploit?
    2. Have you given at least some idea of how it works?
    3. Have you given any mitigation instructions, or will people simply have to uninstall your product since you're not saying how to mitigate this?
    4. Have you given any type of public communication along the lines of "we're working on it"?
    5. Are you giving any type of ETA for a hot fix?
    6. Have you learned that saying "we'll fix a critical exploit on one billion machines at the regular quarterly update schedule" is not acceptable?

    Home sick today or I would have been neck deep in this all bloody day. Haven't had a chance to look and see if they learned from their last royal clusterfuck or not.

  12. Re:the java plugin? by fa2k · · Score: 2

    The good thing about the plugin is that Java is the only credible cross-platform sandboxed execution environment, and by having the plugin there's a large incentive to find any bugs in the sandbox. With every breach fixed, Java gets more secure.