Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Develops Patch For Java Zero Day In 30 Minutes

Posted by Soulskill on from the 30-minutes-or-less-or-your-zero-day-is-free dept.

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."

57 comments

  1. Code review by danomac · · Score: 4, Insightful

    They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...

    1. Re:Code review by wonkey_monkey · · Score: 4, Insightful
      Exactly. The amount of time taken to write a patch is almost entirely inconsequential here. It's the time taken to ensure that the patch doesn't accidentally open 1001 other holes that matters.

      A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce

      And someone at Java may have written a patch for the exploit in 1 minute six weeks ago. In terms of actual useful information this headline probably boils down to

      Researcher Develops Patch For Java Zero Day

      which isn't quite as immediately sexy.

      --
      systemd is Roko's Basilisk.
    2. Re:Code review by Likes+Microsoft · · Score: 1

      TFA incorrectly called this a zero day. It has to be known to be actively exploited in the wild first.

      --
      -- Who am I? How did I get here? My God, what have I done?!
    3. Re:Code review by sjames · · Score: 2

      It does give us some idea of the extent of the patch (quite limited) and thus the effort required to revalidate the package (small as that sort of thing goes). I find that information useful in evaluating Oracle's response.

    4. Re:Code review by Anonymous Coward · · Score: 0

      They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...

      Ha. You don't know Oracle. They won't push out any patch until you sign a multi-million dollar service contract!

    5. Re:Code review by StormReaver · · Score: 2

      I doubt they'll push any patch out without testing it.

      You must be new to Oracle. I envy you.

  2. Tank it by Anonymous Coward · · Score: 1

    I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premier and decided to tank it.

    1. Re:Tank it by Nyder · · Score: 1

      I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premier and decided to tank it.

      Okay, this is weird. I happen to be watching the 30 Rock Season 7 premier right now.

      --
      Be seeing you...
    2. Re:Tank it by Anonymous Coward · · Score: 1

      Are you saying it's weird because you're watching it or because you're an executive at Oracle?

    3. Re:Tank it by Smallpond · · Score: 1

      Actually, it's weird because he's Alec Baldwin.

    4. Re:Tank it by sexconker · · Score: 1

      Actually, it's weird because he's Alec Baldwin.

      Actually, it's weird because someone actually watches 30 Rock.

      Actually, it's weird because someone actually watches NBC.

    5. Re:Tank it by Anonymous Coward · · Score: 0

      Actually, it's weird because someone on slashdot actually watches TV.

  3. The cost is rarely in coding the patch... by Anonymous Coward · · Score: 3, Insightful

    It's in testing it.

    1. Re:The cost is rarely in coding the patch... by pkinetics · · Score: 2

      With Oracle products, it seldom is the testing of just the SE app. Its all their other apps that integrate into it that are the problem. Further down the chain, it is the vendors who use the Oracle products that are further more hosed, which end up holding up the deployment of the client.

    2. Re:The cost is rarely in coding the patch... by Anonymous Coward · · Score: 0

      Or in millions of machines infected with malware. Oh, right, that's not THEIR costs.

    3. Re:The cost is rarely in coding the patch... by Slashcrunch · · Score: 1

      You're 100% correct that a reasonable amount of effort is needed to test a patch that is going to be deployed to users and enterprise systems.

      But here we have a known exploit, and Oracle with their huge pool of resources cannot manage to release patch for it before Feb 2013? You can believe that they don't have the resources to test the patch in a shorter time frame or even create a better one? I seriously doubt that it takes Oracle months to regression test a single patch.

      The bottom line is that Oracle are the owners of Java, and they can't patch it in a timely fashion.

      Companies and people running Java applications are OK with this?

      I was once a huge fan of Java and in all seriousness, this is one of the exact reasons that I don't touch Java anymore. I don't even look at MS stuff either for similar reasons.

    4. Re:The cost is rarely in coding the patch... by LordLimecat · · Score: 1

      Since when has Oracle / Sun cared about breaking compatibility with Java? IIRC many older Cisco web-config pages use Java 1.4.2 u7 (or something)-- any newer (update 8) and it breaks. And when JavaSE7 came out, it broke LibreOffice and basically every other app I used (I think CrashPlan too). Backwards compatible my foot.

      Pretty sure the various iterations of BES break horribly if you try to update their java-- but that might not be a java issue per se.

    5. Re:The cost is rarely in coding the patch... by Anonymous Coward · · Score: 0

      It's crap like this that is getting Java removed from web browsers by the shit loads each and every day. On the machines that don't require Java at all, Java is banned.

      As a business you can't possibly operate under the imminent threat that Java's security holes represent. 4 more months for a critical patch for exploits that are in the wild now? Seriously?

      At my company right now you need to use a remote desktop session to use a vendor website that has Java apps. We work off white lists to prevent any connections to unauthorized websites.

      If you have Java open and running in a web browser right now in a company, you're asking for it. I can't see how situations like this are encouraging further enterprise development of platforms that use Java either.

    6. Re:The cost is rarely in coding the patch... by jroysdon · · Score: 1

      Java 6 update 37 also broke the ASA ASDM interface. Works just fine with Java 6 update 33 (update 35 wasn't a real security fix for Java 6). TAC is reviewing and will probably post a bugid soon.

    7. Re:The cost is rarely in coding the patch... by LordLimecat · · Score: 1

      when the heck was update 37 released? U32 just came out in august.....

    8. Re:The cost is rarely in coding the patch... by jroysdon · · Score: 1

      Keep up. U32 was released in April. U37 was last week.

      Java 6 Updates

  4. 5 months? by Nyder · · Score: 1

    I don't see how it can be called critical updates if they only do them twice a year. That doesn't sound like the patches they put out on those days are very critical. Unless this is another word we are changing the meaning of...

    --
    Be seeing you...
    1. Re:5 months? by TaoPhoenix · · Score: 1

      Glad to know someone else thought about that, too. In the one hand we have the frenetic "let's monitor the internet to make the web safer!" (A few stories back). Then on the other we get "Oh well, there's a security flaw that we won't fix until February."

      --
      My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    2. Re:5 months? by Local+ID10T · · Score: 4, Insightful

      Microsoft has Patch Tuesday, Oracle has Patch February...

      --
      "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
    3. Re:5 months? by Anonymous Coward · · Score: 0

      This just another shining example of why Oracle and Larry Ellison suck.

    4. Re:5 months? by cusco · · Score: 1

      And Adobe just leaves security holes with known exploits in the wild for Acrobat open for two years, never fixes them in the free version of Reader, and then tells users they have to upgrade Reader even though it breaks things. Only software company I loathe more than Oracle.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  5. Patch right here! by Deathlizard · · Score: 5, Funny

    Windows

    Linux

    Mac OS X

    --
    In Soviet Russia, Trojan exploits YOU!
    1. Re:Patch right here! by Anonymous Coward · · Score: 1

      Stupid noob question: Does a vulnerability like this effect linux boxes that are running java?

    2. Re:Patch right here! by Anonymous Coward · · Score: 1

      Well many of us do development with Java and wish to use it for developing server-based programs on Windows machines, but the installer insists on inserting its tendrils deep into any web browser it can find. Is there any way to prevent this because it is easy to overlook disabling this after the upgrade. Keeping it from installing the shovelware is bad enough.

    3. Re:Patch right here! by Deathlizard · · Score: 3, Informative

      1) install 64 bit java
      2) Uninstall IE, or don't use IE 64 bit.
      3) remember to update, because 64 bit java doesn't have an updater. Not that it works anyway.

      The 32 bit browsers (chrome, firefox, even 32 bit IE) won't use the 64 bit java to run applets and since IE is the only 64 bit browser and cannot be set as the default browser, it will limit your attack surface.

      --
      In Soviet Russia, Trojan exploits YOU!
    4. Re:Patch right here! by Anonymous Coward · · Score: 0

      In all seriousness, most people probably shouldn't have the browser vector enabled in the first place. It's not used for much anymore.

      No reason you can't keep java on the desktop, though. It does have its uses.

    5. Re:Patch right here! by Anonymous Coward · · Score: 0

      since IE is the only 64 bit browser

      Why is this? You can get 64-bit builds of Chromium or Firefox for Linux, why not for Windows?

    6. Re:Patch right here! by LordLimecat · · Score: 2

      Java vulns are typically cross platform.

    7. Re:Patch right here! by Anonymous Coward · · Score: 0

      Opera has 64bit builds too.

    8. Re:Patch right here! by Anonymous Coward · · Score: 0

      You don't have to install Java to use the JRE (or JDK)

      You can copy the extracted JRE to your target machine then have your application start using that JRE

      .\somefolder\jre\bin\java.exe -cp your.class.path id.you.app.Main

      There is no registry entry and no browser plugin. Obviously setting environment vars, adding to paths and creating shortcuts/aliases etc will make things nicer.

  6. Great, expect this in the wild in 4...3....2.... by NinjaTekNeeks · · Score: 3, Insightful

    Provided to Oracle on the 19th and Oracle plans to patch it in February. This has got to be a dream come true for the bad guys, while Oracle tests the fix, they can find and start adding it to their exploit kits.

  7. Interesting thought by Anonymous Coward · · Score: 0

    We have had discussions on /. regarding developers being responsible for shoddy code.

    What about being held responsible for leaving a known severe security hole open for months just because that's your patch cycle?

  8. well... by SuperDre · · Score: 4, Insightful

    writing the parch might not take a long time, testing it if it doesn't break any software out there (except exploits ofcourse) does.. a lot of times it's easy to fix stuff, but you just can't release it if it breaks a lot of stuff which is already out there, and that's where the problem lies..

  9. Oracle was a zero day vulnerability... by Mister+Liberty · · Score: 1

    ...patched by Google not long ago.

  10. Java on Windows zero-day vulnerability .. by dgharmon · · Score: 2

    Why doesn't this vuln run on OS X or Linux, why is Oracle discriminating against these?

    --
    AccountKiller
  11. What? He hacked Java? by stanlyb · · Score: 0

    I say, put him in jail. maximum security. For life. NO, 10 lifetimes. And let him watch Obama-Romney debate. Only. Day and night (wow, i am sooo cruel).

  12. Oracle is still learning consumer software by abirdman · · Score: 3, Insightful

    Oracle hasn't in the past worked with a lot of end user software, and it shows. I get the impression Larry Ellison doesn't like the short turnaround required for desktop software updates. The out-of-band java update they released for (at least) Windows 7 a couple weeks ago was disorganized. Two support people at work managed to install separate versions on their own computers. Version 7 is actually a point update of version 6. They may be the same version, and only show differently in Control Panel. Our company uses a lot of java (and Oracle software) and it's getting difficult to keep it organized and keep Oracle products talking to other Oracle products.

    I can imagine their biggest problem is the number of platforms they have to support-- and software versions. I've learned to skim through the documentation for indications of incompatibility between versions of software before installing anything. Grumble.

    --
    Everything I've ever learned the hard way was based on a statistically invalid sample.
  13. BeenThereDoneThat by Tablizer · · Score: 1

    I've had very quick turnarounds for certain fixes in the past. An example would be: "Oops, I forgot the semi-colon here...[type type]...Compile, there!"

    Then the office goes, "Damn you're fast!" Tell them what happened?....naaaah.

    --
    Table-ized A.I.
    1. Re:BeenThereDoneThat by Rockoon · · Score: 1

      Anyone care to take a shot at estimating how many man-years have been globally wasted finding missing semicolons?

      A thousand? A hundred thousand?

      --
      "His name was James Damore."
    2. Re:BeenThereDoneThat by Anonymous Coward · · Score: 0

      In c or c++ not much as it won't compile and tells you the line number. If you deploy before even compiling then you have much bigger problems than a few man hours.

    3. Re:BeenThereDoneThat by Tablizer · · Score: 1

      There used to be an urban legend that one of the Mariner planet probes crashed due to comma in a Fortran program that was supposed to be a period. Although it was an urban legend, it is possible to make a compile-able mistake like that in Fortran.

      --
      Table-ized A.I.
    4. Re:BeenThereDoneThat by Rockoon · · Score: 1

      In c or c++ not much as it won't compile

      If it were true that it wont compile in all cases, then the semicolon wouldnt be needed at all.. the compiler could just insert them in the obvious places. The fact is that there are plenty of cases where you can forget a semicolon and never get a compile error.

      A simple example:

      int *foo = 1;
      int bar = 2
      *foo++;

      which gets parsed as:

      int bar = 2 * foo++;

      ..a perfectly legal statement, but certainly not what was intended.

      --
      "His name was James Damore."
  14. Install Java without being root... by Anonymous Coward · · Score: 1

    If you're working on a Linux box, there's a very simple way to deal with the uber fiasco that Java is: install it from the .tgz / .bz2 given by Oracle, as a non-root user.

    Do NOT install Java from the OpenJDK : most Linux distro have a major security issue in that they require you to be root to install packages (I'm using Linux since the mid-nineties and I swear by Linux but there's no frigging way I'll let any package install Java "system wide" on my Linux system).

    So go d/l the .tgz / .bz2 or whatever and then install it from on of your dev user account. Then use another user account to surf the Web.

    Simply "xhost +localhost" your X session so that the "web surfing" account can display its browser windows in your main X session.

    1. Re:Install Java without being root... by ls671 · · Score: 1

      Reading your post, at first glance, you seem to confuse who owns the executable and who runs the executable.

      Simply "xhost +localhost" your X session so that the "web surfing" account can display its browser windows in your main X session

      This should be sufficient to insure java only has permissions of the "web surfing" account. It doesn't matter who owns the executable really unless it has a sticky bit set and I have never seen a java executable with the sticky bit set yet in any install that I have done.

      --
      Everything I write is lies, read between the lines.
    2. Re:Install Java without being root... by ls671 · · Score: 1

      Look at:

      http://blogtech.oc9.com/index.php?view=article&catid=4%3Aasterisk&id=175%3A20080329astchroot&option=com_content&Itemid=8

      For the sticky bit issue. Search for:

      find / -type f -perm +7000 > tt.txt

      One should remove all setuid bits on programs on any system if not needed. Less and less programs need to set the sticky bit by default but still, it is an important concept to grasp if you are concerned about security. Xterm used to have the setuid bit set and to be owned by root and you can't imagine how many hosts with guest accounts have been compromised that way back in the old days.

      --
      Everything I write is lies, read between the lines.
    3. Re:Install Java without being root... by Anonymous Coward · · Score: 0

      I don't think java runs the way you think it does. Anyone who doesn't whitelist where java can run applets or turn it off entirely in their browser to start with is just asking for trouble anyway.

  15. Java SE by pahles · · Score: 1

    So, Java SE stands for Java Sandbox Escape... Interesting!

    --
    Sig?
  16. Yes, we had a chap who would fix things real fast by Rogerborg · · Score: 1

    Years later, we're still fixing his fixes.

    Patch speed is rarely critical, outside of Star Trek.

    --
    If you were blocking sigs, you wouldn't have to read this.
  17. "sticky bit?" by Medievalist · · Score: 2

    I don't think that means what you think it means.

    Hint: the setuid, setgid, and sticky bits are three different things with more than three different functions.

    1. Re:"sticky bit?" by ls671 · · Score: 1

      You are right, I do not know why I used "sticky". I was definitely referring to setuid and setgid. I know what sticky is, /tmp directory usually has the sticky bit set. Thanks to enlighten us.

      --
      Everything I write is lies, read between the lines.
  18. Impact on OpenJDK? by bill_mcgonigle · · Score: 1

    Can we assume this is dealt with or n/a for OpenJDK? Why aren't the large users of Java cooperating to remove Oracle's significance here?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  19. Fix has been released by Oracle by Anonymous Coward · · Score: 0

    Thankfully Oracle did go ahead and release this fix for Java, it's available right now and does credit Adam Gowdiak, the designer of this fix.

    For Java 6 it's 6u37 and for Java 7 it's 7u9

    http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
    http://www.oracle.com/technetwork/java/javase/downloads/index.html