Oracle Knew of Latest Java 0-Day Security Hole In August
An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."
Had a few users burned by this today at work. One emergency security meeting later and we pulled Java from 3000 workstations this afternoon. Should have done this a year ago.
I use java solely for Eclipse development but I do not have the plugin installed on my browsers.
The people at work who still cling to IE 6 and IE 7 are also stuck in Java land, and that is the sole reason why XP is still alive, kicking and screaming. Many still use NTLM version 1 security, pre-1999, that can crack any account on AD, because these apps won't work with anything newer than 13 years old!
With the department of homeland security recommendations perhaps we can finally move on and get rid of these dinosaurs that are a liability to our employers.
Shame on Oracle.
Java had such high hopes and Sun fucked up royally too beforehand. If Java could have native .exes and kept being updated perhaps it could be as good as .NET and we could all run Linux with our cross platform natively compiled apps in such an alternative universe.
Besides a few limited uses for mainframes, I think it is time we said goodbye and put it to legacy à la Cobol 2.0? The question is what next? ... not language-wise, but richness in API and frameworks, which is why .NET and Java are liked for complex 3-tier enterprise platforms.
http://saveie6.com/
if Oracle knew about it in August
They are used on less than .2% of websites, and many are false positives. Yes some might not be detected as well. I am aware there is one very popular video service that uses Silverlight, can't say the same about Java.
Click on the language for more details
http://w3techs.com/technologies/overview/client_side_language/all
"Evil will always triumph, because Java is dumb".
... to allow this page to compromise your computer....
Ever since Java started down the "this isn't last week's zero-day" road, I pulled Java from my machines. Pisses the corporate types off because they want to have "net meetings" that require Java to be installed, so we can have presentations on "computer security", but I just tell them - "MY computer security policy doesn't allow Java to be installed."
Can we please, please, please stop using the term "0-day"? It's completely meaningless here. Actually, it's worse than meaningless as it's used incorrectly and just makes things confusing. Is it a noun? Is it an adjective? Depends on who's writing the Slashdot headline! Try reading the headline and article while omitting the text "0-day" and you'll see it reads just fine and actually makes sense now.
I have just one program I need Java for. Is there a way to set up Java with a whitelist so it only runs that one program, or is it always going to be a security nightmare?
I was reading that the vulnerability is not in general standalone Java but only in the Java plugin in your browser, that is, you can protect yourself from the issue by disabling the Java plugin in your web browsers, but it's not that big of a risk to a standalone Java app. Is that true?
Actually, I wonder how many apps count on the system wide Java install on Windows (I don't use Windows so I don't know). The apps I developed just brought their own JRE. It's better anyway, since you don't have to worry about broken installs, outdated installs, etc. Whoever needs Java on target machines should probably bring their own JRE anyway. There are plenty of apps (not Web) that use Java.
You can set up IE to use Java internally on intranets only.
Instructions are here and are a must in 2013 for any IT support professional! They can still have their netmeetings and be secure at the same time. IE has security zones under preferences. One for Internet, another for intranet if you fiddle in the options. Under Internet disable Java scripting; note this is not JavaScript. Under intranet enable Java scripting.
Instructions for enabling java for intranet security zones only in group policies are here.
After that all your users are safe and they can still run their shit ERP apps and Netmeetings. At least this is a temporary solution until they upgrade their software as I agree. Internet wise there is no reason to run it except for a few banks.
http://saveie6.com/
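One way to verify that the zone configuration described in the post above actually took effect on a workstation, added here as an example and not something from the thread or from the linked instructions: a PowerShell audit of the current user's Internet and Local intranet zone "Java permissions" values. The zone ids (1 = Local intranet, 3 = Internet) and the value name 1C00 follow Microsoft's documented IE zone registry layout; the script itself is my own.

```powershell
# Added example, not from the thread: report the IE "Java permissions" setting
# per security zone for the current user. Zone ids and the 1C00 value name are
# from Microsoft's documented zone registry layout (assumed here, not from the post).
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# Meaning of the 1C00 DWORD, per the same documentation.
$meanings = @{
    0x0      = 'Disabled'
    0x10000  = 'High safety'
    0x20000  = 'Medium safety'
    0x30000  = 'Low safety'
    0x800000 = 'Custom'
}

function Get-JavaZoneSetting {
    param([int]$ZoneId)
    $key = Join-Path $zoneRoot $ZoneId
    # Missing value means the zone's built-in default applies, which is not "Disabled".
    $item = Get-ItemProperty -Path $key -Name '1C00' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (zone default applies)' }
    $raw = [int]$item.'1C00'
    if ($meanings.ContainsKey($raw)) { return $meanings[$raw] }
    return ('Unknown (0x{0:X})' -f $raw)
}

foreach ($id in ($zones.Keys | Sort-Object)) {
    $state = Get-JavaZoneSetting -ZoneId $id
    # The post's goal: Java off for the Internet zone, on only for the intranet zone.
    $flag = if ($id -eq 3 -and $state -ne 'Disabled') { '  <-- expected Disabled' } else { '' }
    '{0,-15} Java permissions: {1}{2}' -f $zones[$id], $state, $flag
}
```

When the setting is pushed by Group Policy rather than set per user, the effective value may live under the Policies key paths instead, so an unset HKCU value is not by itself proof that Java is enabled.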
Because it's useful? Are you seriously going to make an argument that because something can be exploited in any way we shouldn't create said something in the first place?
It's sometimes useful. Necessary infrastructure for all classes as public methods? I don't see it.
It has become apparent that Oracle either does not understand the concept of computer security....
- or -
Oracle does understand the concept of computer security, and they are using these exploits to kill off Java, which they do not want to support anymore.
What else can it be?
(btw, my bet is that Oracle is clueless regarding computing security)
I tried you back in the early days and you crashed me one too many times... since then the bad taste never left and I have avoided you. I never got on the bandwagon when it was neat to be a Java guru, and now I've come to realize you are simply a pain in my ass. Begone... I break with thee, I break with thee, I break with thee.
Why? Because a long time ago, before the SUN set into the butt of Oracle, they and 20 other companies worked on DRM code used by, well, everyone... too bad it got leaked, eh?
While I see you could think they don't understand security, it's far more likely they just don't like Java and wish to kill it.
This is the android phone revenge one might call it. So that they never again have to deal with it.
disable java - https://www.java.com/en/download/help/disable_browser.xml
a -150 (approx) day vulnerability?
Back in college (when Java was the new thing) one of its big touted features was security -- all applets would run in a sandbox, Java would be written in bytecode that would be automatically verified before it was executed, array access indices would be bounds-checked, etc etc. This all made Java execute more slowly than the alternatives (er, ActiveX?), but the (expected) upside was that Java would be super-secure and we wouldn't have to worry about our computers getting exploited by evil web pages that we accidentally loaded.
Now it's 2013 and Java (at least in the context of a web browser) is turning into an unreliable bug-fest.
So, what happened? Is it just a matter of incompetence at Oracle (and/or Sun)? Or is Java's security model fundamentally broken in some way that other in-web-browser languages (particularly JavaScript) are not? Where are all these security holes coming from?
I don't care if it's 90,000 hectares. That lake was not my doing.
I think the future here is Java not from Oracle. We don't use their engine on servers now so why the hell would we use it on clients?
Oracle haven't got their act together, and obviously without a decent revenue stream they're not going to try, so time to move on from them.
Everybody who wanders in those circles knew about this one years ago. This is not the dawn of some new discovery - it's just when it became common knowledge to the rest of you. Java is crap nobody in their right mind would run in a browser. The "do not use" public warnings overlap each other. IE likewise is crap, pwned six ways from Sunday in every way possible - it's rapetacular. Office and Windows itself are just as bad, or worse. Calling it 0-day is kind of funny considering this is the normal condition all day every day.
There are dozens more as bad or worse in Java, and scores in all versions of IE, that are freely passed around by those who know and let to the press only after they become common enough to be worth discarding. A few are so precious that only dozens know about them, and will be present until long after the current versions of these software bundles have been deprecated. These are the few nation-states use to meddle with each other. The disclosures overlap, so your Windows PC will not ever be and cannot ever be what a reasonable IT pro would consider "secure".
Proof. Some retard is going to ask me for proof again, probably yet another Microsoft Intern with absolute faith that This Is The Last Exploit. I don't have to give proof. Giving proof would defeat the purpose. Just wait and the proofs will be revealed unto you in time. Microsoft themselves have acknowledged that these come so often they can't be bothered to fix them as they are revealed and schedule fixes monthly, on "patch Tuesday". Pathological exams reveal these same exploits have been present and used for 15 years or more quite frequently. One year from now at least a dozen more that many know that you do not will be in this way revealed, and in the process that they had been used for a long time since before now also. That is my proof.
Some few though... they will not be found out. Those few are precious, secret and reserved. They give us access to your darkest secrets. We save those for the most important people.
Help stamp out iliturcy.
It drives me crazy- my kids have several java-based websites they are required to use for school. I'm not too worried if their laptops get borked- there's nothing of value on them. When the nasties spread across the network to my PC and my server, I've got real problems. What do I do besides complain to the school?
No, its not. Silicone is not the same thing as silicon. And Jazelle isn't really an implementation of the JVM since it requires a software JVM, and only directly implements a subset of Java bytecodes and defers back to the software JVM for the rest.
I have come to be quite impressed with Java in terms of raw execution speed of actual workloads, and know that its biggest hindrance in adoption or even wide respect has been its perception as slow because it takes 10 years to load the VM. That will never change, and people will always assume Java is slow old-dog technology because of the time it takes to load the VM.
Considering the VM doesn't actually appear to protect people from squat it would be great if Java was just degayifed into a different kind of project and exported into a regular runtime like other languages are. I think its popularity would come back very hard.
I see a lot of posts saying, "I don't need java applets. None of the web sites I visit use java applets. We should use this an an opportunity to let java applets die. Die, applets, die die!"
There are a lot of problems with this simplistic response.
One problem is that a lot of people are using java applets to do things that are important to them. Applets are widely used in the medical industry. I teach physics for a living, and there are several educational applets, written by other people, that I use to demonstrate ideas about thermodynamics. (Warning, car analogy coming up.) Just because you don't drive a Honda Fit, that doesn't mean it's OK to tell every owner of a Honda Fit that they aren't allowed to drive it anymore.
The other problem is that you have to consider the alternatives.
Javascript is in many ways a nice little language. However, it's a disaster because of the lack of a standardized DOM, and it simply doesn't have the necessary facilities to do all the things that a java applet can do.
Flash is essentially proprietary, has been designed in a chaotic way, and is a frequent vector for malware, comparable to java applets and adobe reader.
Silverlight is only viable on Windows.
Java applets, warts and all, have some important advantages because of the design of java. Java was designed to be extremely portable. Java (unlike flash and javascript) was intended from the start to be a good general-purpose programming language. Java and java applets were vastly overhyped back in the 90's, but java applets are in fact an important and useful web technology that some people need and want. The problem seems to be that an important and useful web technology has fallen under the control of a corporation that is irresponsible about security.
Find free books.
These are not primarily technical failures, they are institutional failures. The issue is not that Java has a zero day failure; these things happen. The critical failure is that Oracle knew what was going on before this hit the news and they could have avoided the problem with better practices.
The US has a laissez-faire attitude towards computer security. It's all left up to the good will of the provider, which is clearly a mistake. Some organizations do a good job, but many fail. This is because security requires expending effort, and there is a natural tendency to cut corners to save money.
In theory, the market will be self-correcting, because of the cost associated with failure. In practice, this does not occur. Neither the direct financial cost nor the reputational costs are big enough to modify organizational behavior. That's why there is a never-ending stream of these kinds of events.
Ironically, it seems that highly visible open source projects have a better track record than the private sector. This shows the high level of professionalism that open source organizations maintain.
Things will never get any better until the cost of failure becomes much greater. This means having serious fines and/or larger payouts to those who are harmed by the security breach.
Right now the cost of cleanup after a security failure is so low that there is no meaningful incentive to be proactive. Is Oracle going to have any negative economic repercussions as a result of this screw up? Of course not. Therefore, they will do nothing to change their ways. Until there is some mechanism to hold providers responsible for failure to act there will be no change.
To clarify the point, the liability should be for failure to act once a problem is found, not for the existence of the original security problem. Having a SCADA device visible on the net with a default password is the kind of event that should cause liability. Likewise not fixing a critical security hole as soon as it is discovered as in this case with Oracle.
Why is Snark Required?
I have come to be quite impressed with Java in terms of raw execution speed of actual workloads, and know that its biggest hindrance in adoption or even wide respect has been its perception as slow because it takes 10 years to load the VM. That will never change, and people will always assume Java is slow old-dog technology because of the time it takes to load the VM. It's just been a killer to the technology the whole time.
Considering the VM doesn't actually appear to protect people from squat, it would be great if Java was just degayifed and exported into a regular runtime like other languages are. I think its popularity would come back very hard and get the respect it deserves.
Has nobody on this site actually had to meet a deadline? Has nobody had to make some trade-offs to get a product out the door? Why would Java be different?
If you are working on a non-trivial project, and you don't know about at least half a dozen horrible "zero-day" flaws, then you don't know your project very well!
In real life, businesses have to make trade-offs. They can't fix everything. Every release cycle, product managers have to make decisions about which fixes go in, and which fixes have to wait. I'm no Java fan, but with as many people poking around it as there are, I'm amazed that there aren't many more known vulnerabilities!
Set up two networks--one "secure", one "insecure". I don't run my machines on the same network as my children. They cannot be trusted to practice safe computing. The wireless hub is on their network as well. Visitors and other "unsafe" machines have the same access to my "secure" network as the internet does.
Javascript. Fuck me!
The only thing in computing more fucking brain dead than javascript is XML. You bastards! You've sucked the brain cells out of too many people with your bullshit non-programming and bullshit non-formats.
If java is dead and javascript is the answer then you've asked the wrong fucking question!
Because it's used by others, so it's effectively infrastructure, thus irresponsible to cut corners before release. To invoke a car analogy, it's like opening a bridge on the announced date without finishing it in one lane, so that cars driving from one direction keep falling into the water. Such an example appears so ridiculous because it's comparing a carefully planned engineering project on one hand (the bridge) with a room full of blindfolded basketweavers trying to weave bits of an elephant-shaped basket while being shouted at in a language they cannot understand, and none of them know what an elephant looks like (a typical mismanaged software project like your above example with your "tradeoffs").
We'd better remove JavaScript, too, because that has "Java" in it!
Yeah, I remember that time reflection based vulnerabilities in .NET were used in ~50% of cyber attacks. Oh, wait...
This is the first time I personally, have heard this argument. :-)
I have to admit that my mind was definitely blown...it was an almost spiritually moving 'light bulb' moment.
Wow! The simplicity....the 'rightness'...the 'total awesome!
Really, no sarcasm meant or implied. That was one of the best arguments on the subject of software patents I have seen to date.
Thank you very much, kind Mr./Ms. AC for this gem.
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
as in "Java 0-days me time and again"
(sorry, couldn't resist -- but yes, I concur. We've got enough stupid buzzwords already)
This is a 120-day attack.
Oracle has operated this way for years, don't use their shit.
... Java will never reach any reasonable level of security. This must have drastic consequences for them or they will continue to invest the minimum amount of effort possible in Java security. Nothing else will help. The users are not mature enough to do anything, see all the people here that do not want to go without the Java plug-in even for a few days. (How stupid can you get??)
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I presume OpenJDK 7 is also vulnerable, since Oracle JDK 7 is basically OpenJDK 7 with some proprietary libraries.
Is OpenJDK 6 vulnerable? It's actually OpenJDK 7 cut down to pass JCK 6. Has anyone tested it?
http://rocknerd.co.uk
"Nobody is using $product anymore" is the new "First Post!"
none
We switched our major control system from VB to Java about 5 years back, and it has paid off hugely in handling the complexity of integrating the work of multiple developers AND letting us move Windows->Linux with minimal effort. None of this involves Java applets; it's all standard applications.
We're in a pretty security conscious environment, so now we're going to have to deal with freaking-out customers and perhaps reactionary IT policies irrelevant to our situation.
It's only a 0-day if they had 0 days to respond to it. This is a known flaw they did nothing about.
Sappeur:
http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/SAPPEUR.pdf?format=raw
http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/
Just 10k lines of code for the Sappeur-to-C++ translator.
Destructors. Stack Allocation. RAII. Deterministic object destruction. Memory Safety even for multithreading.
Meanwhile C++ keeps truckin' along beautifully.
C++. The few. The strong. The proud.
I teach physics for a living, and there are several educational applets, written by other people, that I use to demonstrate ideas about thermodynamics.
Thermodynamics was taught quite well before the advent of Java or even computers. And science is MUCH more fun when you're actually doing an experiment than watching an animation.
Yes, I understand it adds to the learning experience and may make the material a little easier for some to understand, but the point is Java isn't a necessity.
Oracle does not care about security exploits if Oracle does not stand to make money from fixing them. Java on PCs? Something Oracle gives away. Where is the incentive for a money-making machine to fix problems if the product is a free giveaway?
Remember, Oracle cares only about the money. If security helps Oracle make money, then Oracle is interested in security. If a security exploit does not result in loss of money, then why would Oracle care about the exploit?
Oracle is not clueless.
Oracle has one interest and one interest only: money.
Everything that oracle has done after it bought Sun fits this simple realization.
The only reason I keep the Java browser plugin installed on Linux is for WebEx. Does anyone know if it is possible to use WebEx on Linux without Java?
Oracle was notified of the vulnerability and attempted to fix it. Their fix was inadequate. So they're just incompetent instead of willfully dismissive of security concerns.
Is it useful that every class has it, rather than only those you plan to use reflection on?
If something can be exploited, it should only be available when explicitly requested.
The Tao of math: The numbers you can count are not the real numbers.
I am surprised that you find it amazing that list of obscure lumps of software all beginning with the word java confuse people.
Do you find it more, or less amazing that java (perhaps java dash some-obscure-addendum) has eclipsed flash and windows as the malware enabler of choice?
17 years ago java(-.*)* was unleashed, heralded as the saviour of robustness, security and apple pie at only the cost of a few "Moore's increments" and uniformly ugly interfaces. Now we have this steaming pile.
Now we have a feature to disable it. I bet that 'feature' becomes target #1 of the next wave of malware, so well-intentioned people will only think they have disabled it?
Several years ago there was a flame-war between iDefense and the then-CEO of Oracle about this very thing. Oracle has a poor track record.
Do they also have this problem?
dart dude
Liberty freedom are no1, not dicks in suits.
They're quick to threaten others about Java, I think it would be funny if they were sued (on perhaps equally shaky legal grounds) for negligence. Just a thought...
I wish I had mod points for this sentence alone. It should be studied, could get an award of an economic type.
In theory, the market will be self correcting, because of the cost associated with failure. In practice, this does not occur.
BlameBillCosby.com
You know Slashdot is using it when the comment that mistakes requiring passwords to access pages in a website with the applet sandbox gets modded up, but the comment explaining how completely boneheaded that is gets modded down.
The problem is with applets. Web apps may have "apps" in them, but they're two entirely different things.
Would one of you please provide some non-wonk information useful to average users. How to disable Java? What effects will that have on the browser, operating system, and apps, if any. What millions of users have now is a warning to disable Java, without any idea of the effect it will have on their system.
Freedom to become an Alcoholic
Freedom to die of fattiness
Freedom to jump off a bridge
Freedom to crash into a concrete wall at 100 km/h
Freedom to write a book
Freedom to fuck without a condom
Freedom to fuck with a condom
Freedom to fuck a different girl every Weekend
Freedom to fuck just one woman for years
Freedom to enjoy Perl
Freedom to suffer Java
Freedom to enjoy Pascal
Freedom to suffer Ruby
Now, what's wrong with all that ? Some people are sado-masochists and the FSM made Java happen for them. Be a bit more tolerant and simply use Perl instead, if you don't share that mindset.
WTF??? Seriously, this has nothing to do with terrorism. Why is DHS getting involved, and what the hell are their standards for recommending people disable or uninstall something? Are they going to recommend people uninstall Windows when the next zero day exploit comes out for it???
Disprove my points here -> http://developers.slashdot.org/comments.pl?sid=3377059&cid=42568101
* GO FOR IT, & good luck (you'll NEED it).
(It's a PROVEN "layered-security"/"defense-in-depth" measure OPERA has implemented since nearly day 1... other browsers don't natively!)
APK
P.S.=> Lastly, if/when the "best you've got" is unjustifiable downmods? You only prove my point, & running from a FAIR CHALLENGE only does it moreso...
... apk
if so: why not simply switch to openjdk?