Oracle Knew of Latest Java 0-Day Security Hole In August
An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."
Had a few users burned by this today at work. One emergency security meeting later and we pulled Java from 3000 workstations this afternoon. Should have done this a year ago.
I use java solely for Eclipse development but I do not have the plugin installed on my browsers.
The people at work who still cling to IE 6 and IE 7 also are stuck in Java land and are the sole reason why XP is still alive kicking and screaming. Many still use NTLM version 1 security pre 1999 that can crack any account on AD because these apps won't work with anything newer than 13 years old!
With the department of homeland security recommendations perhaps we can finally move on and get rid of these dinosaurs that are a liability to our employers.
Shame on Oracle.
Java had such high hopes and Sun fucked up royally too beforehand. If Java could have native .exes and kept being updated perhaps it could be as good as .NET and we could all run Linux with our cross platform natively compiled apps in such an alternative universe.
Besides a few limited uses for mainframes I think it is time we said goodbye and put it to legacy à la Cobol 2.0? The question is what next? ... not language wise but richness in API wise and frameworks, which is why .NET and Java are liked for complex 3-tier enterprise platforms.
http://saveie6.com/
if Oracle knew about it in August
They are used on less than 0.2% of websites, and many are false positives. Yes, some might not be detected as well. I am aware there is one very popular video service that uses Silverlight; can't say the same about Java.
Click on the language for more details
http://w3techs.com/technologies/overview/client_side_language/all
Can we please, please, please stop using the term "0-day"? It's completely meaningless here. Actually, it's worse than meaningless as it's used incorrectly and just makes things confusing. Is it a noun? Is it an adjective? Depends on who's writing the Slashdot headline! Try reading the headline and article while omitting the text "0-day" and you'll see it reads just fine and actually makes sense now.
I was reading that the vulnerability is not in general standalone Java but only in the Java plugin in your browser, that is, you can secure from the issue by disabling the Java plugin in your web browsers but it's not that big of a risk to a standalone Java app. Is that true?
You can setup IE to use java internally on intranets only.
Instructions are here and are a must in 2013 for any IT support professional! They can still have their NetMeetings and be secure at the same time. IE has security zones under preferences. One for Internet, another for intranet if you fiddle in the options. Under Internet disable Java scripting; note this is not JavaScript. Under intranet enable Java scripting.
Instructions for enabling java for intranet security zones only in group policies are here.
After that all your users are safe and they can still run their shit ERP apps and Netmeetings. At least this is a temporary solution until they upgrade their software as I agree. Internet wise there is no reason to run it except for a few banks.
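The per-zone setup described in the post above, as an added example that is not from the thread or from any of its posters: a PowerShell script that audits and then sets Internet Explorer's "Java permissions" zone setting (registry value `1C00`) so Java is disabled in the Internet zone (id 3) and allowed at high safety in the Local intranet zone (id 1). It writes the current user's zone settings; rolling it out through Group Policy as the post suggests would use the policy hive instead. The zone ids and the `1C00` value are IE's own registry settings; the function names are this example's, and the `DWord` values it writes are the ones IE uses for "Disable Java" and "High safety".

```powershell
# Added example, not code from the thread. Audits and sets IE's per-zone
# "Java permissions" value (1C00) for the current user:
#   0x0     = Disable Java
#   0x10000 = High safety
#   0x20000 = Medium safety
#   0x30000 = Low safety
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ Intranet = '1'; Internet = '3' }   # IE zone ids: 1 = Local intranet, 3 = Internet
$javaPermissionValue = '1C00'

function Get-IeJavaPermission {
    param([string]$ZoneId)
    $path = Join-Path $zoneRoot $ZoneId
    $item = Get-ItemProperty -Path $path -Name $javaPermissionValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }      # value absent: zone inherits IE's default
    return [int]$item.$javaPermissionValue
}

function Set-IeJavaPermission {
    param([string]$ZoneId, [int]$Value)
    $path = Join-Path $zoneRoot $ZoneId
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $javaPermissionValue -Value $Value -Type DWord
}

# Report what is configured today before changing anything.
foreach ($name in $zones.Keys) {
    $current = Get-IeJavaPermission -ZoneId $zones[$name]
    $display = if ($null -eq $current) { 'not set (inherits default)' } else { '0x{0:X}' -f $current }
    Write-Output ("{0} zone (id {1}): Java permissions = {2}" -f $name, $zones[$name], $display)
}

# Enforce the post's policy: no Java from the Internet, Java allowed on the intranet.
Set-IeJavaPermission -ZoneId $zones.Internet -Value 0x0
Set-IeJavaPermission -ZoneId $zones.Intranet -Value 0x10000

# Re-read to confirm the change took effect.
foreach ($name in $zones.Keys) {
    Write-Output ("{0} zone now: 0x{1:X}" -f $name, (Get-IeJavaPermission -ZoneId $zones[$name]))
}
```

Run it once per user profile (or adapt the path to the HKLM policy hive for a machine-wide rule); the audit output before and after is what you would keep as evidence that the Internet zone really is closed to Java while the intranet zone still serves the internal apps the post mentions.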
It's not going to hurt you to play minecraft, you don't have to pretend. Just don't install the fucking browser plugin.
It has become apparent that Oracle either does not understand the concept of computer security....
- or -
Oracle does understand the concept of computer security, and they are using these exploits to kill off Java, which they do not want to support anymore.
What else can it be?
(btw, my bet is that Oracle is clueless regarding computing security)
You kind of brought up my topic:
1. There is non-browser-related software that runs on Java. The software for my cheapo vector network analyzer is written in Java, for instance. Then you have other things, even system software such as Dalvik. Thus, even if we can make it go away in the browser, we can't everywhere else.
2. That brings up your point: my software didn't bring its own JRE. However, it turns out it runs just fine on OpenJRE. MY question: is OpenJDK/JRE vulnerable to this exploit? Is Dalvik? Or is this an inherent vulnerability to the language or interpreter (no matter who writes it) itself? (I hope that makes sense...)
Yep, they are all insecure. Dalvik? It is an interpreter and not run in a browser, so no. OpenJDK is Oracle JDK with a few proprietary libraries from Adobe and a few others replaced with equivalent functioning ones.
The exploit only works on a browser so disable it in IE and Firefox and you are good. If that program works in a browser you need to setup an IE zone and add an exception to your site, or use Firefox with noscript or set click to run as default?
disable java - https://www.java.com/en/download/help/disable_browser.xml
a -150 (approx) day vulnerability?
Back in college (when Java was the new thing) one of its big touted features was security -- all applets would run in a sandbox, Java would be written in bytecode that would be automatically verified before it was executed, array access indices would be bounds-checked, etc etc. This all made Java execute more slowly than the alternatives (er, ActiveX?), but the (expected) upside was that Java would be super-secure and we wouldn't have to worry about our computers getting exploited by evil web pages that we accidentally loaded.
Now it's 2013 and Java (at least in the context of a web browser) is turning into an unreliable bug-fest.
So, what happened? Is it just a matter of incompetence at Oracle (and/or Sun)? Or is Java's security model fundamentally broken in some way that other in-web-browser languages (particularly JavaScript) are not? Where are all these security holes coming from?
I think the future here is Java not from Oracle. We don't use their engine on servers now so why the hell would we use it on clients?
Oracle haven't got their act together, and obviously without a decent revenue stream they're not going to try, so time to move on from them.
It drives me crazy- my kids have several java-based websites they are required to use for school. I'm not too worried if their laptops get borked- there's nothing of value on them. When the nasties spread across the network to my PC and my server, I've got real problems. What do I do besides complain to the school?
I see a lot of posts saying, "I don't need java applets. None of the web sites I visit use java applets. We should use this an an opportunity to let java applets die. Die, applets, die die!"
There are a lot of problems with this simplistic response.
One problem is that a lot of people are using java applets to do things that are important to them. Applets are widely used in the medical industry. I teach physics for a living, and there are several educational applets, written by other people, that I use to demonstrate ideas about thermodynamics. (Warning, car analogy coming up.) Just because you don't drive a Honda Fit, that doesn't mean it's OK to tell every owner of a Honda Fit that they aren't allowed to drive it anymore.
The other problem is that you have to consider the alternatives.
Javascript is in many ways a nice little language. However, it's a disaster because of the lack of a standardized DOM, and it simply doesn't have the necessary facilities to do all the things that a java applet can do.
Flash is essentially proprietary, has been designed in a chaotic way, and is a frequent vector for malware, comparable to java applets and adobe reader.
Silverlight is only viable on Windows.
Java applets, warts and all, have some important advantages because of the design of java. Java was designed to be extremely portable. Java (unlike flash and javascript) was intended from the start to be a good general-purpose programming language. Java and java applets were vastly overhyped back in the 90's, but java applets are in fact an important and useful web technology that some people need and want. The problem seems to be that an important and useful web technology has fallen under the control of a corporation that is irresponsible about security.
These are not primarily technical failures, they are institutional failures. The issue is not that Java has a zero day failure; these things happen. The critical failure is that Oracle knew what was going on before this hit the news and they could have avoided the problem with better practices.
The US has a Laissez-faire attitude towards computer security. It's all left up to the good will of the provider, which is clearly a mistake. Some organizations do a good job, but many fail. This is because security requires expending effort, and there is a natural tendency to cut corners to save money.
In theory, the market will be self-correcting, because of the cost associated with failure. In practice, this does not occur. Neither the direct financial cost nor the reputational costs are big enough to modify organizational behavior. That's why there is a never-ending stream of these kinds of events.
Ironically, it seems that highly visible open source projects have a better track record than the private sector. This shows the high level of professionalism that open source organizations maintain.
Things will never get any better until the cost of failure becomes much greater. This means having serious fines and/or larger payouts to those who are harmed by the security breach.
Right now the cost of cleanup after a security failure is so low that there is no meaningful incentive to be proactive. Is Oracle going to have any negative economic repercussions as a result of this screw up? Of course not. Therefore, they will do nothing to change their ways. Until there is some mechanism to hold providers responsible for failure to act there will be no change.
To clarify the point, the liability should be for failure to act once a problem is found, not for the existence of the original security problem. Having a SCADA device visible on the net with a default password is the kind of event that should cause liability. Likewise not fixing a critical security hole as soon as it is discovered as in this case with Oracle.
Why is Snark Required?
Has nobody on this site actually had to meet a deadline? Has nobody had to make some trade-offs to get a product out the door? Why would Java be different?
If you are working on a non-trivial project, and you don't know about at least half a dozen horrible "zero-day" flaws, then you don't know your project very well!
In real life, businesses have to make trade-offs. They can't fix everything. Every release cycle, product managers have to make decisions about which fixes go in, and which fixes have to wait. I'm no Java fan, but with as many people poking around it as there are, I'm amazed that there aren't many more known vulnerabilities!
Javascript. Fuck me!
The only thing in computing more fucking brain dead than javascript is XML. You bastards! You've sucked the brain cells out of too many people with your bullshit non-programming and bullshit non-formats.
If java is dead and javascript is the answer then you've asked the wrong fucking question!
Because it's used by others so effectively infrastructure, thus irresponsible to cut corners before release. To invoke a car analogy it's like opening a bridge on the announced date without finishing it in one lane so that cars driving from one direction keep falling into the water. Such an example appears so ridiculous because it's comparing a carefully planned engineering project on one hand (the bridge) with a room full of blindfolded basketweavers trying to weave bits of an elephant shaped basket while being shouted at in a language they cannot understand and none of them know what an elephant looks like (a typical mismanaged software project like your above example with your "tradeoffs").
Oracle was notified of the vulnerability and attempted to fix it. Their fix was inadequate. So they're just incompetent instead of willfully dismissive of security concerns.
I am surprised that you find it amazing that a list of obscure lumps of software all beginning with the word Java confuses people.
Do you find it more, or less amazing that java (perhaps java dash some-obscure-addendum) has eclipsed flash and windows as the malware enabler of choice?
17 years ago java(-.*)* was unleashed, heralded as the saviour of robustness, security and apple pie at only the cost of a few "Moore's increments" and uniformly ugly interfaces. Now we have this steaming pile.
Now we have a feature to disable it. I bet that 'feature' becomes target #1 of the next wave of malware, so well intentioned people will only think they have disabled it?