Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities
msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809; the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."
I uninstalled everything starting with "java" on my computers, and the only thing now missing is the every-other-day notification that Java needs to be updated.
Better known as 318230.
Open office won't work without Java. Maybe some day I'll be convinced that they have their stuff together again and I'll reinstall it.
Non bene pro toto libertas venditur auro
I have Java on my computer, but it is warm, tasty, and resides in a mug, but most importantly is exploit proof!
Even worse than the vulnerabilities are the _constant_ nagging for updates. Then on top of it, the way java updates is stupid. With every update a new version is installed, and the old ones are left uninstalled. So it got uninstalled. All of it.
The language is ok, but everything else about java just plain sucks.
http://www.oracle.com/technetwork/java/javase/6u43-relnotes-1915290.html
After this one you will need to pay for a support contract or upgrade to Java 7.
Warning: the Java installer will install the ask.com toolbar if you click the "yes, please just install my security update" button, even if you declined the toolbar during the original install -- really an obnoxious abuse of updates. Here is a very interesting analysis of the whole back and forth between the ask.com installer and the browsers trying to keep junk out. Interesting tidbit: apparently the ask.com installer sleeps for 10 minutes, so if you try to "remove" right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from ask.com in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.
Does this exploit work under the OpenJDK Runtime Environment?
AccountKiller
http://en.wikipedia.org/wiki/There's_a_Hole_in_My_Bucket
All these security holes are losing credibility for Java. .Net.
That's good news for
What about the rest of us?
It seems like the right time for a new alternative to show up. Any takers?
sigo ergo sum
And Barry Allen.
Take this sig and smoke it.
Well no, because the VM is installed by Open Office. So you get Open Office, without all that Java plugin nonsense.
But these days I let Firefox simply leave the plugin switched off, and only activate it if I use a website I trust that uses it (my stock broker).
I think Adobe and Oracle really have lost their way. The last update to Flash made the player crashier than before. I think they have a crap programmer on the team and he seems to be twiddling and breaking stuff. Oracle on the other hand, well that's about the standard I find all Oracle products.
here's one way of doing things: the right tool for the job. when the fuck did computer science become computer ass-hattery?
web:
server side web: node.js
client side web: javascript
systems:
embedded/kernel/drivers/network/etc: C
scripting: bash, perl, clphp, python
application:
C++
notice: there are 2 real language types here. C and perl. (i am taking the liberty of looping the shells in with the perl family.). Java is in the C family anyway, and going from OOP to non-OOP is easy (other way around not so much). i thought java was bad in the clutches of sun, but i still loved it. now it is useless.
second route:
fuck the java standard and make do with gcj or something like that. it isnt compatible with oracle because it doesnt implement everything, but so what? write more code lamer. why did programming change from algorithms and procedures to prepackaged function calls against standard libraries? why?! WHY?!
for the record C++ is still a piece of shit, just less so than before. new standard should implement orthogonality and make iostream less retarded. that said until we liberate java by ditching oracles standard it is ok i guess. /rant
Sorry, but I will keep using java server side. I just hope I don't end up with that "Ask toolbar" on our server :}
And the fact that the Java Security Manager is as safe as an open door does not really matter, because 99% of all server side java code is running without the security manager. (Or at least without relying on the Security Manager to provide security.)
I love java, and about a year ago started writing little programs in java, although I usually turn javascript off in the browser or run noscript.
A lot of people tend to think javascript == java but they're 2 different creatures altogether. http://kb.mozillazine.org/JavaScript_is_not_Java
I've made a few little fun gadgets for personal use, a winamp type clone using the jlayer library to stream shoutcast/icecast stations as well as my own playlists. Spent weeks learning java swing mainly manually before I started playing with Eclipse windowbuilder plugin for swing/awt/etc. the windowbuilder plugin made it so simple for me to make my little winamp clone skinnable. :)
Of course I've spent a year or a little more learning Java and have just now started playing with opengl 3d graphics but can't make up my mind which opengl library I like best yet; so far I've played around with JOGL and LWJGL, which I think are the 2 most popular libraries. Minecraft and most of the indie steam games use LWJGL.
So I've sorta been sticking with it.
Anyhow you have the option to uninstall Java browser plugin and just keep the SDK installed, but I usually just disable it in browser just in case I ever do come across a need for it I can enable it for a specific site if need be.
Ok, I am sick of this. Java is a fine language and platform and it doesn't deserve all the bad press it got lately just because it is poorly managed at the moment in one specific area: browser plugins. Banks and other corporate customers that feed Oracle couldn't care less about the flaws because they use Java server-side.
Here is my theory, I could be wrong...
Sun's and Oracle's philosophies were pretty different. Since Sun was acquired by Oracle, Oracle is split in 2 camps and stuck with a problem:
1) Sun's former employees. The ones that haven't left yet but that are kind of resisting still from the inside.
2) Legacy Oracle employees.
Sun's employees are much closer to the real old school geeky Linux user style than Oracle employees, who are closer to a Microsoft representative in their style. Sun's employees know this; they also have a strong ego.
So making Java look stupid would sure get a stab at those former Sun's employees that think they know everything and possibly make them easier to merge into the company mentality or cause them to resign.
When you bitch about Java, you may just be playing Oracle's game... But then again, could this theory possibly make sense to anybody else?
Everything I write is lies, read between the lines.
Just say no. I've lived without it on the client side for almost 2 years. On the server side, it's only the JVM that's of any use and using the java language on it is now totally optional. The raft of JVM languages means total portability and architectural freedom without being tied to the language.
Organization? You must be joking..
same AC here...
given you want to keep java and this mess is happening around us, that is a good strategy if it is implemented well (and i'm not saying that you don't implement it well).
if you are depending less and less on oracle's java ecosystem in its entirety, you could probably eventually just stick to the commonly implemented features in alternative implementations of JVM/compiler/etc. if you did (carefully i would add), your code would be compatible with oracle's JVM if you needed that level of portability at some point. (because it would be an overlapping subset of what oracle provides). we have a decent level of compatibility between weblogic, tomcat, jboss, glassfish, etc... if someone were careful they could write code that could run in all environments with little more than minor tweaks for each... we need to do this for JDK.
When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; They already had it, and weren't trying to get it from the victims' computers.
Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.
Will this update install the Google toolbar, Yahoo toolbar, Bing toolbar, or Ask.com toolbar?
I get the impression that a group of hackers is working on a collection of Java vulnerabilities with the goal of releasing a new 0-day for the Java plugin a day after every Oracle update.
I can think of a half-dozen ways Oracle could respond to such a tactic and each is a bit more chuckle-inducing than the last.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Oracle needs to reconfigure Java to automatically check for updates daily, not monthly. Why are they so ignorant of the stupidity of monthly updates for a proven virus magnet?
The Java Control Panel (in the Windows control panel) contains a checkbox under the Security Panel called "Enable Java content in the Browser". Uncheck this if you do not want applets to run. This selection persists each time you update the JRE.
Once again,
Windows Control Panel->Java Control Panel->Security Panel. Make sure the "Enable Java content in the Browser" checkbox is unchecked.
http://www.java.com/en/download/help/disable_browser.xml
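As an added example (not from any of the posters above), the same setting can be enforced machine-wide through Java's deployment configuration files instead of the per-user checkbox, so a user or a later JRE update cannot silently turn the plugin back on. This assumes Java 7 update 10 or later (where the webjava property exists) and the default Windows system-deployment directory; adjust the paths for your install.

```properties
# File 1: deployment.config
# Assumed path: C:\Windows\Sun\Java\Deployment\deployment.config
# Tells every JRE on the machine where the system-wide properties live,
# and makes loading that file mandatory (JRE refuses to start Web Java if it is missing).
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# File 2: deployment.properties
# Assumed path: C:\Windows\Sun\Java\Deployment\deployment.properties
# Equivalent to unchecking "Enable Java content in the browser" in the Java Control Panel.
deployment.webjava.enabled=false
# The ".locked" line greys the checkbox out so users cannot re-enable the plugin.
deployment.webjava.enabled.locked
```

Verify after the next JRE update by opening the Java Control Panel: the checkbox should show unchecked and disabled.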
Sounds like they have run out of pure sandbox vulnerabilities. Most of the previous ones were exploiting a properly running client sandbox and hence were pretty straightforward and reliable.
This one is apparently related to JPG image handling. It just tries to corrupt JVM memory and often crashes it.
My guess is, the rate at which vulnerabilities are discovered now is going to be a lot slower. The language sandbox is now probably fairly decent. Exploit writers are going to have to resort to finding bugs in native libraries used by JVM. I would not expect any new ones soon.
They also don't use the Java Plugin, which is the problem there :-)
Relying on software enforcement for security is just asking for trouble.
[1] The factor of 30 comes from seL4 which, to my knowledge, is the formally verified project that managed the smallest overhead. Other estimates from other projects are 100 or more times the cost.
I am TheRaven on Soylent News
Someone earns their living writing applets...
"Upload" vs "download" is from the perspective of the user in question.
If bits are going away from the system the user is in control of, then it's an upload.
If bits are coming toward the system the user is in control of, then it's a download.
In this case the trojan bits came from a remote distribution site to the end users' systems. So it was downloaded.
The problem is that, until very recently, the Java installer went out of its way to shove the browser plugin down your throat. Even if you removed it manually, it would come back the next time Java was updated. They changed it recently so you can disable the plugin in the control panel, but that's not really good enough – it ought to be turned off by default. In fact, it should probably be a separate download, with a warning that it's for legacy support only. Also, they really need to stop using the update process as an opportunity to try to make an extra buck with Ask Toolbar.
I'm getting very tired of installing a new JRE and JDK over and over again, including the JCE.
Can we please get an in-place delta patch, Oracle? It's 2013, we have these things you know.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Don't force users to install browser plugin crapola. One simple checkbox in the setup program (unchecked by default) would make lives better for many, many people (mainly developers). Unfortunately, Oracle chose to use the JDK to force lots of crap down our throats (JavaFX, browser plugin plus some other browser crapola), so virtually everyone using Java for any purpose is affected by Java security holes. Unfortunate situation that boils down to stubborn Oracle managos... is there anything in the world that Larry won't be able to turn into crap just by touching it?
That's a pretty elaborate conspiracy to manipulate some employees by trashing the company's products in public. I think in a big company like Oracle you just fire people who aren't "integrating" the way you want. Also, how many of the "Sun Employees" that are still with Oracle are you sufficiently familiar with to grade their geekiness vs. Oracle employees?
Just to go completely offtopic and straight for the woods, if you do that 30-100x cost of formal verification (which goes on forever as you evolve your software), then what did you verify?
I had a look at that seL4 project as it sounds interesting. They claim to have used a theorem prover to "construct the proof". Does a theorem prover now read your specs, consult your experts, and construct the proof for you? Or does it just take what you write, and your "constructing the proof" is writing all the specs yourself and running some prover to tell you how great your formal logics and nasty looking complex statements are? Like in "the logic of bugs"?
Who verifies the spec for what is to be proven in the first place? That is hard even in testing, which deals mostly with more human processable stuff.
Of course the project lists low-level details as being proven such as lack of buffer overflows, which don't really require much of a spec, so I suppose for those it can be nice with the 100 times overhead. Then you can address the rest of the security issues, which nicely would be much smaller though.
Anyway, that stuff would be nice if you could feed it a million LOC and press a button. Still waiting for the day..
In the seL4 case, they first write a formal specification. Then they (oversimplifying slightly) prove an equivalence of their implementation (in a restricted subset of C) and their specification. Then they prove properties (e.g. isolation) of their specification. You can't just take some C code and say 'is this correct' without a spec, and you typically can't take arbitrary C code and say 'do these properties hold for this code'. Even in the seL4 case, there are some issues; for example, the correct functioning of the MMU is taken as axiomatic.
I am TheRaven on Soylent News
I stopped updating Java because of those insane new "Do you want to run this application?" prompts. At first glance it sounds like a good idea, but once you try accessing your company's equipment management system that uses JSP you'll find that you have to dismiss about 300 of those prompts every day for a week before you finally get them all. A Java update resets all those warnings, so fuck updates.
Good going Oracle. You've finally made me into one of those people who refuse to update.