Slashdot Mirror


Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities

msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809; the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."
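An added example, not from the summary, the submitter or Oracle: a small Python triage script that parses Java version strings from a host inventory and places each one against the exploited range the summary gives, Java 6 update 41 through Java 7 update 15. The hostnames and version strings in the inventory are constructed; the range is the summary's wording only, and Oracle's advisory remains the authority on which builds are actually affected. Versions below the range are reported as such rather than called safe, since the summary says nothing about them, and unreadable entries are flagged instead of dropped.

```python
"""Triage Java runtime versions against the range a Slashdot summary
reports as exploited in the wild (Java 6u41 through Java 7u15).
Added example; not part of the original post. Sample data is constructed."""
import re

# Exploited range exactly as the summary states it, inclusive at both ends.
# Oracle's advisory is authoritative; this only encodes the page's wording.
EXPLOITED_LOW = (6, 41)
EXPLOITED_HIGH = (7, 15)

# Version forms handled: "1.7.0_15" (java -version), "1.6.0_41-b02" (with
# build suffix), "7u15" (download-page style) and a bare major such as "7".
_DOTTED = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?(?:-b\d+)?$")
_SHORT = re.compile(r"^(\d+)u(\d+)$")
_MAJOR_ONLY = re.compile(r"^(\d+)$")


def parse_java_version(text):
    """Return (major, update) for a Java 6/7-style version string.
    Raises ValueError on anything unrecognised so a caller cannot mistake
    an unreadable host for a safe one."""
    text = text.strip().strip('"')
    for pat in (_DOTTED, _SHORT):
        m = pat.match(text)
        if m:
            return int(m.group(1)), int(m.group(2) or 0)
    m = _MAJOR_ONLY.match(text)
    if m:
        return int(m.group(1)), 0
    raise ValueError("unrecognised Java version: %r" % text)


def version_from_java_output(output):
    """Pull the version out of `java -version` output, whose first line
    looks like: java version "1.7.0_15"."""
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        raise ValueError("no version line in java -version output")
    return parse_java_version(m.group(1))


def classify(version):
    """Place a (major, update) tuple relative to the exploited range.
    Tuple comparison orders by major first, then update number."""
    if version < EXPLOITED_LOW:
        return "older_than_range"
    if version > EXPLOITED_HIGH:
        return "newer_than_range"
    return "in_exploited_range"


def triage(inventory):
    """inventory: dict of host -> raw version string.
    Returns dict of host -> classification; unparseable entries are kept
    and flagged so they show up for manual follow-up."""
    result = {}
    for host, raw in inventory.items():
        try:
            result[host] = classify(parse_java_version(raw))
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "1.7.0_15",
    "ws-02": "1.6.0_41-b02",
    "ws-03": "7u21",
    "ws-04": "1.6.0_39",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-6s %s" % (host, status))
```

Feeding real `java -version` output per host into `version_from_java_output` gives the same classification without hand-copying version strings.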

8 of 165 comments

  1. Re:Only one program I miss by mcl630 · Score: 5, Informative

    Most of the Java vulnerabilities are in the browser plugin. You can always install Java and just disable the browser plugin.

  2. Warning: Oracle installs ask.com toolbar by icknay · Score: 5, Informative

    Warning: the Java installer will install the ask.com toolbar if you click the "yes, please just install my security update" button, even if you declined the toolbar during the original install -- really an obnoxious abuse of updates. Here is a very interesting analysis of the whole back and forth between the ask.com installer and the browsers trying to keep junk out. Interesting tidbit: apparently the ask.com installer sleeps for 10 minutes, so if you try to "remove" right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from ask.com in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.

  3. Re:even worse than the vulns by gstoddart · Score: 4, Informative

    Even worse than the vulnerabilities are the _constant_ nagging for updates.

    And proclivity for trying to install the Ask.com toolbar.

    Currently that is my biggest beef with Java -- after the fact that it seems to be glaringly insecure, and I can't figure out if they broke it, or it was always broken. :-P

    --
    Lost at C:>. Found at C.

  4. Re:Only one program I miss by dissy · Score: 4, Informative

    Just install the 64-bit Java JRE only. There are no browser plugins in the 64-bit JRE, only the 32-bit JRE, so none of the vulnerabilities released in the past 3 or 4 years will affect you.

    As a bonus, since there are no browser addons in the 64-bit JRE, you won't ever see that annoying ask toolbar garbage from them again.

  5. Re:Last Java 6 public update by Nimey · Score: 3, Informative

    Ever dealt with "enterprise" vendors? With that attitude I bet you haven't.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem

  6. It's Upload, Not Download by StormReaver · Score: 3, Informative

    When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; they already had it, and weren't trying to get it from the victims' computers.

    Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.

  7. Re:OpenJDK .. by ChunderDownunder · Score: 3, Informative

    So yes, probably.

    The security flaw isn't necessarily in the browser plugin per se. Rather it's in the class libraries that are 'sandboxed' when running in a security manager.

    Were one to substitute, say, the IcedTea browser plugin, one would still be accessing the same underlying libraries and security manager implementations. I.e., following each security patch to Java, a Red Hat employee is quick to roll out a new IcedTea release with those patches.

  8. How do I disable Java in my browser by TrueSpeed · Score: 3, Informative