Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities

msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809, the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."

Uninstall

[Dan+East]

I uninstalled everything starting with "java" on my computers, and the only thing now missing is the every-other-day notification that Java needs to be updated.

Re:Uninstall

[Pino+Grigio]

Yup. Me too. Can't stand it.

Re:Uninstall

Or you stop ragging on Oracle/Java and just not click Activate/Run on applets from untrusted sites! That way you don't have to uninstall Java. I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS. There is so much a company can do to secure it's users, the rest is up to the user.

Re:Uninstall

[DigitAl56K]

I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS.

It's entirely different, the plugin is supposed to be sandboxed.

Re:Uninstall

[holostarr]

Just because it's supposed to doesn't mean you should run untrusted code.

Re:Uninstall

[Deekin_Scalesinger]

Look me in the eye and tell me you compile everything from source, after verifying each line of code. Do you trust Mozilla? Canonical? Berkeley? What an asinine statement.

Re:Uninstall

How can he look you in the eye in a web forum?

Re:Uninstall

[holostarr]

Obviously sometimes you have no choice but to trust someone else's code, but there is a difference between blindly trusting all code versus evaluating the source of the code and deciding whether or not there is enough good faith for the source to be trusted.

Re:Uninstall

[I'm+New+Around+Here]

Well, what application did you have before that needed Java to start with?

I know everyone says Open Office, but that can't be the main reason so many people have Java installed.

As for the annoying update, I turned that feature off right away. I'll keep track of what I need to update, thank you very much oracle.

Re:Uninstall

[Deekin_Scalesinger]

Indeed and well said Sire. My faith in tech humanity and common sense is somewhat restored (at least for tonight).

Re:Uninstall

But the whole point of the Java security model is so that one isn't supposed to have to worry about whether they are running trusted or untrusted code. If it's untrusted code it's not supposed to be running at all.

Re:Uninstall

How do you know that you can trust the compiler? How do you know that the compiler can trust the hardware?
http://cm.bell-labs.com/who/ken/trust.html
http://it.slashdot.org/story/08/05/09/164201/fbi-says-military-had-counterfeit-cisco-routers

The lesson:
Don't trust someone or something just because it claims it can be trusted.

Re:Uninstall

[Decker-Mage]

Sadly, more than a few "security" tools here require Java or .NET.

Re:Uninstall

What does .Net have to do with this?

Re:Uninstall

[Technomancer]

Thats easy, just click on this llittle Java app.

Re:Uninstall

I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS.

It's entirely different, the plugin is supposed to be sandboxed.

Oh no no no, the browser plugin on most (many.. all?) systems is NOT, not any more than the browser processes themselves.
The Java code executed by the JVM is sandboxed. THAT's the sandbox being broken out of anyway. Well, not just breaking the sandbox, but executing custom code in the JVM process itself from what I understand.

If the PLUGIN was sandboxed, this wouldn't be such a big deal.

Re:Uninstall

Obviously sometimes you have no choice but to trust someone else's code, but there is a difference between blindly trusting all code versus evaluating the source of the code and deciding whether or not there is enough good faith for the source to be trusted.

The difference being what, an insurmountable level of effort with still no absolute certainty?

Re:Uninstall

[MemoryDragon]

Disabling the browser plugin also would have helped.

Re:Uninstall

[qaz123]

Windows Control Panel -> Java -> Security Uncheck the "Enable Java content in the browser" checkbox That would be enough

Re:Uninstall

[smash]

And the problem here lies in the fact that the source could be compromised. Hence, code signing - the software can be uploaded to the net, after being signed by the private key which is kept off-line. Trusting the server sending you stuff these days is no real security at all.

Re:Uninstall

I got rid of it. Too much hassle. Updates are always a hassle, and I don't miss it. If I want to edit my tiddlywikis, I have to use Firefox - but that is about it.

Re:Uninstall

[denis-The-menace]

The don't use Open Office.
Use LibreOffice instead. (https://www.libreoffice.org/)

You don't need Java to install or to run it UNLESS you use BASE.

Re:Uninstall

Did you uninstall java script? You missed that one didn't you, now get to it pronto!

Re:Uninstall

[Macgrrl]

Citrix for remote access to work. :(

Re:Uninstall

[netsentry]

Citrix for remote access to work. :(

Junos web access for the same reason ... sigh.

LOL

Stop installing malware like Java and Flash on your systems and you become an infinitely smaller attack target.

Re:LOL

[ls671]

Ok, I am sick of this. Java is a fine language and platform and it doesn't deserve all the bad press it got lately just because it is poorly managed at the moment in one specific area: browser plugins. Banks and other corporate customers that feed Oracle couldn't care less about the flaws because they use Java server-side.

Here is my theory, I could be wrong...

Sun and Oracle philosophy were pretty different. Since Sun's was acquired by Oracle, Oracle is spilt in 2 camps and stuck with a problem:

1) Sun's former employees. The ones that haven't left yet but that are kind of resisting still from the inside.
2) Legacy Oracle employees.

Sun's employees are much closer to the real old school geeky Linux user style than Oracle employees that are closer to a Microsoft representative in their style. Sun's employees know this, they have also a strong ego.

So making Java look stupid would sure get a stab at those former Sun's employees that think they know everything and possibly make them easier to merge into the company mentality or cause them to resign.

When you bitch about Java, you may just be playing Oracle's game... But then again, could this theory possibly make sense to anybody else?

Re:LOL

[TheRaven64]

This has nothing to do with Oracle. The browser plugin has a long history of security holes going back well over a decade and the bitching has been going on since 1995. The problem is that writing a language implementation that is both fast and 100% correct is really hard. The safety properties of Java (and any other managed language) rely on the implementation being 100% correct. This is relatively easy for something like the Squeak Smalltalk VM, which is a single-threaded bytecode interpreter with a stop-the-world garbage collector, but people insist on the JVM doing all sorts of optimisations, supporting multiple threads and so on. The early complaints about Java were that it was slow. The more recent complaints are that it's not correct. Well, you have three choices:

• Have a slow VM.
• Have a fast, but incorrect, VM, and be aware that every error is a potential security hole.
• Formally verify your VM. Be aware that this will cost at least 30 times as much[1] as the non-verified version.

Relying on software enforcement for security is just asking for trouble.

[1] The factor of 30 comes from seL4 which, to mu knowledge, is the formally verified project that managed the smallest overhead. Other estimates from other projects are 100 or more times the cost.

Re:LOL

Someone earns their living writing applets...

Re:LOL

[JDG1980]

Ok, I am sick of this. Java is a fine language and platform and it doesn't deserve all the bad press it got lately just because it is poorly managed at the moment in one specific area: browser plugins. Banks and other corporate customers that feed Oracle couldn't care less about the flaws because they use Java server-side.

The problem is that, until very recently, the Java installer went out of its way to shove the browser plugin down your throat. Even if you removed it manually, it would come back the next time Java was updated. They changed it recently so you can disable the plugin in the control panel, but that's not really good enough – it ought to be turned off by default. In fact, it should probably be a separate download, with a warning that it's for legacy support only. Also, they really need to stop using the update process as an opportunity to try to make an extra buck with Ask Toolbar.

Re:LOL

That's a pretty elaborate conspiracy to manipulate some employees by trashing the companies products in public. I think in a big company like Oracle you just fire people who aren't "integrating" the way you want. Also, how many of the "Sun Employees" that are still with Oracle are you sufficiently familiar with to grade their geekiness vs. Oracle employees?

Re:LOL

[hraponssi]

Just to go completely offtopic and straight for the woods, if you do that 30-100xcost of formal verification (which goes on forever as you evolve your software), then what did you verify?

I had a look at that seL4 project as it sounds interesting. They claim to have used a theorem prover to "construct the proof". Does a threorem prover now read your specs, consult your experts, and construct the proof for you? Or does it just take what you write and your "constructing the proof" is writing all the specs yourself and running some prover to tell you how great your formal logics and nasty looking complex statements are? Like in "the logic of bugs"?

Who verifies the spec for what is to be proven in the first place? That is hard even in testing, which deals mostly with more human processable stuff.

Of course the project lists low-level details as being proven such as lack of buffer overflows, which don't really require much of a spec, so I suppose for those it can be nice with the 100 times overhead. Then you can address the rest of the security issues, which nicely would be much smaller though.

Anyway, that stuff would be nice if you could feed it a million LOC and press a button. Still waiting for the day..

Re:LOL

[TheRaven64]

In the seL4 case, they first write a formal specification. Then they (oversimplifying slightly) prove an equivalence of their implementation (in a restricted subset of C) and their specification. Then they prove properties (e.g. isolation) of their specification. You can't just take some C code and say 'is this correct' without a spec, and you typically can't take arbitrary C code and say 'do these properties hold for this code'. Even in the seL4 case, there are some issues, for example they correct functioning of the MMU is taken as axiomatic.

Only one program I miss

[AG+the+other]

Open office won't work without Java. Maybe some day I'll be convinced that they have their stuff together again and I'll reinstall it.

Re:Only one program I miss

[mcl630]

Most of the Java vulnerabilities are in the browser plugin. You can always install Java and just disable the browser plugin.

Re:Only one program I miss

[TsuruchiBrian]

You can have the java virtual machine installed without using the java applet plugin for your browser. The recent security problems are only for the java applet browser plugin, which is now disabled by default by firefox and probably other browsers as well.

Re:Only one program I miss

[Desler]

Open office won't work without Java.

Sure it does. The only parts that really required Java were a couple of wizards and the RDBMS.

Re:Only one program I miss

I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.

Re:Only one program I miss

That reminds me of the old NT4 security rating that was achieved by disconnecting the machine from the network and restricting physical access. You see, once you disable the browser plugin, that's 99% of the raison d'etre of Java gone for most end users who are downloading the thing in the first place. Without any reason to keep it on your system, just uninstall it and be done.

Re:Only one program I miss

a voice of reason! unfortunately here all we really get are: I heard that java was compromised, so i smashed my monitor.

Re:Only one program I miss

[smash]

.... and Base is pretty damn broken anyhow. I tested it a couple of months back - create new database. create a single table with 2 fields, a primary key and a name. It crashed when I tried to save the table design. Doesn't exactly inspire confidence as far as holding my data goes, which is somewhat crucial for a DATABASE.

Re:Only one program I miss

[antdude]

OpenOffice doesn't require Java for everything. What do you use for its Java?

Re:Only one program I miss

[etrusco]

I would agree, if only the installer had the option not to install the plugin and the option was kept when updating.

Re:Only one program I miss

[AG+the+other]

It says you can't install it unless you have Java installed or did the last time I tried to install it.
My wife has a multi PC copy of MS Office and I use that, most of the time anyway, for what little word processing I do that Google Docs won't do.

Re:Only one program I miss

[dissy]

Just install 64 bit java JRE only. There are no browser plugins in the 64 bit JRE, only the 32 bit JRE, so none of the vulnerabilities released in the past 3 or 4 years will affect you.

As a bonus, since there are no browser addons in 64 bit JRE, you won't ever see that annoying ask toolbar garbage from them again.

Re:Only one program I miss

[dissy]

I think you're mistaken. Open Office never ever has run in the browser plugin.
Or did you even bother to look at the conversation before spouting off?

Re:Only one program I miss

[rwyoder]

I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.

+1
I switched to Libre Office long ago, and can't find any reason anyone would still use OpenOffice.

Re:Only one program I miss

[davydagger]

"that's 99% of the raison d'etre of Java gone for most end users who are downloading the thing in the first place"

mabey in 1996. There are almost no legimimate java web apps anymore.The biggest use for Java today are cross platform executables like i2p, freenet, and other windows-mac-linux cross platform executables. Those are pretty rare too.

the only major mainstreamish(read non darknet), app I can think that needs it is libre office. Other than that its pretty worthless. For most cross platform dev work, I think python has taken over.

python is a far far far better language.

Re:Only one program I miss

[Numtek]

It does here.

Re:Only one program I miss

[Nivag064]

You can use LibreOffice instead of OpenOffice, it does no depend on Java!

http://www.libreoffice.org/

Re:Only one program I miss

[smash]

This was on a 15 minute old install of debian stable, by the way. Not some bleeding edge or ricer-cflags distribution.

Re:Only one program I miss

Uhm... If you can't tell the difference between Java (JVM) and browser plugin, you should not be installing any programs on your computer without tech savvy supervision to begin with.

Re:Only one program I miss

That's interesting because I've compiled it with Java support disabled. Works fine without Java...

Re:Only one program I miss

This was on a 15 minute old install of debian stable, by the way.

So the bug has been fixed decades ago. Debian stable only guarantees that the program version is old enough that most critical bugs should have been found by now.

Re:Only one program I miss

[futhermocker]

There are WAY MORE java web apps you might think
Where I work we have at least 3 applications that only can be used through an applet.
Plus all our KVMs are java applets, thanks to HP...

Re:Only one program I miss

Yes it does, I've been using it (well, LibreOffice these days) for years without it.

Some parts of the suite don't work, like most of the database app. I guess it depends on what you require from it.

Re:Only one program I miss

I did more - I read *further* in the conversation and discovered that OpenOffice doesn't require Java. So other than a rather lame browser plugin for executing code like ActiveX, what's the point of Java any more?

Re:Only one program I miss

There are WAY MORE java web apps you might think Where I work we have at least 3 applications that only can be used through an applet.

Yes, but are they legimimate?

Re:Only one program I miss

Wow - 3! You're right, that is way more than I might have thought. :)

Re:Only one program I miss

Java is around. Netbeans, Idea, Open Office. Just not the plugin. As far as I know that is the problem.

Re:Only one program I miss

I did more - I read *further* in the conversation and discovered that OpenOffice doesn't require Java. So other than a rather lame browser plugin for executing code like ActiveX, what's the point of Java any more?

Enterprise applications. That's all I use Java for, and will remove it in a heartbeat when I lose my job and end up having to give handjobs to finance my faberge egg habit.

Re:Only one program I miss

[kthreadd]

Some users may find the license more appropriate.

Re:Only one program I miss

[AG+the+other]

The last time I tried to install Libre Office on a relative's computer the installation failed and I haven't had another chance to try it again.

Re:Only one program I miss

[Nivag064]

Usually when I try to install software and it fails, I've made one or more mistakes myself! To makes matters worse, I'm not always aware of what I did wrong.

If installing LIbreOffice, or any other open source software, fails and you have not made any mistakes that you are aware of - then I advise you to file a bug report.

I am a software developer, and I know from my own experience, that any moderately complicated piece of software always has bugs - no matter how thoroughly you think you have tested it!

Re:Only one program I miss

You see, jethro.rose@gmail.com, it really would have been better if you had just counted your karma on the original comment you made and walked away. You managed to get one troll modded interesting, congratulations! Pat yourself and your cuntrag friends in #debian on the back for a job well done, then go back to trying to get some packages out that aren't five fucking years old.

Re:Only one program I miss

[LordLimecat]

Equallogic SANs use java iirc, as does HP's iLO remote management. A number of bank sites also use java applets.

Re:Only one program I miss

[HaZardman27]

You see, once you disable the browser plugin, that's 99% of the raison d'etre of Java gone for most end users

That last time I needed to use the Java browser plugin was nearly a year ago for a WebEx meeting. My last job involved server-side Java code, and I use OpenOffice at home, and that pretty much sums up my need for Java, other than the occasional program I write with it(very rare since I typically find that another language would be more suited to what I'm doing, and even when I chose Java it's never for applets). I understand my use probably does not represent the average computer user, but I can't even begin to imagine what all of those people you mention would be doing with Java applets.

Re:Only one program I miss

[HaZardman27]

There are almost no legimimate java web apps anymore

Depends on how you define a Java web app. Applets are dead, sure, I won't disagree with that, but in my definition a web app that uses Javascript and AJAX calls to a server-side program running on a JVM and written in Java is still a Java web app.

Re:Only one program I miss

[AG+the+other]

Unfortunately I was helping a relative set up a new computer, I had already spent several hours working on the computer and was exhausted so when the install failed I just changed to Open Office when the install failed.

Re:Only one program I miss

[jandrese]

Firefox (and I'm pretty sure all of the other major browsers) will remember that a plugin is disabled even when it is updated. Just let it install and then go and disable it in your browser(s).

Re:Only one program I miss

[Nivag064]

So my first paragraph applies - especially when one is very tired.

Initially, I was only going to comment along the lines of my second paragraph - but I felt that would come across as too harsh & likely to provoke irritation/anger!

All the best for your next attempt.

Re:Only one program I miss

[Macgrrl]

A number of bank sites also use java applets

This.

Also utilities, ISPs and similar organisations for web forms that probably don't really need java to do what they do (probably, it's possible they actually do).

I can't pay my credit card from Safari on my desktop Mac at home because it can't get past the balance calculation applet, but I can on my iPad iOS app.

I tried logging a ticket with my ISP the other day and their website said they don't support Safari, Firefox or Chrome - use IE, which isn't available for Mac OS and hasn't been for years (Note I used to be able to log faults through their website). I'm trying to log a fault at the exchange that causes random dropouts.

Re:Only one program I miss

[davydagger]

all three of them too.

Re:Only one program I miss

[davydagger]

javascript != java.

and ajax has nothing to do with it. The point is there are better ways to do AJAX than java in 2013. In fact, Java is not the go to for ajax anymore. For most interactive web apps, I think flash has taken over from java

perl, python, php, and javascript, and now HTML5.

Re:Only one program I miss

[Trogre]

Interesting. OpenOffice.org or Libreoffice?

Re:Only one program I miss

[OdinOdin_]

A "webapp" is a server side application, think like what PHP is mainly used for. There are a huge number Java Servlet Containers running Java webapp's in the world. Note the use of the term "webapp" was coined by Java back 12+ years ago to mean use of Servlets. From my view of the world only MS .NET with ASP.NET comes close to the capabilities possible with Java webapps. Sure today some other technologies have hijacked the term for their own use.

No one does Java Applets anymore, except as noted for corporate equipment vendors and this is usually because those large corporations (IBM, HP, Equalogic, VMware, Oracle, etc...) use the Java language for everything so they can reuse in-house knowledge. But no general public facing business uses Java Applets anymore, only closed portals or contracted for services.

Now the issue with JavaScript and AJAX this is talking about the HTTP client side of things, so the JavaScript != Java is not relevant to the original comments (since they were talking about "webapps" and therefore server side Java, but you confuse it with client side; that no one does). Currently NodeJS is about the only technology that can be said to have an edge on Java for server side processing of AJAX/WebSockets. But there are at least 2 major projects for Java making use of the NIO/Event processing model that should be able to scale better than NodeJS. The Servlet specification has an update to ratify WebSockets as at least 4 Java webserver implementations have already supported WebSockets to some degree already but in slightly different ways, so now we have a new standard.

My current choices are: Ruby for the offline development tools for content processing and generation (css/sprites/etc...), AngularJS for MVVM in HTML5, Java Servlets on Servlet container for service side programming model.

Seems like /. is stuck on repeat...

I have Java on my computer, but it is warm, tasty, and resides in a mug, but most importantly is exploit proof!

Re:Seems like /. is stuck on repeat...

[davydagger]

the worst part about this is the statement is inherently untrue.

If an attacker where to gain physical access to your machine, I could easily picture a nice denial of service attack one could perform with a hot cup of java on your computer.

here is a hint its the type that destroys the hardware.

I don't know your setup, but I'd also question the stability of your java platform(and the cup too). If you get a user panic error, you could easily destroy your machine.

Re:Seems like /. is stuck on repeat...

[Nimey]

It'd be more effective if the attacker would use hot grits instead.

Re:Seems like /. is stuck on repeat...

[Macgrrl]

Or a petrified Natalie Portman.

Re:Seems like /. is stuck on repeat...

[davydagger]

hosnap, you both are bringing back my 1996

even worse than the vulns

[csumpi]

Even worse than the vulnerabilities are the _constant_ nagging for updates. Then on top of it, the way java updates is stupid. With every update a new version is installed, and the old ones are left uninstalled. So it got uninstalled. All of it.

The language is ok, but everything else about java just plain sucks.

Re:even worse than the vulns

[GodfatherofSoul]

Compared to Adobe?

Re:even worse than the vulns

I think java 7 installs updates in place - no more need to uninstall old versions.
It says it does this somewhere on the oracle updater site, & it seems
to be working for me on a number of platforms.

Re:even worse than the vulns

[Nimey]

What do you mean "the old ones are left uninstalled"? Are you griping about it getting rid of old vulnerable versions, or do you have really ancient copies of Java prior to 6.0 update 10 still installed? Java 6u10 was the first version to be automatically removable by subsequent versions, so 6u7 and earlier must be manually uninstalled.

The updater still sucks in that it requires manual intervention instead of updating in the background, yes.

Re:even worse than the vulns

http://docs.oracle.com/javase/7/docs/webnotes/install/windows/patch-in-place-and-static-jre-installation.html
Haven't the faintest why this isn't documented more clearly
in their other pages related to installation & patching.

Re:even worse than the vulns

Flash? No. It's no better. I was comparing to not having either of them installed. It's frustrating at times (some things don't work), but compared to the constant nagging about updates, I prefer it.

Re:even worse than the vulns

Wa wa wa. For the 13 current comments on this article, someone is already complaining about OpenOffice, about Java being the worse thing ever, and that it's updates suck.

Do you people ever read and understand what you read? Java update articles have been on Slashdot long enough for you to know better.

1) OpenOffice and LibreOffice don't require Java.
2) A buggy browser plugin doesn't mean the entire language and JVM and bad as well. No one ran around spreading fear and trying to get everyone to uninstall everything remotely related to Adobe because of Flash plugin bugs (they wanted Adobe gone for other reasons such as bloat).
3) A full Java installation doesn't break old software. Tons of people complain every time Firefox updates and breaks something. Java doesn't do that because you still have the older version. Whichever update method you pick, someone will always complain. There are pros and cons to both methods. Simply complaining about one way is only whining. It is also possible to have Java auto-update without bugging you or to turn updates off. There's no harm from the current problems if you turn updates off and disable the browser plugin.

Sorry csumpi, I'm not trying to personally attack you even if it sounds that way.

Re:even worse than the vulns

[gstoddart]

Even worse than the vulnerabilities are the _constant_ nagging for updates.

And proclivity for trying to install the Ask.com toolbar.

Currently that is my biggest beef with Java -- after the fact that it seems to be glaringly insecure, and I can't figure out if they broke it, or it was always broken. :-P

Re:even worse than the vulns

Not to mention they're (or at least were, the last time I noticed this) terrible at including the version info in the string that is read by the installed programs 'control panel', so you're left with multiple (virtually) identical entries, trying to puzzle out which one is safe to remove. Fortunately MS seems to have realized things like this were and issue, and made more information available to you about each entry in the 'Add/Remove Programs' CP (or whatever it's called in 7+).

Re:even worse than the vulns

So why have I had to manually uninstall Java 6 Update 31 on about 150 users at my work the past few weeks after Java 7 updates installed but Chrome still detected outdated Java?

I fucking HATE the JRE and wish my employer wouldn't use it for the client apps. The worst part is the 2 client apps we use Java for could easily be just a simple HTML form.

Sigh I can't wait till I die from all the alcohol I drink from dealing with my job.

Sorry about that last sentence I'm drunk and I blame Oracle!

Re:even worse than the vulns

[Nimey]

Because Java 7 ignores previous Java 6 installs. New Java 7 updates will remove previous Java 7 instances.

It probably makes sense in some use cases.

Re:even worse than the vulns

[smash]

Even worse - a recent Java update decided to upgrade me from Java 6 to Java 7 (I know this is the case, because I don't install Java 7 myself). It left Java 1.6u38 installed, and no update to Java 6. I have applications that do not run on Java 7. So i'll be running Java 6. Which is still insecure on my machine.

Re:even worse than the vulns

[smash]

Confirmed on a second machine.

Re:even worse than the vulns

[dinfinity]

Even worse than the vulnerabilities are the _constant_ nagging for updates.

1. Remove the scheduled updater task.
2. Install Secunia PSI
3. Profit.

Also, the JRE is updated nowadays. Only old JDKs are not removed, but that makes sense (to a developer).

Re:even worse than the vulns

For what is worth Java 7 has the option to disable the java plugin and Java 6 doesn't.

Re:even worse than the vulns

[jandrese]

And frankly, I suspect that Ask.com bar is full of security holes too.

Re:even worse than the vulns

[gstoddart]

I certainly assume it is ... every thing you install these days wants to install some form of search bar or browser plugin.

The answer is always "no".

Last Java 6 public update

[yuhong]

http://www.oracle.com/technetwork/java/javase/6u43-relnotes-1915290.html
After this one you will need to pay for a support contract or upgrade to Java 7.

Re:Last Java 6 public update

[viperidaenz]

I was checking java 6 builds the other day and I'm almost positive that "This is the last release" message was in the update 41 release notes before 43 was released.

Re:Last Java 6 public update

[yuhong]

Not this one:
http://www.oracle.com/technetwork/java/javase/6u41-relnotes-1907743.html
Keep in mind this update is out of band.

Re:Last Java 6 public update

[Nimey]

Marvelous. We just bought a package that requires 6 to work and doesn't with 7, /and/ it needs the browser plugin.

Eat a bag of dicks, Ellison.

Re:Last Java 6 public update

[yuhong]

Just bought? The support lifecycle for Java is public: http://www.oracle.com/technetwork/java/eol-135779.html

Re:Last Java 6 public update

[Nimey]

I wasn't involved in the purchase, but the program requires JavaFX and does not appear to work with any Java 7 REs I've tried.

Re:Last Java 6 public update

[willie150]

We're lucky to get that one. Oracle have publicly stated that there wont be any updates to Java 6 post February 2012. http://java.com/en/download/faq/java_6.xml

Re:Last Java 6 public update

[yuhong]

Yep, this update is out of band which is probably why.

Re:Last Java 6 public update

[wmac1]

How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?

Re:Last Java 6 public update

[viperidaenz]

They changed the release notes for 41.
That's my story and I'm sticking to it. Even though the google cache of that page on the 25th says otherwise. Wikipedia hasn't been updated yet and says 41 is the last.

Re:Last Java 6 public update

[Nimey]

It's a lot easier to bitch about Oracle, especially given how shoddily written their software is.

I mean, fuck. They've managed to take the crappy security award away from Adobe.

Re:Last Java 6 public update

[Kenshin]

Brilliant. That's like buying new software that requires Windows XP.

Re:Last Java 6 public update

that would be fine if 7 wasn't a messed up bucket of shit that has caused more problems than it solved. so many things broke with this supposedly write once run anywhere technology.

Re:Last Java 6 public update

[Nimey]

Ever dealt with "enterprise" vendors? With that attitude I bet you haven't.

Re:Last Java 6 public update

[cbhacking]

Who, previously, had taken it from MS. Guys, *stop* chasing that award. It's not actually a good thing! I think MS was pretty happy to give it up (after all the security work that went into NT6.x, the IE sandbox, etc.), and Adobe is showing signs of acting that way too (the Reader sandbox was a huge improvement, though Flash is still iffy), but Oracle seems dead-set on holding onto it.

Re:Last Java 6 public update

[pedestrian+crossing]

Cisco ASDM (configuration/management software for ASA firewalls) doesn't work on Java 7...

Re:Last Java 6 public update

[DeDmeTe]

It's running fine for me on 7.17 (ASDM 6.4)

Re:Last Java 6 public update

That is a problem with Cisco, not Java.

Re:Last Java 6 public update

(the Reader sandbox was a huge improvement, though Flash is still iffy)

I'd rather use a standalone Chrome PDF reader, if one existed, since Google cares a lot more about their sand-boxing.

Re:Last Java 6 public update

[Rich0]

How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?

Uh, their latest version is only guaranteed support until July 2014 according to their website. Sure, I guess nobody is paying for it, but I'm not sure I'd base my software off of a platform that is not guaranteed to get security updates for more than a year.

The seven years Java 6 got isn't too bad, assuming it was announced that way back in the beginning. However, it still pales compared to the stability of win32/etc.

Re:Last Java 6 public update

[Rich0]

I wouldn't complain too much about XP.

XP was introduced in Dec 2001 and is supported until April 2014.

Java 7 (SEVEN - not six - ie the latest version) was introduced in July 2011, and is supported until July 2014 (it might or might not go later, but no promises).

If you used something more sane like Windows 7 then you're supported until 2020.

If you deployed a new piece of software that requires XP you'd only be three months worse off than deploying a new piece of software that requires Java 7.

Warning: Oracle installs ask.com toolbar

[icknay]

Warning: the Java installer will install the ask.com toolbar if you click the "yes, please just install my security update" button, even for the original install you declined the toolbar -- really an obnoxious abuse of updates. Here is a very interesting analysis of the whole back and forth between the ask.com installer and the browsers trying to keep junk out. Interesting tidbit: apparently the ask.com installer sleeps for 10 minutes, so if you try to "remove" right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from ask.com in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.

Re:Warning: Oracle installs ask.com toolbar

http://www.java.com/en/download/manual.jsp

Re:Warning: Oracle installs ask.com toolbar

[Qwavel]

But that's just Oracle - and always has been Oracle. Being aggressive and obnoxious hasn't hurt them before (check their stock price).

Re:Warning: Oracle installs ask.com toolbar

If running Windows use ninite (ninite.com) to install java and other stuff w/o getting any of the toolbars. Added bonus you only have to download the installer once, it will still update everything to latest version. It does install both 32 and 64 bit java if you're running 64 bit windows.

Re:Warning: Oracle installs ask.com toolbar

Petition: Oracle, stop bundling Ask toolbar with the java installer

Re:Warning: Oracle installs ask.com toolbar

Remember, Oracle cares about one thing and one thing only: money.

Re:Warning: Oracle installs ask.com toolbar

[smash]

Also - watch out, it may also re-enable the Java plugin in your browser if you had previously turned it off, on at least one box I've updated on (previous update).

Re:Warning: Oracle installs ask.com toolbar

[bloodhawk]

It's a damn slap in the face. You install updates to protect yourself and you get the fucking ask.com malware as your reward.

Re:Warning: Oracle installs ask.com toolbar

On Windows, go get the installer packages
http://www.java.com/en/download/manual.jsp
and run them with the /s option
(I also add IEXPLORER=1 MOZILLA=1 but I think that is obsolete)
no toolbars, no intervention on your part

OpenJDK ..

[dgharmon]

Does this exploit work under the OpenJDK Runtime Environment?

Re:OpenJDK ..

[sourcerror]

As far as I know, OpenJDK is not really a fork, just a stripped down version of the Oracle JDK.

Re:OpenJDK ..

[ChunderDownunder]

So yes, probably.

The security flaw isn't necessarily in the browser plugin per se. Rather it's in the class libraries that are 'sandboxed' when running in a security manager.

Were one to substitute, say, the IcedTea browser plugin, one would still be accessing the same underlying libraries and security manager implementations. i.e. following each security patch to Java, a Red Hat employee is quick to roll out a new IcedTea release with those patches.

Java and Flash remind me of this song..

[DigitAl56K]

http://en.wikipedia.org/wiki/There's_a_Hole_in_My_Bucket

So, Oracle managed to mess this one up as well...

[SpaceCracker]

All these security holes are loosing credibility for Java.
That's good news for .Net.
What about the rest of us?

It seems like the right time for a new alternative to show up. Any takers?

I'll stick with the Java that I can drink.

[Darth+Twon]

And Barry Allen.

And Open Office still runs

Well no, because the VM is installed by Open Office. So you get Open Office, without all that Java plugin nonsense.

But these days I let Firefox simply leave the plugin switched off, and only activate it if I use a website I trust that uses it (my stock broker).

I think Adobe and Oracle really have lost their way. The last update to flash was the player crashier than before. I think they have a crap programmer on the team and he seems to be twiddling and breaking stuff. Oracle on the other hand, well that's about the standard I find all Oracle products.

Re:And Open Office still runs

[Macgrrl]

Does anyone else periodically feel like throwing their computer out the window with the constant nag screens to update Adobe Flash or Acrobat Reader that seem to appear every week or so.

Re:So, Oracle managed to mess this one up as well.

here's one way of doing things: the right tool for the job. when the fuck did computer science become computer ass-hattery?

web:
server side web: node.js
client side web: javascript

systems:
embedded/kernel/drivers/network/etc: C
scripting: bash, perl, clphp, python

application:
C++

notice: there are 2 real language types here. C and perl. (i am taking the liberty of looping the shells in with the perl family.). Java is in the C family anyway, and going from OOP to non-OOP is easy (other way around not so much). i thought java was bad in the clutches of sun, but i still loved it. now it is useless.

second route:
fuck the java standard and make due with gcj or something like that. it isnt compatible with oracle because it doesnt implement everything, but so what? write more code lamer. why did programming change from algorithms and procedures to prepackaged function calls against standard libraries? why?! WHY?!

for the record C++ is still a piece of shit, just less so than before. new standard should implement orthogonality and make iostream less retarded. that said until we liberate java by ditching oracles standard it is ok i guess. /rant

Re:So, Oracle managed to mess this one up as well.

[TheSunborn]

Sorry, but I will keep using java server side. I just hope I don't end up with that "Ask toolbar" on our server :}

And the fact that the Java Security Manager is as safe as an open door, does not really matter because 99% of all server side java code, is running without the security manager. (Or at least without relaying on the Security manager to provide security).

 

"3 Billion Devices Run Java

[RudySolis]

Computers, Printers, Routers, Cell Phones, ATMs, Home Security Systems"... and none can be updated because of compatibility issues.


Great isn't it?

Re:"3 Billion Devices Run Java

[MemoryDragon]

They also dont use the Java Plugin which is the problem there :-)

Love Java, but dislike Javascript

[Cito]

I love java, and about a year ago starting writing little programs in java, although I usually turn javascript off in the browser or run noscript.

lot of people tend to think javascript == java but it's 2 different creatures all together. http://kb.mozillazine.org/JavaScript_is_not_Java

I've made a few little fun gadgets for personal use, a winamp type clone using the jlayer library to stream shoutcast/icecast stations as well as my own playlists. Spent weeks learning java swing mainly manually before I started playing with Eclipse windowbuilder plugin for swing/awt/etc. the windowbuilder plugin made it so simple for me to make my little winamp clone skinnable. :)

course i've spent a year or little more learning Java and have just now started playing with opengl 3d graphics but can't make up my mind which opengl library I like best yet, so far I've played around with JOGL and LWJGL, which I think are the 2 most popular libraries, Minecraft and most the indie steam games use LWJGL.
So I've sorta been sticking with it.

Anyhow you have the option to uninstall Java browser plugin and just keep the SDK installed, but I usually just disable it in browser just in case I ever do come across a need for it I can enable it for a specific site if need be.

Re:Love Java, but dislike Javascript

I'm confused as to the title of your post - what does disliking javascript and using noscript have to do with the article, i.e. vulnerabilities in the completely unrelated-to-javascript Oracle Java browser plugins?

Re:Love Java, but dislike Javascript

[Cito]

Firefox states that the browser javascript plugin is vulnerable and automatically turns it off.

http://www.h-online.com/security/news/item/New-holes-discovered-in-latest-Java-versions-1810990.html

firefox now default turns off javascript in the browser unless you specifically tell it to accept, similar to noscript.

which is the same bug as the original article fixes. But firefox is still refusing to allow javascript by default and until further notice all javascript plugins will be disabled by default in firefox.

I was pointing out some people are confusing Java and Javascript, I explained they are 2 totally different creatures.

Java?

[h8sg8s]

Just say no. I've lived without it on the client side for almost 2 years. On the server side, it's only the JVM that's of any use and using the java language on it is now totally optional. The raft of JVM languages means total portability and architectural freedom without being tied to the language.

Re:So, Oracle managed to mess this one up as well.

same AC here...

given you want to keep java and this mess is happening around us, that is a good strategy if it is implemented well (and i'm not saying that you don't implement it well).

if you are depending less and less on oracle's java ecosystem in its entirety, you could probably eventually just stick to the commenly implemented features in alternative implementations of JVM/compiler/etc. if you did (carefully i would add), your code would be compatible with with oracles JVM if you needed that level of portability at some point. (because it would be an overlapping subset of what oracle provides). we have a decent level of compatibility between weblogic, tomcat, jboss, glassfish, etc... if someone were careful they could write code that could run in all environments with little more than minor tweaks for each... we need to do this for JDK.

It's Upload, Not Download

[StormReaver]

When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; They already had it, and weren't trying to get it from the victims' computers.

Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.

Re:It's Upload, Not Download

[ChaseTec]

Why? You downloaded an applet from a website which then downloaded the McRAT trojan. The article was misleading about who or what was doing the download but not the initiator of the transfer.

Re:It's Upload, Not Download

[slimjim8094]

It's completely correct. The user's computer downloaded the applet, which then proceeded to download the trojan from some Internet location and install it through this vulnerability. Uploading implies that the attackers were the "active" party; that would generally be a worm.

Re:It's Upload, Not Download

[Phrogman]

Technically they got the user's system to download the McRAT Trojan surreptitiously by exploiting the vulnerability in Java :)

Client to Server: Upload
Server to Client: Download

So its correct but not very grammatically clear

Re:It's Upload, Not Download

[StormReaver]

Consider the context of the sentence: "[A]ttackers exploiting the flaw were able to..."

They were able to...what? Uploading and downloading are terms used within the context of who is doing what. When a file is being transferred, uploading and downloading are occurring simultaneously. One side of the transmission is downloading, and the other side of the transmission is uploading. The side of the transmission that is receiving the data is downloading, and the side of the transmission that is sending the data is uploading. It doesn't matter if it's client/server, peer to peer, or Morse code through flashlights; the rule is the same: the sender is uploading, and the receiver is downloading. It similarly doesn't matter who initiated the transfer.

The article was not in any way misleading about who was doing what. The victims were downloading, and the attackers were uploading.

Troolbar

[snsh]

Will this update install the Google toobar, Yahoo toolbar, Bing toolbar, or Ask.com toolbar?

Evil Masterminds

[bill_mcgonigle]

I get the impression that a group of hackers is working on a collection of Java vulnerabilities with the goal of releasing a new 0-day for the Java plugin a day after every Oracle update.

I can think of a half-dozen ways Oracle could respond to such a tactic and each is a bit more chuckle-inducing than the last.

Re:Evil Masterminds

Who would benefit?
Perhaps a certain corporation in Redmond, Washington.

Re:Evil Masterminds

[MadKeithV]

Who would benefit?

Everyone who doesn't have Java installed gets a good laugh out of it, for starters.

Re:Evil Masterminds

[Nimey]

Anybody who doesn't like Larry Ellison, i.e. everyone who's dealt with him personally.

Monthly update check

Oracle needs to reconfigure Java to automatically check for updates daily, not monthly. Why are they so ignorant of the stupidity of monthly updates for a proven virus magnet?

How to stop applets from running

[TrueSpeed]

The Java Control Panel (in the Windows control panel) contains a checkbox under the Security Panel called "Enable Java content in the Browser". Uncheck this if you do not want applets to run. This selection stays persisted each time you update the JRE.

Once again,

Windows Control Panel->Java Control Panel->Security Panel. Make sure the "Enable Java content in the Browser" checkbox is unchecked.

How do I disable Java in my browser

[TrueSpeed]

http://www.java.com/en/download/help/disable_browser.xml

Re:So, Oracle managed to mess this one up as well.

The rest of us (not using Windows) pretty much run everything on Java. In fact, except for browsers, all software that I use daily is written in Java.

Like it or not, .NET is irrelevant due to it's single platform nature and nobody these days wants to bother developing UI in C/C++.

I would get used to it (Java). And, do disable the plugin.

As far as system-wide JVM install on Windows, I wouldn't worry too much: those app that need JVM can and should bring their own.

This one is different

Sounds like they have run out of pure sandbox vulnerabilities. Most of the previous ones were exploiting a properly running client sandbox and hence were pretty straightforward and reliable.

  This one is apparently related to JPG image handling. It just tries to corrupt JVM memory and often crashes it.

My guess is, the rate at which vulnerabilities are discovered now is going to be a lot slower. The language sandbox is now probably fairly decent. Exploit writers are going to have to resort to finding bugs in native libraries used by JVM. I would not expect any new ones soon.

Re:This one is different

My guess would be there's a rather large backlog of vulnerabilities being trickled out one by one. I may not personally like Java at all for a variety of reasons, but it does appear like someone has intentionally set out to discredit the language by making it look fundamentally insecure.

No, it's not.

When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; They already had it, and weren't trying to get it from the victims' computers.

Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.

"Upload" vs "download" is from the perspective of the user in question.

If bits are going away from the system the user is in control of, then it's an upload.

If bits are coming toward the system the user is in control of, then it's a download.

In this case the trojan bits came from a remote distribution site to the end users' systems. So it was downloaded.

delta patches please

[X0563511]

I'm getting very tired of installing a new JRE and JDK over and over again, including the JCE.

Can we please get an in-place delta patch, Oracle? It's 2013, we have these things you know.

Pretty simple solution

[boorack]

Don't force users to install browser plugin crapola. One simple checkbox in setup program (unchecked by default) would make lives better for many, many people (mainly developers). Unfortunately, Oracle chose to use JDK to force lots of crap down our throats (JavaFX, browser plugin plus some other browser crapola), so virtually everyone using Java for any purose is affected by Java security holes. Unfortunate situation that boils down to by stubborn Oracle managos... is there anything in the world that Larry won't be able to turn into crap just by touching it ?

Anybody Else?

I stopped updating Java because of those insane new "Do you want to run this application?" prompts. At first glance it sounds like a good idea, but once you try accessing your companies equipment management system that uses JSP you'll find that you have to dismiss about 300 of those prompts every day for a week before you finally get them all. A Java update resets all those warnings, so fuck updates.

Good going Oracle. You've finally made me into one of those people who refuse to update.