Slashdot Mirror


Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities

msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809, the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."
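A defender-side inventory check built on the version information in the story summary, added here as an example (not code from the thread or from Oracle): it parses `java -version` output and flags installs older than the fixed updates the thread names, 6u43 for Java 6 and 7u17 for Java 7; the host names and build numbers in the sample inventory are constructed.

```python
import re
from typing import Dict, NamedTuple, Optional

# Added example, not code from the Slashdot thread or from Oracle. The last
# public Java 6 update named in the thread is 6u43, and 7u17 is the Java 7
# update a commenter reports running after the fix, so anything older on the
# same major line is treated as still exposed to CVE-2013-1493.
FIXED_UPDATE = {6: 43, 7: 17}


class JavaVersion(NamedTuple):
    major: int    # 6 for "1.6.0_xx", 7 for "1.7.0_xx"
    update: int   # the "_xx" update number, 0 when absent


# Matches the quoted version on the first line of `java -version`, e.g.
#   java version "1.7.0_15"
# and the build string on the second line, e.g. (build 1.6.0_41-b02).
# The -bNN build suffix is consumed but not used.
_VERSION_RE = re.compile(r"\b1\.(\d)\.0(?:_(\d+))?(?:-b\d+)?")


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Return the major/update pair found in `java -version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    update = int(m.group(2)) if m.group(2) else 0
    return JavaVersion(major=int(m.group(1)), update=update)


def is_exposed(v: JavaVersion) -> bool:
    """True when the install predates the fixed update for its major line.

    Java 5 and earlier never received this fix and are reported as exposed;
    majors newer than 7 did not exist when the thread was written and are
    reported as not exposed (an assumption of this example).
    """
    fixed = FIXED_UPDATE.get(v.major)
    if fixed is None:
        return v.major < 6
    return v.update < fixed


def triage(version_outputs: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> 'exposed' / 'patched' / 'unknown' from `java -version` text."""
    result = {}
    for host, output in version_outputs.items():
        v = parse_java_version(output)
        if v is None:
            result[host] = "unknown"
        else:
            result[host] = "exposed" if is_exposed(v) else "patched"
    return result


# Constructed sample inventory: hypothetical host names, each with the two
# lines `java -version` prints (build numbers are made up for the sample).
SAMPLE_OUTPUTS = {
    "ws-01": 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
    "ws-02": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
    "ws-03": 'java version "1.6.0_41"\nJava(TM) SE Runtime Environment (build 1.6.0_41-b02)',
    "ws-04": 'java version "1.6.0_43"\nJava(TM) SE Runtime Environment (build 1.6.0_43-b01)',
    "ws-05": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
```

A host with no Java at all is reported as "unknown" rather than "patched", so a collection failure is never mistaken for a clean result.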

117 of 165 comments

  1. Uninstall by Dan+East · · Score: 5, Funny

    I uninstalled everything starting with "java" on my computers, and the only thing now missing is the every-other-day notification that Java needs to be updated.

    --
    Better known as 318230.
    1. Re:Uninstall by Pino+Grigio · · Score: 1

      Yup. Me too. Can't stand it.

    2. Re:Uninstall by DigitAl56K · · Score: 4, Insightful

      I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS.

      It's entirely different, the plugin is supposed to be sandboxed.

    3. Re:Uninstall by holostarr · · Score: 2

      Just because it's supposed to doesn't mean you should run untrusted code.

    4. Re:Uninstall by Deekin_Scalesinger · · Score: 4, Insightful

      Look me in the eye and tell me you compile everything from source, after verifying each line of code. Do you trust Mozilla? Canonical? Berkeley? What an asinine statement.

      --
      "As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
    5. Re:Uninstall by holostarr · · Score: 5, Insightful

      Obviously sometimes you have no choice but to trust someone else's code, but there is a difference between blindly trusting all code versus evaluating the source of the code and deciding whether or not there is enough good faith for the source to be trusted.

    6. Re:Uninstall by Deekin_Scalesinger · · Score: 1

      Indeed and well said Sire. My faith in tech humanity and common sense is somewhat restored (at least for tonight).

      --
      "As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
    7. Re:Uninstall by Anonymous Coward · · Score: 1

      But the whole point of the Java security model is so that one isn't supposed to have to worry about whether they are running trusted or untrusted code. If it's untrusted code it's not supposed to be running at all.

    8. Re:Uninstall by Decker-Mage · · Score: 2, Interesting

      Sadly, more than a few "security" tools here require Java or .NET.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    9. Re:Uninstall by Technomancer · · Score: 4, Funny

      That's easy, just click on this little Java app.

    10. Re:Uninstall by MemoryDragon · · Score: 2

      Disabling the browser plugin also would have helped.

    11. Re:Uninstall by qaz123 · · Score: 2

      Windows Control Panel -> Java -> Security. Uncheck the "Enable Java content in the browser" checkbox. That would be enough.

    12. Re:Uninstall by smash · · Score: 1

      And the problem here lies in the fact that the source could be compromised. Hence, code signing - the software can be uploaded to the net, after being signed by the private key which is kept off-line. Trusting the server sending you stuff these days is no real security at all.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    13. Re:Uninstall by denis-The-menace · · Score: 1

      Then don't use Open Office.
      Use LibreOffice instead. (https://www.libreoffice.org/)

      You don't need Java to install or to run it UNLESS you use BASE.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    14. Re:Uninstall by Macgrrl · · Score: 1

      Citrix for remote access to work. :(

      --
      Sara
      Designer, Gamer, Macgrrl in an XP World
    15. Re:Uninstall by netsentry · · Score: 1

      Citrix for remote access to work. :(

      Junos web access for the same reason ... sigh.

  2. Only one program I miss by AG+the+other · · Score: 1, Insightful

    Open office won't work without Java. Maybe some day I'll be convinced that they have their stuff together again and I'll reinstall it.

    --
    Non bene pro toto libertas venditur auro
    1. Re:Only one program I miss by mcl630 · · Score: 5, Informative

      Most of the Java vulnerabilities are in the browser plugin. You can always install Java and just disable the browser plugin.

    2. Re:Only one program I miss by TsuruchiBrian · · Score: 3, Interesting

      You can have the java virtual machine installed without using the java applet plugin for your browser. The recent security problems are only for the java applet browser plugin, which is now disabled by default by firefox and probably other browsers as well.

    3. Re:Only one program I miss by Desler · · Score: 5, Insightful

      Open office won't work without Java.

      Sure it does. The only parts that really required Java were a couple of wizards and the RDBMS.

    4. Re:Only one program I miss by Anonymous Coward · · Score: 3, Interesting

      I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.

    5. Re:Only one program I miss by smash · · Score: 3, Interesting

      .... and Base is pretty damn broken anyhow. I tested it a couple of months back - create new database. create a single table with 2 fields, a primary key and a name. It crashed when I tried to save the table design. Doesn't exactly inspire confidence as far as holding my data goes, which is somewhat crucial for a DATABASE.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    6. Re:Only one program I miss by antdude · · Score: 1

      OpenOffice doesn't require Java for everything. What do you use for its Java?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re:Only one program I miss by etrusco · · Score: 1

      I would agree, if only the installer had the option not to install the plugin and the option was kept when updating.

    8. Re:Only one program I miss by AG+the+other · · Score: 1

      It says you can't install it unless you have Java installed or did the last time I tried to install it.
      My wife has a multi PC copy of MS Office and I use that, most of the time anyway, for what little word processing I do that Google Docs won't do.

      --
      Non bene pro toto libertas venditur auro
    9. Re:Only one program I miss by dissy · · Score: 4, Informative

      Just install 64 bit java JRE only. There are no browser plugins in the 64 bit JRE, only the 32 bit JRE, so none of the vulnerabilities released in the past 3 or 4 years will affect you.

      As a bonus, since there are no browser addons in 64 bit JRE, you won't ever see that annoying ask toolbar garbage from them again.

    10. Re:Only one program I miss by dissy · · Score: 1

      I think you're mistaken. Open Office never ever has run in the browser plugin.
      Or did you even bother to look at the conversation before spouting off?

    11. Re:Only one program I miss by rwyoder · · Score: 1

      I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.

      +1
      I switched to Libre Office long ago, and can't find any reason anyone would still use OpenOffice.

    12. Re:Only one program I miss by Numtek · · Score: 1

      It does here.

    13. Re:Only one program I miss by Nivag064 · · Score: 1

      You can use LibreOffice instead of OpenOffice, it does not depend on Java!

      http://www.libreoffice.org/

    14. Re:Only one program I miss by smash · · Score: 1

      This was on a 15 minute old install of debian stable, by the way. Not some bleeding edge or ricer-cflags distribution.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    15. Re:Only one program I miss by Anonymous Coward · · Score: 1

      This was on a 15 minute old install of debian stable, by the way.

      So the bug has been fixed decades ago. Debian stable only guarantees that the program version is old enough that most critical bugs should have been found by now.

    16. Re:Only one program I miss by futhermocker · · Score: 1

      There are WAY MORE java web apps than you might think
      Where I work we have at least 3 applications that only can be used through an applet.
      Plus all our KVMs are java applets, thanks to HP...

      --
      KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
    17. Re:Only one program I miss by kthreadd · · Score: 1

      Some users may find the license more appropriate.

    18. Re:Only one program I miss by AG+the+other · · Score: 1

      The last time I tried to install Libre Office on a relative's computer the installation failed and I haven't had another chance to try it again.

      --
      Non bene pro toto libertas venditur auro
    19. Re:Only one program I miss by Nivag064 · · Score: 1

      Usually when I try to install software and it fails, I've made one or more mistakes myself! To make matters worse, I'm not always aware of what I did wrong.

      If installing LibreOffice, or any other open source software, fails and you have not made any mistakes that you are aware of - then I advise you to file a bug report.

      I am a software developer, and I know from my own experience, that any moderately complicated piece of software always has bugs - no matter how thoroughly you think you have tested it!

    20. Re:Only one program I miss by LordLimecat · · Score: 1

      Equallogic SANs use java iirc, as does HP's iLO remote management. A number of bank sites also use java applets.

    21. Re:Only one program I miss by HaZardman27 · · Score: 1

      You see, once you disable the browser plugin, that's 99% of the raison d'etre of Java gone for most end users

      The last time I needed to use the Java browser plugin was nearly a year ago for a WebEx meeting. My last job involved server-side Java code, and I use OpenOffice at home, and that pretty much sums up my need for Java, other than the occasional program I write with it (very rare since I typically find that another language would be more suited to what I'm doing, and even when I chose Java it's never for applets). I understand my use probably does not represent the average computer user, but I can't even begin to imagine what all of those people you mention would be doing with Java applets.

      --
      Apparently wizard is not a legitimate career path, so I chose programmer instead.
    22. Re:Only one program I miss by HaZardman27 · · Score: 1

      There are almost no legitimate java web apps anymore

      Depends on how you define a Java web app. Applets are dead, sure, I won't disagree with that, but in my definition a web app that uses Javascript and AJAX calls to a server-side program running on a JVM and written in Java is still a Java web app.

      --
      Apparently wizard is not a legitimate career path, so I chose programmer instead.
    23. Re:Only one program I miss by AG+the+other · · Score: 1

      Unfortunately I was helping a relative set up a new computer; I had already spent several hours working on the computer and was exhausted, so when the install failed I just changed to Open Office.

      --
      Non bene pro toto libertas venditur auro
    24. Re:Only one program I miss by jandrese · · Score: 1

      Firefox (and I'm pretty sure all of the other major browsers) will remember that a plugin is disabled even when it is updated. Just let it install and then go and disable it in your browser(s).

      --
      I read the internet for the articles.
    25. Re:Only one program I miss by Nivag064 · · Score: 1

      So my first paragraph applies - especially when one is very tired.

      Initially, I was only going to comment along the lines of my second paragraph - but I felt that would come across as too harsh & likely to provoke irritation/anger!

      All the best for your next attempt.

    26. Re:Only one program I miss by Macgrrl · · Score: 1

      A number of bank sites also use java applets

      This.

      Also utilities, ISPs and similar organisations for web forms that probably don't really need java to do what they do (probably, it's possible they actually do).

      I can't pay my credit card from Safari on my desktop Mac at home because it can't get past the balance calculation applet, but I can on my iPad iOS app.

      I tried logging a ticket with my ISP the other day and their website said they don't support Safari, Firefox or Chrome - use IE, which isn't available for Mac OS and hasn't been for years (Note I used to be able to log faults through their website). I'm trying to log a fault at the exchange that causes random dropouts.

      --
      Sara
      Designer, Gamer, Macgrrl in an XP World
    27. Re:Only one program I miss by davydagger · · Score: 1

      all three of them too.

    28. Re:Only one program I miss by davydagger · · Score: 1

      javascript != java.

      and ajax has nothing to do with it. The point is there are better ways to do AJAX than java in 2013. In fact, Java is not the go to for ajax anymore. For most interactive web apps, I think flash has taken over from java

      perl, python, php, and javascript, and now HTML5.

    29. Re:Only one program I miss by Trogre · · Score: 1

      Interesting. OpenOffice.org or Libreoffice?

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    30. Re:Only one program I miss by OdinOdin_ · · Score: 1

      A "webapp" is a server side application, think like what PHP is mainly used for. There are a huge number of Java Servlet Containers running Java webapps in the world. Note the use of the term "webapp" was coined by Java back 12+ years ago to mean use of Servlets. From my view of the world only MS .NET with ASP.NET comes close to the capabilities possible with Java webapps. Sure today some other technologies have hijacked the term for their own use.

      No one does Java Applets anymore, except as noted for corporate equipment vendors and this is usually because those large corporations (IBM, HP, Equalogic, VMware, Oracle, etc...) use the Java language for everything so they can reuse in-house knowledge. But no general public facing business uses Java Applets anymore, only closed portals or contracted for services.

      Now the issue with JavaScript and AJAX this is talking about the HTTP client side of things, so the JavaScript != Java is not relevant to the original comments (since they were talking about "webapps" and therefore server side Java, but you confuse it with client side; that no one does). Currently NodeJS is about the only technology that can be said to have an edge on Java for server side processing of AJAX/WebSockets. But there are at least 2 major projects for Java making use of the NIO/Event processing model that should be able to scale better than NodeJS. The Servlet specification has an update to ratify WebSockets, as at least 4 Java webserver implementations have already supported WebSockets to some degree but in slightly different ways, so now we have a new standard.

      My current choices are: Ruby for the offline development tools for content processing and generation (css/sprites/etc...), AngularJS for MVVM in HTML5, Java Servlets on Servlet container for service side programming model.

  3. Seems like /. is stuck on repeat... by Anonymous Coward · · Score: 1

    I have Java on my computer, but it is warm, tasty, and resides in a mug, but most importantly is exploit proof!

    1. Re:Seems like /. is stuck on repeat... by davydagger · · Score: 2

      the worst part about this is the statement is inherently untrue.

      If an attacker were to gain physical access to your machine, I could easily picture a nice denial of service attack one could perform with a hot cup of java on your computer.

      Here is a hint: it's the type that destroys the hardware.

      I don't know your setup, but I'd also question the stability of your java platform(and the cup too). If you get a user panic error, you could easily destroy your machine.

    2. Re:Seems like /. is stuck on repeat... by Nimey · · Score: 1

      It'd be more effective if the attacker would use hot grits instead.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    3. Re:Seems like /. is stuck on repeat... by Macgrrl · · Score: 1

      Or a petrified Natalie Portman.

      --
      Sara
      Designer, Gamer, Macgrrl in an XP World
    4. Re:Seems like /. is stuck on repeat... by davydagger · · Score: 1

      hosnap, you both are bringing back my 1996

  4. even worse than the vulns by csumpi · · Score: 5, Insightful

    Even worse than the vulnerabilities are the _constant_ nagging for updates. Then on top of it, the way java updates is stupid. With every update a new version is installed, and the old ones are left uninstalled. So it got uninstalled. All of it.

    The language is ok, but everything else about java just plain sucks.

    1. Re:even worse than the vulns by GodfatherofSoul · · Score: 1

      Compared to Adobe?

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    2. Re:even worse than the vulns by Anonymous Coward · · Score: 1

      I think java 7 installs updates in place - no more need to uninstall old versions. It says it does this somewhere on the oracle updater site, & it seems to be working for me on a number of platforms.

    3. Re:even worse than the vulns by Nimey · · Score: 2

      What do you mean "the old ones are left uninstalled"? Are you griping about it getting rid of old vulnerable versions, or do you have really ancient copies of Java prior to 6.0 update 10 still installed? Java 6u10 was the first version to be automatically removable by subsequent versions, so 6u7 and earlier must be manually uninstalled.

      The updater still sucks in that it requires manual intervention instead of updating in the background, yes.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    4. Re:even worse than the vulns by Anonymous Coward · · Score: 1

      http://docs.oracle.com/javase/7/docs/webnotes/install/windows/patch-in-place-and-static-jre-installation.html
      Haven't the faintest why this isn't documented more clearly in their other pages related to installation & patching.

    5. Re:even worse than the vulns by gstoddart · · Score: 4, Informative

      Even worse than the vulnerabilities are the _constant_ nagging for updates.

      And proclivity for trying to install the Ask.com toolbar.

      Currently that is my biggest beef with Java -- after the fact that it seems to be glaringly insecure, and I can't figure out if they broke it, or it was always broken. :-P

      --
      Lost at C:>. Found at C.
    6. Re:even worse than the vulns by Nimey · · Score: 2

      Because Java 7 ignores previous Java 6 installs. New Java 7 updates will remove previous Java 7 instances.

      It probably makes sense in some use cases.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    7. Re:even worse than the vulns by smash · · Score: 1

      Even worse - a recent Java update decided to upgrade me from Java 6 to Java 7 (I know this is the case, because I don't install Java 7 myself). It left Java 1.6u38 installed, and no update to Java 6. I have applications that do not run on Java 7. So I'll be running Java 6. Which is still insecure on my machine.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    8. Re:even worse than the vulns by smash · · Score: 1

      Confirmed on a second machine.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    9. Re:even worse than the vulns by dinfinity · · Score: 1

      Even worse than the vulnerabilities are the _constant_ nagging for updates.

      1. Remove the scheduled updater task.
      2. Install Secunia PSI
      3. Profit.

      Also, the JRE is updated nowadays. Only old JDKs are not removed, but that makes sense (to a developer).

    10. Re:even worse than the vulns by jandrese · · Score: 1

      And frankly, I suspect that Ask.com bar is full of security holes too.

      --
      I read the internet for the articles.
    11. Re:even worse than the vulns by gstoddart · · Score: 1

      I certainly assume it is ... every thing you install these days wants to install some form of search bar or browser plugin.

      The answer is always "no".

      --
      Lost at C:>. Found at C.
  5. Last Java 6 public update by yuhong · · Score: 1

    http://www.oracle.com/technetwork/java/javase/6u43-relnotes-1915290.html
    After this one you will need to pay for a support contract or upgrade to Java 7.

    1. Re:Last Java 6 public update by viperidaenz · · Score: 1

      I was checking java 6 builds the other day and I'm almost positive that "This is the last release" message was in the update 41 release notes before 43 was released.

    2. Re:Last Java 6 public update by yuhong · · Score: 1

      Not this one:
      http://www.oracle.com/technetwork/java/javase/6u41-relnotes-1907743.html
      Keep in mind this update is out of band.

    3. Re:Last Java 6 public update by Nimey · · Score: 1

      Marvelous. We just bought a package that requires 6 to work and doesn't with 7, /and/ it needs the browser plugin.

      Eat a bag of dicks, Ellison.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    4. Re:Last Java 6 public update by yuhong · · Score: 1

      Just bought? The support lifecycle for Java is public: http://www.oracle.com/technetwork/java/eol-135779.html

    5. Re:Last Java 6 public update by Nimey · · Score: 1

      I wasn't involved in the purchase, but the program requires JavaFX and does not appear to work with any Java 7 REs I've tried.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    6. Re:Last Java 6 public update by willie150 · · Score: 1

      We're lucky to get that one. Oracle have publicly stated that there won't be any updates to Java 6 post February 2012. http://java.com/en/download/faq/java_6.xml

      --
      Better to stay silent, and let people think you're an idiot than to open your mouth and remove all doubt
    7. Re:Last Java 6 public update by yuhong · · Score: 1

      Yep, this update is out of band which is probably why.

    8. Re:Last Java 6 public update by wmac1 · · Score: 2

      How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?

    9. Re:Last Java 6 public update by viperidaenz · · Score: 1

      They changed the release notes for 41.
      That's my story and I'm sticking to it. Even though the google cache of that page on the 25th says otherwise. Wikipedia hasn't been updated yet and says 41 is the last.

    10. Re:Last Java 6 public update by Nimey · · Score: 2

      It's a lot easier to bitch about Oracle, especially given how shoddily written their software is.

      I mean, fuck. They've managed to take the crappy security award away from Adobe.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    11. Re:Last Java 6 public update by Kenshin · · Score: 1

      Brilliant. That's like buying new software that requires Windows XP.

      --
      Does it make you happy you're so strange?

    12. Re:Last Java 6 public update by Nimey · · Score: 3, Informative

      Ever dealt with "enterprise" vendors? With that attitude I bet you haven't.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    13. Re:Last Java 6 public update by cbhacking · · Score: 1

      Who, previously, had taken it from MS. Guys, *stop* chasing that award. It's not actually a good thing! I think MS was pretty happy to give it up (after all the security work that went into NT6.x, the IE sandbox, etc.), and Adobe is showing signs of acting that way too (the Reader sandbox was a huge improvement, though Flash is still iffy), but Oracle seems dead-set on holding onto it.

      --
      There's no place I could be, since I've found Serenity...
    14. Re:Last Java 6 public update by pedestrian+crossing · · Score: 2

      Cisco ASDM (configuration/management software for ASA firewalls) doesn't work on Java 7...

      --
      A house divided against itself cannot stand.
    15. Re:Last Java 6 public update by DeDmeTe · · Score: 1

      It's running fine for me on 7.17 (ASDM 6.4)

      --
      -Guns kill people like spoons made Rosie O'Donnell fat-
    16. Re:Last Java 6 public update by Rich0 · · Score: 1

      How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?

      Uh, their latest version is only guaranteed support until July 2014 according to their website. Sure, I guess nobody is paying for it, but I'm not sure I'd base my software off of a platform that is not guaranteed to get security updates for more than a year.

      The seven years Java 6 got isn't too bad, assuming it was announced that way back in the beginning. However, it still pales compared to the stability of win32/etc.

    17. Re:Last Java 6 public update by Rich0 · · Score: 1

      I wouldn't complain too much about XP.

      XP was introduced in Dec 2001 and is supported until April 2014.

      Java 7 (SEVEN - not six - ie the latest version) was introduced in July 2011, and is supported until July 2014 (it might or might not go later, but no promises).

      If you used something more sane like Windows 7 then you're supported until 2020.

      If you deployed a new piece of software that requires XP you'd only be three months worse off than deploying a new piece of software that requires Java 7.

  6. Warning: Oracle installs ask.com toolbar by icknay · · Score: 5, Informative

    Warning: the Java installer will install the ask.com toolbar if you click the "yes, please just install my security update" button, even if you declined the toolbar at the original install -- really an obnoxious abuse of updates. Here is a very interesting analysis of the whole back and forth between the ask.com installer and the browsers trying to keep junk out. Interesting tidbit: apparently the ask.com installer sleeps for 10 minutes, so if you try to "remove" right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from ask.com in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.

    1. Re:Warning: Oracle installs ask.com toolbar by Qwavel · · Score: 1

      But that's just Oracle - and always has been Oracle. Being aggressive and obnoxious hasn't hurt them before (check their stock price).

    2. Re:Warning: Oracle installs ask.com toolbar by Anonymous Coward · · Score: 1

      If running Windows use ninite (ninite.com) to install java and other stuff w/o getting any of the toolbars. Added bonus you only have to download the installer once, it will still update everything to latest version. It does install both 32 and 64 bit java if you're running 64 bit windows.

    3. Re:Warning: Oracle installs ask.com toolbar by Anonymous Coward · · Score: 1
    4. Re:Warning: Oracle installs ask.com toolbar by smash · · Score: 2

      Also - watch out, it may also re-enable the Java plugin in your browser if you had previously turned it off, on at least one box I've updated on (previous update).

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    5. Re:Warning: Oracle installs ask.com toolbar by bloodhawk · · Score: 3, Insightful

      It's a damn slap in the face. You install updates to protect yourself and you get the fucking ask.com malware as your reward.

  7. OpenJDK .. by dgharmon · · Score: 3, Interesting

    Does this exploit work under the OpenJDK Runtime Environment?

    --
    AccountKiller
    1. Re:OpenJDK .. by sourcerror · · Score: 1

      As far as I know, OpenJDK is not really a fork, just a stripped down version of the Oracle JDK.

    2. Re:OpenJDK .. by ChunderDownunder · · Score: 3, Informative

      So yes, probably.

      The security flaw isn't necessarily in the browser plugin per se. Rather it's in the class libraries that are 'sandboxed' when running in a security manager.

      Were one to substitute, say, the IcedTea browser plugin, one would still be accessing the same underlying libraries and security manager implementations. I.e., following each security patch to Java, a Red Hat employee is quick to roll out a new IcedTea release with those patches.

  8. Java and Flash remind me of this song.. by DigitAl56K · · Score: 1
  9. So, Oracle managed to mess this one up as well... by SpaceCracker · · Score: 1

    All these security holes are losing credibility for Java.
    That's good news for .Net.
    What about the rest of us?

    It seems like the right time for a new alternative to show up. Any takers?

    --
    sigo ergo sum
  10. I'll stick with the Java that I can drink. by Darth+Twon · · Score: 1

    And Barry Allen.

    --
    Take this sig and smoke it.
  11. Re:So, Oracle managed to mess this one up as well. by TheSunborn · · Score: 1

    Sorry, but I will keep using java server side. I just hope I don't end up with that "Ask toolbar" on our server :}

    And the fact that the Java Security Manager is as safe as an open door does not really matter, because 99% of all server side java code is running without the security manager. (Or at least without relying on the Security manager to provide security).

  12. Re:LOL by ls671 · · Score: 2

    Ok, I am sick of this. Java is a fine language and platform and it doesn't deserve all the bad press it got lately just because it is poorly managed at the moment in one specific area: browser plugins. Banks and other corporate customers that feed Oracle couldn't care less about the flaws because they use Java server-side.

    Here is my theory, I could be wrong...

    Sun and Oracle philosophy were pretty different. Since Sun was acquired by Oracle, Oracle is split in 2 camps and stuck with a problem:

    1) Sun's former employees. The ones that haven't left yet but that are kind of resisting still from the inside.
    2) Legacy Oracle employees.

    Sun's employees are much closer to the real old school geeky Linux user style than Oracle employees, who are closer to a Microsoft representative in their style. Sun's employees know this; they also have a strong ego.

    So making Java look stupid would sure get a stab at those former Sun's employees that think they know everything and possibly make them easier to merge into the company mentality or cause them to resign.

    When you bitch about Java, you may just be playing Oracle's game... But then again, could this theory possibly make sense to anybody else?

    --
    Everything I write is lies, read between the lines.
  13. It's Upload, Not Download by StormReaver · · Score: 3, Informative

    When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; they already had it, and weren't trying to get it from the victims' computers.

    Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.

    1. Re:It's Upload, Not Download by ChaseTec · · Score: 1

      Why? You downloaded an applet from a website which then downloaded the McRAT trojan. The article was misleading about who or what was doing the download but not the initiator of the transfer.

      --
      My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
    2. Re:It's Upload, Not Download by slimjim8094 · · Score: 1

      It's completely correct. The user's computer downloaded the applet, which then proceeded to download the trojan from some Internet location and install it through this vulnerability. Uploading implies that the attackers were the "active" party; that would generally be a worm.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    3. Re:It's Upload, Not Download by Phrogman · · Score: 1

      Technically they got the user's system to download the McRAT Trojan surreptitiously by exploiting the vulnerability in Java :)

      Client to Server: Upload
      Server to Client: Download

      So it's correct but not very grammatically clear.

      --
      "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
    4. Re:It's Upload, Not Download by StormReaver · · Score: 1

      Consider the context of the sentence: "[A]ttackers exploiting the flaw were able to..."

      They were able to...what? Uploading and downloading are terms used within the context of who is doing what. When a file is being transferred, uploading and downloading are occurring simultaneously. One side of the transmission is downloading, and the other side of the transmission is uploading. The side of the transmission that is receiving the data is downloading, and the side of the transmission that is sending the data is uploading. It doesn't matter if it's client/server, peer to peer, or Morse code through flashlights; the rule is the same: the sender is uploading, and the receiver is downloading. It similarly doesn't matter who initiated the transfer.

      The article was not in any way misleading about who was doing what. The victims were downloading, and the attackers were uploading.

  14. Troolbar by snsh · · Score: 1

    Will this update install the Google toolbar, Yahoo toolbar, Bing toolbar, or Ask.com toolbar?

  15. Evil Masterminds by bill_mcgonigle · · Score: 1

    I get the impression that a group of hackers is working on a collection of Java vulnerabilities with the goal of releasing a new 0-day for the Java plugin a day after every Oracle update.

    I can think of a half-dozen ways Oracle could respond to such a tactic and each is a bit more chuckle-inducing than the last.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Evil Masterminds by MadKeithV · · Score: 1

      Who would benefit?

      Everyone who doesn't have Java installed gets a good laugh out of it, for starters.

    2. Re:Evil Masterminds by Nimey · · Score: 1

      Anybody who doesn't like Larry Ellison, i.e. everyone who's dealt with him personally.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  16. How to stop applets from running by TrueSpeed · · Score: 3, Insightful

    The Java Control Panel (in the Windows control panel) contains a checkbox under the Security Panel called "Enable Java content in the Browser". Uncheck this if you do not want applets to run. This selection stays persisted each time you update the JRE.

    Once again,

    Windows Control Panel->Java Control Panel->Security Panel. Make sure the "Enable Java content in the Browser" checkbox is unchecked.

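    The Control Panel steps above flip a setting in the user's deployment.properties file; the script below is an added example (not from this thread or from Oracle) that audits such a file so the check can be scripted across many machines. It assumes the checkbox is backed by the key deployment.webjava.enabled and that a .locked suffix pins a key against changes in the Control Panel; both names are assumptions here, and the sample files are constructed.

```python
"""Audit a Java deployment.properties file for the browser-plugin switch."""

# Assumed key behind "Enable Java content in the browser" (not stated in the thread).
KEY = "deployment.webjava.enabled"
LOCK = KEY + ".locked"          # assumed: a .locked entry pins the setting

# Constructed sample files, labelled as such; not real captures.
SAMPLE_DISABLED = (
    "#deployment.properties\n"
    "#Wed Mar 06 2013\n"
    "deployment.webjava.enabled=false\n"
    "deployment.webjava.enabled.locked\n"
)
SAMPLE_DEFAULT = "deployment.version=7.15\n"   # key absent: installer default


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments.

    A line with no '=' (such as a bare .locked entry) is recorded with an
    empty value, which is how java.util.Properties treats a value-less key.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        props[key.strip()] = value.strip() if sep else ""
    return props


def plugin_status(text: str) -> dict:
    """Report whether Java content in the browser is enabled and locked.

    An absent key is treated as enabled, since that is the installer default
    the thread complains about; only an explicit 'false' counts as disabled.
    """
    props = parse_properties(text)
    enabled = props.get(KEY, "true").strip().lower() != "false"
    return {"enabled": enabled, "locked": LOCK in props}


if __name__ == "__main__":
    for name, sample in (("disabled", SAMPLE_DISABLED), ("default", SAMPLE_DEFAULT)):
        print(name, plugin_status(sample))
```

    A fleet check would feed each user's deployment.properties to plugin_status and flag any result with "enabled": True.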
  17. How do I disable Java in my browser by TrueSpeed · · Score: 3, Informative
  18. This one is different by Anonymous Coward · · Score: 1

    Sounds like they have run out of pure sandbox vulnerabilities. Most of the previous ones were exploiting a properly running client sandbox and hence were pretty straightforward and reliable.

    This one is apparently related to JPG image handling. It just tries to corrupt JVM memory and often crashes it.

    My guess is, the rate at which vulnerabilities are discovered now is going to be a lot slower. The language sandbox is now probably fairly decent. Exploit writers are going to have to resort to finding bugs in native libraries used by JVM. I would not expect any new ones soon.

  19. Re:"3 Billion Devices Run Java by MemoryDragon · · Score: 1

    They also don't use the Java Plugin, which is the problem there :-)

  20. Re:LOL by TheRaven64 · · Score: 5, Interesting

    This has nothing to do with Oracle. The browser plugin has a long history of security holes going back well over a decade and the bitching has been going on since 1995. The problem is that writing a language implementation that is both fast and 100% correct is really hard. The safety properties of Java (and any other managed language) rely on the implementation being 100% correct. This is relatively easy for something like the Squeak Smalltalk VM, which is a single-threaded bytecode interpreter with a stop-the-world garbage collector, but people insist on the JVM doing all sorts of optimisations, supporting multiple threads and so on. The early complaints about Java were that it was slow. The more recent complaints are that it's not correct. Well, you have three choices:
    • Have a slow VM.
    • Have a fast, but incorrect, VM, and be aware that every error is a potential security hole.
    • Formally verify your VM. Be aware that this will cost at least 30 times as much[1] as the non-verified version.

    Relying on software enforcement for security is just asking for trouble.

    [1] The factor of 30 comes from seL4 which, to my knowledge, is the formally verified project that managed the smallest overhead. Other estimates from other projects are 100 or more times the cost.

    --
    I am TheRaven on Soylent News
  21. Re:LOL by JDG1980 · · Score: 1

    Ok, I am sick of this. Java is a fine language and platform and it doesn't deserve all the bad press it got lately just because it is poorly managed at the moment in one specific area: browser plugins. Banks and other corporate customers that feed Oracle couldn't care less about the flaws because they use Java server-side.

    The problem is that, until very recently, the Java installer went out of its way to shove the browser plugin down your throat. Even if you removed it manually, it would come back the next time Java was updated. They changed it recently so you can disable the plugin in the control panel, but that's not really good enough – it ought to be turned off by default. In fact, it should probably be a separate download, with a warning that it's for legacy support only. Also, they really need to stop using the update process as an opportunity to try to make an extra buck with Ask Toolbar.

  22. delta patches please by X0563511 · · Score: 1

    I'm getting very tired of installing a new JRE and JDK over and over again, including the JCE.

    Can we please get an in-place delta patch, Oracle? It's 2013, we have these things you know.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  23. Pretty simple solution by boorack · · Score: 1

    Don't force users to install browser plugin crapola. One simple checkbox in setup program (unchecked by default) would make lives better for many, many people (mainly developers). Unfortunately, Oracle chose to use JDK to force lots of crap down our throats (JavaFX, browser plugin plus some other browser crapola), so virtually everyone using Java for any purpose is affected by Java security holes. Unfortunate situation that boils down to stubborn Oracle managos... is there anything in the world that Larry won't be able to turn into crap just by touching it?

  24. Re:LOL by hraponssi · · Score: 1

    Just to go completely offtopic and straight for the woods, if you do that 30-100x cost of formal verification (which goes on forever as you evolve your software), then what did you verify?

    I had a look at that seL4 project as it sounds interesting. They claim to have used a theorem prover to "construct the proof". Does a theorem prover now read your specs, consult your experts, and construct the proof for you? Or does it just take what you write and your "constructing the proof" is writing all the specs yourself and running some prover to tell you how great your formal logics and nasty looking complex statements are? Like in "the logic of bugs"?

    Who verifies the spec for what is to be proven in the first place? That is hard even in testing, which deals mostly with more human processable stuff.

    Of course the project lists low-level details as being proven such as lack of buffer overflows, which don't really require much of a spec, so I suppose for those it can be nice with the 100 times overhead. Then you can address the rest of the security issues, which nicely would be much smaller though.

    Anyway, that stuff would be nice if you could feed it a million LOC and press a button. Still waiting for the day...

  25. Re:LOL by TheRaven64 · · Score: 1

    In the seL4 case, they first write a formal specification. Then they (oversimplifying slightly) prove an equivalence of their implementation (in a restricted subset of C) and their specification. Then they prove properties (e.g. isolation) of their specification. You can't just take some C code and say 'is this correct' without a spec, and you typically can't take arbitrary C code and say 'do these properties hold for this code'. Even in the seL4 case, there are some issues; for example, the correct functioning of the MMU is taken as axiomatic.

    --
    I am TheRaven on Soylent News
  26. Re:Love Java, but dislike Javascript by Cito · · Score: 1

    Firefox states that the browser javascript plugin is vulnerable and automatically turns it off.

    http://www.h-online.com/security/news/item/New-holes-discovered-in-latest-Java-versions-1810990.html

    Firefox now by default turns off javascript in the browser unless you specifically tell it to accept, similar to noscript.

    Which is the same bug as the original article fixes. But Firefox is still refusing to allow javascript by default, and until further notice all javascript plugins will be disabled by default in Firefox.

    I was pointing out some people are confusing Java and Javascript, I explained they are 2 totally different creatures.

  27. Re:And Open Office still runs by Macgrrl · · Score: 1

    Does anyone else periodically feel like throwing their computer out the window with the constant nag screens to update Adobe Flash or Acrobat Reader that seem to appear every week or so?

    --
    Sara
    Designer, Gamer, Macgrrl in an XP World