Slashdot Mirror


Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities

msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809; the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."

34 of 165 comments

  1. Uninstall by Dan East · · Score: 5, Funny

    I uninstalled everything starting with "java" on my computers, and the only thing now missing is the every-other-day notification that Java needs to be updated.

    --
    Better known as 318230.
    1. Re:Uninstall by DigitAl56K · · Score: 4, Insightful

      I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS.

      It's entirely different; the plugin is supposed to be sandboxed.

    2. Re:Uninstall by holostarr · · Score: 2

      Just because it's supposed to doesn't mean you should run untrusted code.

    3. Re:Uninstall by Deekin_Scalesinger · · Score: 4, Insightful

      Look me in the eye and tell me you compile everything from source, after verifying each line of code. Do you trust Mozilla? Canonical? Berkeley? What an asinine statement.

      --
      "As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
    4. Re:Uninstall by holostarr · · Score: 5, Insightful

      Obviously sometimes you have no choice but to trust someone else's code, but there is a difference between blindly trusting all code versus evaluating the source of the code and deciding whether or not there is enough good faith for the source to be trusted.

    5. Re:Uninstall by Decker-Mage · · Score: 2, Interesting

      Sadly, more than a few "security" tools here require Java or .NET.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    6. Re:Uninstall by Technomancer · · Score: 4, Funny

      That's easy, just click on this little Java app.

    7. Re:Uninstall by MemoryDragon · · Score: 2

      Disabling the browser plugin also would have helped.

    8. Re:Uninstall by qaz123 · · Score: 2

      Windows Control Panel -> Java -> Security
      Uncheck the "Enable Java content in the browser" checkbox.
      That would be enough.

  2. Re:Only one program I miss by mcl630 · · Score: 5, Informative

    Most of the Java vulnerabilities are in the browser plugin. You can always install Java and just disable the browser plugin.

  3. Re:Only one program I miss by TsuruchiBrian · · Score: 3, Interesting

    You can have the Java virtual machine installed without using the Java applet plugin for your browser. The recent security problems are only for the Java applet browser plugin, which is now disabled by default by Firefox and probably other browsers as well.

  4. even worse than the vulns by csumpi · · Score: 5, Insightful

    Even worse than the vulnerabilities are the _constant_ nagging for updates. Then on top of it, the way java updates is stupid. With every update a new version is installed, and the old ones are left uninstalled. So it got uninstalled. All of it.

    The language is ok, but everything else about java just plain sucks.

    1. Re:even worse than the vulns by Nimey · · Score: 2

      What do you mean "the old ones are left uninstalled"? Are you griping about it getting rid of old vulnerable versions, or do you have really ancient copies of Java prior to 6.0 update 10 still installed? Java 6u10 was the first version to be automatically removable by subsequent versions, so 6u7 and earlier must be manually uninstalled.

      The updater still sucks in that it requires manual intervention instead of updating in the background, yes.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:even worse than the vulns by gstoddart · · Score: 4, Informative

      Even worse than the vulnerabilities are the _constant_ nagging for updates.

      And proclivity for trying to install the Ask.com toolbar.

      Currently that is my biggest beef with Java -- after the fact that it seems to be glaringly insecure, and I can't figure out if they broke it, or it was always broken. :-P

      --
      Lost at C:>. Found at C.
    3. Re:even worse than the vulns by Nimey · · Score: 2

      Because Java 7 ignores previous Java 6 installs. New Java 7 updates will remove previous Java 7 instances.

      It probably makes sense in some use cases.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  5. Re:Only one program I miss by Desler · · Score: 5, Insightful

    Open office won't work without Java.

    Sure it does. The only parts that really required Java were a couple of wizards and the RDBMS.

  6. Re:Only one program I miss by Anonymous Coward · · Score: 3, Interesting

    I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.

  7. Warning: Oracle installs ask.com toolbar by icknay · · Score: 5, Informative

    Warning: the Java installer will install the ask.com toolbar if you click the "yes, please just install my security update" button, even if you declined the toolbar during the original install -- really an obnoxious abuse of updates. Here is a very interesting analysis of the whole back and forth between the ask.com installer and the browsers trying to keep junk out. Interesting tidbit: apparently the ask.com installer sleeps for 10 minutes, so if you try to "remove" right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from ask.com in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.

    1. Re:Warning: Oracle installs ask.com toolbar by smash · · Score: 2

      Also - watch out, it may also re-enable the Java plugin in your browser if you had previously turned it off, on at least one box I've updated on (previous update).

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:Warning: Oracle installs ask.com toolbar by bloodhawk · · Score: 3, Insightful

      It's a damn slap in the face. You install updates to protect yourself and you get the fucking ask.com malware as your reward.

  8. OpenJDK .. by dgharmon · · Score: 3, Interesting

    Does this exploit work under the OpenJDK Runtime Environment?

    --
    AccountKiller
    1. Re:OpenJDK .. by ChunderDownunder · · Score: 3, Informative

      So yes, probably.

      The security flaw isn't necessarily in the browser plugin per se. Rather it's in the class libraries that are 'sandboxed' when running in a security manager.

      Were one to substitute, say, the IcedTea browser plugin, one would still be accessing the same underlying libraries and security manager implementations. I.e., following each security patch to Java, a Red Hat employee is quick to roll out a new IcedTea release with those patches.

  9. Re:Only one program I miss by smash · · Score: 3, Interesting

    .... and Base is pretty damn broken anyhow. I tested it a couple of months back - create new database. create a single table with 2 fields, a primary key and a name. It crashed when I tried to save the table design. Doesn't exactly inspire confidence as far as holding my data goes, which is somewhat crucial for a DATABASE.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  10. Re:Last Java 6 public update by wmac1 · · Score: 2

    How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?

  11. Re:Last Java 6 public update by Nimey · · Score: 2

    It's a lot easier to bitch about Oracle, especially given how shoddily written their software is.

    I mean, fuck. They've managed to take the crappy security award away from Adobe.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  12. Re:Only one program I miss by dissy · · Score: 4, Informative

    Just install 64 bit java JRE only. There are no browser plugins in the 64 bit JRE, only the 32 bit JRE, so none of the vulnerabilities released in the past 3 or 4 years will affect you.

    As a bonus, since there are no browser addons in 64 bit JRE, you won't ever see that annoying ask toolbar garbage from them again.

  13. Re:LOL by ls671 · · Score: 2

    Ok, I am sick of this. Java is a fine language and platform and it doesn't deserve all the bad press it got lately just because it is poorly managed at the moment in one specific area: browser plugins. Banks and other corporate customers that feed Oracle couldn't care less about the flaws because they use Java server-side.

    Here is my theory, I could be wrong...

    Sun's and Oracle's philosophies were pretty different. Since Sun was acquired by Oracle, Oracle is split into 2 camps and stuck with a problem:

    1) Sun's former employees. The ones that haven't left yet but that are kind of resisting still from the inside.
    2) Legacy Oracle employees.

    Sun's employees are much closer to the real old school geeky Linux user style than Oracle employees, who are closer to a Microsoft representative in their style. Sun's employees know this; they also have a strong ego.

    So making Java look stupid would sure get a stab at those former Sun employees that think they know everything and possibly make them easier to merge into the company mentality or cause them to resign.

    When you bitch about Java, you may just be playing Oracle's game... But then again, could this theory possibly make sense to anybody else?

    --
    Everything I write is lies, read between the lines.
  14. Re:Last Java 6 public update by Nimey · · Score: 3, Informative

    Ever dealt with "enterprise" vendors? With that attitude I bet you haven't.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  15. It's Upload, Not Download by StormReaver · · Score: 3, Informative

    When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; They already had it, and weren't trying to get it from the victims' computers.

    Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.

  16. Re:Seems like /. is stuck on repeat... by davydagger · · Score: 2

    The worst part about this is the statement is inherently untrue.

    If an attacker were to gain physical access to your machine, I could easily picture a nice denial of service attack one could perform with a hot cup of java on your computer.

    Here is a hint: it's the type that destroys the hardware.

    I don't know your setup, but I'd also question the stability of your java platform(and the cup too). If you get a user panic error, you could easily destroy your machine.

  17. How to stop applets from running by TrueSpeed · · Score: 3, Insightful

    The Java Control Panel (in the Windows control panel) contains a checkbox under the Security Panel called "Enable Java content in the Browser". Uncheck this if you do not want applets to run. This selection stays persisted each time you update the JRE.

    Once again,

    Windows Control Panel->Java Control Panel->Security Panel. Make sure the "Enable Java content in the Browser" checkbox is unchecked.
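
A way to make that checkbox setting survive per-user changes and JRE updates, as an added example that is not from this thread: the same setting written to the system-level deployment.properties file and locked there, then read back as a check. This is PowerShell for a standard Oracle JRE 7 on Windows run from an elevated prompt; the file locations are Oracle's documented system-level (%WINDIR%\Sun\Java\Deployment) and per-user (AppData\LocalLow\Sun\Java\Deployment) paths, and deployment.webjava.enabled is the property behind the "Enable Java content in the browser" checkbox. The Test-WebJavaDisabled function is a name chosen here, not an Oracle or Windows cmdlet.

```powershell
# Added example, not from the Slashdot thread. Writes the system-level Java deployment
# config so "Enable Java content in the browser" is off for every user and locked in the
# Java Control Panel, then checks both the system and the current user's properties file.
# Assumes Oracle JRE 7 on Windows and an elevated prompt; paths are Oracle's documented ones.

$systemDir  = Join-Path $env:WINDIR 'Sun\Java\Deployment'
$configFile = Join-Path $systemDir 'deployment.config'
$systemProp = Join-Path $systemDir 'deployment.properties'
$userProp   = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'

New-Item -ItemType Directory -Path $systemDir -Force | Out-Null

# deployment.config tells the JRE where the system properties live and that loading them is
# mandatory. A file: URL with forward slashes avoids escaping backslashes in a properties file.
$propUrl = 'file:///' + ($systemProp -replace '\\', '/')
@(
    "deployment.system.config=$propUrl"
    'deployment.system.config.mandatory=true'
) | Set-Content -Path $configFile -Encoding Ascii

# The checkbox itself, plus the ".locked" marker so users cannot re-enable it from the
# Java Control Panel (the checkbox shows greyed out once this is in place).
@(
    'deployment.webjava.enabled=false'
    'deployment.webjava.enabled.locked'
) | Set-Content -Path $systemProp -Encoding Ascii

function Test-WebJavaDisabled {
    # Returns $true only if the file exists and sets deployment.webjava.enabled to false.
    # Java properties files accept "key=value" or "key:value", so both separators are matched.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*deployment\.webjava\.enabled\s*[=:]\s*(\S+)') {
            return $Matches[1].ToLower() -eq 'false'
        }
    }
    return $false
}

# Re-run this check after every JRE update: one poster in this thread saw an update turn the
# plugin back on in a user profile. With the system-level lock in place the user-level value is
# overridden, but reading it still shows whether an update flipped the user's own setting.
"system-level disabled: $(Test-WebJavaDisabled $systemProp)"
"user-level disabled:   $(Test-WebJavaDisabled $userProp)"
```

Without the .locked line the system file only supplies a default, and a user (or an installer acting as the user) can flip the checkbox back in the Control Panel; the lock is what makes the setting hold across the people and updates the posters above complain about.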

  18. How do I disable Java in my browser by TrueSpeed · · Score: 3, Informative
  19. Re:Last Java 6 public update by pedestrian crossing · · Score: 2

    Cisco ASDM (configuration/management software for ASA firewalls) doesn't work on Java 7...

    --
    A house divided against itself cannot stand.
  20. Re:LOL by TheRaven64 · · Score: 5, Interesting

    This has nothing to do with Oracle. The browser plugin has a long history of security holes going back well over a decade and the bitching has been going on since 1995. The problem is that writing a language implementation that is both fast and 100% correct is really hard. The safety properties of Java (and any other managed language) rely on the implementation being 100% correct. This is relatively easy for something like the Squeak Smalltalk VM, which is a single-threaded bytecode interpreter with a stop-the-world garbage collector, but people insist on the JVM doing all sorts of optimisations, supporting multiple threads and so on. The early complaints about Java were that it was slow. The more recent complaints are that it's not correct. Well, you have three choices:
    • Have a slow VM.
    • Have a fast, but incorrect, VM, and be aware that every error is a potential security hole.
    • Formally verify your VM. Be aware that this will cost at least 30 times as much[1] as the non-verified version.

    Relying on software enforcement for security is just asking for trouble.

    [1] The factor of 30 comes from seL4 which, to my knowledge, is the formally verified project that managed the smallest overhead. Other estimates from other projects are 100 or more times the cost.

    --
    I am TheRaven on Soylent News