Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities

msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809, the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."

Uninstall

[Dan+East]

I uninstalled everything starting with "java" on my computers, and the only thing now missing is the every-other-day notification that Java needs to be updated.

Re:Uninstall

[DigitAl56K]

I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS.

It's entirely different, the plugin is supposed to be sandboxed.

Re:Uninstall

[Deekin_Scalesinger]

Look me in the eye and tell me you compile everything from source, after verifying each line of code. Do you trust Mozilla? Canonical? Berkeley? What an asinine statement.

Re:Uninstall

[holostarr]

Obviously sometimes you have no choice but to trust someone else's code, but there is a difference between blindly trusting all code versus evaluating the source of the code and deciding whether or not there is enough good faith for the source to be trusted.

Re:Uninstall

[Technomancer]

Thats easy, just click on this llittle Java app.

Re:Only one program I miss

[mcl630]

Most of the Java vulnerabilities are in the browser plugin. You can always install Java and just disable the browser plugin.

Re:Only one program I miss

[TsuruchiBrian]

You can have the java virtual machine installed without using the java applet plugin for your browser. The recent security problems are only for the java applet browser plugin, which is now disabled by default by firefox and probably other browsers as well.

even worse than the vulns

[csumpi]

Even worse than the vulnerabilities are the _constant_ nagging for updates. Then on top of it, the way java updates is stupid. With every update a new version is installed, and the old ones are left uninstalled. So it got uninstalled. All of it.

The language is ok, but everything else about java just plain sucks.

Re:even worse than the vulns

[gstoddart]

Even worse than the vulnerabilities are the _constant_ nagging for updates.

And proclivity for trying to install the Ask.com toolbar.

Currently that is my biggest beef with Java -- after the fact that it seems to be glaringly insecure, and I can't figure out if they broke it, or it was always broken. :-P

Re:Only one program I miss

[Desler]

Open office won't work without Java.

Sure it does. The only parts that really required Java were a couple of wizards and the RDBMS.

Re:Only one program I miss

I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.

Warning: Oracle installs ask.com toolbar

[icknay]

Warning: the Java installer will install the ask.com toolbar if you click the "yes, please just install my security update" button, even for the original install you declined the toolbar -- really an obnoxious abuse of updates. Here is a very interesting analysis of the whole back and forth between the ask.com installer and the browsers trying to keep junk out. Interesting tidbit: apparently the ask.com installer sleeps for 10 minutes, so if you try to "remove" right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from ask.com in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.

Re:Warning: Oracle installs ask.com toolbar

[bloodhawk]

It's a damn slap in the face. You install updates to protect yourself and you get the fucking ask.com malware as your reward.

OpenJDK ..

[dgharmon]

Does this exploit work under the OpenJDK Runtime Environment?

Re:OpenJDK ..

[ChunderDownunder]

So yes, probably.

The security flaw isn't necessarily in the browser plugin per se. Rather it's in the class libraries that are 'sandboxed' when running in a security manager.

Were one to substitute, say, the IcedTea browser plugin, one would still be accessing the same underlying libraries and security manager implementations. i.e. following each security patch to Java, a Red Hat employee is quick to roll out a new IcedTea release with those patches.

Re:Only one program I miss

[smash]

.... and Base is pretty damn broken anyhow. I tested it a couple of months back - create new database. create a single table with 2 fields, a primary key and a name. It crashed when I tried to save the table design. Doesn't exactly inspire confidence as far as holding my data goes, which is somewhat crucial for a DATABASE.

Re:Only one program I miss

[dissy]

Just install 64 bit java JRE only. There are no browser plugins in the 64 bit JRE, only the 32 bit JRE, so none of the vulnerabilities released in the past 3 or 4 years will affect you.

As a bonus, since there are no browser addons in 64 bit JRE, you won't ever see that annoying ask toolbar garbage from them again.

Re:Last Java 6 public update

[Nimey]

Ever dealt with "enterprise" vendors? With that attitude I bet you haven't.

It's Upload, Not Download

[StormReaver]

When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; They already had it, and weren't trying to get it from the victims' computers.

Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.

How to stop applets from running

[TrueSpeed]

The Java Control Panel (in the Windows control panel) contains a checkbox under the Security Panel called "Enable Java content in the Browser". Uncheck this if you do not want applets to run. This selection stays persisted each time you update the JRE.

Once again,

Windows Control Panel->Java Control Panel->Security Panel. Make sure the "Enable Java content in the Browser" checkbox is unchecked.

How do I disable Java in my browser

[TrueSpeed]

http://www.java.com/en/download/help/disable_browser.xml

Re:LOL

[TheRaven64]

This has nothing to do with Oracle. The browser plugin has a long history of security holes going back well over a decade and the bitching has been going on since 1995. The problem is that writing a language implementation that is both fast and 100% correct is really hard. The safety properties of Java (and any other managed language) rely on the implementation being 100% correct. This is relatively easy for something like the Squeak Smalltalk VM, which is a single-threaded bytecode interpreter with a stop-the-world garbage collector, but people insist on the JVM doing all sorts of optimisations, supporting multiple threads and so on. The early complaints about Java were that it was slow. The more recent complaints are that it's not correct. Well, you have three choices:

• Have a slow VM.
• Have a fast, but incorrect, VM, and be aware that every error is a potential security hole.
• Formally verify your VM. Be aware that this will cost at least 30 times as much[1] as the non-verified version.

Relying on software enforcement for security is just asking for trouble.

[1] The factor of 30 comes from seL4 which, to mu knowledge, is the formally verified project that managed the smallest overhead. Other estimates from other projects are 100 or more times the cost.