Slashdot Mirror


Oracle Releases Massive Security Update

wiredmikey writes: Oracle has pushed out a massive security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite. Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.

17 of 79 comments

  1. No secure download by buchner.johannes · · Score: 5, Informative

    There is still no way of authenticating Java downloads? Either a download through HTTPS or a hash fingerprint of the file, accessible via HTTPS? This used to exist up until ~2 years ago, but now it is all insecure (the download can include drive-by malware).

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:No secure download by Wootery · · Score: 4, Insightful

      the download can include drive-by malware

      Can? If memory serves, you have to opt out of McAfee in the Java installer.

    2. Re:No secure download by Anonymous Coward · · Score: 2, Informative

      For Standard Edition JDK or JRE:

      http://www.oracle.com/technetwork/java/javase/downloads/index.html

      Click which package you want to download, and then on the download page click the checksum link:

      https://www.oracle.com/webfolder/s/digest/8u31checksum.html

      There's no bundleware like the Ask toolbar with the Java installer from Oracle's website.

    3. Re:No secure download by Wootery · · Score: 2

      Just so I know, you are kidding, right?

    4. Re:No secure download by hawguy · · Score: 2

      For Standard Edition JDK or JRE:

      http://www.oracle.com/technetwork/java/javase/downloads/index.html

      Click which package you want to download, and then on the download page click the checksum link:

      https://www.oracle.com/webfolder/s/digest/8u31checksum.html

      There's no bundleware like the Ask toolbar with the Java installer from Oracle's website.

      A simple checksum stored with the binary is not a means of authentication, it's only a means to validate that there was no file corruption on download (since an attacker can update the checksum(s) at the same time he modifies the binary). Something like a cryptographic signature would be needed for authentication (with a validated means of public key distribution).

      Since the download link does not use SSL, even if you trust that no one has corrupted Oracle's repository, you have no assurance that the file you download hasn't been modified in-transit using a man-in-the-middle attack.

    5. Re:No secure download by Anonymous Coward · · Score: 2, Informative

      Um, the checksum is the binary's MD5 hash. It's not "stored" with the binary. The hashes are listed in that second link I provided, which is an SSL page. To verify the binary's integrity, run an MD5 sum generator on the binary and compare the hash you get with the hash listed on the SSL page. If they match, you got a good download. If they don't, then you got a bad download and you shouldn't install it.
      Geez, I can't believe this has to be explained on Slashdot.

    6. Re:No secure download by hawguy · · Score: 3, Informative

      Um, the checksum is the binary's MD5 hash. It's not "stored" with the binary. The hashes are listed in that second link I provided, which is an SSL page. To verify the binary's integrity, run an MD5 sum generator on the binary and compare the hash you get with the hash listed on the SSL page.

      That would be more meaningful if the link to the MD5 checksums was not on the same non-SSL page as the link to the binaries, and so subject to manipulation -- an attacker can make it point anywhere they want, and unless a user "knows" that the checksum page is supposed to be SSL, they'd never know (yes, you gave the SSL page, but how do I know that you're not an attacker and that you gave me a fake page that you happened to upload to an Oracle server?). Likewise, if someone can alter the binary on the repo, who is to say that they can't alter the checksum file as well?

      There's one well-established method to validate downloads, and that is to use a cryptographic signature (with a well-protected private key; the signature should be generated on a completely offline computer).

      MD5 verification may be "good enough" for most uses, but it's very weak authentication.

      If they match, you got a good download. If they don't, then you got a bad download and you shouldn't install it.
      Geez, I can't believe this has to be explained on Slashdot.

      You seem to be confusing download verification with authentication -- they are different concepts.
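      The distinction drawn in this thread (hawguy's point that a checksum answers "did the bytes arrive intact?" while only a signature with a pinned public key answers "who produced this?") in working code. This is an added Go example, not code from the thread or from Oracle; it assumes an Ed25519 vendor signing key, uses SHA-256 rather than MD5 for the digest, and all installer bytes are constructed stand-ins. It also plays out the case an attacker who controls the repository or the plain-HTTP page republishes both binary and checksum, and the case where the "pinned" key itself was fetched from that same page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a download page publishes: the installer bytes, the
// checksum that a digest page lists for it, and (for a signed release) a
// detached signature. All installer bytes in this file are constructed
// stand-ins, not a real JRE.
type Release struct {
	Binary   []byte
	Checksum string // hex SHA-256 of Binary, as a digest page would show it
	Sig      []byte // Ed25519 signature over Binary; nil for an unsigned release
}

// Publish is the release step: hash the artefact and sign it with a private
// key that stays on the vendor's (ideally offline) signing machine.
func Publish(priv ed25519.PrivateKey, binary []byte) Release {
	sum := sha256.Sum256(binary)
	return Release{
		Binary:   binary,
		Checksum: hex.EncodeToString(sum[:]),
		Sig:      ed25519.Sign(priv, binary),
	}
}

// ChecksumMatches only answers "did the bytes arrive intact?". Whoever can
// replace the binary on the server or in transit can republish a matching
// checksum, so a match says nothing about who produced the file.
func ChecksumMatches(r Release) bool {
	sum := sha256.Sum256(r.Binary)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// SignatureValid answers "was this signed by the holder of the private key
// matching the pinned public key?". The pinned key must have been obtained
// through a channel the attacker does not control; otherwise the check
// collapses back to trusting the download page.
func SignatureValid(pinned ed25519.PublicKey, r Release) bool {
	if len(pinned) != ed25519.PublicKeySize || len(r.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, r.Binary, r.Sig)
}

// CorruptInTransit models damage to the body only (a bad mirror, a flipped
// bit), with the published checksum and signature left as they were.
func CorruptInTransit(r Release) Release {
	b := append([]byte(nil), r.Binary...)
	if len(b) > 0 {
		b[0] ^= 0xff
	}
	return Release{Binary: b, Checksum: r.Checksum, Sig: r.Sig}
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Publish(vendorPriv, []byte("constructed installer bytes"))
	fmt.Println("genuine     checksum:", ChecksumMatches(genuine), "signature:", SignatureValid(vendorPub, genuine))

	corrupted := CorruptInTransit(genuine)
	fmt.Println("corrupted   checksum:", ChecksumMatches(corrupted), "signature:", SignatureValid(vendorPub, corrupted))

	// The case discussed above: someone who controls the repo or the plain-HTTP
	// page ships their own binary together with its own (correct) checksum.
	// They can even sign it, but only with a key of their own.
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	substituted := Publish(attackerPriv, []byte("constructed substitute bytes"))
	fmt.Println("substituted checksum:", ChecksumMatches(substituted),
		"signature (pinned vendor key):", SignatureValid(vendorPub, substituted),
		"signature (key taken from the same page):", SignatureValid(attackerPub, substituted))
}
```

      Running it shows the genuine release passing both checks, the corrupted body failing both, and the substituted release passing the checksum while failing against the pinned vendor key; the last line shows that verifying against a key fetched from the attacker-controlled page accepts the substitute, which is why the public key has to arrive by a separate, trusted route.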

    7. Re:No secure download by JazzXP · · Score: 2

      Close, Ask.com toolbar. Why Oracle needs to do that is beyond me...

    8. Re:No secure download by PhunkySchtuff · · Score: 2

      Whilst a non-HTTPS download can totally include drive-by malware, what's even worse is Oracle's insistence on bundling the Ask toolbar with the PC version of the JRE, with it selected by default in the installer.

  2. Re:lol, Java by MightyMartian · · Score: 2

    And what percentage of C/C++ code is well written?

    Or, to put it another way, is there any evidence that Java applications are LESS secure, on average, than C/C++ applications?

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  3. Re:Solaris by armanox · · Score: 2

    I think the pkg command was the single greatest change in Solaris 11.

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  4. Which "those" are "these"? by jtara · · Score: 4, Funny

    "Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password."

    Which?

    The original bugs, or the new security fixes?

  5. Re:Solaris by NatasRevol · · Score: 2

    Does it balance against all the horrible command changes? Like changing IP/hostname/DNS?

    --
    There are two types of people in the world: Those who crave closure
  6. Impressive by WaffleMonster · · Score: 2

    How many unauthenticated remote exploits in an HTTP stack does it take to lose a customer?

    Never understood how Oracle is allowed to continue to operate like this. The only thing worse than a multi-billion dollar software company failing to exercise any discipline over their systems' unauthenticated attack surface is the length of time they must have sat on all of these exploits just so they could package it up and release all at once.

  7. I don't know about the rest of you... by tlambert · · Score: 2

    I don't know about the rest of you... but I, for one, am very happy that Oracle's products are now Massively Secure.

  8. But I still get prompted to install the Ask Bar! by djnanite · · Score: 2

    Oracle releases a Java SE update to plug security vulnerabilities, but the installer still prompts me to install the 'Ask Search App' by default.

    Does anyone see a conflict of interest here?

  9. Re:But Java... by petermgreen · · Score: 2

    Java protects against some of the common screwups that lead to security holes in C (and to a lesser extent C++) programs. It simply won't let you do things like read/write beyond the end/before the start of an array, perform an unprotected typecast between two object types or use memory that you have already freed. However there are many other classes of security hole it doesn't help with.

    Java sees lots of security patches for a couple of reasons:

    1: Java provides sandboxing features intended to allow safe running of untrusted code. Unfortunately such sandboxes seem to be very difficult to get right (whether it's java applets, flash or javascript in browsers).
    2: Java provides a massive standard library. It's virtually an OS within an OS and that means lots of code to be potentially vulnerable (especially in light of point 1).

    --
    Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register.