Slashdot Mirror


Oracle Releases Massive Security Update

wiredmikey writes Oracle has pushed out a massive security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite. Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.

4 of 79 comments

  1. No secure download by buchner.johannes · · Score: 5, Informative

    There is still no way of authenticating Java downloads? Either a download through HTTPS or a hash fingerprint of the file, accessible via HTTPS? This used to exist up until ~2 years ago, but now it is all insecure (the download can include drive-by malware).

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:No secure download by Wootery · · Score: 4, Insightful

      the download can include drive-by malware

      Can? If memory serves, you have to opt-out of McAfee, in the Java installer.

    2. Re:No secure download by hawguy · · Score: 3, Informative

      Um, the checksum is the binary's MD5 hash. It's not "stored" with the binary. The hashes are listed in that second link I provided, which is an SSL page. To verify the binary's integrity, run an MD5 sum generator on the binary and compare the hash you get with the hash listed on the SSL page.

      That would be more meaningful if the link to the MD5 checksums was not on the same non-SSL page as the link to the binaries, so is subject to manipulation -- an attacker can make it point anywhere they want, and unless a user "knows" that the checksum page is supposed to be SSL, they'd never know (yes, you gave the SSL page, but how do I know that you're not an attacker and that you gave me a fake page that you happened to upload to an Oracle server?). Likewise, if someone can alter the binary on the repo, who is to say that they can't alter the checksum file as well?

      There's one well-established method to validate downloads, and that is to use a cryptographic signature (with a well protected private key; the signature should be generated on a completely offline computer).

      MD5 verification may be "good enough" for most uses, but it's very weak authentication.

      If they match, you got a good download. If they don't, then you got a bad download and you shouldn't install it.
      Geez, I can't believe this has to be explained on Slashdot.

      You seem to be confusing download verification with authentication -- they are different concepts.
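An added example, not from the thread, that shows hawguy's distinction in Go: a checksum served on the same page as the binary is regenerated by whoever swaps the binary, so it proves integrity only, while a detached signature cannot be forged without the publisher's offline private key. It uses ed25519 from the Go standard library as a stand-in for whatever scheme a vendor actually uses, and assumes the public key reaches the user out of band.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a download page serves: the installer, a checksum published
// beside it, and a detached signature made with the publisher's offline key.
type Release struct {
	Installer, Checksum, Signature []byte
}

// Publish computes the checksum and signs the installer with the private key.
func Publish(priv ed25519.PrivateKey, installer []byte) Release {
	sum := sha256.Sum256(installer)
	return Release{installer, sum[:], ed25519.Sign(priv, installer)}
}

// Tamper models an attacker who controls the download page: they swap the
// installer and republish a matching checksum, but cannot forge the signature.
func Tamper(r Release, malicious []byte) Release {
	sum := sha256.Sum256(malicious)
	return Release{malicious, sum[:], r.Signature}
}

// ChecksumOK proves integrity only (the bytes match the published checksum);
// it says nothing about who produced them.
func ChecksumOK(r Release) bool {
	sum := sha256.Sum256(r.Installer)
	return bytes.Equal(sum[:], r.Checksum)
}

// SignatureOK proves authenticity against a public key obtained out of band.
func SignatureOK(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Installer, r.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair generated offline
	good := Publish(priv, []byte("constructed sample installer"))
	bad := Tamper(good, []byte("constructed sample installer plus payload"))
	fmt.Println(ChecksumOK(good), SignatureOK(pub, good)) // true true
	fmt.Println(ChecksumOK(bad), SignatureOK(pub, bad))   // true false
}
```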

  2. Which "those" are "these"? by jtara · · Score: 4, Funny

    "Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password."

    Which?

    The original bugs, or the new security fixes?