First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers
An anonymous reader writes with Help Net Security's report that a new zero-day vulnerability in Java is being exploited, quoting from which: The flaw was spotted by Trend Micro researchers, who are closely monitoring a targeted attack campaign mounted by the economic and political cyber-espionage operation Pawn Storm. The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit. The exploit allows attackers to execute arbitrary code on target systems with default Java settings. Until a patch is made, disabling Java is the recommended course of action.
There hasn't been a zero day for Java in two years?
If that's true, that sounds like the real news here.
It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.
Who gives a fuck about the Java plugin? The point is that Java is not the shitty java plugin, it's a programming language and JVM. People conflating the two are ignorant of Java's significance in the software industry. Like it or hate it for its own sake, but it's not the fucking browser plugin!
Java != JavaScript There haven't been many sites with Java Applets for a long while. This was the only use case for the plugin, and it's unrelated to 99.9% of the use of Java 'the language' and the JVM
Time for bed, said Zebedee - boing
Java is the recommended course of action.
FTFY. No need to include a timeframe.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I very much doubt a significant majority of websites use Java. Javascript, maybe.
And you know what? If you hit a website which requires you run unsecure shit which allows arbitrary code execution? Maybe you should realize that's a good time to leave it disabled and find another site.
If you're letting every site on the planet run Java, Javascript, and Flash ... well, congratulations, you're who they make zero day exploits for.
I haven't seen a non-work related website requiring actual Java in years.
I consider those "please enable cookies and disable all security" warnings as a sure sign of either a badly done website, or one which is so focused on marketing and analytics that I don't give a crap if I can't reach their site.
It's your security, either you take ownership of it, or you throw your hands up and decide that the world will end if you don't allow some website to run Java. You can't have it both ways.
Lost at C:>. Found at C.
The PROBLEM with disabling Java, is that a significant majority of sites use it heavily
Uh, really? Can you name one website that uses Java heavily?
systemd is Roko's Basilisk.
The PROBLEM with disabling Java, is that a significant majority of sites use it heavily
Uh, really? Can you name one website that uses Java heavily?
Here is one: Verify your Java Version
Works fine on java 8 here. Just has to be run as administrator.
When the last Java plugin zero-day came out, I went to disable Java and then remembered that I'd done it the last time. I have not once noticed during browsing that a site has failed to work because it needs Java.
I am TheRaven on Soylent News
No you're wrong. They use JavaScript, not Java. Totally different things with similar names. I haven't had the Java plugin installed in any of my browsers for years and have never encountered one website that didn't work.
What sites depend on java on the client side? Name me one major site. Hell, even Oracle's site has no Java on it.
(aside from banking websites of a certain unstated country that some other person is complaining about, those banking sites are wrong)
I'm a good cook. I'm a fantastic eater. - Steven Brust
Uh, really? Can you name one website that uses Java heavily?
Here is one: Verify your Java Version [java.com]
Doesn't look too heavy of use to me.
With no Java in my browser, I can read all the text on that page, see all the menu links and even click them to go to the target pages, and see only a single Java applet (well, after clicking their agree button)
Even better, when I do try to detect my Java version I see text output on the page that is both
A) there and readable, and
B) factually correct!
It says it can't determine my Java version, which is fairly accurate as I have no Java for it to detect the version of.
It doesn't show a blank page, or an error that Java isn't installed, or have most of the page missing like the original poster claimed would happen.
I have to admit, and I hate saying it about a company like Oracle, but that page is both very light on Java usage and probably one of the best implementations of graceful fail back and browser plugin handling in general that I've seen.
Nvidia: Unlike (apparently) some people, I know what card, platform, and OS I'm using, and so get along just fine without the driver scanner, thanks.
KeepVid: Um, there's a Firefox extension for that, you know.
Il n'y a pas de Planet B.
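The summary says the flaw was found by spotting suspicious URLs hosting the exploit, and a plugin-based exploit has to fetch its applet or JNLP through the victim's proxy. What follows is an added example, not code from the thread, from Trend Micro or from any vendor: it triages constructed squid-style proxy log lines for fetches of .jar/.jnlp/.class content made by the Java runtime itself from hosts outside a constructed allowlist, then walks back to the page the browser loaded just before, which is the candidate "suspicious URL". The only real fact it relies on is that the JRE's own HTTP client sends a User-Agent containing `Java/<version>`; the log format, client addresses, hostnames and allowlist are all assumptions.

```python
"""Triage proxy logs for Java-runtime fetches of applet/JNLP content.

Added example, not code from the thread or from Trend Micro. The log
format, hostnames, client addresses and the allowlist below are all
constructed; adapt parse_line() to your proxy's actual format.
"""
import re
from urllib.parse import urlsplit

# Constructed squid-style lines: timestamp client method url status "user-agent"
SAMPLE_LOG = """\
1436893200.101 10.0.0.12 GET http://www.example-corp.com/ 200 "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
1436893201.455 10.0.0.12 GET http://ilo.mgmt.example-corp.com/html/irc.html 200 "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
1436893202.310 10.0.0.12 GET http://ilo.mgmt.example-corp.com/html/irc.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.8.0_45"
1436893260.002 10.0.0.33 GET http://203.0.113.7/news/index.html 200 "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
1436893260.875 10.0.0.33 GET http://203.0.113.7/news/kZjh72.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.8.0_45"
1436893261.120 10.0.0.33 GET http://cdn.totally-legit-updates.example/a.class 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.8.0_45"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# The JRE's own HTTP client identifies itself as "... Java/<version>".
JAVA_UA_RE = re.compile(r'\bJava/\d+\.\d+')
APPLET_EXT = ('.jar', '.jnlp', '.class')
IPV4_RE = re.compile(r'\d{1,3}(\.\d{1,3}){3}')

# Constructed allowlist: the out-of-band management hosts we expect to serve Java.
ALLOWED_JAVA_HOSTS = {'ilo.mgmt.example-corp.com'}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_java_client(entry):
    return JAVA_UA_RE.search(entry['ua']) is not None


def fetches_applet_content(entry):
    return urlsplit(entry['url']).path.lower().endswith(APPLET_EXT)


def suspicious_fetches(log_text, allowed_hosts=ALLOWED_JAVA_HOSTS):
    """Java-client fetches of jar/jnlp/class content from non-allowlisted hosts."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not is_java_client(e) or not fetches_applet_content(e):
            continue
        host = urlsplit(e['url']).hostname or ''
        if host in allowed_hosts:
            continue
        reasons = ['Java client fetched applet/JNLP content from non-allowlisted host']
        if IPV4_RE.fullmatch(host):
            reasons.append('IP-literal host')
        hits.append({'client': e['client'], 'url': e['url'], 'reasons': reasons})
    return hits


def landing_page(log_text, client, hit_url):
    """Last URL the browser (not the JRE) loaded from this client before hit_url.

    That page is the candidate 'suspicious URL hosting the exploit' to pull
    and examine, since the applet fetch itself only shows the payload.
    """
    last = None
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e['client'] != client:
            continue
        if e['url'] == hit_url:
            return last
        if not is_java_client(e):
            last = e['url']
    return last


if __name__ == '__main__':
    for hit in suspicious_fetches(SAMPLE_LOG):
        print(hit['client'], hit['url'], '; '.join(hit['reasons']))
        print('  landing page:', landing_page(SAMPLE_LOG, hit['client'], hit['url']))
```

The allowlist is the part that does the work: the iLO fetch from 10.0.0.12 is exactly what a management console looks like and is dropped, while the jar pulled from an IP-literal host and the .class from an unknown CDN by 10.0.0.33 are both reported, together with the news page that preceded them.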
The PROBLEM with disabling JavaSCRIPT, is that a significant majority of sites use it heavily.
FTFY. Of course you know that JavaSCRIPT has nothing whatever to do with Java, right?
The exploit resides in a plugin for Java - and it goes without saying that if there is no Java there the buggy plugin would not exist, either
But the most important question is this - How soon can the world have the Net _without_ having to enable Java?
You might be surprised at how much hardware has control interfaces that require Java. The people who manage the servers behind the websites you visit often need Java, and the browser options for this are shrinking all the time.
If Java were to disappear from the Internet then data centers would be fucked. They'd have to get new hardware whose control interfaces didn't need Java. This would be expensive. Who is gonna pay?
In the free world the media isn't government run; the government is media run.
Java != JavaScript
There haven't been many sites with Java Applets for a long while. This was the only use case for the plugin, and it's unrelated to 99.9% of the use of Java 'the language' and the JVM
You don't do much system administration on physical hardware, do you.
In the free world the media isn't government run; the government is media run.
Not sure what you mean by this. Can you elaborate?
Time for bed, said Zebedee - boing
This is what VMs are for. There are appliances (older Sun disk arrays for example) that not just require Java, but only work with one version of the JVM, and will just throw exceptions and crash if one uses the latest version.
So, to interface with the legacy controllers, a browser and that correct Java runtime go into a VM and when it is done being used, it gets shut down and rolled back.
FTFY
Always disabling Java is the recommended course of action.
Java and Flash on the web are technologies that have come and gone. Now that HTML5 video is prevalent, I'm much more likely to get pwn3d by a zero day than I am to find anything in either Java or Flash that I'd actually miss.
As a network engineer, I hate to say it, but ICMP packet loss testing is as good as dead these days. I have not found a provider in the last 5 years that doesn't have some form of ICMP restriction baked into various levels of infrastructure.
Seeing ICMP packet loss these days generally does not correlate with link loss; it usually just shows that you're hitting a route that rate-limits ICMP traffic.
That's the problem. Java consists of a ton of moving parts which get lumped into one concept:
1: The Java language.
2: The Java bytecode.
3: The JVM/JRE.
4: The JDK.
5: The Web plugins.
The Java language is decent. It is arguably the modern day BASIC, where it is fairly easy to get a "hello world" program, and has decent functionality as a general purpose language.
The Java bytecode is also robust. It would be nice if it were more like .NET's IL, where one can use any language of choice, and the compiled output winds up being bytecode, separating the language from the compiled code... but it is what it is.
The JVM/JRE is a headache-maker. I've seen AIX systems with 10-15 different Java executables, all in various sundry directories. Similar with Windows, with some programs using their own JVM, and multiple JVMs present systemwide. Only real answer is to have a VM dedicated for handling interacting with a Java website (usually an older appliance) that has the right JVM in it.
The JDK is not really an issue, but it is lumped in with Java.
Finally the Web plugins. As is stated on /. and other places, the most common vector for intrusion is compromised browsers or browser plug-ins. This will continue to bite us until stronger isolation is put in place, similar to IE's low security mode, but with true filesystem isolation and separation of browser instances, so a compromised window/tab can't infect another.
The main solution for dealing with Java is virtualization or containers. Server-side, it is extremely useful, but for applets, its time is long gone.
Most rack mount servers have an integrated management controller that lets you access the system over a network connection as though you had a local display/keyboard/mouse/storage. The client is usually a Java Web Start application, Java applet or similar. Hence you need Java to administer servers unless you can physically get to the rack and connect stuff to it.
Oracle employee here. We have VERY strict corporate standards regarding accessibility, governed in part by the Americans with Disabilities Act. And a team specifically tasked with dropping in on other teams, unannounced, to review their work to make sure it meets these guidelines.
I'm sure they felt good about themselves after they wrote it.
Il n'y a pas de Planet B.
In certain niches Java Applets are still very common, online banking being one very important example. So for many people the options are simply: a) enable Java plugin; or b) have no access to your money.
>using a website to test shit that has the same functionality built into the OS.
Learn to use your brain. No reason to use a website to test packet loss when the functionality is built into the OS. Hell, I even have speed test software on my system. No need for Java, or Javashit.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
But even that might be more than you need. My FireFox always asks if I want to allow Flash or Java to run on any new site.. Another dialog comes up to display the code signing details. This seems pretty safe.
That said, the code signing and sandboxing situation for Java IS a holy mess.
I'm sure millions of college students, when sent to an educational site that uses Java, will heed your advice. Java is still widely used in academia as well as the corporate world. It may be frustrating, but a lot of people are required to have Java running to get the shit that they are required to do done. Does it suck? Yes. Can you just disable and ignore vulnerabilities like this? No.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
As much as I tend to poke fun at your corporate overlords policies, a big congrats and thumbs up are in order to both the review team and whomever made that part of the java.com website!
don't forget ACS! And I have some stupid Avocent OOB thing that of course requires JAVA.
Network people who are scared of windows and force this java crapfest are so damned 1997 annoying. Then there are the Oracle heads. Just wish this crap would finally die.
"The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit"
Is it possible to design a browser that can't be compromised by navigating to a 'suspicious URLs'?
c) enable java and let everyone else have access to your money (apparently?)
So...you need your (J)VM in a VM? Yo dawg...
Ezekiel 23:20
I can not recall the last time I saw an applet, servlet, or JavaServer Page... My banks, all of them, have never used Java ever, ever, ever... I do tend to use smaller banks and, mostly, credit unions so that may have something to do with it. They have used JavaScript but most of that devolves to plain HTML if there is no JavaScript enabled.
What is odd, and an aside, is the number of low UIDs that seemingly are conflating Java and JavaScript. I would, and do, think that they have seen this conversation enough to know the difference even if they are not programmers or web developers. It seems that this is not something that is ever going to end until one of the two goes away. Java is 20 years old this year and JavaScript showed up in Netscape 2.0 also in 1995. It seems unlikely that either of them will be going anywhere in the immediate future.
"So long and thanks for all the fish."
Both are 20 years old this year. I think LiveScript changed to JavaScript in 1997 though. I too have no idea why they went and made the name so close as Java was already out and applets were already in use when LiveScript changed their name to JavaScript. The oft cited "fact" that Java was made for coffee makers is not true either. (It was for cable television. It was too complex for interactive television at the time.)
"So long and thanks for all the fish."
They do not just keep your money if you have no access to the web interface. "no access to your money." No, you still have access. You just do not have it with your computer if you do not use their Java applet in some cases. You can still visit them or, sometimes, use an app on a phone or even just use your little plastic card to get access to your money.
"So long and thanks for all the fish."
Speaking of talking out of one's ass... I do not recall a time when the majority of sites required Java to render their pages properly. In fact, Java has pretty much nothing to do with page rendering. Perhaps you do not know what you are talking about...
"So long and thanks for all the fish."
Firefox and other browsers (and Flash) have had 0-day security exploits like forever, but nobody recommends just stopping using the Internet. Also, you can choose to run the Java Applet in a sandbox. There are tons of very useful Java Applets still there, why should I deactivate Java and stop using them now? How is that 0-day exploit going to affect me in any way? It isn't and it won't, especially because Java Apps ask for permission to be run.
https://sites.google.com/site/...
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
Webstart is not a plugin, webstart is a "native" program with its own sandbox. You can disable the applet plugin just fine and still run jnlp by just having those handled by javaws.
So disabling the applet will not break the equipment you are talking about, it will break stuff like iLO.
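If the applet plugin is off and .jnlp files go straight to javaws, the JNLP file itself is the last thing you get to look at before the jars run. The following is an added example, not code from the thread or from any vendor: it parses a JNLP document and reports what it asks for (codebase, jars, main class, arguments), and flags the things a practitioner would want to know first: a request for all-permissions (the jars run as your user, outside the Web Start sandbox), jars pulled from a host other than the codebase, anything not fetched over https, and a j2se version with no "+" (it will insist on that platform version rather than accept a newer runtime). The sample JNLP, its hostnames, jar names and class name are constructed; the element names are those of the JNLP format itself.

```python
"""Inspect a JNLP file before handing it to javaws.

Added example, not code from the thread or from any vendor. The sample
JNLP, its hostnames and jar names are constructed; the element names
(jnlp, security/all-permissions, resources/j2se, resources/jar,
application-desc) are those of the JNLP format itself.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

SAMPLE_JNLP = """\
<jnlp spec="1.0+" codebase="https://ilo.mgmt.example-corp.com/html/" href="irc.jnlp">
  <information>
    <title>Integrated Remote Console (constructed sample)</title>
    <vendor>Example Vendor</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6"/>
    <jar href="irc.jar" main="true"/>
    <jar href="http://cdn.example.net/helper.jar"/>
  </resources>
  <application-desc main-class="com.example.irc.Main">
    <argument>--host=ilo.mgmt.example-corp.com</argument>
  </application-desc>
</jnlp>
"""


def inspect_jnlp(text):
    """Parse a JNLP document and return what it asks the runtime for."""
    root = ET.fromstring(text)
    if root.tag != 'jnlp':
        raise ValueError('not a JNLP document (root element %r)' % root.tag)

    codebase = root.get('codebase', '')
    codebase_host = urlsplit(codebase).hostname
    app = root.find('application-desc')

    report = {
        'codebase': codebase,
        'all_permissions': root.find('security/all-permissions') is not None,
        'j2se_versions': [e.get('version', '') for e in root.iter('j2se')],
        # relative jar hrefs resolve against the codebase, absolute ones do not
        'jars': [urljoin(codebase, j.get('href', '')) for j in root.iter('jar')],
        'main_class': app.get('main-class') if app is not None else None,
        'arguments': [a.text or '' for a in root.iter('argument')],
        'warnings': [],
    }
    warn = report['warnings'].append

    # all-permissions means the jars run as the local user, outside the sandbox.
    if report['all_permissions']:
        warn('requests all-permissions: jars run unsandboxed with your privileges')
    if urlsplit(codebase).scheme != 'https':
        warn('codebase is not https: %s' % codebase)
    for jar in report['jars']:
        parts = urlsplit(jar)
        if parts.hostname != codebase_host:
            warn('jar served from a different host than the codebase: %s' % jar)
        if parts.scheme != 'https':
            warn('jar not fetched over https: %s' % jar)
    # "1.6" asks for that platform only; "1.6+" would also accept a newer runtime.
    for v in report['j2se_versions']:
        if v and not v.endswith(('+', '*')):
            warn('requires Java platform %s with no "+", so it will not run on a newer runtime' % v)
    return report


if __name__ == '__main__':
    r = inspect_jnlp(SAMPLE_JNLP)
    print('codebase  :', r['codebase'])
    print('main class:', r['main_class'])
    for jar in r['jars']:
        print('jar       :', jar)
    for w in r['warnings']:
        print('WARNING   :', w)
```

Run it on a saved .jnlp before launching javaws on it; the helper.jar line in the sample is the case worth catching, since a signed console from the management host can still pull a second, plain-http jar from somewhere else and run it with all-permissions.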
Sorry, I'd play you some music but I put my tiny violin somewhere and now I can't find it without a magnifying glass. Found a megaphone, though:
FUCKING STOP FINANCIALLY REWARDING COMPANIES THAT REQUIRE JAVA APPLETS!
When was the last time you refreshed your hardware, any of it? If it was in the last five years (and I'm being generous there, Java applets were known to be idiotic before that, too) and you purchased anything that requires a Java applet, then you are part of the problem and I have *no* sympathy for you. Make a migration timeline, get bids from vendors, include a specific requirement prohibiting dependencies on things like the Java plugin, and try actually making the world a better place. I don't expect that you can drop it all tomorrow, but you can damn well start on a plan to drop it today...
There's no place I could be, since I've found Serenity...
Do they control hardware with the Java plugin? You must be confusing Java the language/VM with the Java plug-in for browsers.
The hardware has web-based control panels which use Java in the browser requiring a plug-in.
In the free world the media isn't government run; the government is media run.
You can petition the professor (and loop in whoever is responsible for IT security, and work your way up the university bureaucracy as needed), pointing out that Java browser plugins are insecure and the university is putting student data and university network infrastructure at risk by requiring them to be enabled. Far better cause than most of the things I saw student petitions about, and a lot of those were addressed anyhow.
For the record, I completed my Bachelors in Computer Engineering in 2010, in the US. I never once needed a Java web plugin. I don't know how "widely used" it was back then, much less today, but it certainly wasn't required.
Admittedly, universities are... let's say "not the most security-conscious" of environments. But I still say there's no excuse for ongoing use of Java (and it does put student and university machines at risk). It's really not actually required in the academic world, and there *are* alternatives.
There's no place I could be, since I've found Serenity...
Great post.
For the record, though, IE's sandbox is pretty bad. It allows read (though not write) access to a lot of stuff. It also turns off by default when visiting a page on the local network. This sounds sane until you realize that:
A) A sandbox is only useful for containing a browser compromise.
B) A compromised browser can probably run arbitrary code.
C) You can run a web server from inside the sandbox.
D) Localhost counts as a local network page.
E) If you've got a browser compromise, you can definitely direct the compromised browser to web server hosting another copy of the exploit.
So yeah, most of the time the IE sandbox is going to be a speedbump at best. Chrome's sandbox (on Windows, at least) uses similar mechanisms, but runs at even lower privileges and additionally has a bunch of other restrictions; it's so unprivileged that it can't even launch another executable under its own privilege level. On the other hand, Firefox still just runs as your user account without even a speedbump to accessing anything you can access if it should get compromised.
There's no place I could be, since I've found Serenity...
Dell iDRAC doesn't depend on the Java browser plugin, it uses a Java Web Start application. But assuming you mean you want to get rid of the Java requirement altogether, rather than just the browser plugin, how do you suggest doing that? How would you make an OS-agnostic remote keyboard/mouse/video/storage client? The storage part is very important, we need to be able to mount virtual media to install operating systems and perform firmware upgrades. Java is the shittiest solution to the problem, apart from all the other solutions anyone's tried.
>> For the record, I completed my Bachelors in Computer Engineering in 2010, in the US. I never once needed a Java web plugin. I don't know how "widely used" it was back then, much less today, but it certainly wasn't required.
You're lucky, in the late 90's it was impossible to get a CS degree without at some point installing Java in your brain. Still not as bad as the C++ course where the lab portion was some crashtastic IDE on Mac OS 9.
From TFA: "downgrading Java to one of the older versions is not a good idea because they are vulnerable to other attacks"
well, which attacks, and are they not patched?
Atari rules... ermm... ruled.
OK, so I got the Java* terminology mixed up... with so many variants, it's an easy mistake, so cut me some slack. Why do so many people have to be so bloody vicious? Good grief.
If Java* is left disabled, my bank's WEBsite doesn't work. Facebook doesn't work. Youtube doesn't work. Some online retail sites don't work. The streaming audio from my workplace doesn't work. (We lease a server, it's not our code.) My Web-based e-mail doesn't work... a significant number of sites that I use often, don't work.
So I will still stand by what I originally said, but with some rather brutal public corrections applied.
Willie...
Tell that to my bank.
Willie...
OK, fine. From now on, I will just say Java*
Willie...
All of the management pages for:
- EMC Storage
- Brocade FC switches
- Dell and HP managed ethernet switches
- Dell and HP DRAC/iLO remote management components
- Dell and Avocent IP KVMs
And I'm sure there are more. The best part is, none of the above works correctly with anything newer than Java 6! I have a VM running Windows 7, a working version of Firefox ESR, and Java 6. And I still have to constantly tell the VM that I don't want to update anything, and to just enable the darn plugins.