Slashdot Mirror


Java Installer Flaw Shows Why You Should Clear Your Downloads Folder (csoonline.com)

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.
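An added check, written for this page and not taken from the article or from Oracle, that a defender could run against a Downloads listing: it flags Java installers older than the fixed builds named above (6u113, 7u97, 8u73) and any loose DLL sitting beside them, since a DLL dropped next to an installer is what binary planting relies on. It assumes Oracle's usual installer naming (e.g. jre-8u66-windows-x64.exe); the sample listing is constructed.

```python
import os
import re

# Minimum fixed installer versions from the advisory quoted above: 6u113, 7u97, 8u73.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed Oracle installer naming convention, e.g. "jre-8u66-windows-x64.exe".
INSTALLER_RE = re.compile(r"^(?:jre|jdk)-(\d+)u(\d+)-.*\.exe$", re.IGNORECASE)


def installer_is_stale(name):
    """True if the filename looks like a Java installer older than its fixed build."""
    m = INSTALLER_RE.match(name)
    if not m:
        return False
    major, update = int(m.group(1)), int(m.group(2))
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return False  # family not covered by the advisory; do not guess
    return update < fixed


def audit_listing(names):
    """Classify a directory listing: stale installers to delete, and loose DLLs.

    Any DLL in the same folder as an installer deserves a look, because that
    is exactly the placement the binary-planting issue depends on.
    """
    stale = sorted(n for n in names if installer_is_stale(n))
    dlls = sorted(n for n in names if n.lower().endswith(".dll"))
    return {"stale_installers": stale, "loose_dlls": dlls}


def audit_directory(path):
    """Run the audit on a real folder, e.g. os.path.expanduser('~/Downloads')."""
    return audit_listing(os.listdir(path))


# Constructed sample listing; these are not real files from the article.
SAMPLE_LISTING = [
    "jre-8u66-windows-x64.exe",   # older than 8u73: delete
    "jre-8u73-windows-x64.exe",   # fixed build: keep
    "jdk-7u80-windows-i586.exe",  # older than 7u97: delete
    "jre-6u45-windows-i586.exe",  # older than 6u113: delete
    "planted.dll",                # a DLL next to installers: investigate
    "report.pdf",
]

if __name__ == "__main__":
    for kind, files in audit_listing(SAMPLE_LISTING).items():
        print(kind, files)
```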

64 comments

  1. So... by Anonymous Coward · · Score: 0

    We should delete minecraft? Alright.

  2. Duplicate by Nicopa · · Score: 3, Informative
    1. Re:Duplicate by Anonymous Coward · · Score: 0

      Keep them coming. Another 4 or 5 posts on this topic and we'll be on track to meet our duplicate posts goals for the month.

    2. Re: Duplicate by Anonymous Coward · · Score: 0

      Hey, did you know that this story was posted earlier?

    3. Re:Duplicate by Frosty Piss · · Score: 1

      Just hours ago...

      If it were not for your UID, I would have said "You Must Be New Here" ...

      --
      If you want news from today, you have to come back tomorrow.
    4. Re:Duplicate by simplypeachy · · Score: 4, Funny

      Naw, the other article was for a previous version of the JRE.

    5. Re:Duplicate by Mashiki · · Score: 1

      Looks like the old /. is coming back. Dupe articles are a good start...I think.

      --
      Om, nomnomnom...
    6. Re:Duplicate by buchner.johannes · · Score: 1

      It does sound like the same bug -- if that is the case all installers on Windows systems are affected, and this is not a JRE-specific bug, but a MS Windows design flaw (or security trade-off, if you prefer).

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  3. Java again by Anonymous Coward · · Score: 0, Troll

    The benefits of java continue

  4. Clear my downloads folder? by Anonymous Coward · · Score: 0, Troll

    How about it's a good reason to never download Java in the first place?

    1. Re:Clear my downloads folder? by Ol Olsoc · · Score: 1

      How about it's a good reason to never download Java in the first place?

      No no. This version is secure, just like all the other new versions of Java...... oh, never mind..

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Clear my downloads folder? by Anonymous Coward · · Score: 0

      This version is secure, just like all the other new versions of software...... oh, never mind..

      Fixed.

  5. That's why you should have a package manager by NotInHere · · Score: 5, Insightful

    nuget, apt-get, pacman, whatever. The package manager's installer code was written _once_. No need for reinventing the wheel for every damn installer in the world. No need for fixing the same bugs all over again. Just something that works, and offers updates out of the box without having to spam the user with update notices.

    1. Re:That's why you should have a package manager by Anonymous Coward · · Score: 0

      This is what annoys the HELL out of me with Microsoft.

      Back during the whole IE bundling nonsense, they had a real opportunity to make their own program store, similar to say the app-store.
      They offer their own software under a Microsoft tab, then 3rd party software.
      Allows a person to make a basic website for hosting the software for extra. (ie, money)
      Very basic stuff here, more so because the web was also very basic too, but it was still useful, especially for new software.
      They could even have had official MS Software discs you could sign up for to get the top-rated software and freeware like a typical PC magazine used to. (shareware discs, fun times)

      They could have gotten away with the bundling a pretty honest way.
      And given it would be best done with, yes, a package manager, it would have made life so much easier for installations.
      Nope. Just had to be a dick, didn't you ol Billy boy?
      Windows Installation is STILL SHIT. 2016. 3 major company changes in recent years.
      Come on Microsoft. Seriously.

    2. Re:That's why you should have a package manager by Cley Faye · · Score: 1

      Be careful what you wish for. The windows store is a reality and... well it feels like reinventing the wheel one more time could be a good idea there.

    3. Re:That's why you should have a package manager by Anonymous Coward · · Score: 0

      Package manager is a good idea in many ways but it moves control away from you as to what you can install:
      - either you can only install software that was blessed by some third party repository,
      - or you can only install software that was packaged for the manager you're currently using (you're on dpkg but software was given to you as rpm? good luck!)

      So, it can work as long as there is no fragmentation, which on Windows means msi packages. But they are missing the 'central repository' use case and didn't exactly take the world by storm.

    4. Re:That's why you should have a package manager by Zaelath · · Score: 1

      Doesn't really address the problem here.

      In this case the installer is affected by DLL side loading, but it's not like installers are the only time this happens. Most of the examples in the previous link are in running installed executables, like Chrome.

      You're correct about package managers in that they've long had useful package signing, but then once things are installed there's a handful of people on earth that can properly maintain an SELinux configuration (accepting the vendor default doesn't count).

    5. Re:That's why you should have a package manager by Anonymous Coward · · Score: 0

      nuget, apt-get, pacman, whatever. The package manager's installer code was written _once_. No need for reinventing the wheel for every damn installer in the world. No need for fixing the same bugs all over again. Just something that works, and offers updates out of the box without having to spam the user with update notices.

      There's Windows Installer, it solves half the problem you mentioned. Also, mixing and matching 3rd party repos is NOT a strong suit for any package management system I've ever seen, and that's what you'd have to do to get the latest 3rd party software. Nobody wants the version of Java that Microsoft, Apple, RedHat ships for example.

    6. Re:That's why you should have a package manager by Anonymous Coward · · Score: 0

      Microsoft has been through how many iterations of that?

      And they still don't have a package manager to update Windows in a sane manner.

    7. Re:That's why you should have a package manager by penguinoid · · Score: 1

      Having a package manager doesn't prevent third-party installers from working.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    8. Re:That's why you should have a package manager by Culture20 · · Score: 1

      Or compiling your own from source.

    9. Re:That's why you should have a package manager by Anonymous Coward · · Score: 0

      Having a package manager doesn't prevent third-party installers from working.

      Then we've come full circle, what does a package manager have to do with fixing broken third party installers on Windows, you know, what TFA is about?

    10. Re:That's why you should have a package manager by Threni · · Score: 1

      Windows has a store? I'll have to fire up my windows vm and take a look. If I can find it; it's been a while. I'm sure I have a windows vm somewhere. You know, for when I really need to use windows for something.

    11. Re:That's why you should have a package manager by Cley Faye · · Score: 1

      Not only do you have to find your VM, you also have to update it to Windows 10. And then you'll have to do your best not to remove this scrap before checking it out.

  6. Enough already! by b1ng0 · · Score: 4, Informative

    Get rid of this paid itwbennett shill! Two articles in one day all going to the same website. Look at his post history. Every post goes to one of two sites! If this is what whiplash meant by improving Slashdot, there is no hope left for this site.

    1. Re:Enough already! by Anonymous Coward · · Score: 0

      I see that Bennett is spending mod points all over, in an attempt to bury people pointing out what he's doing. That, if anything, should be a rather clear indication that he, as a poster, at the very least should be throttled.

    2. Re:Enough already! by Anonymous Coward · · Score: 0

      I don't get it. So what, that it's the same website? Maybe he frequents it. Why would he not link it?
      Surely there are tendencies as to what sites get linked more frequently. There are frequent readers of other sites. There are frequent slashdot submitters. What do you expect exactly, all sites on the internet to be equally represented in a uniform distribution?
      Not saying bennett doesn't have an interest. Just that your argument doesn't make sense. You need something more substantial.

    3. Re:Enough already! by Anonymous Coward · · Score: 0

      itwbennett is not Bennett Haselton. Haselton has his own account that he posts comments (but not stories) from. 30 seconds with Google tells me that csoonline is owned by IDG. IDG, in turn, owns IT World where an Amy Bennett posts frequently. And, lo and behold, she also posts at csoonline.

      Your tinfoil hat is a little too tight. Not all people with the name 'Bennett' are His Bennettness. This is just an example of someone writing for a publication and firing much of it through the firehose to see what sticks.

  7. They still patch Java 6?!? by supremebob · · Score: 2

    What I learned from this post is that Oracle still does Java security patches for Java 6. I thought that it was End Of Life three years ago!

    1. Re:They still patch Java 6?!? by Billly Gates · · Score: 2

      Sure, if you buy an expensive RDBMS you don't need, they will fix their own products.

    2. Re:They still patch Java 6?!? by Anonymous Coward · · Score: 0

      Because they're obligated to support it for eternity for free, uh-huh. It's just the right thing to do.

    3. Re:They still patch Java 6?!? by ImprovOmega · · Score: 1

      You can't download the 6u113 update unless you have a support contract with Oracle. Without one the latest version you can get in Java 6 is 6u45, from 2013, when it officially went end of life.

  8. You had me... by mortonda · · Score: 5, Insightful

    at "delete all the Java installers".

  9. and the now they have the store with censorship by Joe_Dragon · · Score: 1

    And now they have the store with censorship / apps limited in what they can do (limited mods / user maps) for games. Also a forced 20%/30% cut / devs have to pay a fee (even for free apps) / etc.

    The app store is to anti trust. It needs to be fully open with no censorship (have an adults-only room), a not (politically correct) room. As for sandboxing, testing for spyware is OK but locking out/limiting mods is not OK. Locking out stuff like Steam DRM is not OK. Locking out OpenGL is not OK.

    1. Re:and the now they have the store with censorship by Anonymous Coward · · Score: 0

      To be fair, everyone was perfectly fine with the 30% cut that APL takes. They effectively set precedence, and everyone's been using this percentage since.

    2. Re:and the now they have the store with censorship by Gr8Apes · · Score: 1

      In some ways, we're not ok with Apple's store policies. In fact, I hope some of them get changed, or do I? It's one of those be careful what you wish for things. Meanwhile I will continue to run a host of apps that are not store sourced, precisely because the store is too limiting in many many ways for the apps I want to run. Games, however, should have little issue in the Apple App store.

      --
      The cesspool just got a check and balance.
    3. Re:and the now they have the store with censorship by Anonymous Coward · · Score: 0

      To be fair, everyone was perfectly fine with the 30% cut that APL takes. They effectively set precedence, and everyone's been using this percentage since.

      You mean "the precedent".

  10. Billions and billions served... by Aryeh Goretsky · · Score: 1

    Hello,

    Not sure if it is still the case (it's been years since I've installed Java) but didn't the runtime installer display a message saying something like three billion devices run Java? I wonder if the reason for not uninstalling old versions was to help inflate that count.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
  11. Re:dmbasso is a pedophile by Anonymous Coward · · Score: 0

    This is the best you bullies can do for censorship? Go back to twitter.

    Perhaps he said manga is not child pornography because there's no children? Is this even a real conversation?

  12. Shouldn't they clean up their own mess? by Maxo-Texas · · Score: 1

    Why should I go rooting around deleting things when they know what should be deleted in the first place?

    Seriously.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  13. 2010 phoned and wants its DLL exploit back .. by tetraverse · · Score: 1

    Nicopa: 'Just hours ago: link'

    What is dll hijacking?

  14. And they want you to trust them, too by drinkypoo · · Score: 1

    The latest JRE updater elevates permissions before it even needs to, so the first inkling you have that something is taking place is the UAC prompt. Only after denying it did I find out that it was from the Java updater... the prompt only said "Java". I don't know about y'all, but my first impulse upon getting a mystery UAC prompt from Java is not to grant permission to rape my PC

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. Why some installer? by short · · Score: 1

    java-1.8.0-openjdk-1.8.0.71-1.b15.fc23.x86_64 installed fine by dnf/yum, who cares about Oracle?

    1. Re:Why some installer? by Anonymous Coward · · Score: 0

      java-1.8.0-openjdk-1.8.0.71-1.b15.fc23.x86_64 installed fine by dnf/yum, who cares about Oracle?

      http://openjdk.java.net
      © 2016 Oracle Corporation and/or its affiliates

      Just saying.

    2. Re:Why some installer? by Anonymous Coward · · Score: 0

      Doesn't mean anything really, it's just a copyright notice. You don't remove them when you fork and package open source.

  16. Post title has it wrong by jargonburn · · Score: 1

    Java Installer Flaw Shows Why You Should Not Install Java

    FTFY.

  17. Does it matter? Leave him alone... apk by Anonymous Coward · · Score: 0

    See subject: As long as the story material's good I don't see your point & as long as others don't submit the same link beforehand getting 'snubbed' for Bennett's links instead, then you have NO point.

    * A "workaround" for THAT would be to "dual credit" both SOURCES & BOTH SUBMITTERS in the same article on /., that way EVERYONE gets face-time (for lack of a better expression) EQUALLY & users/readers get to see different alternate perspectives on the issue @ hand from DIFFERENT sources too (everyone wins).

    APK

    P.S.=> Admittedly, & POSSIBLY IN YOUR FAVOR:

    I have SEEN that happen here before & Brian Krebs' posts were put up BEFORE another submitter's (who submitted WELL BEFORE the Krebs story appeared)!

    THAT I also had issue with, same material but different source, but yet Krebs' story was put ahead of the one submitted before it... apk

  18. Re:Alternate title: Don't install windows by Gr8Apes · · Score: 0

    That's actually the more accurate title. I checked on the CVEs, there's not much to see there at all.

    --
    The cesspool just got a check and balance.
  19. Comment by WallyL · · Score: 1

    Wait, people let their Downloads directory fill up with stuff? Mine is cleaned at least weekly. I treat it like the OS treats /tmp.