Slashdot Mirror


Java Installer Flaw Shows Why You Should Clear Your Downloads Folder (csoonline.com)

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.
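As a defender-side check for the advisory quoted above, here is an added example (not code from the story, CSO Online or Oracle) that flags installer files in a folder listing which predate the fixed releases 6u113, 7u97 and 8u73. It assumes Oracle's Windows installer filename convention (jre-8u73-windows-x64.exe and the like), which the story does not state.

```python
import re
from pathlib import Path

# Minimum patched installer update per Java major release, from the Oracle
# advisory quoted in the story: 6u113, 7u97, 8u73 or later.
MIN_SAFE_UPDATE = {6: 113, 7: 97, 8: 73}

# Oracle's Windows installers are assumed to be named like
# jre-8u73-windows-x64.exe or jdk-7u97-windows-i586-iftw.exe
# (naming convention assumed by this example, not stated on the page).
INSTALLER_RE = re.compile(r"^(?:jre|jdk)-(\d+)u(\d+)-windows-[\w-]+\.exe$",
                          re.IGNORECASE)

def parse_installer(name):
    """Return (major, update) for an Oracle Java Windows installer name, else None."""
    m = INSTALLER_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def is_stale(name):
    """True if the file is a Java Windows installer older than the fixed release."""
    parsed = parse_installer(name)
    if parsed is None:
        return False  # not a Java installer (or not the Windows .exe form)
    major, update = parsed
    if major in MIN_SAFE_UPDATE:
        return update < MIN_SAFE_UPDATE[major]
    # Families older than Java 6 never got a fixed installer; newer ones ship fixed.
    return major < min(MIN_SAFE_UPDATE)

def find_stale_installers(filenames):
    """Return the sorted subset of filenames that the advisory says to delete."""
    return sorted(n for n in filenames if is_stale(n))

def scan_downloads(folder=None):
    """Flag (never delete) stale installers in a real folder, default ~/Downloads."""
    folder = Path(folder) if folder else Path.home() / "Downloads"
    return find_stale_installers(p.name for p in folder.iterdir() if p.is_file())

if __name__ == "__main__":
    # Constructed sample listing standing in for a real Downloads folder.
    sample = ["jre-8u66-windows-x64.exe", "jre-8u73-windows-x64.exe",
              "jdk-7u80-windows-i586.exe", "jre-6u45-windows-i586.exe",
              "report.pdf", "jre-8u73-linux-x64.tar.gz"]
    for name in find_stale_installers(sample):
        print("stale Java installer, delete and re-download:", name)
```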


  1. Duplicate by Nicopa · · Score: 3, Informative
    1. Re:Duplicate by Frosty Piss · · Score: 1

      Just hours ago...

      If it were not for your UID, I would have said "You Must Be New Here" ...

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Duplicate by simplypeachy · · Score: 4, Funny

      Naw, the other article was for a previous version of the JRE.

    3. Re:Duplicate by Mashiki · · Score: 1

      Looks like the old /. is coming back. Dupe articles are a good start...I think.

      --
      Om, nomnomnom...
    4. Re:Duplicate by buchner.johannes · · Score: 1

      It does sound like the same bug -- if that is the case all installers on Windows systems are affected, and this is not a JRE-specific bug, but a MS Windows design flaw (or security trade-off, if you prefer).

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  2. Re:Clear my downloads folder? by Ol Olsoc · · Score: 1

    How about it's a good reason to never download Java in the first place?

    No no. This version is secure, just like all the other new versions of Java...... oh, never mind..

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  3. That's why you should have a package manager by NotInHere · · Score: 5, Insightful

    nuget, apt-get, pacman, whatever. The package manager's installer code was written _once_. No need for reinventing the wheel for every damn installer in the world. No need for fixing the same bugs all over again. Just something that works, and offers updates out of the box without having to spam the user with update notices.

    1. Re:That's why you should have a package manager by Cley Faye · · Score: 1

      Be careful what you wish for. The Windows store is a reality and... well, it feels like reinventing the wheel one more time could be a good idea there.

    2. Re:That's why you should have a package manager by Zaelath · · Score: 1

      Doesn't really address the problem here.

      In this case the installer is affected by DLL side loading, but it's not like installers are the only time this happens. Most of the examples in the previous link are in running installed executables, like Chrome.

      You're correct about package managers in that they've long had useful package signing, but then once things are installed there's a handful of people on earth that can properly maintain an SELinux configuration (accepting the vendor default doesn't count).

    3. Re:That's why you should have a package manager by penguinoid · · Score: 1

      Having a package manager doesn't prevent third-party installers from working.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    4. Re:That's why you should have a package manager by Culture20 · · Score: 1

      Or compiling your own from source.

    5. Re:That's why you should have a package manager by Threni · · Score: 1

      Windows has a store? I'll have to fire up my Windows VM and take a look. If I can find it; it's been a while. I'm sure I have a Windows VM somewhere. You know, for when I really need to use Windows for something.

    6. Re:That's why you should have a package manager by Cley Faye · · Score: 1

      Not only do you have to find your VM, you also have to update it to Windows 10. And then you'll have to do your best not to remove this scrap before checking it out.

  4. Enough already! by b1ng0 · · Score: 4, Informative

    Get rid of this paid itwbennett shill! Two articles in one day all going to the same website. Look at his post history. Every post goes to one of two sites! If this is what whiplash meant by improving Slashdot, there is no hope left for this site.

  5. They still patch Java 6?!? by supremebob · · Score: 2

    What I learned from this post is that Oracle still does Java security patches for Java 6. I thought that it was End Of Life three years ago!

    1. Re:They still patch Java 6?!? by Billly Gates · · Score: 2

      Sure, if you buy an expensive RDBMS you don't need, they will fix their own products.

    2. Re:They still patch Java 6?!? by ImprovOmega · · Score: 1

      You can't download the 6u113 update unless you have a support contract with Oracle. Without one the latest version you can get in Java 6 is 6u45, from 2013, when it officially went end of life.

  6. You had me... by mortonda · · Score: 5, Insightful

    at "delete all the Java installers".

  7. and now they have the store with censorship by Joe_Dragon · · Score: 1

    and now they have the store with censorship / apps limited in what they can do (limited mods / user maps) for games. Also a forced 20%/30% cut / devs have to pay a fee (even for free apps) / etc.

    The app store is anti-trust. It needs to be fully open with no censorship (have an adults-only room), and a not-politically-correct room. As for sandboxing, testing for spyware is ok but locking out / limiting mods is not ok. Locking out stuff like Steam DRM is not ok. Locking out OpenGL is not ok.

    1. Re:and now they have the store with censorship by Gr8Apes · · Score: 1

      In some ways, we're not ok with Apple's store policies. In fact, I hope some of them get changed, or do I? It's one of those be careful what you wish for things. Meanwhile I will continue to run a host of apps that are not store sourced, precisely because the store is too limiting in many many ways for the apps I want to run. Games, however, should have little issue in the Apple App store.

      --
      The cesspool just got a check and balance.
  8. Billions and billions served... by Aryeh Goretsky · · Score: 1

    Hello,

    Not sure if it is still the case (it's been years since I've installed Java) but didn't the runtime installer display a message saying something like three billion devices run Java? I wonder if the reason for not uninstalling old versions was to help inflate that count.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
  9. Shouldn't they clean up their own mess? by Maxo-Texas · · Score: 1

    Why should I go rooting around deleting things when they know what should be deleted in the first place?

    Seriously.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  10. 2010 phoned and wants its DLL exploit back .. by tetraverse · · Score: 1

    Nicopa: 'Just hours ago: link'

    What is dll hijacking?

  11. And they want you to trust them, too by drinkypoo · · Score: 1

    The latest JRE updater elevates permissions before it even needs to, so the first inkling you have that something is taking place is the UAC prompt. Only after denying it did I find out that it was from the Java updater... the prompt only said "Java". I don't know about y'all, but my first impulse upon getting a mystery UAC prompt from Java is not to grant permission to rape my PC.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Why some installer? by short · · Score: 1

    java-1.8.0-openjdk-1.8.0.71-1.b15.fc23.x86_64 installed fine by dnf/yum, who cares about Oracle?

  13. Post title has it wrong by jargonburn · · Score: 1

    Java Installer Flaw Shows Why You Should Not Install Java

    FTFY.

  14. Comment by WallyL · · Score: 1

    Wait, people let their Downloads directory fill up with stuff? Mine is cleaned at least weekly. I treat it like the OS treats /tmp.