Java Security

Experts Develop 3rd-Party Patch For New Java Zero-Day

Posted by samzenpus
from the patch-it-up dept.
tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
  • A better idea... (Score:4, Insightful)

    by DrEnter (600510) * on Monday August 27, 2012 @12:18PM (#41138639)
    You know what would be better idea than patching Java? Uninstalling it.
    • Re: (Score:3, Insightful)

      Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.

      • by gl4ss (559668)

        you know what's funny? can't log into my web banking without it(it's only the signon flow where it's used, too).

        though, I guess I should still just whitelist it on certain sites. however applets can be used in good ways.. it's just that nobody ever does that.

        • In Chrome: Wrench-->Settings; Advanced Settings; Content settings; "Click to Play" under plugins.

          Problem solved.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.

        A modest proposal to improve security. You know what would be more effective than uninstalling Java? Uninstalling the network and other input devices. In fact, why don't you turn off the computer entirely?

        The number one reason that Java has published security holes is that Java is used heavily. Non-java programs also have security holes. Yes, it makes sense to reduce dependency on Java now, because Java has the current serious security hole. However, your parent wasn't suggesting that. Your parent was sugg

        • ...Your parent was suggesting that uninstalling Java was better than fixing the security hole.

          I think that was because he was implying that Java isn't used anywhere near enough nowadays to warrant it being installed on client systems, for the most part.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Your parent was suggesting that uninstalling Java was better than fixing the security hole.

          It *is* better than fixing the security hole. Fixing the security hole fixes ONE security problem. Uninstalling Java fixes that ONE security problem AND all unknown/future Java security problems.

          • This. I'm surprised that this is the first post to plainly say it after gp alluded to it.

            You shouldn't have posted AC.
        • Your parent was suggesting that uninstalling Java was better than fixing the security hole.

          It is, given the huge percentage of malware infections directly caused by Java and Adobe plugin exploits.

          Patching this particular hole fixes the problem for about 2 weeks till the next 0-day drops. Some of us like to get off of that nasty little merry-go-round, and get rid of a plugin that has basically no use. If you really need it, set your plugins to Click-To-Play (through flashblock for firefox, or as detailed here [slashdot.org] for chrome)

        • by snemarch (1086057)

          Sorry, but Java has a really nasty track record of exploits - especially considering that client code runs not just in a sandbox, but a sandboxed virtual machine - and that the platform has had a lot of emphasis on security from day one.

          I don't have a Java plugin in my browser, I consider that pretty much security suicide. Because I live in .dk, I have to use a browser with Java plugin from time to time, but I handle that in a locked down virtual machine that I use solely for that purpose.

          Also: I kinda like

          • Sorry, but Java has a really nasty track record of exploits - especially considering that client code runs not just in a sandbox, but a sandboxed virtual machine - and that the platform has had a lot of emphasis on security from day one.

            So what do you suggest as alternatives? Java does serve a function, you know. There are plenty of things that haven't had an emphasis on security from day one.

            The irresponsible thing here is Oracle's update schedule.

      • by Anonymous Coward

        Huge amount of banking and intranet sites in the office not only require it but require a specific version like 9 year old 1.4.2. No not 1.4.1, nor 1.4.3 but just 1.4.2 with 10 exploits. Kronos, bank of america, and others. The same financial institutions that don't require java for us do require ancient IE and old java for corporate functions. These desktops get infected constantly over and over.

        • by JDG1980 (2438906)

          Huge amount of banking and intranet sites in the office not only require it but require a specific version like 9 year old 1.4.2. No not 1.4.1, nor 1.4.3 but just 1.4.2 with 10 exploits. Kronos, bank of america, and others. The same financial institutions that don't require java for us do require ancient IE and old java for corporate functions. These desktops get infected constantly over and over.

          In that case, the appropriate solution is to run these tasks from virtual machines, which are then wiped back t

        • I would in all honesty change banks if that happened, not just because of the security holes but because it can be a phenomenal pain to get such an old version to play nice with a modern browser. You have to jump through hoops to even get such an old version. It would be sufficiently problematic that I would end up not using the web interface, which is sufficiently annoying that I would want a bank that had useable / secure web access.

      • by Exitar (809068)

        Attack vectors? Like the internet?

      • by c0lo (1497653)

        Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense.

        Hmmm... seems you are right... the maximum security for a computer is achieved by uninstalling the OS and keeping the computer powered off. (I'm not saying you advise this, but just to put into evidence that security is not the objective that anyone would like maximized).

      • by sapgau (413511)

        Java is also used heavily on the browser in Colleges and Universities (Higher Ed.) for rich text editors, chat rooms and some other educational content.

        • It also happens to be embedded in Oracle Databases, and even though it isn't mentioned whether this 0-day affects Android, the Djarvik Engine is modeled after Java. Java is used in an incredible number of applications, it just doesn't get rubbed in your face all the time. Yeah, nobody uses Java anymore. Except... everybody.

          • the Djarvik Engine is modeled after Java

            Well, I don't think it's likely that the exploit is at a level where Djallben would have inadvertently duplicated it.

      • by Baki (72515)

        When talking about java in a browser executing remote code: agree, avoid it if you can.

        When talking about java as platform (like .net or other platforms) for server side applications, then dumping java because of this bug is a bit drastic.

    • by udachny (2454394)

      ....
      Java Zero Day Vulnerability
      “In my lab environment, I was able to successfully exploit my test machine against latest version of Firefox with JRE version 1.7 update 6 installed,” he wrote on the company blog.

      The exploit was found on a server in China, and if it successfully attacks a given endpoint, the payload that is delivered is hosted on the same server. While the IP address associated with the malicious box has been known to serve malware in the past, it isn’t responding to browser connections. Nevertheless, the IP is live. ....
      On Monday, the Metasploit Exploit team at Rapid7 said they found the PoC and had developed a working exploit that they say enables a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6.

      “As a user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available,” a blog post from Rapid7 notes.

      Once again, it’s wise to remove Java if it isn’t absolutely needed in your environment. Most home users have little need for the software these days, and most experts agree the risk outweighs the reward when it comes to installing it.

      I don't know why the OP is moderated Funny, maybe they have Java installed on their 'humour sensing unit'.

      --

      OTOH I wish IBM bought Sun back when Oracle made their bid, this lack of interest by Oracle is just perplexing at this point. If Ellison doesn't see a way to monetize Java environment, why not sell it? Have an auction, put it on Ebay.

      • If Ellison doesn't see a way to monetize Java environment, why not sell it? Have an auction, put it on Ebay. [youtube.com]

      • by JDG1980 (2438906)

        If Ellison doesn't see a way to monetize Java environment, why not sell it? Have an auction, put it on Ebay.

        It's about the patents. That's why Ellison bought Sun. Java for end-user computing doesn't even factor in at all. He wants to be able to patent troll Android (in large part because of his personal friendship with Steve Jobs).

    • by Anonymous Coward

      But.. but.. then how can I play Minecraft? :(

      • by tlambert (566799)

        But.. but.. then how can I play Minecraft? :(

        I mentally translate "JRE" to "MRE" for Minecraft Runtime Environment.

        In all seriousness, many banks run a captive Java application for login authentication using challenge/response as an anti-phishing mechanism to prevent storing the credentials. Given that Java is frequently exploited, this isn't a very effective strategy, given the current generation of online channel-breaking attacks.

      • by snemarch (1086057)
        Keep away from the browser plugin and install just the JRE. You'll still be 0wned by clicking on "Olsen twins hot lesbian session.mpg                             .jar", but you'll be safe from browser drive-by attacks.
    • Why don't they make it so that you can download the installer (for use on other computers) without using TOP SECRET BURN BEFORE READING links??

      oh btw a cool way to get all the "stuff" is http://ninite.com/.net-7zip-air-chrome-firefox-flash-flashie-foxit-java-pdfcreator-shockwave-silverlight/ [ninite.com] download that file and then run it to get everything installed (and yes i did include both chrome and firefox)

    • by Hatta (162192)

      I would love to uninstall Java. But what would I replace UGENE and ImageJ with? It seems like any free, cross platform, GUI, scientific software is written in Java.

      • So uninstall all plugins, etc. and only run pure Java apps. To go one better, only run them in a sandbox (a VM should do the trick). That way, you can still copy/paste the output and even share the files back, but as you aren't doing anything in that sandbox other than running that Java app, that instance of Java won't be exploited. You don't even need to upgrade for new features/security fixes!

    • You know what would be better idea than patching Java? Uninstalling it.

      I didn't uninstall it; but several months ago I turned it off in my web browser(s). You know what? It hasn't impacted anything I do - none of the web sites I use rely on Java *at all*. Not the fun sites, not the banking sites, not the business sites...

      I've certainly got some local software that requires Java; but if it's not available in my browser you're going to have a difficult time getting an exploit onto my computer.

  • by Anonymous Coward

    You have to be fucking kidding me.

    • by plover (150551) * on Monday August 27, 2012 @12:25PM (#41138729) Homepage Journal

      The analysts figured that exploits only come out an average of four times a year, therefore they only need to send updates every quarter. Who can question the CIO's master stroke of logic?

      • by Fuzzums (250400)

        Don't make fun of this. Metrics don't lie. Seriously.

      • by Milharis (2523940)

        Luckily for criminals, those exploits are made public the day following the quarterly update.

        Seriously though, they don't have out-of-schedule updates for critical security bugs?

        • by _xeno_ (155264)

          Seriously though, they don't have out-of-schedule updates for critical security bugs?

          Well, it's Oracle, so I expect they do, they just cost extra. I mean, you are up to date on your Oracle Certified Java Security Support, right?

          (Note: I'm joking. The actual service is called Oracle Premier Support for the Java SE Platform [oracle.com] and you only need it to get security patches for "old" versions of Java.)

          • So, in order to play Minecraft safely (requires Sun Java 6, sucks with OpenJDK or later versions for some reason), I need to pay Oracle $3300? Got it.

            • by _xeno_ (155264)

              Nah, you only will need to pay once Java 6 reaches end of life last month. I mean, November. I mean, next February.

              (And, yes, seriously - the Java 6 EOL date has been pushed forward twice so far. Presumably because Java 7 still isn't quite ready on all platforms.)

  • You know it's funny (Score:3, Interesting)

    by DarkOx (621550) on Monday August 27, 2012 @12:29PM (#41138765) Journal

    We were told Java was going to be the answer to all our security problems. No more buffer overflows, and few if any other remote code exploits would be possible with applications written in Java.

    It's too bad someone finds a critical vulnerability in the platform every other month seemingly.

    • Every other month? Seems closer to every other day.

    • by Anonymous Coward

      Maybe it would help if they used Java to program the vm.
      Then it would be impossible to have security vulnerabilities.

    • Re: (Score:3, Insightful)

      by binarylarry (1338699)

      This isn't a flaw in Java itself but yet another flaw in the browser plugin.

      Given that virtually all the major browser plugins technologies I can think of have resulted in an unending stream of exploits, it seems silly to blame this entirely on Java. Adobe PDF, Flash, and the Java plugin have all been the main vectors of attack. Guess what the three most popular browser plugins are?

      Maybe the real issue is a shitty plugin API and/or implementation?

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Not true...

        http://dev.metasploit.com/redmine/projects/framework/repository/revisions/52ca1083c22de7022baf7dca8a1756909f803341/entry/external/source/exploits/CVE-2012-XXXX/Exploit.java

        It's a bug in how java bean statements interact with security domains, as far as I can tell. Definitely a JRE bug.
        It really is just more reason why you should never let your language's runtime get completely out of hand - this kind of stuff should have been in libraries, not in the runtime.

    • by sapgau (413511)

      Will we ever be safe from all that?
      Oh, it's Java bashing time, sorry...

    • Assuming they were written by programmers of roughly equal competence, Java applications in general probably are safer than their counterparts in more traditional languages due to the fact that certain categories of exploit basically can't happen.

      The java related security problems mainly come from software (most notably the browser plugin) that uses the java runtime's sandboxing features to run untrusted code. The sandboxing system is highly complex and as such prone to bugs and when bugs do happen they of

  • by JDG1980 (2438906) on Monday August 27, 2012 @12:33PM (#41138831)

    There is no good reason to have Java installed in your primary browser. The only reason why it's everywhere is that it often comes preinstalled for no good reason, and (even worse) the installer shoves its way into all your browsers, for even less reason. If there are specific business sites using Java that you must access, then use IE with Java exclusively for those, and Firefox or Chrome for normal browsing. Using Java on the open web is just asking to get 0wned.

    • by Megahard (1053072) on Monday August 27, 2012 @12:43PM (#41138961)
      Agreed. Before HTML5, Java was an acceptable way to implement app-like stuff in the browser. Now with dynamic HTML, Canvas, SVG, and AJAX, Java in the browser has become an anachronism.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Better yet, disable all plugins by default (or set for "click to run"), and whitelist sites you regularly visit and trust. You should have a minimal attack surface when visiting *any* site you don't explicitly trust.

    • by CAIMLAS (41445)

      It's exploits like this which make me pine for someone to re-implement VMS security mechanisms for modern operating systems. If I could get that kind of granular control at the IP level of a network, I'd be even happier. "Prohibit all traffic from to anywhere except sites x, y, z". It wouldn't be a fix, but it'd sure help.

      I know I can do it with layer 7 filtering, but it's still a huge headache today.

    • by antdude (79039)

      I have it disabled 99% of the times. My work's time card system and online classes/courses require Java. Lame, I know! :(

  • If I remind well (Score:5, Interesting)

    by Vapula (14703) on Monday August 27, 2012 @01:04PM (#41139223)

    During SUN's era, the motto for Java was : "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep java's secure reputation...

    But now, it's Oracle... Oracle screwed up on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatment VirtualBox gets...

    • Oracle screwed up on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatment VirtualBox gets...

      Larry Ellison glances at his screwdriver...

      • by snemarch (1086057)

        Larry Ellison glances at his screwdriver...

        ...then laughs manically, and screws everybody over. Again.

    • During SUN's era, the motto for Java was : "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep java's secure reputation...

      But now, it's Oracle... Oracle screwed up on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatment VirtualBox gets...

      Well, Oracle doesn't need to fix Java. Oracle is "Unbreakable"[TM]

  • Simply put, I have absolutely no apps that depend on JAVA and this is exactly why. As someone else said, the best solution is to remove JAVA entirely and never let it near your system again. Friends don't let friends install Java and we don't do windows.

  • Lots of vendors like to ship custom Java versions which their programs use (installed in their applications' subdirectories), and they rarely update the Java versions when a vulnerability is found for the version they based their custom job on.
  • by jlusk4 (2831) on Tuesday August 28, 2012 @08:14AM (#41147507)

    My JRE wants to update itself every time I turn around, and I say "why, yes, go ahead". Where does this "quarterly update cycle" statement come from?

  • They must not have looked at Java's security history since about version 6r16 when they decided to do quarterly updates. Although, they've broken many, many, many installs of Java by releasing 3 or 4 updates in 1 month. Maybe they should just build it with some sort of security in mind and they wouldn't have this problem.
  • by seandiggity (992657) on Tuesday August 28, 2012 @07:02PM (#41159303) Homepage
    If you know you need a JRE, try GCJ or IcedTea/OpenJDK version 6, and see if your Java program will still run (or if you can tweak settings to get it to run). This comparison of Java VMs is helpful: http://en.wikipedia.org/wiki/Comparison_of_Java_virtual_machines [wikipedia.org]

    For GNU/Linux users, there are a lot of choices to avoid this, if our platforms are even targeted. For Windows and Mac OSX users, I've been recommending:
    1. Uninstall all versions of Sun/Oracle Java JRE
    2. Install OpenJDK 6, only if needed (easy install packages here http://www.openscg.com/se/openjdk/index.jsp [openscg.com] )

    ^ that link also has install packages for GNU/Linux, but obviously you'll want to use your distro's package manager if you have one. Also, I recommend uninstalling *all versions* of Sun/Oracle Java, not just 7, because it's a simpler instruction for users. I find a lot of people hit a cognitive wall when they have to check software versions, even if the info is right in front of them.
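Step 1 of the list above, as an added Windows example that is not the commenter's code: a PowerShell inventory of every Java runtime registered with Add/Remove Programs, flagging all Sun/Oracle builds regardless of version (so the user never has to tell 6 from 7) while leaving OpenJDK builds alone. It assumes the JREs were MSI-installed, so their uninstall strings carry an MSI product code, and that it runs from an elevated prompt.

```powershell
# Added example, not from the thread. Lists Java runtimes from the Windows
# uninstall registry and removes the Sun/Oracle ones via msiexec (dry run by default).

function Get-JavaInstall {
    # Both hives are read: the 32-bit JRE registers under Wow6432Node on 64-bit
    # Windows, and many machines carry both bitnesses at once.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '\b(Java|JRE|JDK|J2SE)\b' } |
        ForEach-Object {
            # Pull the MSI product code ({GUID}) out of the uninstall string, if any.
            $code = if ($_.UninstallString -match '(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] } else { $null }
            [PSCustomObject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                # Flag every Sun/Oracle build, whatever its version; other vendors pass.
                Remove      = [bool]($_.Publisher -match 'Sun Microsystems|Oracle')
                ProductCode = $code
            }
        }
}

function Remove-OracleJava {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($java in (Get-JavaInstall | Where-Object { $_.Remove -and $_.ProductCode })) {
        if ($PSCmdlet.ShouldProcess("$($java.Name) $($java.Version)", 'msiexec /x')) {
            # Silent MSI removal by product code, with the reboot prompt suppressed.
            $proc = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($java.ProductCode) /qn /norestart" -Wait -PassThru
            if ($proc.ExitCode -ne 0) {
                Write-Warning "Uninstall of $($java.Name) returned exit code $($proc.ExitCode)"
            }
        }
    }
}

# Show the inventory, then dry-run the removal; drop -WhatIf to actually uninstall.
Get-JavaInstall | Format-Table -AutoSize
Remove-OracleJava -WhatIf
```

Runtimes bundled inside an application's own folder (the kind the comment further up describes) do not register here and have to be found by the vendor's own update mechanism.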
