
Java Exploit Patched? Not So Fast

Posted by timothy
from the few-beans-short dept.
PCM2 writes "The Register reports that Security Explorations' Adam Gowdiak says there is still an exploitable vulnerability in the Java SE 7 Update 7 that Oracle shipped as an emergency patch yesterday. 'As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.'"
  • Arrrrrg (Score:5, Insightful)

    by Haawkeye (2680377) on Friday August 31, 2012 @07:07PM (#41195557)
    Come on, really! That's it, Java is coming off my machines!
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Sandbox it externally. Don't rely on JRE to do it for you.

      • Re:Arrrrrg (Score:5, Insightful)

        by cbhacking (979169) on Friday August 31, 2012 @07:20PM (#41195645) Homepage Journal

        Using what, a VM? That's probably the easiest and most cross-platform, but that hardly makes it easy (especially since VMs that are designed for easy use make extremely poor sandboxes). AppArmor or SELinux or some such? Well beyond the capabilities of most users. A dedicated low-privilege user account? That's possible on pretty much any platform, but will still leave a mess that you'll have to clean up afterward.

        Besides, I'd really rather stop before the attacker gets arbitrary code execution on my machine. Java is disabled or simply not present on my machines, thank you.

        • Re:Arrrrrg (Score:5, Funny)

          by Jeremiah Cornelius (137) on Friday August 31, 2012 @07:24PM (#41195669) Homepage Journal

          Oracle should be "patched" by Anonymous.

        • by Anonymous Coward

          I personally use the sandbox tool that is part of the free Comodo Security Suite. It seems pretty intuitive and easy to me. Anything out of the ordinary and it will prompt if I want to continue (it will automatically deny it if I don't answer in the given time frame).

        • by reiisi (1211052)

          Well, I've been recommending [blogspot.jp] a sort-of simple procedure for *nix users, where you call your browser through a restricted, dedicated user account with no login privileges.

          By no means is it a perfect solution, but every speed bump and low wall helps a bit.

          One could (should?) basically set up such pseudo-users for specific required processes that will run a java vm, and refrain from using Java otherwise.

          Of course, any architecture that allows a server to feed a client a class that the client's machine will ins
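The dedicated-account launch reiisi describes, with the shared-display caveat lindi raises below, as an added shell example that is not part of the thread; the account name "javabox", the browser name and the script layout are assumptions.

```shell
#!/bin/sh
# Launch a browser for Java-requiring sites as a dedicated, non-login
# account, so that a sandbox escape lands in a throwaway home directory
# rather than in the primary user's files.
# Assumed names: account "javabox", browser "firefox"; override via env.
set -eu

JAVABOX_USER="${JAVABOX_USER:-javabox}"
BROWSER="${BROWSER:-firefox}"

# Return 0 if the passwd line's login shell is a nologin/false shell,
# i.e. the account cannot be used for an interactive login.
shell_is_nologin() {
    case "${1##*:}" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the named account exists and is a non-login account.
restricted_account_ok() {
    line=$(getent passwd "$1" 2>/dev/null) || return 1
    shell_is_nologin "$line"
}

# Give the restricted user its own copy of the current display's cookie
# instead of sharing the caller's ~/.Xauthority.
grant_display() {
    xauth nlist "$DISPLAY" | sudo -u "$1" xauth nmerge -
}

main() {
    if ! restricted_account_ok "$JAVABOX_USER"; then
        echo "create the account first, e.g.:" >&2
        echo "  sudo useradd --create-home --shell /usr/sbin/nologin $JAVABOX_USER" >&2
        return 1
    fi
    grant_display "$JAVABOX_USER"
    # -H gives the browser the restricted account's own HOME, so profile,
    # downloads and anything dropped by an exploit stay there.
    # Caveat from the thread: the process still shares the X display and can
    # synthesise key presses, so this is a speed bump, not real isolation
    # (a nested X server such as Xephyr would be needed for that).
    exec sudo -u "$JAVABOX_USER" -H env DISPLAY="$DISPLAY" "$BROWSER" "$@"
}

if [ $# -gt 0 ]; then main "$@"; else echo "usage: $0 URL..." >&2; fi
```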

          • by lindi (634828)

            Since you allow Java to talk to your X server it is trivial to break out of that sandbox. It can just simulate a few key presses to open a terminal and then inject whatever commands it wants. Or am I missing something here?

            • by reiisi (1211052)

              As I said, it's a speed bump, to be used in combination with other techniques, not a perfect solution.

              Relative to X11, the attack has to be aware that the user that the browser is running under is restricted and not a login browser, and decide to attack X11 instead of just dropping a keylogger and adding a line to the user's .bashrc to invoke it. Just buys you a little time, but that's not a bad thing.

        • Re:Arrrrrg (Score:5, Funny)

          by LordLimecat (1103839) on Friday August 31, 2012 @09:13PM (#41196405)

          Sandbox [Java VM] externally

          Using what, a VM?

          Yo dawg, I heard you liked virtual machines...

        • When VMWare Workstation was very, very young (2000) and had that beta new-software smell, the very first thing I did with it was create a dedicated browser appliance. Given that security has always been one aspect of what I do, it was extremely nice to have a machine that I could "nuke" after cruising the underground looking at existing (and sometimes upcoming) threats. If that doesn't do anything for your situation (use-case, blech!), Sandboxie or another sandbox software package might do the trick. Now
      • Re:Arrrrrg (Score:5, Informative)

        by Nerdfest (867930) on Friday August 31, 2012 @07:45PM (#41195821)

        I may have this wrong, but isn't this exploit only possible if you have Java enabled in your browser, which you only need to run Java applets? When was the last time you saw a Java applet? Disable it. I'm surprised it's still enabled by default (I think it's actually disabled in Chrome).

        • Re:Arrrrrg (Score:5, Insightful)

          by whoever57 (658626) on Friday August 31, 2012 @07:50PM (#41195855) Journal

          When was the last time you saw a Java applet?

          Try using Webex without Java enabled in your browser.

        • by wkcole (644783)

          I may have this wrong, but isn't this exploit only possible if you have Java enabled in your browser, which you only need to run Java applets?

          Or Java Web Start, which is basically downloaded (rather than embedded) applets

          When was the last time you saw a Java applet?

          The last time I needed to work in a single-user interactive shell on the console on one of our servers. It's been a few weeks, but when I need it, I NEED IT. The access mechanism that actually works is a dynamically generated JWS applet with embedded temporary auth tokens. A rather slick way to do safe working console access compared to some of the broadly dysfunctional and/or unsafe approaches I've seen.

          Disable it. I'm surprised it's still enabled by default (I think it's actually disabled in Chrome).

          I don't believe that an

        • Blackboard and Virtualmin are ones I'm forced to use on a regular basis.
        • by Anonymous Coward

          I may have this wrong, but isn't this exploit only possible if you have Java enabled in your browser, which you only need to run Java applets? When was the last time you saw a Java applet? Disable it. I'm surprised it's still enabled by default (I think it's actually disabled in Chrome).

          The last time I saw a Java applet? Every time I need to do Internet banking, which usually is several times a week. Switching to another bank is not only difficult and undesirable with my current mortgage, but most banks in my country (and many e-commerce sites) use the same Java-based standard for login. There are a few that don't, but they happen to be less desirable for a number of reasons, including mortgage terms.

        • by EvilIdler (21087)

          Denmark uses NemID, which is a Java applet-based login system for all sorts of official things. Norway uses it for many banks. It's not nearly as bad as South Korea's over-reliance on ActiveX, but there are quite a few services you can't use fully without frickin' client-side Java. I can't even get a bank statement without going through that Java login, as the mobile banking doesn't support more than looking at what's on the account and transferring money.

        • by gtall (79522)

          DoD is filthy with java applets, that stuff won't get rewritten any time soon.

        • by antdude (79039)

          My employer's time card system and online courses/classes still use Java. :( I hope v6 is OK.

        • iDRAC uses it, as does (IIRC) Equallogic SAN.

    • by tqk (413719)

      Come on, really! That's it, Java is coming off my machines!

      Is it too soon for me to say, "I told you so"? Because I did. When it was released, it was a buggy, system security nightmare and even after all these years, it's continued in that vein. This is what corporations want running on their machines, and relying on the goodness of Oracle's/Ellison's heart for support? Why?

  • Not surprising (Score:5, Interesting)

    by cbhacking (979169) on Friday August 31, 2012 @07:15PM (#41195609) Homepage Journal

    They've patched 6 of the 19 [security-e...ations.com] vulns that were reported back in April. Three were patched a couple months back as part of their usual 4-month patch cycle. As far as I know, those were never used in the wild. Three more were patched just recently, in response to rampant in-the-wild use and inclusion in exploit kits, etc.

    Of course, that leaves 13 still unpatched, and while apparently quite a few of them are defense-in-depth (insufficient, on their own, for full compromise), when you've got that many unpatched vulns it is totally unsurprising that somebody can chain a few of them together into a working exploit.

    • We know that the license (for Oracle's release) is a charade.

      Isn't the whole problem here derived from Oracle's attitude that they own this thing?

      I don't think it's possible to keep a closed/proprietary attitude and make secure software. I don't mean that the form of the license guarantees anything, there are always exceptions where the license and the community attitude are out of sync, but I think it's clear that software products have to be open to the end user to be secure.

      • by jhol13 (1087781)

        Utter bullshit.

        I use (X)Ubuntu 12.4. There is not a day without updates, usually somewhere between 10 and 20 updates per day (mostly not security, though).

        This has gotten worse; never before has Ubuntu been so bad. If this is a trend, next year I will be using more time patching my system than using it for work.

        • Ubuntu 12.4. There is not a day without updates

          Utter bullshit.

        • by thsths (31372)

          Ubuntu 12.04 had a lot of updates, that is true. Mostly kernel and libraries though, and the occasional Java update, of course.

          However, now we have Ubuntu 12.04.01, and it is much more mature (as announced). We should see updates going back to the usual level of maybe once a week, and less for a base system.

          There is not much Ubuntu can do about it - the bugs are in the software used to make Ubuntu, and unless you prefer old (stale) versions like in Debian stable, you will get frequent updates.

  • WORE (Score:5, Funny)

    by tobiasly (524456) on Friday August 31, 2012 @07:25PM (#41195679) Homepage

    Oracle should be commended for finally bringing their "Write Once, Run Everywhere(tm)" vision to the exploit community.

    • Re:WORE (Score:4, Funny)

      by sjames (1099) on Friday August 31, 2012 @08:07PM (#41195969) Homepage

      Honest to God, when I glanced at the subject, I read it as "WHORE" which seems somewhat apt for Java these days.

    • by PCM2 (4486)

      Oracle should be commended for finally bringing their "Write Once, Run Everywhere(tm)" vision to the exploit community.

      Funny, but it brings up an important point. These have all been Java bugs that allow attackers to execute malicious code. The malicious code itself, though, is not Java -- it's a binary payload. So while the vulnerabilities are cross-platform, and hence so are the exploits, the actual exploits that have been discovered in the wild so far would only really harm Windows systems. They actually included a little branching JavaScript that said, essentially, "Got Windows? Download payload.exe. Else Do Nothing." I

  • Not so fast (Score:5, Funny)

    by MobileTatsu-NJG (946591) on Friday August 31, 2012 @10:29PM (#41196783)

    Not so fast.

    Isn't that Java's mission statement?

    • by MROD (101561)
      No, Java is an exceptional language: at the slightest provocation it throws one.
  • I've had no need for it. Who does?
  • In Norway, all banks use a common login system called BankID [google.com] (a jointly developed PKI solution).

    This solution requires Java to be installed at client.

    It's quite hilarious.
    This basically leaves a complete country vulnerable when these exploits go wild.

    • by TheLink (130905)
      Solution: use a different browser running as a different user for banking. Or run it in a VM. Then make sure Java does not work on the browsers you use for other stuff.

      In fact you should do this for your banking stuff even if your bank doesn't require Java. Keep a separate banking browser+user account or VM for that.
    • by fa2k (881632)

      In Norway, all banks use a common login system called BankID [google.com] (a jointly developed PKI solution).

      It's nothing new that banks require insecure technology. Remember things like "this page only runs on IE"? Anyway, what you say is incorrect, I have an account with Storebrand and they only have a key generator dongle, not a smart card. I would also argue that moving an entire country to two-factor authentication is a net security *win*.

  • by someones (2687911) on Saturday September 01, 2012 @08:58AM (#41198961)

    I switched to OpenJDK a while back.
    In its early days it was bugged and crashed all the time, but that time seems a long-forgotten past.

    Is there a reason to favor Oracle's Java over OpenJDK?

  • White hats who discover Java exploits should also send a security report to the Java teams at Red Hat and Canonical (the latter do Java on Ubuntu and Debian). Oracle might sit on a 'sploit for months, but Debian isn't going to.
