Java Exploit Patched? Not So Fast
PCM2 writes "The Register reports that Security Explorations' Adam Gowdiak says there is still an exploitable vulnerability in the Java SE 7 Update 7 that Oracle shipped as an emergency patch yesterday. 'As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.'"
Arrrrrg (Score:5, Insightful)
Re: (Score:2, Informative)
Sandbox it externally. Don't rely on JRE to do it for you.
Re:Arrrrrg (Score:5, Insightful)
Using what, a VM? That's probably the easiest and most cross-platform, but that hardly makes it easy (especially since VMs that are designed for easy use make extremely poor sandboxes). AppArmor or SELinux or some such? Well beyond the capabilities of most users. A dedicated low-privilege user account? That's possible on pretty much any platform, but will still leave a mess that you'll have to clean up afterward.
Besides, I'd really rather stop before the attacker gets arbitrary code execution on my machine. Java is disabled or simply not present on my machines, thank you.
Re:Arrrrrg (Score:5, Funny)
Oracle should be "patched" by Anonymous.
Re: (Score:1)
I personally use the sandbox tool that is part of the free Comodo Security Suite. It seems to be pretty intuitive and easy to me. Anything out of the ordinary and it will prompt if I want to continue (it will automatically deny it if I don't answer in the given time frame).
Re: (Score:3)
Well, I've been recommending [blogspot.jp] a sort-of simple procedure for *nix users, where you call your browser through a restricted, dedicated user account with no login privileges.
By no means is it a perfect solution, but every speed bump and low wall helps a bit.
One could (should?) basically set up such pseudo-users for specific required processes that will run a java vm, and refrain from using Java otherwise.
Of course, any architecture that allows a server to feed a client a class that the client's machine will ins
Re: (Score:2)
Since you allow Java to talk to your X server it is trivial to break out of that sandbox. It can just simulate a few key presses to open a terminal and then inject whatever commands it wants. Or am I missing something here?
Re: (Score:2)
As I said, it's a speed bump, to be used in combination with other techniques, not a perfect solution.
Relative to X11, the attack has to be aware that the user that the browser is running under is restricted and not a login browser, and decide to attack X11 instead of just dropping a keylogger and adding a line to the user's .bashrc to invoke it. Just buys you a little time, but that's not a bad thing.
Re:about:addons (Score:4, Insightful)
Protip, your ass.
The real protip? If your bank requires you to enable java or flash to use their site, you're banking in the wrong place.
Now, pull your head out of your ass, and think "security" instead of "convenience".
Re: (Score:3, Interesting)
Oh well, welcome to my world. In Denmark, not only does the bank require Java. The _state_ requires you to use the same braindead Java-infested login (NemID), not only on all banks, but also on every publicly accessible site (Pensions, Healthcare, Unemployment benefits, Student benefits...).
No matter what I do, and which bank I choose, I need to use NemID, and Java.
I just disabled Java on my work machine. Now I need to make a virtual machine or something, if I actually want to pay my bills. :-(
Re: (Score:2)
Now, pull your head out of your ass, and think "security" instead of "convenience".
I cannot help but notice that you posted this on Slashdot, indicating that you have chosen to connect to the Internet instead of using pen and paper, thus choosing "convenience" over "security". Where does this place your head?
Every user must choose the *tradeoff* between convenience and security, and it will differ depending upon needs and desires. Claiming that anyone whose particular choice in this trade-off doesn't matc
Re: (Score:2)
That's all so very politically correct, and so all-inclusive - I almost feel like calling for a group hug or something.
Meanwhile, there are tens, maybe hundreds of thousands of computer users who have NEVER had their computers compromised - and perhaps a billion others who have had their computers compromised. There are millions upon millions whose computers are routinely compromised.
Now, I'll admit to something here, that is somewhat embarrassing. I used to belong to the club whose computers were routine
Re: (Score:2)
Well, I'm certainly not going to criticize your parenting skills: If you can get a teenager to do his own formatting and re-installation, you're miles above most of us :-).
As for your son's decision to value convenience over security, if he's willing to pay the price, I'd have a hard time arguing. (Okay, since he'd be bringing the infection inside *my* firewall, I would be arguing...)
Anyway, whenever I'm starting to get a bit huffy about users not willing to learn anything more than the bare minimum to do
Re:Arrrrrg (Score:5, Funny)
Sandbox [Java VM] externally
Using what, a VM?
Yo dawg, I heard you liked virtual machines...
Re:Arrrrrg (Score:5, Informative)
I may have this wrong, but isn't this exploit only possible if you have Java enabled in your browser, which you only need to run Java applets? When was the last time you saw a Java applet? Disable it. I'm surprised it's still enabled by default (I think it's actually disabled in Chrome).
Re:Arrrrrg (Score:5, Insightful)
Try using Webex without Java enabled in your browser.
Re:Arrrrrg (Score:4, Informative)
That product is pretty much a security exploit by its very nature.
Re: (Score:1)
Better idea. Don't use Webex, period.
Re: (Score:2)
Kinda hard, if your employer uses it, and it's the only way to join a remote meeting.
Re: (Score:2)
I may have this wrong, but isn't this exploit only possible if you have Java enabled in your browser, which you only need to run Java applets?
Or Java Web Start, which is basically downloaded (rather than embedded) applets
When was the last time you saw a Java applet?
The last time I needed to work in a single-user interactive shell on the console on one of our servers. It's been a few weeks, but when I need it, I NEED IT. The access mechanism that actually works is a dynamically generated JWS applet with embedded temporary auth tokens. A rather slick way to do safe working console access compared to some of the broadly dysfunctional and/or unsafe approaches I've seen.
Disable it. I'm surprised it's still enabled by default (I think it's actually disabled in Chrome).
I don't believe that an
Re: (Score:1)
I may have this wrong, but isn't this exploit only possible if you have Java enabled in your browser, which you only need to run Java applets? When was the last time you saw a Java applet? Disable it. I'm surprised it's still enabled by default (I think it's actually disabled in Chrome).
The last time I saw a Java applet? Every time I need to do Internet banking, which usually is several times a week. Switching to another bank is not only difficult and undesirable with my current mortgage, but most banks in my country (and many e-commerce sites) use the same Java-based standard for login. There are a few that don't, but they happen to be less desirable for a number of reasons, including mortgage terms.
Re: (Score:3)
Denmark uses NemID, which is a Java applet-based login system for all sorts of official things. Norway uses it for many banks. It's not nearly as bad as South Korea's over-reliance on ActiveX, but there are quite a few services you can't use fully without frickin' client-side Java. I can't even get a bank statement without going through that Java login, as the mobile banking doesn't support more than looking at what's on the account and transferring money.
Re: (Score:2)
DoD is filthy with java applets, that stuff won't get rewritten any time soon.
Re: (Score:2)
My employer's time card system and online courses/classes still uses Java. :( I hope v6 is OK.
Re: (Score:2)
iDRAC uses it, as does (IIRC) Equallogic SAN.
Re: (Score:1)
Come on, really! That's it, Java is coming off my machines!
Is it too soon for me to say, "I told you so"? Because I did. When it was released, it was a buggy, system security nightmare and even after all these years, it's continued in that vein. This is what corporations want running on their machines, and relying on the goodness of Oracle's/Ellison's heart for support? Why?
Not surprising (Score:5, Interesting)
They've patched 6 of the 19 [security-e...ations.com] vulns that were reported back in April. Three were patched a couple months back as part of their usual 4-month patch cycle. As far as I know, those were never used in the wild. Three more were patched just recently, in response to rampant in-the-wild use and inclusion in exploit kits, etc.
Of course, that leaves 13 still unpatched, and while apparently quite a few of them are defense-in-depth (insufficient, on their own, for full compromise), when you've got that many unpatched vulns it is totally unsurprising that somebody can chain a few of them together into a working exploit.
Is Oracle's "proprietary" attitude the problem? (Score:3)
We know that the license (for Oracle's release) is a charade.
Isn't the whole problem here derived from Oracle's attitude that they own this thing?
I don't think it's possible to keep a closed/proprietary attitude and make secure software. I don't mean that the form of the license guarantees anything, there are always exceptions where the license and the community attitude are out of sync, but I think it's clear that software products have to be open to the end user to be secure.
Re: (Score:2)
Utter bullshit.
I use (X)Ubuntu 12.4. There is not a day without updates, usually somewhere 10-20 updates per day (mostly not security though).
This has gotten worse; never before has Ubuntu been so bad. If this is a trend, next year I will be using more time patching my system than using it for work.
Re: (Score:1)
Ubuntu 12.4. There is not a day without updates
Utter bullshit.
Re: (Score:2)
Ubuntu 12.04 had a lot of updates, that is true. Mostly kernel and libraries though, and the occasional Java update, of course.
However, now we have Ubuntu 12.04.01, and it is much more mature (as announced). We should see updates going back to the usual level of maybe once a week, and less for a base system.
There is not much Ubuntu can do about it - the bugs are in the software used to make Ubuntu, and unless you prefer old (stale) versions like in Debian stable, you will get frequent updates.
WORE (Score:5, Funny)
Oracle should be commended for finally bringing their "Write Once, Run Everywhere(tm)" vision to the exploit community.
Re: (Score:3)
Ah, but ActiveX only ever ran on Microsoft platforms. With Java, you can exploit OS X, Linux, BSD, and so on through any browser with the Netscape plugin API (a.k.a. almost all of them)! Truly, a great day for the blackhats of the world.
On a more serious note, this does highlight two problems with modern computing:
1. Write-once-run-everywhere is convenient for developers, but puts a huge security burden on the platform developer (a burden which Oracle seems either unwilling or unable to bear). If you want t
Re:WORE (Score:5, Interesting)
Normally I'd agree with you, but the exact same thing is true of JavaScript and yet very, very few people are calling for a universal end to that. Now, a handful of people (relative to the global computer userbase) use NoScript, but even among NoScript users most realize that it's either too complex or too difficult for most people to use correctly all the time.
As it happens, I do block plug-ins (especially Flash and Java) by default, permitting them only on a case-by-case basis, except where I can remove them entirely. However, even to my (highly technical; he's been coding since he was in high school) father, that's too much of a hassle. He expects (rightly, if not wisely) that software vendors will keep their software as secure as possible, and respond quickly to any threats. That's the standard to which I'm holding Oracle here, and they're failing to meet it.
Re: (Score:2)
Briefly, thank[fully]? Really? As opposed to a security-vulnerable closed source Java app, as so many seem to be nowadays? At least the perl community seems to try to fix their security issues in a relatively timely manner, and, being open source, theoretically someone else can come out with a patch if the perl devs were too slow to fix it.
(PHP and Python obviously suffer from the same benefits as Perl, though I don't know their communities as well.)
And perl couldn't be embedded in a web page - it could
perlscript, I think (Score:2)
I think the gp was talking about perlscript.
Re:WORE (Score:5, Informative)
> With Java, you can exploit OS X, Linux, BSD, any ...
I know you say "Java applets" later on, but it is important to qualify this at every stage (since even the techie Slashdot readers appear to be horribly ignorant that there are differences between JavaScript, Java applets and Java applications).
Readers should take note:
Now cue the hundreds of Java-hating posts that don't know the difference between JavaScript, Java applets and Java applications/servlets but still think that some other technology is more secure (hint: it is not - every tech out there has holes that get discovered from time to time - including your operating system).
Re: (Score:2)
Correct, but slightly missing the point I was trying to make. The Java vulns being discussed here are all ways to break out of the applet sandbox. Java applets *are* Java - they're exactly the same language, executing in exactly the same runtime - but there's supposed to be restrictions on the APIs that allow Java code to modify the system it runs on. These restrictions form the applet sandbox, and breaking them allows a website to gain arbitrary code execution on your system.
The important point that I was
Re: (Score:2)
Java applets aren't a browser vulnerability, they're a Java vulnerability. The entry vector is through the browser, but that's beside the point - Java is supposed to provide a sandbox for applets and that sandbox's walls are awfully low. The problem isn't that the attacker can tell Java to execute arbitrary code, it's that Java will obey even when that code violates the security guarantees it is supposedly making.
Also, you should brush up on your computing history. Java applets are explicitly designed as a
Re: (Score:2)
> A malformed JPEG may successfully execute shellcode on one broken image decoder/renderer, simply crash another, and be caught and thrown out by a third. Which thing happens to any given client (visitor to the page hosting it) will depend on the client's software environment: their browser, their OS, whether they use 32-bit or 64-bit, etc. If you want to make it cross-platform, you'll need to not only have an exploit that works on multiple image libraries (or a suite of exploits that together cover all
Re: (Score:2)
JPEG fuzzing is relatively easy, so the popular parsers of the format have become quite safe over time. As a general class of exploit, though, such things definitely still exist. They're nothing like the Java vulns under discussion here, except for the insignificant similarity that they can be used for remote attacks through a browser, but similar attacks targeting various complex binary formats (*cough*PDF*cough*) are still being developed.
Re: (Score:2)
You haven't been looking?
RMI WORE (Score:2)
.. Remote Method Invocation ..
I simply cannot imagine what Sun was smoking when they added this to Java. Even without an exploit, setting up the security manager/context is not something the end-user is going to do, so it is going to get left to the server-side, which is basically offering root to the vm to the server.
Re: (Score:2)
Good thing no one uses RMI ;)
... in a trusted environment (Score:2)
I don't believe in trusted environments, not when the end-user can change his IP and/or MAC, etc.
The effort you have to go through to set up the certificates, the chain-of-trust, the execution context, constant checks, etc., and I tend to think the out-of-band solutions work better.
Re:WORE (Score:4, Funny)
Honest to God, when I glanced at the subject, I read it as "WHORE" which seems somewhat apt for Java these days.
Re: (Score:2)
Oracle should be commended for finally bringing their "Write Once, Run Everywhere(tm)" vision to the exploit community.
Funny, but it brings up an important point. These have all been Java bugs that allow attackers to execute malicious code. The malicious code itself, though, is not Java -- it's a binary payload. So while the vulnerabilities are cross-platform, and hence so are the exploits, the actual exploits that have been discovered in the wild so far would only really harm Windows systems. They actually included a little branching JavaScript that said, essentially, "Got Windows? Download payload.exe. Else Do Nothing." I
Not so fast (Score:5, Funny)
Not so fast.
Isn't that Java's mission statement?
Why would I run Java on my browser? (Score:2)
Re: (Score:3)
I've had no need for it. Who does?
Lights out management of servers?
Re: (Score:2)
No, I don't know how many times Apache got caught for such stupidity. Care to share some references?
There's a huge difference between "ship with no known bugs" and "ship with no externally known security exploits". The former is unrealistic of any major piece of software. The latter is (or should be) mandatory of any major software vendor. The folks who reported the 19 vulns originally also sent Oracle 12 distinct POCs for those vulnerabilities. To date (over four months later), Oracle has patched only 6 of
The total FAIL of Norway (Score:2)
In Norway, all banks use a common login-system called BankID [google.com] (a joint-developed PKI solution).
This solution requires Java to be installed on the client.
It's quite hilarious.
This basically leaves a complete country vulnerable when these exploits go wild.
Re: (Score:2)
In fact you should do this for your banking stuff even if your bank doesn't require Java. Keep a separate banking browser+user account or VM for that.
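The dedicated-account approach described earlier in the thread (calling the browser, and with it the JVM, through a restricted user with no login privileges) and the separate banking account recommended here can be scripted. The block below is an added example, not any commenter's own procedure or any project's code. It assumes a Debian/Ubuntu-style system with adduser and sudo, a nologin shell at /usr/sbin/nologin, and an account name javabox, which is a constructed placeholder. The check function parses passwd(5) lines so that the launcher refuses to run anything as an account that is not actually restricted.

```shell
#!/bin/sh
# Added example, not from the thread: a dedicated no-login account for the
# browser/JVM, plus a check that the account is really restricted before use.
# Assumptions: Debian/Ubuntu adduser and sudo; /usr/sbin/nologin present;
# "javabox" is a constructed placeholder account name.

# Succeed (exit 0) when a passwd(5) line describes a restricted account:
# a non-root numeric UID and a shell that refuses interactive logins.
is_restricted_passwd_line() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;   # not a numeric UID: malformed line
    esac
    [ "$uid" -ne 0 ] || return 1   # never treat root as "restricted"
    case "$shell" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the named account exists on this system and is restricted.
account_is_restricted() {
    line=$(getent passwd "$1") || return 1
    is_restricted_passwd_line "$line"
}

# One-time setup (run as root): password login disabled, no interactive shell,
# but a home directory so the browser profile has somewhere to live.
create_sandbox_user() {
    adduser --disabled-login --shell /usr/sbin/nologin --gecos "" "$1"
}

# Launch a command as the restricted account. sudo -u does not go through the
# login shell, so the nologin shell blocks password logins without blocking this.
# The X11 caveat raised earlier in the thread stands: the process still shares
# the display (granted here with xhost), so this is a speed bump, not isolation.
run_as_sandbox_user() {
    user=$1; shift
    if ! account_is_restricted "$user"; then
        echo "refusing to run as '$user': not a restricted account" >&2
        return 1
    fi
    xhost "+SI:localuser:$user" >/dev/null
    sudo -u "$user" -H "$@"
}

# Example session (constructed):
#   sudo sh -c '. ./sandbox.sh; create_sandbox_user javabox'
#   . ./sandbox.sh; run_as_sandbox_user javabox firefox https://bank.example
```

The xhost grant is scoped to one local user rather than opening the display to everyone, but it still leaves the browser able to talk to the X server, which is exactly the limitation pointed out in the reply about simulated key presses; the account check only guarantees that a typo or a reused account name does not silently launch the browser as a full login user.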
Re: (Score:1)
In Norway, all banks use a common login-system called BankID [google.com] (a joint-developed PKI solution).
It's nothing new that banks require insecure technology. Remember things like "this page only runs on IE"? Anyway, what you say is incorrect, I have an account with Storebrand and they only have a key generator dongle, not a smart card. I would also argue that moving an entire country to two-factor authentication is a net security *win*.
Re: (Score:2)
> Who's in the enterprise world using Java 1.7 anyway?
Enterprise applications requiring Java 7 are rare. Enterprise applications requiring Java 6 or better are not.
Unfortunately, Java 6 doesn't exist for OS X (i.e., Macintosh). Java 7 is the first real version of Java Mac users have had in literally *years*.
For Mac users, the next step down from Java 7 isn't Java 6... it's Apple's broken, obsolete, Steve-shackled Java 5. If a Mac user wants to run Netbeans 7, in particular, he has exactly two choices: inst
OpenJDK vs. Oracle Java? (Score:3, Interesting)
I switched to OpenJDK a while back.
In its early days it was bugged and crashed all the time, but that time seems long forgotten past.
Is there a reason to favor Oracle's Java over OpenJDK?
Send security reports to RH/Canonical (Score:2)
White hats who discover Java exploits should also send a security report to the Java teams at Red Hat and Canonical (the latter do Java on Ubuntu and Debian). Oracle might sit on a 'sploit for months, but Debian isn't going to.