
Researcher Develops Patch For Java Zero Day In 30 Minutes

Posted by Soulskill
from the 30-minutes-or-less-or-your-zero-day-is-free dept.
Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."
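The story calls this a sandbox escape, so it helps to see what the sandbox actually is and therefore what such a bug switches off. The following is an added example for this page, not code from the story, from Security Explorations, or from Oracle, and it is not the exploit: it runs a file read and a process spawn twice, once as ordinary trusted application code and once after installing the JRE's default SecurityManager, the same mechanism the browser plugin used to confine applets. Classpath code under the default policy holds only a few read-only property permissions, so both operations are refused the second time. The file path and the command are assumptions chosen to exist on stock Windows and Linux installs; adjust them for other platforms.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.AccessControlException;

/**
 * Added example: what the Java sandbox checks, and therefore what a
 * sandbox-escape bug bypasses. Not the exploit and not Oracle's code.
 */
public class SandboxDemo {

    /** Attempt to read a host file; the sandbox demands a FilePermission for this. */
    static String tryReadFile(String path) {
        try (FileInputStream in = new FileInputStream(new File(path))) {
            in.read();
            return "read " + path + ": ALLOWED";
        } catch (AccessControlException e) {
            // Thrown by the SecurityManager's access check, not by the file system.
            return "read " + path + ": DENIED, missing " + e.getPermission();
        } catch (IOException e) {
            return "read " + path + ": I/O error, " + e.getMessage();
        }
    }

    /** Attempt to spawn a process, the usual first step after a real escape. */
    static String tryExec(String cmd) {
        try {
            Process p = Runtime.getRuntime().exec(cmd);
            p.destroy();
            return "exec " + cmd + ": ALLOWED";
        } catch (AccessControlException e) {
            // checkExec() maps to a FilePermission with the "execute" action.
            return "exec " + cmd + ": DENIED, missing " + e.getPermission();
        } catch (IOException e) {
            return "exec " + cmd + ": I/O error, " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Assumed targets: a world-readable file and a harmless command that exist
        // on stock Windows and Linux installs (assumptions for this example only).
        boolean windows = System.getProperty("os.name").startsWith("Windows");
        String path = windows ? "C:\\Windows\\win.ini" : "/etc/hostname";
        String cmd = "hostname";

        System.out.println("-- no SecurityManager: trusted application code --");
        System.out.println(tryReadFile(path));
        System.out.println(tryExec(cmd));

        // Install the default SecurityManager. From here on every sensitive call
        // consults the policy; classpath code gets only the handful of read-only
        // property permissions in the JRE's java.policy, so both probes fail.
        // The browser plugin did the same for applets; a sandbox escape is any
        // bug that lets untrusted code bypass or remove this check.
        System.setSecurityManager(new SecurityManager());

        System.out.println("-- with SecurityManager: sandboxed like an applet --");
        System.out.println(tryReadFile(path));
        System.out.println(tryExec(cmd));
    }
}
```

Compile with `javac SandboxDemo.java` and run with `java SandboxDemo`. It runs as written on Java 7 and 8, the versions the story concerns; JDK 18 through 23 require `-Djava.security.manager=allow` before `setSecurityManager` will succeed, and JDK 24 removed the SecurityManager entirely, which is why the applet model it protected is gone with it.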

  • Code review (Score:5, Insightful)

    by danomac (1032160) on Tuesday October 23, 2012 @06:21PM (#41745977)

    They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...

    • Re:Code review (Score:5, Insightful)

      by wonkey_monkey (2592601) on Tuesday October 23, 2012 @07:02PM (#41746303) Homepage
      Exactly. The amount of time taken to write a patch is almost entirely inconsequential here. It's the time taken to ensure that the patch doesn't accidentally open 1001 other holes that matters.

      A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce

      And someone at Java may have written a patch for the exploit in 1 minute six weeks ago. In terms of actual useful information this headline probably boils down to

      Researcher Develops Patch For Java Zero Day

      which isn't quite as immediately sexy.

      • by sjames (1099)

        It does give us some idea of the extent of the patch (quite limited) and thus the effort required to revalidate the package (small as that sort of thing goes). I find that information useful in evaluating Oracle's response.

    • TFA incorrectly called this a zero day. It has to be known to be actively exploited in the wild first.
    • I doubt they'll push any patch out without testing it.

      You must be new to Oracle. I envy you.

  • by Anonymous Coward

    I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premiere and decided to tank it.

    • by Nyder (754090)

      I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premiere and decided to tank it.

      Okay, this is weird. I happen to be watching the 30 Rock Season 7 premiere right now.

      • by Anonymous Coward

        Are you saying it's weird because you're watching it or because you're an executive at Oracle?

        • by Smallpond (221300)

          Actually, it's weird because he's Alec Baldwin.

          • Actually, it's weird because he's Alec Baldwin.

            Actually, it's weird because someone actually watches 30 Rock.

            Actually, it's weird because someone actually watches NBC.

  • by Anonymous Coward on Tuesday October 23, 2012 @06:33PM (#41746097)

    It's in testing it.

    • by pkinetics (549289)
      With Oracle products, it seldom is the testing of just the SE app. It's all their other apps that integrate into it that are the problem. Further down the chain, it is the vendors who use the Oracle products that are even more hosed, which ends up holding up the deployment of the client.
      • Since when has Oracle / Sun cared about breaking compatibility with Java? IIRC many older Cisco web-config pages use Java 1.4.2 u7 (or something)-- any newer (update 8) and it breaks. And when JavaSE7 came out, it broke LibreOffice and basically every other app I used (I think CrashPlan too). Backwards compatible my foot.

        Pretty sure the various iterations of BES break horribly if you try to update their java-- but that might not be a java issue per se.

        • by jroysdon (201893)

          Java 6 update 37 also broke the ASA ASDM interface. Works just fine with Java 6 update 33 (update 35 wasn't a real security fix for Java 6). TAC is reviewing and will probably post a bugid soon.

    • You're 100% correct that a reasonable amount of effort is needed to test a patch that is going to be deployed to users and enterprise systems.

      But here we have a known exploit, and Oracle with their huge pool of resources cannot manage to release a patch for it before Feb 2013? You can believe that they don't have the resources to test the patch in a shorter time frame or even create a better one? I seriously doubt that it takes Oracle months to regression test a single patch.

      The bottom line is that Oracle are

  • I don't see how it can be called critical updates if they only do them twice a year. That doesn't sound like the patches they put out on those days are very critical. Unless this is another word we are changing the meaning of...

    • Glad to know someone else thought about that, too. On the one hand we have the frenetic "let's monitor the internet to make the web safer!" (a few stories back). Then on the other we get "Oh well, there's a security flaw that we won't fix until February."

    • Re:5 months? (Score:5, Insightful)

      by Local ID10T (790134) <ID10T.L.USER@gmail.com> on Tuesday October 23, 2012 @07:43PM (#41746573) Homepage

      Microsoft has Patch Tuesday, Oracle has Patch February...

      • by cusco (717999)
        And Adobe just leaves security holes with known exploits in the wild for Acrobat open for two years, never fixes them in the free version of Reader, and then tells users they have to upgrade Reader even though it breaks things. Only software company I loathe more than Oracle.
  • by Deathlizard (115856) on Tuesday October 23, 2012 @06:46PM (#41746189) Homepage Journal

    Windows [java.com]

    Linux [java.com]

    Mac OS X [java.com]

    • by Anonymous Coward

      Stupid noob question: Does a vulnerability like this affect Linux boxes that are running Java?

    • by Anonymous Coward

      Well many of us do development with Java and wish to use it for developing server-based programs on Windows machines, but the installer insists on inserting its tendrils deep into any web browser it can find. Is there any way to prevent this because it is easy to overlook disabling this after the upgrade. Keeping it from installing the shovelware is bad enough.

      • Re:Patch right here! (Score:4, Informative)

        by Deathlizard (115856) on Tuesday October 23, 2012 @07:22PM (#41746437) Homepage Journal

        1) install 64 bit java
        2) Uninstall IE, or don't use IE 64 bit.
        3) remember to update, because 64 bit java doesn't have an updater. Not that it works anyway.

        The 32 bit browsers (chrome, firefox, even 32 bit IE) won't use the 64 bit java to run applets and since IE is the only 64 bit browser and cannot be set as the default browser, it will limit your attack surface.

  • by NinjaTekNeeks (817385) on Tuesday October 23, 2012 @06:49PM (#41746209)
    Provided to Oracle on the 19th and Oracle plans to patch it in February. This has got to be a dream come true for the bad guys, while Oracle tests the fix, they can find and start adding it to their exploit kits.
  • well... (Score:4, Insightful)

    by SuperDre (982372) on Tuesday October 23, 2012 @06:57PM (#41746269) Homepage
    Writing the patch might not take a long time, but testing that it doesn't break any software out there (except exploits of course) does. A lot of times it's easy to fix stuff, but you just can't release it if it breaks a lot of stuff which is already out there, and that's where the problem lies.
  • ...patched by Google not long ago.

  • by dgharmon (2564621) on Tuesday October 23, 2012 @07:28PM (#41746475) Homepage
    Why doesn't this vuln run on OS X or Linux, why is Oracle discriminating against these?
  • I say, put him in jail. maximum security. For life. NO, 10 lifetimes. And let him watch Obama-Romney debate. Only. Day and night (wow, i am sooo cruel).
  • Oracle hasn't in the past worked with a lot of end user software, and it shows. I get the impression Larry Ellison doesn't like the short turnaround required for desktop software updates. The out-of-band java update they released for (at least) Windows 7 a couple weeks ago was disorganized. Two support people at work managed to install separate versions on their own computers. Version 7 is actually a point update of version 6. They may be the same version, and only show differently in Control Panel. Our company uses a lot of java (and Oracle software) and it's getting difficult to keep it organized and keep Oracle products talking to other Oracle products.

    I can imagine their biggest problem is the number of platforms they have to support-- and software versions. I've learned to skim through the documentation for indications of incompatibility between versions of software before installing anything. Grumble.
  • I've had very quick turnarounds for certain fixes in the past. An example would be: "Oops, I forgot the semi-colon here...[type type]...Compile, there!"

    Then the office goes, "Damn you're fast!" Tell them what happened?....naaaah.

    • by Rockoon (1252108)
      Anyone care to take a shot at estimating how many man-years have been globally wasted finding missing semicolons?

      A thousand? A hundred thousand?
      • by Tablizer (95088)

        There used to be an urban legend that one of the Mariner planet probes crashed due to comma in a Fortran program that was supposed to be a period. Although it was an urban legend, it is possible to make a compile-able mistake like that in Fortran.

  • by Anonymous Coward

    If you're working on a Linux box, there's a very simple way to deal with the uber fiasco that Java is: install it from the .tgz / .bz2 given by Oracle, as a non-root user.

    Do NOT install Java from the OpenJDK: most Linux distros have a major security issue in that they require you to be root to install packages (I've been using Linux since the mid-nineties and I swear by Linux, but there's no frigging way I'll let any package install Java "system wide" on my Linux system).

    So go d/l the .tgz / .bz2 or whatever and t

    • by ls671 (1122017)

      Reading your post, at first glance, you seem to confuse who owns the executable and who runs the executable.

      Simply "xhost +localhost" your X session so that the "web surfing" account can display its browser windows in your main X session

      This should be sufficient to ensure Java only has the permissions of the "web surfing" account. It doesn't matter who owns the executable really unless it has a sticky bit set, and I have never seen a Java executable with the sticky bit set yet in any install that I have done.

  • So, Java SE stands for Java Sandbox Escape... Interesting!
  • Years later, we're still fixing his fixes.

    Patch speed is rarely critical, outside of Star Trek.

  • Can we assume this is dealt with or n/a for OpenJDK? Why aren't the large users of Java cooperating to remove Oracle's significance here?
