
Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities

Posted by Unknown Lamer
from the brought-to-you-by-c-sharp dept.
msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809; the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."
  • Uninstall (Score:5, Funny)

    by Dan East (318230) on Monday March 04, 2013 @08:37PM (#43074545) Homepage Journal

    I uninstalled everything starting with "java" on my computers, and the only thing now missing is the every-other-day notification that Java needs to be updated.

  • Open office won't work without Java. Maybe some day I'll be convinced that they have their stuff together again and I'll reinstall it.

    • by mcl630 (1839996) on Monday March 04, 2013 @08:51PM (#43074621)

      Most of the Java vulnerabilities are in the browser plugin. You can always install Java and just disable the browser plugin.

    • by TsuruchiBrian (2731979) on Monday March 04, 2013 @08:53PM (#43074623)
      You can have the java virtual machine installed without using the java applet plugin for your browser. The recent security problems are only for the java applet browser plugin, which is now disabled by default by firefox and probably other browsers as well.
    • by Desler (1608317) on Monday March 04, 2013 @08:59PM (#43074649)

      Open office won't work without Java.

      Sure it does. The only parts that really required Java were a couple of wizards and the RDBMS.

      • by smash (1351) on Monday March 04, 2013 @09:31PM (#43074859) Homepage Journal
        .... and Base is pretty damn broken anyhow. I tested it a couple of months back - create new database. Create a single table with 2 fields, a primary key and a name. It crashed when I tried to save the table design. Doesn't exactly inspire confidence as far as holding my data goes, which is somewhat crucial for a DATABASE.
        • by smash (1351)
          This was on a 15 minute old install of debian stable, by the way. Not some bleeding edge or ricer-cflags distribution.
        • by Trogre (513942)

          Interesting. OpenOffice.org or Libreoffice?

    • Re: (Score:3, Interesting)

      by Anonymous Coward
      I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.
      • by rwyoder (759998)

        I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.

        +1
        I switched to Libre Office long ago, and can't find any reason anyone would still use OpenOffice.

    • by antdude (79039)

      OpenOffice doesn't require Java for everything. What do you use for its Java?

      • It says you can't install it unless you have Java installed or did the last time I tried to install it.
        My wife has a multi PC copy of MS Office and I use that, most of the time anyway, for what little word processing I do that Google Docs won't do.

    • by dissy (172727) on Monday March 04, 2013 @10:51PM (#43075235)

      Just install 64 bit java JRE only. There are no browser plugins in the 64 bit JRE, only the 32 bit JRE, so none of the vulnerabilities released in the past 3 or 4 years will affect you.

      As a bonus, since there are no browser addons in 64 bit JRE, you won't ever see that annoying ask toolbar garbage from them again.

  • by Anonymous Coward

    I have Java on my computer, but it is warm, tasty, and resides in a mug, but most importantly is exploit proof!

    • The worst part about this is the statement is inherently untrue.

      If an attacker were to gain physical access to your machine, I could easily picture a nice denial of service attack one could perform with a hot cup of java on your computer.

      Here is a hint: it's the type that destroys the hardware.

      I don't know your setup, but I'd also question the stability of your java platform (and the cup too). If you get a user panic error, you could easily destroy your machine.
  • by csumpi (2258986) on Monday March 04, 2013 @08:56PM (#43074637)
    Even worse than the vulnerabilities are the _constant_ nagging for updates. Then on top of it, the way java updates is stupid. With every update a new version is installed, and the old ones are left uninstalled. So it got uninstalled. All of it.

    The language is ok, but everything else about java just plain sucks.
    • Compared to Adobe?

    • by Anonymous Coward

      I think java 7 installs updates in place - no more need to uninstall old versions. It says it does this somewhere on the oracle updater site, & it seems to be working for me on a number of platforms.

      • by Anonymous Coward

        http://docs.oracle.com/javase/7/docs/webnotes/install/windows/patch-in-place-and-static-jre-installation.html
        Haven't the faintest why this isn't documented more clearly in their other pages related to installation & patching.

    • by Nimey (114278)

      What do you mean "the old ones are left uninstalled"? Are you griping about it getting rid of old vulnerable versions, or do you have really ancient copies of Java prior to 6.0 update 10 still installed? Java 6u10 was the first version to be automatically removable by subsequent versions, so 6u7 and earlier must be manually uninstalled.

      The updater still sucks in that it requires manual intervention instead of updating in the background, yes.

    • by gstoddart (321705) on Monday March 04, 2013 @09:43PM (#43074945) Homepage

      Even worse than the vulnerabilities are the _constant_ nagging for updates.

      And proclivity for trying to install the Ask.com toolbar.

      Currently that is my biggest beef with Java -- after the fact that it seems to be glaringly insecure, and I can't figure out if they broke it, or it was always broken. :-P

      • by jandrese (485)
        And frankly, I suspect that Ask.com bar is full of security holes too.
        • by gstoddart (321705)

          I certainly assume it is ... every thing you install these days wants to install some form of search bar or browser plugin.

          The answer is always "no".

    • by smash (1351)
      Even worse - a recent Java update decided to upgrade me from Java 6 to Java 7 (I know this is the case, because I don't install Java 7 myself). It left Java 1.6u38 installed, and no update to Java 6. I have applications that do not run on Java 7. So I'll be running Java 6. Which is still insecure on my machine.
    • Even worse than the vulnerabilities are the _constant_ nagging for updates.

      1. Remove the scheduled updater task.
      2. Install Secunia PSI
      3. Profit.

      Also, the JRE is updated nowadays. Only old JDKs are not removed, but that makes sense (to a developer).

  • http://www.oracle.com/technetwork/java/javase/6u43-relnotes-1915290.html [oracle.com]
    After this one you will need to pay for a support contract or upgrade to Java 7.

    • I was checking java 6 builds the other day and I'm almost positive that "This is the last release" message was in the update 41 release notes before 43 was released.

    • by Nimey (114278)

      Marvelous. We just bought a package that requires 6 to work and doesn't with 7, /and/ it needs the browser plugin.

      Eat a bag of dicks, Ellison.

      • by yuhong (1378501)

        Just bought? The support lifecycle for Java is public: http://www.oracle.com/technetwork/java/eol-135779.html [oracle.com]

        • by Nimey (114278)

          I wasn't involved in the purchase, but the program requires JavaFX and does not appear to work with any Java 7 REs I've tried.

          • by wmac1 (2478314)

            How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?

            • by Nimey (114278)

              It's a lot easier to bitch about Oracle, especially given how shoddily written their software is.

              I mean, fuck. They've managed to take the crappy security award away from Adobe.

              • by cbhacking (979169)

                Who, previously, had taken it from MS. Guys, *stop* chasing that award. It's not actually a good thing! I think MS was pretty happy to give it up (after all the security work that went into NT6.x, the IE sandbox, etc.), and Adobe is showing signs of acting that way too (the Reader sandbox was a huge improvement, though Flash is still iffy), but Oracle seems dead-set on holding onto it.

            • by Rich0 (548339)

              How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?

              Uh, their latest version is only guaranteed support until July 2014 according to their website. Sure, I guess nobody is paying for it, but I'm not sure I'd base my software off of a platform that is not guaranteed to get security updates for more than a year.

              The seven years Java 6 got isn't too bad, assuming it was announced that way back in the beginning. However, it still pales compared to the stability of win32/etc.

      • by Kenshin (43036)

        Brilliant. That's like buying new software that requires Windows XP.

        • by Nimey (114278) on Tuesday March 05, 2013 @12:15AM (#43075707) Homepage Journal

          Ever dealt with "enterprise" vendors? With that attitude I bet you haven't.

        • Cisco ASDM (configuration/management software for ASA firewalls) doesn't work on Java 7...
        • by Rich0 (548339)

          I wouldn't complain too much about XP.

          XP was introduced in Dec 2001 and is supported until April 2014.

          Java 7 (SEVEN - not six - ie the latest version) was introduced in July 2011, and is supported until July 2014 (it might or might not go later, but no promises).

          If you used something more sane like Windows 7 then you're supported until 2020.

          If you deployed a new piece of software that requires XP you'd only be three months worse off than deploying a new piece of software that requires Java 7.

    • by willie150 (95414)
      We're lucky to get that one. Oracle have publicly stated that there won't be any updates to Java 6 post February 2012. http://java.com/en/download/faq/java_6.xml [java.com]
  • by icknay (96963) on Monday March 04, 2013 @09:13PM (#43074743)
    Warning: the Java installer will install the ask.com toolbar if you click the "yes, please just install my security update" button, even if for the original install you declined the toolbar -- really an obnoxious abuse of updates. Here is a very interesting analysis [zdnet.com] of the whole back and forth between the ask.com installer and the browsers trying to keep junk out. Interesting tidbit: apparently the ask.com installer sleeps for 10 minutes, so if you try to "remove" right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from ask.com in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.
  • OpenJDK .. (Score:4, Interesting)

    by dgharmon (2564621) on Monday March 04, 2013 @09:22PM (#43074811) Homepage
    Does this exploit work under the OpenJDK [wikipedia.org] Runtime Environment?
    • As far as I know, OpenJDK is not really a fork, just a stripped down version of the Oracle JDK.

      • Re:OpenJDK .. (Score:4, Informative)

        by ChunderDownunder (709234) on Tuesday March 05, 2013 @01:24AM (#43076013)

        So yes, probably.

        The security flaw isn't necessarily in the browser plugin per se. Rather it's in the class libraries that are 'sandboxed' when running in a security manager.

        Were one to substitute, say, the IcedTea browser plugin, one would still be accessing the same underlying libraries and security manager implementations. i.e. following each security patch to Java, a Red Hat employee is quick to roll out a new IcedTea release with those patches.

  • All these security holes are losing credibility for Java.
    That's good news for .Net.
    What about the rest of us?

    It seems like the right time for a new alternative to show up. Any takers?

  • by StormReaver (59959) on Tuesday March 05, 2013 @12:20AM (#43075741)

    When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; they already had it, and weren't trying to get it from the victims' computers.

    Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.

    • by ChaseTec (447725)

      Why? You downloaded an applet from a website which then downloaded the McRAT trojan. The article was misleading about who or what was doing the download but not the initiator of the transfer.

      • Consider the context of the sentence: "[A]ttackers exploiting the flaw were able to..."

        They were able to...what? Uploading and downloading are terms used within the context of who is doing what. When a file is being transferred, uploading and downloading are occurring simultaneously. One side of the transmission is downloading, and the other side of the transmission is uploading. The side of the transmission that is receiving the data is downloading, and the side of the transmission that is sending the

    • It's completely correct. The user's computer downloaded the applet, which then proceeded to download the trojan from some Internet location and install it through this vulnerability. Uploading implies that the attackers were the "active" party; that would generally be a worm.

    • by Phrogman (80473)

      Technically they got the user's system to download the McRAT Trojan surreptitiously by exploiting the vulnerability in Java :)

      Client to Server: Upload
      Server to Client: Download

      So it's correct but not very grammatically clear

  • by snsh (968808)

    Will this update install the Google toolbar, Yahoo toolbar, Bing toolbar, or Ask.com toolbar?

  • I get the impression that a group of hackers is working on a collection of Java vulnerabilities with the goal of releasing a new 0-day for the Java plugin a day after every Oracle update.

    I can think of a half-dozen ways Oracle could respond to such a tactic and each is a bit more chuckle-inducing than the last.

  • by TrueSpeed (576528) on Tuesday March 05, 2013 @01:54AM (#43076155)

    The Java Control Panel (in the Windows control panel) contains a checkbox under the Security Panel called "Enable Java content in the Browser". Uncheck this if you do not want applets to run. This selection stays persisted each time you update the JRE.

    Once again,

    Windows Control Panel->Java Control Panel->Security Panel. Make sure the "Enable Java content in the Browser" checkbox is unchecked.
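    As an added example (not from this thread and not Oracle's code), a Python script that audits the setting that checkbox writes to deployment.properties rather than trusting the GUI: the keys deployment.webjava.enabled and deployment.webjava.enabled.locked are the Java 7u10+ deployment properties behind it, and the sample file contents are constructed for the demo.

```python
"""Audit a Java deployment.properties file for 'Enable Java content in the browser'."""
import sys

# Keys the Java Control Panel checkbox writes (Java 7u10+); the *.locked key, normally
# set by an admin in the system-wide file, stops users from re-enabling the plug-in.
WEBJAVA_KEY = "deployment.webjava.enabled"
LOCKED_KEY = "deployment.webjava.enabled.locked"


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, first unescaped '=' or ':' splits
    key from value, and a bare key with no separator gets an empty value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, val = line, ""
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                key, val = line[:i], line[i + 1:]
                break
        # Undo the escaping Java applies to ':' and '=' (URLs are stored as http\://...).
        unescape = lambda s: s.strip().replace("\\:", ":").replace("\\=", "=")
        props[unescape(key)] = unescape(val)
    return props


def browser_java_status(props):
    """(disabled, locked): only an explicit 'false' is disabled; a missing key is the default, enabled."""
    disabled = props.get(WEBJAVA_KEY, "true").lower() == "false"
    return disabled, LOCKED_KEY in props


# Constructed sample of the file after the box is unchecked and the setting locked.
# On Windows the per-user file lives under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment.
SAMPLE = r"""#deployment.properties
#Mon Mar 04 20:37:00 EST 2013
deployment.version=7.15
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.javaws.jre.0.location=http\://example.invalid/jre
"""

if __name__ == "__main__":
    # Pass a real deployment.properties path to audit it; otherwise the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    disabled, locked = browser_java_status(parse_properties(text))
    print("browser Java disabled:", disabled, "| locked by admin:", locked)
```

    A missing key is reported as enabled on purpose, since that is what the JRE assumes when the file has never been touched.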

  • I'm getting very tired of installing a new JRE and JDK over and over again, including the JCE.

    Can we please get an in-place delta patch, Oracle? It's 2013, we have these things you know.

  • Don't force users to install browser plugin crapola. One simple checkbox in setup program (unchecked by default) would make lives better for many, many people (mainly developers). Unfortunately, Oracle chose to use JDK to force lots of crap down our throats (JavaFX, browser plugin plus some other browser crapola), so virtually everyone using Java for any purpose is affected by Java security holes. Unfortunate situation that boils down to by stubborn Oracle managos... is there anything in the world that Larr
