Researcher Develops Patch For Java Zero Day In 30 Minutes
Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."
Code review (Score:5, Insightful)
They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...
Re:Code review (Score:5, Insightful)
A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce
And someone at Java may have written a patch for the exploit in 1 minute six weeks ago. In terms of actual useful information this headline probably boils down to
Researcher Develops Patch For Java Zero Day
which isn't quite as immediately sexy.
Re: (Score:3)
It does give us some idea of the extent of the patch (quite limited) and thus the effort required to revalidate the package (small as that sort of thing goes). I find that information useful in evaluating Oracle's response.
Re: (Score:3)
I doubt they'll push any patch out without testing it.
You must be new to Oracle. I envy you.
Tank it (Score:1)
I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premiere and decided to tank it.
Re: (Score:2)
I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premiere and decided to tank it.
Okay, this is weird. I happen to be watching the 30 Rock Season 7 premiere right now.
Re: (Score:1)
Are you saying it's weird because you're watching it or because you're an executive at Oracle?
Re: (Score:2)
Actually, it's weird because he's Alec Baldwin.
Re: (Score:1)
Actually, it's weird because he's Alec Baldwin.
Actually, it's weird because someone actually watches 30 Rock.
Actually, it's weird because someone actually watches NBC.
The cost is rarely in coding the patch... (Score:3, Insightful)
It's in testing it.
Re: (Score:2)
Since when has Oracle / Sun cared about breaking compatibility with Java? IIRC many older Cisco web-config pages use Java 1.4.2 u7 (or something)-- any newer (update 8) and it breaks. And when JavaSE7 came out, it broke LibreOffice and basically every other app I used (I think CrashPlan too). Backwards compatible my foot.
Pretty sure the various iterations of BES break horribly if you try to update their java-- but that might not be a java issue per se.
Re: (Score:2)
Java 6 update 37 also broke the ASA ASDM interface. Works just fine with Java 6 update 33 (update 35 wasn't a real security fix for Java 6). TAC is reviewing and will probably post a bugid soon.
Re: (Score:2)
When the heck was update 37 released? U32 just came out in August.....
Re: (Score:2)
Keep up. U32 was released in April. U37 was last week.
Java 6 Updates [wikipedia.org]
Re: (Score:2)
You're 100% correct that a reasonable amount of effort is needed to test a patch that is going to be deployed to users and enterprise systems.
But here we have a known exploit, and Oracle with their huge pool of resources cannot manage to release a patch for it before Feb 2013? You can believe that they don't have the resources to test the patch in a shorter time frame or even create a better one? I seriously doubt that it takes Oracle months to regression test a single patch.
The bottom line is that Oracle are
5 months? (Score:2)
I don't see how it can be called critical updates if they only do them twice a year. That doesn't sound like the patches they put out on those days are very critical. Unless this is another word we are changing the meaning of...
Re: (Score:2)
Glad to know someone else thought about that, too. On the one hand we have the frenetic "let's monitor the internet to make the web safer!" (a few stories back). Then on the other we get "Oh well, there's a security flaw that we won't fix until February."
Re:5 months? (Score:5, Insightful)
Microsoft has Patch Tuesday, Oracle has Patch February...
Patch right here! (Score:5, Funny)
Windows [java.com]
Linux [java.com]
Mac OS X [java.com]
Re: (Score:1)
Stupid noob question: Does a vulnerability like this affect Linux boxes that are running Java?
Re: (Score:3)
Java vulns are typically cross platform.
Re: (Score:1)
Well many of us do development with Java and wish to use it for developing server-based programs on Windows machines, but the installer insists on inserting its tendrils deep into any web browser it can find. Is there any way to prevent this because it is easy to overlook disabling this after the upgrade. Keeping it from installing the shovelware is bad enough.
Re:Patch right here! (Score:4, Informative)
1) install 64 bit java
2) Uninstall IE, or don't use IE 64 bit.
3) remember to update, because 64 bit java doesn't have an updater. Not that it works anyway.
The 32 bit browsers (chrome, firefox, even 32 bit IE) won't use the 64 bit java to run applets and since IE is the only 64 bit browser and cannot be set as the default browser, it will limit your attack surface.
Great, expect this in the wild in 4...3....2.... (Score:4, Insightful)
Oracle was a zero day vulnerability... (Score:1)
...patched by Google not long ago.
What? He hacked Java? (Score:1)
Oracle is still learning consumer software (Score:4, Insightful)
I can imagine their biggest problem is the number of platforms they have to support-- and software versions. I've learned to skim through the documentation for indications of incompatibility between versions of software before installing anything. Grumble.
BeenThereDoneThat (Score:1)
I've had very quick turnarounds for certain fixes in the past. An example would be: "Oops, I forgot the semi-colon here...[type type]...Compile, there!"
Then the office goes, "Damn you're fast!" Tell them what happened?....naaaah.
Re: (Score:2)
A thousand? A hundred thousand?
Re: (Score:2)
In C or C++, not much, as it won't compile
If it were true that it won't compile in all cases, then the semicolon wouldn't be needed at all; the compiler could just insert them in the obvious places. The fact is that there are plenty of cases where you can forget a semicolon and never get a compile error.
A simple example:
    int *foo = 1;
    int bar = 2
    *foo++;
which gets parsed as:
    int bar = 2 * foo++;
..a perfectly legal statement, but certainly not what was intended.
Re: (Score:2)
There used to be an urban legend that one of the Mariner planet probes crashed due to comma in a Fortran program that was supposed to be a period. Although it was an urban legend, it is possible to make a compile-able mistake like that in Fortran.
Install Java without being root... (Score:1)
If you're working on a Linux box, there's a very simple way to deal with the uber fiasco that Java is: install it from the .tgz / .bz2 given by Oracle, as a non-root user.
Do NOT install Java from the OpenJDK: most Linux distros have a major security issue in that they require you to be root to install packages (I've been using Linux since the mid-nineties and I swear by Linux, but there's no frigging way I'll let any package install Java "system wide" on my Linux system).
So go d/l the .tgz / .bz2 or whatever and t
Re: (Score:2)
Reading your post, at first glance, you seem to confuse who owns the executable and who runs the executable.
Simply "xhost +localhost" your X session so that the "web surfing" account can display its browser windows in your main X session
This should be sufficient to ensure Java only has the permissions of the "web surfing" account. It doesn't matter who owns the executable really unless it has a sticky bit set, and I have never seen a Java executable with the sticky bit set yet in any install that I have done.
Re: (Score:2)
Look at:
http://blogtech.oc9.com/index.php?view=article&catid=4%3Aasterisk&id=175%3A20080329astchroot&option=com_content&Itemid=8 [oc9.com]
For the sticky bit issue. Search for:
find / -type f -perm +7000 > tt.txt
One should remove all setuid bits on programs on any system if not needed. Fewer and fewer programs need to set the sticky bit by default, but still, it is an important concept to grasp if you are concerned about security. Xterm used to have the setuid bit set and to be owned by root and you ca
"sticky bit?" (Score:3)
I don't think that means what you think it means.
Hint: the setuid, setgid, and sticky bits are three different things with more than three different functions.
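The three bits this comment distinguishes, audited separately rather than lumped together by the `-perm +7000` search quoted earlier in the thread; this is an added example, not code from any poster, and it builds its own constructed sample tree so it runs stand-alone. It uses only POSIX `find -perm -MODE` (all listed bits set), which also avoids the `-perm +MODE` syntax that GNU find has deprecated.

```sh
#!/bin/sh
# Added example: audit a directory tree for setuid (4000), setgid (2000)
# and sticky (1000) bits separately. These are three different bits with
# different meanings, so a single "+7000" search mixes them together.

# count_bit DIR OCTAL -> number of regular files under DIR with that bit set
count_bit() {
    # -perm -MODE matches files that have ALL of the bits in MODE set;
    # tr strips the leading blanks some wc implementations emit.
    find "$1" -type f -perm -"$2" | wc -l | tr -d ' '
}

# report DIR -> one line "setuid=N setgid=N sticky=N" for the tree
report() {
    printf 'setuid=%s setgid=%s sticky=%s\n' \
        "$(count_bit "$1" 4000)" \
        "$(count_bit "$1" 2000)" \
        "$(count_bit "$1" 1000)"
}

# make_sample -> prints the path of a constructed temp tree holding one
# file per interesting mode (sample data, not a real system scan).
make_sample() {
    sample_dir=$(mktemp -d)
    for f in a b c d e; do : > "$sample_dir/$f"; done
    chmod 4755 "$sample_dir/a"   # setuid: runs with the owner's uid
    chmod 2755 "$sample_dir/b"   # setgid: runs with the owner's gid
    chmod 6755 "$sample_dir/c"   # both setuid and setgid
    chmod 1755 "$sample_dir/d"   # sticky on a regular file: ignored by Linux
    chmod 0755 "$sample_dir/e"   # ordinary executable, no special bits
    printf '%s\n' "$sample_dir"
}

# Stand-alone run: build the sample tree, report, then clean up.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(make_sample)
    report "$demo_dir"            # prints: setuid=2 setgid=2 sticky=1
    rm -rf "$demo_dir"
fi
```

Pointing `report` at `/` instead of the sample tree gives the real audit; setgid counts are most informative on directories (where the bit affects group inheritance), which this file-only scan deliberately excludes.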
Re: (Score:2)
You are right, I do not know why I used "sticky". I was definitely referring to setuid and setgid. I know what sticky is; the /tmp directory usually has the sticky bit set. Thanks for enlightening us.
Yes, we had a chap who would fix things real fast (Score:2)
Years later, we're still fixing his fixes.
Patch speed is rarely critical, outside of Star Trek.
Impact on OpenJDK? (Score:2)
Can we assume this is dealt with or n/a for OpenJDK? Why aren't the large users of Java cooperating to remove Oracle's significance here?