Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities 165
msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809; the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan."
Uninstall (Score:5, Funny)
I uninstalled everything starting with "java" on my computers, and the only thing now missing is the every-other-day notification that Java needs to be updated.
Re: (Score:2)
Then don't use Open Office.
Use LibreOffice instead. (https://www.libreoffice.org/)
You don't need Java to install or to run it UNLESS you use BASE.
Re: (Score:2)
Citrix for remote access to work. :(
Re: (Score:3)
Disabling the browser plugin also would have helped.
Re:Uninstall (Score:5, Insightful)
I mean it's no different than me going around, running executables from random websites and then blaming Microsoft for not doing more to secure their OS.
It's entirely different, the plugin is supposed to be sandboxed.
Re:Uninstall (Score:5, Funny)
That's easy, just click on this little Java app.
Only one program I miss (Score:2, Insightful)
Open office won't work without Java. Maybe some day I'll be convinced that they have their stuff together again and I'll reinstall it.
Re:Only one program I miss (Score:5, Informative)
Most of the Java vulnerabilities are in the browser plugin. You can always install Java and just disable the browser plugin.
Re: (Score:2)
I think you're mistaken. Open Office never ever has run in the browser plugin.
Or did you even bother to look at the conversation before spouting off?
Re: (Score:2)
You see, once you disable the browser plugin, that's 99% of the raison d'etre of Java gone for most end users
That last time I needed to use the Java browser plugin was nearly a year ago for a WebEx meeting. My last job involved server-side Java code, and I use OpenOffice at home, and that pretty much sums up my need for Java, other than the occasional program I write with it(very rare since I typically find that another language would be more suited to what I'm doing, and even when I chose Java it's never for applets). I understand my use probably does not represent the average computer user, but I can't even be
Re: (Score:2)
Equallogic SANs use java iirc, as does HP's iLO remote management. A number of bank sites also use java applets.
Re: (Score:2)
A number of bank sites also use java applets
This.
Also utilities, ISPs and similar organisations for web forms that probably don't really need java to do what they do (probably, it's possible they actually do).
I can't pay my credit card from Safari on my desktop Mac at home because it can't get past the balance calculation applet, but I can on my iPad iOS app.
I tried logging a ticket with my ISP the other day and their website said they don't support Safari, Firefox or Chrome - use IE, which isn't available for Mac OS and hasn't been for years (Note I
Re: (Score:2)
There are almost no legitimate java web apps anymore
Depends on how you define a Java web app. Applets are dead, sure, I won't disagree with that, but in my definition a web app that uses Javascript and AJAX calls to a server-side program running on a JVM and written in Java is still a Java web app.
Re: (Score:2)
and ajax has nothing to do with it. The point is there are better ways to do AJAX than java in 2013. In fact, Java is not the go to for ajax anymore. For most interactive web apps, I think flash has taken over from java
perl, python, php, and javascript, and now HTML5.
Re: (Score:2)
Does anyone else periodically feel like throwing their computer out the window with the constant nag screens to update Adobe Flash or Acrobat Reader that seem to appear every week or so.
Re:Only one program I miss (Score:5, Insightful)
Open office won't work without Java.
Sure it does. The only parts that really required Java were a couple of wizards and the RDBMS.
Re: (Score:2)
Interesting. OpenOffice.org or Libreoffice?
Re: (Score:2)
I use Libre Office just fine without Java installed. Maybe some plugins still need it, but I've never had it complain that I was missing it.
+1
I switched to Libre Office long ago, and can't find any reason anyone would still use OpenOffice.
Re: (Score:2)
Some users may find the license more appropriate.
Re: (Score:2)
OpenOffice doesn't require Java for everything. What do you use for its Java?
Re: (Score:2)
It says you can't install it unless you have Java installed or did the last time I tried to install it.
My wife has a multi PC copy of MS Office and I use that, most of the time anyway, for what little word processing I do that Google Docs won't do.
Re:Only one program I miss (Score:5, Informative)
Just install 64 bit java JRE only. There are no browser plugins in the 64 bit JRE, only the 32 bit JRE, so none of the vulnerabilities released in the past 3 or 4 years will affect you.
As a bonus, since there are no browser addons in 64 bit JRE, you won't ever see that annoying ask toolbar garbage from them again.
Re: (Score:2)
The last time I tried to install Libre Office on a relative's computer the installation failed and I haven't had another chance to try it again.
Re: (Score:2)
Unfortunately I was helping a relative set up a new computer, I had already spent several hours working on the computer and was exhausted so when the install failed I just changed to Open Office when the install failed.
Seems like /. is stuck on repeat... (Score:1)
I have Java on my computer, but it is warm, tasty, and resides in a mug, but most importantly is exploit proof!
Re: (Score:3)
If an attacker were to gain physical access to your machine, I could easily picture a nice denial of service attack one could perform with a hot cup of java on your computer.
Here is a hint: it's the type that destroys the hardware.
I don't know your setup, but I'd also question the stability of your java platform (and the cup too). If you get a user panic error, you could easily destroy your machine.
Re: (Score:2)
It'd be more effective if the attacker would use hot grits instead.
Re: (Score:2)
Or a petrified Natalie Portman.
even worse than the vulns (Score:5, Insightful)
The language is ok, but everything else about java just plain sucks.
Re: (Score:2)
Compared to Adobe?
Re: (Score:1)
I think java 7 installs updates in place - no more need to uninstall old versions.
It says it does this somewhere on the oracle updater site, & it seems to be working for me on a number of platforms.
Re: (Score:1)
http://docs.oracle.com/javase/7/docs/webnotes/install/windows/patch-in-place-and-static-jre-installation.html
Haven't the faintest why this isn't documented more clearly in their other pages related to installation & patching.
Re: (Score:3)
What do you mean "the old ones are left uninstalled"? Are you griping about it getting rid of old vulnerable versions, or do you have really ancient copies of Java prior to 6.0 update 10 still installed? Java 6u10 was the first version to be automatically removable by subsequent versions, so 6u7 and earlier must be manually uninstalled.
The updater still sucks in that it requires manual intervention instead of updating in the background, yes.
Re: (Score:3)
Because Java 7 ignores previous Java 6 installs. New Java 7 updates will remove previous Java 7 instances.
It probably makes sense in some use cases.
Re:even worse than the vulns (Score:5, Informative)
And proclivity for trying to install the Ask.com toolbar.
Currently that is my biggest beef with Java -- after the fact that it seems to be glaringly insecure, and I can't figure out if they broke it, or it was always broken. :-P
Re: (Score:2)
I certainly assume it is ... everything you install these days wants to install some form of search bar or browser plugin.
The answer is always "no".
Re: (Score:2)
Even worse than the vulnerabilities are the _constant_ nagging for updates.
1. Remove the scheduled updater task.
2. Install Secunia PSI
3. Profit.
Also, the JRE is updated nowadays. Only old JDKs are not removed, but that makes sense (to a developer).
Last Java 6 public update (Score:2)
http://www.oracle.com/technetwork/java/javase/6u43-relnotes-1915290.html [oracle.com]
After this one you will need to pay for a support contract or upgrade to Java 7.
Re: (Score:2)
I was checking java 6 builds the other day and I'm almost positive that "This is the last release" message was in the update 41 release notes before 43 was released.
Re: (Score:2)
Not this one:
http://www.oracle.com/technetwork/java/javase/6u41-relnotes-1907743.html [oracle.com]
Keep in mind this update is out of band.
Re: (Score:2)
They changed the release notes for 41.
That's my story and I'm sticking to it. Even though the google cache of that page on the 25th says otherwise. Wikipedia hasn't been updated yet and says 41 is the last.
Re: (Score:2)
Marvelous. We just bought a package that requires 6 to work and doesn't with 7, /and/ it needs the browser plugin.
Eat a bag of dicks, Ellison.
Re: (Score:2)
Just bought? The support lifecycle for Java is public: http://www.oracle.com/technetwork/java/eol-135779.html [oracle.com]
Re: (Score:2)
I wasn't involved in the purchase, but the program requires JavaFX and does not appear to work with any Java 7 REs I've tried.
Re: (Score:3)
How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?
Re: (Score:3)
It's a lot easier to bitch about Oracle, especially given how shoddily written their software is.
I mean, fuck. They've managed to take the crappy security award away from Adobe.
Re: (Score:2)
Who, previously, had taken it from MS. Guys, *stop* chasing that award. It's not actually a good thing! I think MS was pretty happy to give it up (after all the security work that went into NT6.x, the IE sandbox, etc.), and Adobe is showing signs of acting that way too (the Reader sandbox was a huge improvement, though Flash is still iffy), but Oracle seems dead-set on holding onto it.
Re: (Score:2)
How about expecting the new software's company to support their newly sold software (and update it to support 7) instead of asking Oracle to support its many years old free software?
Uh, their latest version is only guaranteed support until July 2014 according to their website. Sure, I guess nobody is paying for it, but I'm not sure I'd base my software off of a platform that is not guaranteed to get security updates for more than a year.
The seven years Java 6 got isn't too bad, assuming it was announced that way back in the beginning. However, it still pales compared to the stability of win32/etc.
Re: (Score:2)
Brilliant. That's like buying new software that requires Windows XP.
Re:Last Java 6 public update (Score:4, Informative)
Ever dealt with "enterprise" vendors? With that attitude I bet you haven't.
Re: (Score:2)
I wouldn't complain too much about XP.
XP was introduced in Dec 2001 and is supported until April 2014.
Java 7 (SEVEN - not six - ie the latest version) was introduced in July 2011, and is supported until July 2014 (it might or might not go later, but no promises).
If you used something more sane like Windows 7 then you're supported until 2020.
If you deployed a new piece of software that requires XP you'd only be three months worse off than deploying a new piece of software that requires Java 7.
Re: (Score:2)
Yep, this update is out of band which is probably why.
Warning: Oracle installs ask.com toolbar (Score:5, Informative)
Re: (Score:2)
But that's just Oracle - and always has been Oracle. Being aggressive and obnoxious hasn't hurt them before (check their stock price).
OpenJDK .. (Score:4, Interesting)
Re: (Score:2)
As far as I know, OpenJDK is not really a fork, just a stripped down version of the Oracle JDK.
Re:OpenJDK .. (Score:4, Informative)
So yes, probably.
The security flaw isn't necessarily in the browser plugin per se. Rather it's in the class libraries that are 'sandboxed' when running in a security manager.
Were one to substitute, say, the IcedTea browser plugin, one would still be accessing the same underlying libraries and security manager implementations. I.e., following each security patch to Java, a Red Hat employee is quick to roll out a new IcedTea release with those patches.
Java and Flash remind me of this song.. (Score:2)
http://en.wikipedia.org/wiki/There's_a_Hole_in_My_Bucket [wikipedia.org]
So, Oracle managed to mess this one up as well... (Score:1)
All these security holes are losing credibility for Java.
That's good news for .Net.
What about the rest of us?
It seems like the right time for a new alternative to show up. Any takers?
Re: (Score:2)
Sorry, but I will keep using java server side. I just hope I don't end up with that "Ask toolbar" on our server :}
And the fact that the Java Security Manager is as safe as an open door does not really matter, because 99% of all server side java code is running without the security manager. (Or at least without relying on the Security manager to provide security).
It's Upload, Not Download (Score:4, Informative)
When someone is transferring something to your computer, they are uploading. They managed to upload the McRAT trojan. They did not manage to download the McRAT trojan; They already had it, and weren't trying to get it from the victims' computers.
Please don't try learning your computer terminology from Hollywood, as they get it wrong 99% of the time. I think in all seven years of STTNG, they got it right only once.
Re: (Score:2)
Why? You downloaded an applet from a website which then downloaded the McRAT trojan. The article was misleading about who or what was doing the download but not the initiator of the transfer.
Re: (Score:2)
Consider the context of the sentence: "[A]ttackers exploiting the flaw were able to..."
They were able to...what? Uploading and downloading are terms used within the context of who is doing what. When a file is being transferred, uploading and downloading are occurring simultaneously. One side of the transmission is downloading, and the other side of the transmission is uploading. The side of the transmission that is receiving the data is downloading, and the side of the transmission that is sending the
Re: (Score:2)
It's completely correct. The user's computer downloaded the applet, which then proceeded to download the trojan from some Internet location and install it through this vulnerability. Uploading implies that the attackers were the "active" party; that would generally be a worm.
Re: (Score:2)
Technically they got the user's system to download the McRAT Trojan surreptitiously by exploiting the vulnerability in Java :)
Client to Server: Upload
Server to Client: Download
So it's correct but not very grammatically clear
Troolbar (Score:2)
Will this update install the Google toolbar, Yahoo toolbar, Bing toolbar, or Ask.com toolbar?
Evil Masterminds (Score:2)
I get the impression that a group of hackers is working on a collection of Java vulnerabilities with the goal of releasing a new 0-day for the Java plugin a day after every Oracle update.
I can think of a half-dozen ways Oracle could respond to such a tactic and each is a bit more chuckle-inducing than the last.
Re: (Score:2)
Anybody who doesn't like Larry Ellison, i.e. everyone who's dealt with him personally.
How to stop applets from running (Score:3, Insightful)
The Java Control Panel (in the Windows control panel) contains a checkbox under the Security Panel called "Enable Java content in the Browser". Uncheck this if you do not want applets to run. This selection stays persisted each time you update the JRE.
Once again,
Windows Control Panel->Java Control Panel->Security Panel. Make sure the "Enable Java content in the Browser" checkbox is unchecked.
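For administrators who would rather not click through the Java Control Panel on every machine, the same checkbox is backed by a documented deployment property, `deployment.webjava.enabled`, stored in the user's `deployment.properties` file. The script below is an added example, not code from the comment above or from Oracle; it assumes the Java 7u10+ deployment model, the Linux/macOS per-user location `~/.java/deployment/deployment.properties` (Windows keeps the file under `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment`), and a `DEPLOYMENT_DIR` override so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: disable "Java content in the browser" without the GUI by writing
# deployment.webjava.enabled=false into deployment.properties, idempotently.
# Assumptions (not from the thread): Java 7u10+ property name and the per-user file
# location below; DEPLOYMENT_DIR is a hypothetical override for testing.

disable_web_java() {
    dir="${DEPLOYMENT_DIR:-$HOME/.java/deployment}"
    file="$dir/deployment.properties"
    mkdir -p "$dir"
    [ -f "$file" ] || : > "$file"
    # Drop any existing value for the key (enabled or disabled), keep everything else,
    # then append the disabled setting so only one copy of the key remains.
    grep -v '^deployment\.webjava\.enabled=' "$file" > "$file.tmp" || true
    printf 'deployment.webjava.enabled=false\n' >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Check helper: returns 0 when the properties file records the plug-in as disabled,
# 1 otherwise (missing file or key, or key set to true).
web_java_disabled() {
    file="${DEPLOYMENT_DIR:-$HOME/.java/deployment}/deployment.properties"
    [ -f "$file" ] && grep -qx 'deployment.webjava.enabled=false' "$file"
}

# Usage when run directly: apply the setting, then report the resulting state.
if [ "${1:-}" = "--apply" ]; then
    disable_web_java
    if web_java_disabled; then
        echo "Java browser content disabled in deployment.properties"
    else
        echo "failed to record the setting" >&2
        exit 1
    fi
fi
```

The check function is the part worth keeping in a fleet audit: running it across machines after a JRE update confirms the setting survived, which is the persistence the comment above describes.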
How do I disable Java in my browser (Score:3, Informative)
http://www.java.com/en/download/help/disable_browser.xml [java.com]
delta patches please (Score:2)
I'm getting very tired of installing a new JRE and JDK over and over again, including the JCE.
Can we please get an in-place delta patch, Oracle? It's 2013, we have these things you know.
Pretty simple solution (Score:2)
Re: (Score:3)
Ok, I am sick of this. Java is a fine language and platform and it doesn't deserve all the bad press it got lately just because it is poorly managed at the moment in one specific area: browser plugins. Banks and other corporate customers that feed Oracle couldn't care less about the flaws because they use Java server-side.
Here is my theory, I could be wrong...
Sun and Oracle philosophy were pretty different. Since Sun was acquired by Oracle, Oracle is split in 2 camps and stuck with a problem:
1) Sun's for
Re:LOL (Score:5, Interesting)
Relying on software enforcement for security is just asking for trouble.
[1] The factor of 30 comes from seL4 which, to my knowledge, is the formally verified project that managed the smallest overhead. Other estimates from other projects are 100 or more times the cost.
Re: (Score:2)
Ok, I am sick of this. Java is a fine language and platform and it doesn't deserve all the bad press it got lately just because it is poorly managed at the moment in one specific area: browser plugins. Banks and other corporate customers that feed Oracle couldn't care less about the flaws because they use Java server-side.
The problem is that, until very recently, the Java installer went out of its way to shove the browser plugin down your throat. Even if you removed it manually, it would come back the nex
Re: (Score:2)
They also don't use the Java Plugin which is the problem there :-)