Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Oracle Security

Oracle Releases Massive Security Update 79

wiredmikey writes Oracle has pushed out a massive security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite. Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.
This discussion has been archived. No new comments can be posted.

Oracle Releases Massive Security Update

Comments Filter:
  • No secure download (Score:5, Informative)

    by buchner.johannes ( 1139593 ) on Wednesday January 21, 2015 @04:51PM (#48869641) Homepage Journal

    There is still no way of authenticating Java downloads? Either a download through HTTPS or a hash fingerprint of the file, accessible via HTTPS? This used to exist up until ~2 years ago, but now it is all insecure (the download can include drive-by malware).

    • by Wootery ( 1087023 ) on Wednesday January 21, 2015 @05:14PM (#48869883)

      the download can include drive-by malware

      Can? If memory serves, you have to opt-out of McAfee, in the Java installer.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      For Standard Edition JDK or JRE:

      http://www.oracle.com/technetwork/java/javase/downloads/index.html

      click which package you want to download, and then on the download page click the checksum link

      https://www.oracle.com/webfolder/s/digest/8u31checksum.html

      There's no bundleware like the Ask toolbar with the java installer from Oracle's website.

      • by hawguy ( 1600213 )

        For Standard Edition JDK or JRE:

        http://www.oracle.com/technetwork/java/javase/downloads/index.html

        click which package you want to download, and then on the download page click the checksum link

        https://www.oracle.com/webfolder/s/digest/8u31checksum.html

        There's no bundleware like the Ask toolbar with the java installer from Oracle's website.

        A simple checksum stored with the binary is not a means of authentication, it's only a means to validate that there was no file corruption on download (since an attacker can update the checksum(s) at the same time he modifies the binary). Something like a cryptographic signature would be needed for authentication (with a validated means of public key distribution)

        Since the download link does not use SSL, even if you trust that no one has corrupted Oracle's repository, you have no assurance that the file you

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Um, the checksum is the binary's MD5 hash. It's not "stored" with the binary. The hashes are listed in that second link I provided, which is an SSL page. To verify the binary's integrity, run a md5 sum generator on the binary and compare the hash you get with the hash listed on the SSL page. If they match, you got a good download. If they don't, then you got a bad download and you shouldn't install it.
          Geez, I can't believe this has to be explained on Slashdot.

          • by hawguy ( 1600213 ) on Wednesday January 21, 2015 @05:54PM (#48870297)

            Um, the checksum is the binary's MD5 hash. It's not "stored" with the binary. The hashes are listed in that second link I provided, which is an SSL page. To verify the binary's integrity, run a md5 sum generator on the binary and compare the hash you get with the hash listed on the SSL page.

            That would be more meaningful if the link to the MD5 checksums was not on the same non-SSL page as the link to the binaries, so is subject to manipulation -- an attacker can make it point anywhere they want, and unless a user "knows" that the checksum page is supposed to be SSL, they'd never know (yes, you gave the SSL page, but how do I know that you're not an attacker and that you gave me a fake page that you happened to upload to an Oracle server?). Likewise, if someone can alter the binary on the repo, who is to say that they can't alter the checksum file as well?

            There's one well-established method to validate downloads, and that is to use a cryptographic signature (with a well protected private key, the signature should be generated on a completely offline computer.

            MD5 verification may be "good enough" for most uses, but it's very weak authentication.

            If they match, you got a good download. If they don't, then you got a bad download and you shouldn't install it.
            Geez, I can't believe this has to be explained on Slashdot.

            You seem to be confusing download verification with authentication -- they are different concepts.

        • For the JRE, you can get it directly via a valid SSL download here:
          https://www.java.com/en/downlo... [java.com]

          For the JDK, I will try your method.
          Thanks for the tip about the checksum!

      • Mod up!

      • Other workarounds:
        Use ninite [ninite.com], and you will get the latest 32 bit and 64 bit JREs. Run the installer again and it updates again. No spyware pushed by updates. Also does more than Java.

        If you prefer, you can install the JRE the normal way, and then in the Java Control Panel (start / type 'java' / click on 'Configure Java', or click the java icon in the control panel), go to advanced, scroll to the bottom, and check the last checkbox Suppress sponsor offers when installing or updating Java. All fixed, an
        • Ah, I found it. It is in the registry:

          Windows Registry Editor Version 5.00

          [HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties]
          "install.disable.sponsor.offers"="true"
          • This is infuriating. You can change the registry value above - doesn't work, and the program resets it for you. Digging around on the filesystem, I found this gem:
            C:\Users\USERNAME\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
            It has the same entries as in the registry. However, changing those also has no effect on the checkbox, either. In fact, when you reload that registry key and file, those settings will automatically change back to false. I'm baffled.

            The only way that seems to
    • Whilst a non https download can totally include drive-by malware, what's even worse is Oracle insistence on bundling the Ask toolbar with the PC version of the JRE, with it selected by default in the installer .

  • As a security remediation specialist, I'll look forward to seeing the Nessus scan spreadsheet that identifies the systems that has a Java vulnerability that wasn't automatically updated. Last time I only had 3,600 systems to fix over a six week period. Thanks, Oracle!
    • by armanox ( 826486 )
      You'll have wait for us to add that to the Nessus plugins! I'm looking forward to all the tickets coming in tomorrow (We need package xxx from Oracle for Nessus plugins...))!
  • by Anonymous Coward

    Looking forward to when I migrate the last Solaris 10 server over to Solaris 11 (or 12?) and get a real package manager.

  • This [massive] update will surely provide fertile playground for those hacker boys.

    I can almost guarantee that we will be asking ourselves whether Oracle did anything useful with this update within a year.

  • by jtara ( 133429 ) on Wednesday January 21, 2015 @05:20PM (#48869937)

    "Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password."

    Which?

    The original bugs, or the new security fixes?

    • Also, for a tech site, this lack of comprehension is offensive:

      may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password

      The two halves of this sentence say exactly the same thing, but present it as two statements.

  • Even trying to go back to version 7u71 doesn't work now. Never had java problems until this update. YMMV.
  • by WaffleMonster ( 969671 ) on Wednesday January 21, 2015 @06:15PM (#48870473)

    How many unauthenticated remote exploits in a HTTP stack does it take to lose a customer?

    Never understood how Oracle is allowed to continue to operate like this. The only thing worse than a multi-billion dollar software company failing to exercise any discipline over their systems unauthenticated attack surface is length of time they must have sat on all of these exploits just so they could package it up and release all at once.

    • How many unauthenticated remote exploits in a HTTP stack does it take to lose a customer?

      Not many, I should imagine, but your comment is irrelevant because there were no such bugs fixed in this Java update. The way Oracle describes these bugs is horribly confusing. Normally we expect "remotely exploitable without authentication" to mean you can send a packet across the network and pwn the box. If you actually check the CVEs you will see that there's only one bug like that, and it's an SSL downgrade attack -

  • by tlambert ( 566799 ) on Wednesday January 21, 2015 @06:42PM (#48870659)

    I don't know about the rest of you... but I, for one, am very happy that Oracle's products are now Massively Secure.

  • by djnanite ( 1979686 ) on Wednesday January 21, 2015 @07:46PM (#48871127) Homepage
    Oracle releases a Java SE update to plug security vulnerabilities, but the installer still prompts me to install the 'Ask Search App' by default.

    Does anyone see a conflict of interest here?
  • Oracle seem to be the one organization that doesn't appear to be getting better with security, if anything they have deteriorated over the last few years. wonder what it will take for them to take security seriously.

  • We buy the Solaris 9 patch support. The changes for this cycle are 1) TimeZone files updated, 2) Fix to zip and 3) Java fixes

    The last kernel patch which required a reboot was 122300-68 from June 2013.

    My Solaris 11.2 box gets rebooted way too often to replace other production servers and its better than Sol 10.

    Someone at Oracle should learn the difference between an operating system and an operating environment and making sure the OS is rock solid.

  • Seriously, what's the big news here?

    They have been pushing out bundled security patches every quarter for years with their Critical Patch Update [oracle.com] program. This is just another CPU.

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...