Oracle Releases Massive Security Update
wiredmikey writes Oracle has pushed out a massive security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite. Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.
No secure download (Score:5, Informative)
There is still no way of authenticating Java downloads? Either a download through HTTPS or a hash fingerprint of the file, accessible via HTTPS? This used to exist up until ~2 years ago, but now it is all insecure (the download can include drive-by malware).
Re: (Score:3)
Just so I know, you are kidding, right?
Re: (Score:2)
Just so I know, you are kidding, right?
Didn't you hear? TOR protects you from everything. It's even more effective than Trojan condoms at preventing STDs and unwanted pregnancy.
Re:No secure download (Score:5, Insightful)
the download can include drive-by malware
Can? If memory serves, you have to opt-out of McAfee, in the Java installer.
Re: (Score:3)
Re: (Score:2, Informative)
For Standard Edition JDK or JRE:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
click which package you want to download, and then on the download page click the checksum link
https://www.oracle.com/webfolder/s/digest/8u31checksum.html
There's no bundleware like the Ask toolbar with the java installer from Oracle's website.
Re: (Score:3)
For Standard Edition JDK or JRE:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
click which package you want to download, and then on the download page click the checksum link
https://www.oracle.com/webfolder/s/digest/8u31checksum.html
There's no bundleware like the Ask toolbar with the java installer from Oracle's website.
A simple checksum stored with the binary is not a means of authentication, it's only a means to validate that there was no file corruption on download (since an attacker can update the checksum(s) at the same time he modifies the binary). Something like a cryptographic signature would be needed for authentication (with a validated means of public key distribution)
Since the download link does not use SSL, even if you trust that no one has corrupted Oracle's repository, you have no assurance that the file you
Re: (Score:2, Informative)
Um, the checksum is the binary's MD5 hash. It's not "stored" with the binary. The hashes are listed in that second link I provided, which is an SSL page. To verify the binary's integrity, run a md5 sum generator on the binary and compare the hash you get with the hash listed on the SSL page. If they match, you got a good download. If they don't, then you got a bad download and you shouldn't install it.
Geez, I can't believe this has to be explained on Slashdot.
Re:No secure download (Score:4, Informative)
Um, the checksum is the binary's MD5 hash. It's not "stored" with the binary. The hashes are listed in that second link I provided, which is an SSL page. To verify the binary's integrity, run a md5 sum generator on the binary and compare the hash you get with the hash listed on the SSL page.
That would be more meaningful if the link to the MD5 checksums was not on the same non-SSL page as the link to the binaries, so is subject to manipulation -- an attacker can make it point anywhere they want, and unless a user "knows" that the checksum page is supposed to be SSL, they'd never know (yes, you gave the SSL page, but how do I know that you're not an attacker and that you gave me a fake page that you happened to upload to an Oracle server?). Likewise, if someone can alter the binary on the repo, who is to say that they can't alter the checksum file as well?
There's one well-established method to validate downloads, and that is to use a cryptographic signature (with a well-protected private key; the signature should be generated on a completely offline computer).
MD5 verification may be "good enough" for most uses, but it's very weak authentication.
If they match, you got a good download. If they don't, then you got a bad download and you shouldn't install it.
Geez, I can't believe this has to be explained on Slashdot.
You seem to be confusing download verification with authentication -- they are different concepts.
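The distinction the comment above draws, verification (integrity) versus authentication (origin), is easy to show in code. The following is an added example and not code from the thread or from Oracle: it models a download page that publishes a binary, an MD5 checksum and a detached signature, then an attacker who controls the mirror or the plaintext HTTP path and rewrites both the binary and its checksum. The checksum check still passes, because the attacker republished a matching one; the signature check fails, because producing a signature needs the private key. Ed25519 and the deterministic seed are assumptions made for a reproducible demo (Oracle's actual signing scheme is not described on this page), and the installer bytes are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// Release models what a download page offers: the installer bytes, the hex
// checksum published beside them and, optionally, a detached signature made
// with the publisher's private key.
type Release struct {
	Binary   []byte
	Checksum string // hex MD5, as on the checksum page discussed above
	Sig      []byte // detached ed25519 signature over Binary (may be nil)
}

// MD5Hex is the "md5 sum generator" step: hash the bytes you downloaded.
func MD5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// ChecksumMatches is integrity checking only: it proves the bytes match the
// checksum you were shown, not that either one came from the publisher.
func ChecksumMatches(r Release) bool {
	return MD5Hex(r.Binary) == r.Checksum
}

// SignatureValid is authentication: it needs the publisher's public key,
// obtained through a channel you already trust (not the same HTTP page).
// ed25519.Verify returns false for a missing or malformed signature.
func SignatureValid(pub ed25519.PublicKey, r Release) bool {
	return len(r.Sig) == ed25519.SignatureSize && ed25519.Verify(pub, r.Binary, r.Sig)
}

// DeterministicKey derives a fixed ed25519 key pair from a one-byte seed so the
// demo is reproducible (assumption for this example); a real publisher keeps a
// randomly generated key on an offline machine.
func DeterministicKey(seedByte byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seedByte}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Publish is the publisher's side: compute the checksum and sign the binary.
func Publish(priv ed25519.PrivateKey, binary []byte) Release {
	return Release{Binary: binary, Checksum: MD5Hex(binary), Sig: ed25519.Sign(priv, binary)}
}

// Tamper models an attacker on the mirror or the plaintext HTTP path: they swap
// the binary and republish a checksum that matches it. Without the private key
// they cannot produce a fresh signature, so the stale one is left in place.
func Tamper(r Release, payload []byte) Release {
	return Release{Binary: payload, Checksum: MD5Hex(payload), Sig: r.Sig}
}

func main() {
	pub, priv := DeterministicKey(7)
	genuine := Publish(priv, []byte("jre-8u31 installer bytes (constructed sample)"))
	evil := Tamper(genuine, []byte("replaced installer bytes (constructed sample)"))

	fmt.Printf("genuine:  checksum ok=%v signature ok=%v\n",
		ChecksumMatches(genuine), SignatureValid(pub, genuine))
	fmt.Printf("tampered: checksum ok=%v signature ok=%v\n",
		ChecksumMatches(evil), SignatureValid(pub, evil))
}
```

The public key is the whole point: it has to reach you over a path the attacker cannot rewrite (a key already on your system, a vendor keyring, a fingerprint printed somewhere you trust). If the only copy of the key comes from the same unauthenticated page as the checksum link, the signature check collapses back into the checksum check.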
Re: (Score:2)
The Windows installer is cryptographically signed by Oracle. Don't know about the others.
That sounds promising, though I don't see a signature in the rpm download, just sha1/md5 checksums.
Re: (Score:1)
For the JRE, you can get it directly via a valid SSL download here:
https://www.java.com/en/downlo... [java.com]
For the JDK, I will try your method.
Thanks for the tip about the checksum!
Re: (Score:2)
Mod up!
Re: (Score:1)
Use ninite [ninite.com], and you will get the latest 32 bit and 64 bit JREs. Run the installer again and it updates again. No spyware pushed by updates. Also does more than Java.
If you prefer, you can install the JRE the normal way, and then in the Java Control Panel (start / type 'java' / click on 'Configure Java', or click the java icon in the control panel), go to advanced, scroll to the bottom, and check the last checkbox Suppress sponsor offers when installing or updating Java. All fixed, an
Re: (Score:1)
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties]
"install.disable.sponsor.offers"="true"
Re: (Score:1)
C:\Users\USERNAME\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
It has the same entries as in the registry. However, changing those also has no effect on the checkbox, either. In fact, when you reload that registry key and file, those settings will automatically change back to false. I'm baffled.
The only way that seems to
Re: (Score:3)
Whilst a non-HTTPS download can totally include drive-by malware, what's even worse is Oracle's insistence on bundling the Ask toolbar with the PC version of the JRE, with it selected by default in the installer.
Re: (Score:1)
Re: (Score:2)
Those languages strongly encourage you to produce your own security holes.
This is sage... No language can protect from a stupid programmer.
Of interest: the security model and features in Java, as far as I can tell, have foundational problems. The sandbox is not as well built as it might be, and parts of the security model are unverified and ill understood.
It is a notable language. It is not magically secure...
The moderately recent enhancements to the VM to permit other languages to use the VM are interesting.
Oracle has used Java for a long time and before they picked off Sun d
Re: (Score:2)
Then have a closer look [cvedetails.com].
Re: (Score:3)
Java protects against some of the common screwups that lead to security holes in C (and to a lesser extent C++) programs. It simply won't let you do things like read/write beyond the end/before the start of an array, perform an unprotected typecast between two object types or use memory that you have already freed. However there are many other classes of security hole it doesn't help with.
Java sees lots of security patches for a couple of reasons
1: Java provides sandboxing features intended to allow safe ru
Re: (Score:2)
You're comparing apples and oranges. The "remotely exploitable bugs" in this Java update, like all the others, are assuming you download and run malicious code in the sandbox. GCC and glibc don't have protecting you from malicious code as a goal, in fact Linux typically requires all software to be installed as root no matter what. Obviously if you never even
Re: (Score:2)
in fact Linux typically requires all software to be installed as root no matter what
Technically yes, running "make install", using a package manager or installing an rpm/deb almost certainly requires root/sudo. However, there is nothing stopping you from keeping it all within your home directory (provided the /home filesystem has space and isn't set to noexec), many cases only requiring a wrapper script to modify LD_LIBRARY_PATH. A good example of a complex program which works this way would be apache directory studio, you just untar and launch the executable.
Job security... (Score:2)
Re: (Score:2)
Re: (Score:3)
And what percentage of C/C++ code is well written?
Or, to put it another way, is there any evidence that Java applications are LESS secure, on average, than C/C++ applications?
Re: (Score:1)
A large percentage works just fine even with holes, and with greater performance and less overhead. The supposed claim to fame for java was that, while slower and resource intensive, it prevented programmers from writing exploitable code. Today, we know it's possible to make a shitpile with any tool, leaving java and other runtimes to sacrifice much of the potential for lean, high performance software for small gains in security (the latter with a growing list of caveats). I'm not a fan of such mediocrity
Re: (Score:2)
A large percentage works just fine even with holes, and with greater performance and less overhead.
You need benchmarks to prove such blanket statements. In my experience, Java code usually isn't far from C++ performance and it's actually faster when we're talking about high level "glue" code. It vastly outperforms C in string handling, because C's standard string routines are awful not only to the programmer, but to the processor, too. And then again, for maximum performance there's FORTRAN.
Today, we know it's possible to make a shitpile with any tool, leaving java and other runtimes to sacrifice much of the potential for lean, high performance software for small gains in security (the latter with a growing list of caveats).
Do you know any example of stack smashing, buffer overflows, invalid pointer dereference, malloc failures, code ove
Re: (Score:1)
Obviously, the efficiency of the C lib functions will vary by hardware and by author competence, but here's no way virtualized code could run faster and with less cpu and ram overhead than well written (or compiler generated) native code on given hardware.
An interesting bench done with 7 year old software and hardware (perhaps things are better today?).
http://zi.fi/shootout/ [zi.fi]
While it's gotten a lot better since the 90s, ~35-50% slower is still significant (assuming you discount the 'compiled away' situations
Re: (Score:2)
I mean, when you qualify your comparisons by using ambiguous, ill-defined phrases like "well written," you can say anything. Novels are less interesting than a well written comic. Rules are less useful than a well written law.
Java is generally going to require less effort to port unless you're using platform-specific libraries, and that's easy to avoid since so much is included in the JDK.
As for the security of that code, everything may be within your control in C, but that doesn't come without some cost
Re: (Score:2)
Java isn't at all immune to the 3rd party library issue and in fact the Java world seems to have it far worse when you start developing complex applications.
What I find even more appalling is that fact projects that use maven seem to want to hoover down half of the internet, and you have to trust that the bundles/jars that it is pulling down are all of decent quality, and that the repository has not in fact been compromised.
Re: (Score:1)
I wonder what percent of typical security flaws are caused by language-specific features versus poor design decisions and human error (such as passing the wrong variable). I suspect most are the latter.
Solaris (Score:1)
Looking forward to when I migrate the last Solaris 10 server over to Solaris 11 (or 12?) and get a real package manager.
Re: (Score:3)
Re: (Score:3)
Does it balance against all the horrible command changes? Like changing IP/hostname/DNS?
Re: (Score:1)
ipadm is pretty good once you get used to it.
I still don't care for the move of nearly everything in /etc into the SMF though. That's just annoying to modify, and I don't see any added benefit to it.
Re: (Score:2)
ipadm doesn't do DNS.
SMF does, and it's obnoxiously bad for just setting DNS.
http://docs.oracle.com/cd/E238... [oracle.com]
Hackers must be salivating... (Score:2)
This [massive] update will surely provide fertile playground for those hacker boys.
I can almost guarantee that we will be asking ourselves whether Oracle did anything useful with this update within a year.
Which "those" are "these"? (Score:5, Funny)
"Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password."
Which?
The original bugs, or the new security fixes?
Re: (Score:2)
Also, for a tech site, this lack of comprehension is offensive:
The two halves of this sentence say exactly the same thing, but present it as two statements.
Why users need Java today - scary! (Score:2)
Well, letsee, I'm a developer, I hate Java programming, I don't write Java, but I need to have it installed. Why?
- Android developers need Java, even if they don't write Java. Writing a hybrid app using, say, PhoneGap/Cordova, Rhodes, Titanium, etc? You need Java.
- Backup with CrashPlan? You need Java. CrashPlan is not alone here. Many similar programs need Java.
- Many other disk/file type utilities use Java. Pretty much any of those nifty applications that show you what's using all your disk space using gr
Java 8 broke my system (Score:1)
Impressive (Score:3)
How many unauthenticated remote exploits in a HTTP stack does it take to lose a customer?
Never understood how Oracle is allowed to continue to operate like this. The only thing worse than a multi-billion dollar software company failing to exercise any discipline over their systems' unauthenticated attack surface is the length of time they must have sat on all of these exploits just so they could package it up and release all at once.
Re: (Score:2)
Not many, I should imagine, but your comment is irrelevant because there were no such bugs fixed in this Java update. The way Oracle describes these bugs is horribly confusing. Normally we expect "remotely exploitable without authentication" to mean you can send a packet across the network and pwn the box. If you actually check the CVEs you will see that there's only one bug like that, and it's an SSL downgrade attack -
I don't know about the rest of you... (Score:3)
I don't know about the rest of you... but I, for one, am very happy that Oracle's products are now Massively Secure.
But I still get prompted to install the Ask Bar! (Score:3)
Does anyone see a conflict of interest here?
Re: (Score:2)
Still wondering if they will be able to publicly release their java MSI package.
I know they have one, because I see it on the downloads and support page for JDE E1. However I don't have access to the inner working of our corporate licence and work out if we are eligible to deploy it.
It would be possible just to download the MSI and deploy it. But Oracle do keep auditing us. So, better safe than sorry. (For various values of the word 'safe').
same old story for them (Score:2)
Oracle seem to be the one organization that doesn't appear to be getting better with security; if anything they have deteriorated over the last few years. I wonder what it will take for them to take security seriously.
So much for progress (Score:2)
We buy the Solaris 9 patch support. The changes for this cycle are 1) TimeZone files updated, 2) Fix to zip and 3) Java fixes
The last kernel patch which required a reboot was 122300-68 from June 2013.
My Solaris 11.2 box gets rebooted way too often to replace other production servers, and it's better than Sol 10.
Someone at Oracle should learn the difference between an operating system and an operating environment and making sure the OS is rock solid.
Re: (Score:2)
Yet if the OS isn't broken so bad it needs patches every few weeks, then I don't need to make that decision.
IT is to support my business. It isn't my business. Downtime due to idiot coders who didn't test new features that I don't need isn't good for my business.
What's the big news? (Score:2)
Seriously, what's the big news here?
They have been pushing out bundled security patches every quarter for years with their Critical Patch Update [oracle.com] program. This is just another CPU.