Zero-day Java exploit in the wild - first attempted patch still vulnerable

Just a heads-up that there's at least one zero-day exploit in the wild for Java, possibly two. Oracle apparently almost never patches Java out of cycle; they issue three patches per year, no matter what, and mid-October is the next targeted window.

I suspect they may be pressured into patching sooner, but in the interim, you should seriously consider just removing Java from your system altogether. If you can't do that, disabling the Java plugin in your browser will make you less vulnerable, but the hole in the language will still be present.

It's kind of funny for me, because I just updated Java a few days ago for the NASA Curiosity stuff. Yesterday I just uninstalled it for good.

Companies that make such runtimes need to get their heads around good auto-updaters now. It's something I keep coming back to, but it's a damn shame there's no good central updater within Windows for third parties, and Windows Update doesn't get used as much as it could be. I saw a Skype update through WU last week, which I guess is only because MS own them.

Even the Win8 app store is unsurprisingly only for Metro apps, but then MS seem to be on a course to cut off the legacy old Windows in the next few Windows versions, and probably make stuff like Java irrelevant on their platforms, well, besides the enterprise stuff.

Scratched wrote:

Companies that make such runtimes need to get their heads around good auto-updaters now. It's something I keep coming back to, but it's a damn shame there's no good central updater within Windows for third parties, and Windows Update doesn't get used as much as it could be. I saw a Skype update through WU last week, which I guess is only because MS own them.

I've been trying Secunia PSI - http://www.secunia.com (as a 3rd party central update mechanism).

It seems to be relatively straightforward. Scans installed software and compares versions (either via checksum or possibly registry entries) to an external database. It tells you if your versions are out of date, and provides a "click to upgrade" button.

Unfortunately, this doesn't help with regard to things like this Java vulnerability.

Would running NoScript help at all with this?

Tyrian wrote:
Scratched wrote:

Companies that make such runtimes need to get their heads around good auto-updaters now. It's something I keep coming back to, but it's a damn shame there's no good central updater within Windows for third parties, and Windows Update doesn't get used as much as it could be. I saw a Skype update through WU last week, which I guess is only because MS own them.

I've been trying Secunia PSI - http://www.secunia.com (as a 3rd party central update mechanism).

It seems to be relatively straightforward. Scans installed software and compares versions (either via checksum or possibly registry entries) to an external database. It tells you if your versions are out of date, and provides a "click to upgrade" button.

Unfortunately, this doesn't help with regard to things like this Java vulnerability.

I've looked at/used that before (I think FileHippo have a similar app based off the same framework), and it's kind of half-way to the solution. The companies involved in making the products need to place an emphasis on keeping their stuff up to date for anyone who's using it.

Is it really only three times a year? Seems like the bugger is always interrupting things, to the extent that a policy was put in place that I have to log into every conference room each morning and check for Java updates, then turn off auto-updating again (because it always re-enables itself), just to make sure that one of the board doesn't get a popup in the middle of a presentation.

There are too many things that use Java to just uninstall it.

Well, this is fantastic. Our time entry system at work runs off of Java and has both stand-alone and browser components that are required for it to work properly. Just great Oracle, just great.

Are you confusing Java and Flash, ibdoomed? It seems like Flash updates about every thirty seconds, as they find yet more security holes in that buggy piece of sh*t, but I haven't seen very many Java updates. And Flash does have that thing where it constantly defaults to updating itself, even when you tell it otherwise.

but then MS seem to be on a course to cut off the legacy old Windows in the next few Windows versions,

Which, if they try to actually implement that idea, will probably also cut them off from their customers.

Malor wrote:

Are you confusing Java and Flash, ibdoomed? It seems like Flash updates about every thirty seconds, as they find yet more security holes in that buggy piece of sh*t, but I haven't seen very many Java updates. And Flash does have that thing where it constantly defaults to updating itself, even when you tell it otherwise.

but then MS seem to be on a course to cut off the legacy old Windows in the next few Windows versions,

Which, if they try to actually implement that idea, will probably also cut them off from their customers.

Definitely not confused. We use Flash a lot too, but the new auto-updater is fantastic.

IMAGE(http://i.imgur.com/KLSMN.jpg)

This, on the other hand, is almost always re-enabled every morning.

Only Java 7 right? If you are on Java 6 you are fine. At least that seems to be what both articles are indicating. Only my laptop had Java 7 on it so I just removed it and installed Java 6 from here.

edit: Oh I see they are recommending not downgrading. Well, I'll stick with my downgrade for now, I have to have a JRE for my class so I'll stick with 6 for now, lesser of two evils and all that.

ibdoomed wrote:

Is it really only three times a year? Seems like the bugger is always interrupting things, to the extent that a policy was put in place that I have to log into every conference room each morning and check for Java updates, then turn off auto-updating again (because it always re-enables itself), just to make sure that one of the board doesn't get a popup in the middle of a presentation.

There are too many things that use Java to just uninstall it.

A quick Google search found 4 updates this year so far and we still have 4 months left in the year so there are definitely more than 3 a year.

From krev82's link, it's actually a pair of bugs in tandem; neither would be enough, alone, but both together are enough to instantly compromise any machine running Java 7, no matter what OS it's using. From his link:

"The beauty of this bug class is that it provides 100% reliability and is multiplatform," he said. "Hence this will shortly become the penetration test Swiss knife for the next couple of years."

A little further down:

The discovery of the Java 7 vulnerabilities has led numerous security experts to recommend that enterprises disable Java in browsers. US-CERT Tuesday released a security alert noting that "disabling the Java browser plug-in may prevent a malicious webpage from exploiting this vulnerability." In addition, for Firefox users, it said that "using the ... NoScript extension to whitelist websites that can run scripts and access installed plug-ins will mitigate this vulnerability."

Users of systems targeted by the exploit likely wouldn't notice the attack. "It does not crash browsers, the landing page looks like a blank page, sometimes one may see a flash of a rotating Java logo and the word 'Loading,'" according to an analysis published by André M. DiMino and Mila Parkour at DeepEnd Research.

So NoScript will keep the attack from working, as long as you don't click on the applet, but you're better off disabling the Java plugin if you can. If you are hacked, it's invisible, you won't even know it.

You can test yourself for vulnerability here.

Aaaand uninstalled. Gracias.

garion333 wrote:

Aaaand uninstalled. Gracias.

Ditto

Oracle reportedly knew of critical Java bugs under attack for 4 months

edit: in the article they link to, it turns out that Oracle was given 19 separate bugs, 16 of which were full sandbox compromises, in early April -- and they decided they weren't going to bother patching them until October. 16 separate, full compromises, and they just didn't care enough to fix them timely.

I think Java and I are done.

Okay, so if anyone out there, like me up to about a minute ago, doesn't know the difference between Java and JavaScript, this link alternates between being informative and hilarious. For example:

JavaScript was named this way by Netscape to confuse the unwary into thinking it had something to do with Java, the buzzword of the day, and it succeeded.

The two languages are entirely distinct.

The more you know (which settings to leave checked in your browser's security preferences).

Had Java6, uninstalled it before I read it was about version 7. Ah well, not taking chances anyway.

Eh, I never enable Java in the browser. A carry-over from the bad old days when Java applets were everywhere and every single one of them was a vector for infection. Seems we're still in the bad old days...

Malor - Oracle has never cared about Java the language, only as a platform for delivering their crappy tools; I don't know that this is all that surprising.

The only thing I use Java for is playing Minecraft. I'm going to have to think about this.

Thanks for the heads-up, though. I sent it up to our CTO in case he hadn't seen it and didn't realize that it does affect some of our processes at work.

momgamer wrote:

The only thing I use Java for is playing Minecraft. I'm going to have to think about this.

I swear I've seen some games in the past use some form of embedded Java just for their game. Techland ones, I think. That's probably only of minimal use to Mojang though, seeing as they're a few years down the road they're on already, and I doubt they want to spend time working around someone else's problem, even if it has a major impact on them.

Thanks for the reminder. I read about this on Ars, didn't turn on my computer for a couple of days then forgot about it.

Sparhawk wrote:

Had Java6, uninstalled it before I read it was about version 7. Ah well, not taking chances anyway.

Does this only concern 7?

This specific set of bugs only works on Java 7. But the researchers have reported 16 sandbox-breaking vulnerabilities to Oracle, none of which have been patched or even acknowledged. It seems pretty unlikely that all of them are 7-only, so you would be wise to rid yourself of Java immediately, perhaps permanently.

I wonder if OpenJDK or any of the other Javas are a possible fix. I feel for any enterprise developers that are stuck between a rock and a hard place.

I just went ahead and uninstalled Java 7 and 6 and FX. Basically anything Java got yanked from all 3 systems here at home, and I'll yank it from the Mac shortly, just in case.
I don't need Java until I decide to build an Android app, so bye-bye Java.

Note, however, that we don't know the status of the 15ish other sandbox-breaking bugs.

*Legion* wrote:

Patched - u7 released

Maybe after h-online or Malor tells me the fix actually fixes it, I'll reinstall. Certainly not taking Oracle's word for it.
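A worked example of the kind of version check Tyrian describes Secunia PSI doing (scan installed versions, compare against a database of fixed versions), brought up to date with the u7 release mentioned above. This is added example code, not from any post in the thread and not Secunia's or Oracle's own code. It assumes what the thread reports: that the exploited bug pair is closed in Java 7 Update 7 (version string 1.7.0_07) and does not affect Java 6. The sample inventory is constructed; the optional live_inventory() reads the HKLM\SOFTWARE\JavaSoft\Java Runtime Environment keys that Oracle's Windows installer creates, which is where a scanner of this type finds installed JREs.

```python
import re

# Assumption taken from the thread: Oracle's 7u7 (1.7.0_07) closed the
# exploited hole and Java 6 is not affected by this particular bug pair.
FIXED_VERSION = (1, 7, 0, 7)

# Registry / `java -version` form: 1.7.0_06, 1.6.0_33, 1.7.0_07-b10
_DOTTED_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$")
# Oracle's marketing form: 7u7, 6u33
_MARKETING_RE = re.compile(r"^(\d+)u(\d+)$")


def parse_java_version(text):
    """Return a comparable tuple (major, minor, patch, update) for a JRE
    version string in either dotted or 'NuM' form."""
    text = text.strip()
    m = _MARKETING_RE.match(text)
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2)))
    m = _DOTTED_RE.match(text)
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_vulnerable(version):
    """True for any Java 7 runtime older than 7u7. Other families return
    False only because the thread reports this bug pair as 7-only; the
    other unpatched sandbox bugs Malor mentions are not covered here."""
    v = parse_java_version(version)
    return v[:2] == FIXED_VERSION[:2] and v < FIXED_VERSION


def check_inventory(inventory):
    """inventory maps version string -> install path, as a scanner would
    collect it. Returns sorted (version, path, vulnerable) triples."""
    return sorted((ver, path, is_vulnerable(ver))
                  for ver, path in inventory.items())


def live_inventory():
    """Windows only: read installed JRE versions from the registry keys
    Oracle's installer writes, in both the 64-bit and 32-bit views."""
    import winreg
    key_path = r"SOFTWARE\JavaSoft\Java Runtime Environment"
    found = {}
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path, 0,
                                  winreg.KEY_READ | view)
        except OSError:
            continue
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            if not _DOTTED_RE.match(name):
                continue  # skip the '1.7'-style family alias keys
            try:
                home, _ = winreg.QueryValueEx(winreg.OpenKey(root, name),
                                              "JavaHome")
                found[name] = home
            except OSError:
                pass
    return found


# Constructed sample data, standing in for what a scan would find.
SAMPLE_INVENTORY = {
    "1.7.0_06": r"C:\Program Files\Java\jre7",
    "1.6.0_33": r"C:\Program Files (x86)\Java\jre6",
}

if __name__ == "__main__":
    import sys
    inv = live_inventory() if sys.platform == "win32" else SAMPLE_INVENTORY
    for ver, path, bad in check_inventory(inv):
        status = "VULNERABLE - update to 7u7" if bad else "ok"
        print("%-10s %-40s %s" % (ver, path, status))
```

Note the limit the thread itself points out: a version check like this only tells you whether the one exploited bug pair is closed. It says nothing about the other reported sandbox escapes, so disabling the browser plugin (or whitelisting it per site with NoScript or Chrome's click-to-play) is still the stronger control.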

Malor wrote:

It seems pretty unlikely that all of them are 7-only, so you would be wise to rid yourself of Java immediately, perhaps permanently.

I can't exactly do that on my two work machines. They are both running 6, and the one can barely see the web, so I think it will be OK.

Well, at least disable the browser plugins. If you can't do that, install NoScript, and then only allow Java on the sites you need to use.

Malor wrote:

Well, at least disable the browser plugins. If you can't do that, install NoScript, and then only allow Java on the sites you need to use.

Do the second part anyway.

Selectively whitelist sites for scripting & plugins, don't just let anything that wants to go running crap in your browser.

Chrome has this ability for plug-ins built right in:

IMAGE(http://i.stack.imgur.com/rrapd.png)

(screenshot slightly out-of-date but the option still looks just like that)