
Experts Develop 3rd-Party Patch For New Java Zero-Day

samzenpus posted about a year and a half ago | from the patch-it-up dept.

Java 154

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."


154 comments

A better idea... (4, Insightful)

DrEnter (600510) | about a year and a half ago | (#41138639)

You know what would be better idea than patching Java? Uninstalling it.

Re:A better idea... (3, Insightful)

MyLongNickName (822545) | about a year and a half ago | (#41138789)

Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.

Re:A better idea... (2)

gl4ss (559668) | about a year and a half ago | (#41138851)

you know what's funny? can't log into my web banking without it(it's only the signon flow where it's used, too).

though, I guess I should still just whitelist it on certain sites. however applets can be used in good ways.. it's just that nobody ever does that.

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41139001)

Would you please provide a link to this bank? I have a hard time believing there are banks actually foisting client side java on customers. No financial institution I deal with does this.

Re:A better idea... (1)

JonJ (907502) | about a year and a half ago | (#41139361)

Every single bank in Norway does this.

Re:A better idea... (1)

EdIII (1114411) | about a year and a half ago | (#41139555)

Last time I checked USAA uses Java to deposit checks online too.

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41139597)

This is why I use the Deposit@Mobile feature instead. No kidding.

Re:A better idea... (1)

snemarch (1086057) | about a year and a half ago | (#41141191)

For us people living in Denmark, there's pretty much no way to avoid Java. The nation-wide "digital signature" (that's what they call it - in fact it's really just a glorified single sign-on) NemID ("Easy ID") requires Java. It's a big fscking mess, it's run by the banking industry but being shoved down our throats for interfacing with the government, and there are already successful MITM attacks on it.

Oh yeah, and the signed Java applet is just a bootstrap that fetches unsigned applets from "whatever location", and it includes JNI binaries as well that snoop system info for "fingerprinting reasons"... perfect vector for the PET, the Danish version of the NSA. Good times.

Re:A better idea... (2)

LordLimecat (1103839) | about a year and a half ago | (#41142165)

In Chrome: Wrench-->Settings; Advanced Settings; Content settings; "Click to Play" under plugins.

Problem solved.

Re:A better idea... (1, Insightful)

Anonymous Coward | about a year and a half ago | (#41138927)

Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.

A modest proposal to improve security. You know what would be more effective than uninstalling Java? Uninstalling the network and other input devices. In fact, why don't you turn off the computer entirely?

The number one reason that Java has published security holes is that Java is used heavily. Non-java programs also have security holes. Yes, it makes sense to reduce dependency on Java now, because Java has the current serious security hole. However, your parent wasn't suggesting that. Your parent was suggesting that uninstalling Java was better than fixing the security hole.

Re:A better idea... (1)

Nabeel_co (1045054) | about a year and a half ago | (#41139027)

...Your parent was suggesting that uninstalling Java was better than fixing the security hole.

I think that was because he was implying that Java isn't used anywhere enough now a days to warrant it being installed on client systems, for the most part.

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41139075)

Butthurt Oracle employee?

Re:A better idea... (2, Informative)

Anonymous Coward | about a year and a half ago | (#41139335)

Your parent was suggesting that uninstalling Java was better than fixing the security hole.

It *is* better than fixing the security hole. Fixing the security hole fixes ONE security problem. Uninstalling Java fixes that ONE security problem AND all unknown/future Java security problems.

Re:A better idea... (1)

pionzypher (886253) | about a year and a half ago | (#41140423)

This. I'm surprised that this is the first post to plainly say it after gp alluded to it.

You shouldn't have posted AC.

Re:A better idea... (2)

LordLimecat (1103839) | about a year and a half ago | (#41142223)

Your parent was suggesting that uninstalling Java was better than fixing the security hole.

It is, given the huge percentage of malware infections directly caused by Java and Adobe plugin exploits.

Patching this particular hole fixes the problem for about 2 weeks till the next 0-day drops. Some of us like to get off of that nasty little merry-go-round, and get rid of a plugin that has basically no use. If you really need it, set your plugins to Click-To-Play (through flashblock for firefox, or as detailed here [slashdot.org] for chrome)

Re:A better idea... (1)

snemarch (1086057) | about a year and a half ago | (#41142589)

Sorry, but Java has a really nasty track record of exploits - especially considering that client code runs not just in a sandbox, but a sandboxed virtual machine - and that the platform has had a lot of emphasis on security from day one.

I don't have a Java plugin in my browser, I consider that pretty much security suicide. Because I live in .dk, I have to use a browser with Java plugin from time to time, but I handle that in a locked down virtual machine that I use solely for that purpose.

Also: I kinda like Java as a language (even if it's verbose and the platform has a boatload of flaws), the JVM has a few nifty things here and there, and my day job involves Java coding. That doesn't mean I'm going to close my eyes and pretend it's a good thing to have installed on client systems, though.

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41139537)

Wrong. Removing it from your browser plug-ins is sufficient. But hey, delete OS X and Windows if you really want to follow through with your logic.

Re:A better idea... (2)

simplypeachy (706253) | about a year and a half ago | (#41139815)

Not with Internet Explorer it isn't. Even after setting the Java control panel not to use the plug-ins, disabling them in IE's Add-Ons and then removing all references to them using AutoRuns, parts of the Java plug-in can still execute.

Re: Java is like IE 6 in business (1)

Anonymous Coward | about a year and a half ago | (#41139821)

A huge number of banking and intranet sites in the office not only require it but require a specific version, like the 9-year-old 1.4.2. No, not 1.4.1, nor 1.4.3, but just 1.4.2 with 10 exploits. Kronos, Bank of America, and others. The same financial institutions that don't require Java for us do require ancient IE and old Java for corporate functions. These desktops get infected constantly, over and over.

Re: Java is like IE 6 in business (1)

JDG1980 (2438906) | about a year and a half ago | (#41140255)

A huge number of banking and intranet sites in the office not only require it but require a specific version, like the 9-year-old 1.4.2. No, not 1.4.1, nor 1.4.3, but just 1.4.2 with 10 exploits. Kronos, Bank of America, and others. The same financial institutions that don't require Java for us do require ancient IE and old Java for corporate functions. These desktops get infected constantly, over and over.

In that case, the appropriate solution is to run these tasks from virtual machines, which are then wiped back to their original state at the end of each session. And to complain to the idiots who run these pages and clearly don't know the first thing about IT security.

Re: Java is like IE 6 in business (1)

LordLimecat (1103839) | about a year and a half ago | (#41142289)

I would in all honesty change banks if that happened, not just because of the security holes but because it can be a phenomenal pain to get such an old version to play nice with a modern browser. You have to jump through hoops to even get such an old version. It would be sufficiently problematic that I would end up not using the web interface, which is sufficiently annoying that I would want a bank that had useable / secure web access.

Re:A better idea... (2)

c0lo (1497653) | about a year and a half ago | (#41141031)

Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense.

Hmmm... seems you are right... the maximum security for a computer is achieved by uninstalling the OS and keeping the computer powered off. (I'm not saying you advise this, but just to put into evidence that security is not the objective that anyone would like maximized).

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41141081)

Security through obscurity is not security.

Re:A better idea... (1)

sapgau (413511) | about a year and a half ago | (#41141339)

Java is also used heavily on the browser in Colleges and Universities (Higher Ed.) for rich text editors, chat rooms and some other educational content.

Re:A better idea... (1)

hot soldering iron (800102) | about a year and a half ago | (#41142499)

It also happens to be embedded in Oracle Databases, and even though it isn't mentioned whether this 0-day affects Android, the Dalvik engine is modeled after Java. Java is used in an incredible number of applications, it just doesn't get rubbed in your face all the time. Yeah, nobody uses Java anymore. Except... everybody.

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41138811)

Agreed.

If you don't need it, get rid of it. If you do, disable browser plugins, and if you need those, update and pray to god you don't run into a hijack website.

Re:A better idea... (1)

t4ng* (1092951) | about a year and a half ago | (#41139283)

Exactly! The only thing I ever need it for in a desktop environment is for apps that use it, not for web pages.

The real problem, as I see it, would be for all those smartphones out there that use Java for everything.

Re:A better idea... (1)

Em Adespoton (792954) | about a year and a half ago | (#41140855)

Exactly! The only thing I ever need it for in a desktop environment is for apps that use it, not for web pages.

The real problem, as I see it, would be for all those smartphones out there that use Java for everything.

iOS doesn't do Java, so all those sites out there that want to support iOS devices have to have an alternative. Because of this, Java Applets and J2ME sites always have a usable alternative these days.

Re:A better idea... (2)

udachny (2454394) | about a year and a half ago | (#41138915)

....
Java Zero Day Vulnerability

"In my lab environment, I was able to successfully exploit my test machine against latest version of Firefox with JRE version 1.7 update 6 installed," he wrote on the company blog.

The exploit was found on a server in China, and if it successfully attacks a given endpoint, the payload that is delivered is hosted on the same server. While the IP address associated with the malicious box has been known to serve malware in the past, it isn't responding to browser connections. Nevertheless, the IP is live. ....
On Monday, the Metasploit Exploit team at Rapid7 said they found the PoC and had developed a working exploit that they say enables a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6.

"As a user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available," a blog post from Rapid7 notes.

Once again, it's wise to remove Java if it isn't absolutely needed in your environment. Most home users have little need for the software these days, and most experts agree the risk outweighs the reward when it comes to installing it.

I don't know why the OP is moderated Funny, maybe they have Java installed on their 'humour sensing unit'.

--

OTOH I wish IBM bought Sun back when Oracle made their bid, this lack of interest by Oracle is just perplexing at this point. If Ellison doesn't see a way to monetize Java environment, why not sell it? Have an auction, put it on Ebay.

Re:A better idea... (0)

JDG1980 (2438906) | about a year and a half ago | (#41139655)

If Ellison doesn't see a way to monetize Java environment, why not sell it? Have an auction, put it on Ebay.

It's about the patents. That's why Ellison bought Sun. Java for end-user computing doesn't even factor in at all. He wants to be able to patent troll Android (in large part because of his personal friendship with Steve Jobs).

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41140355)

Most home users, except those 6+ million who play Minecraft.

Re:A better idea... (1)

Anonymous Coward | about a year and a half ago | (#41138975)

But.. but.. then how can I play Minecraft? :(

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41140087)

On your phone (Minecraft Pocket Edition)?

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41140305)

But.. but.. then how can I play Minecraft? :(

On your phone (Minecraft Pocket Edition)?

Totally an acceptable drop-in replacement! (except not really)

Re:A better idea... (1)

KDR_11k (778916) | about a year and a half ago | (#41141063)

To elaborate, the mobile version of Minecraft:
- Is limited to a fixed world size, it does not expand as you explore like the PC one does.
- Has only a very limited selection of enemies.
- Lacks many of the tools, blocks, etc.
- Does not include enchanting or bow & arrow
- Doesn't apply gravity to sand and gravel
- Has been declared shit by Notch himself.

and many other restrictions. It's slowly evolving past the original release that was basically just creative mode but it hasn't come too far yet.

Re:A better idea... (1)

tlambert (566799) | about a year and a half ago | (#41142555)

But.. but.. then how can I play Minecraft? :(

I mentally translate "JRE" to "MRE" for Minecraft Runtime Environment.

In all seriousness, many banks run a captive Java application for login authentication using challenge/response as an anti-phishing mechanism to prevent storing the credentials. Given that Java is frequently exploited, this isn't a very effective strategy, given the current generation of online channel-breaking attacks.
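The bank-login pattern tlambert describes above, and the NemID man-in-the-middle worry raised earlier in the thread, as an added example that is not part of any comment here and is not any bank's applet code: a minimal HMAC challenge/response login, run once honestly and then against a man-in-the-browser that relays the bank's challenge. The bank, the user, the salt, the key-derivation parameters and the transaction strings are all constructed for the illustration. What it shows is that challenge/response does keep the password off the wire, yet the attacker's transaction is still authorized unless the response is bound to the transaction, and even binding fails when the signer runs inside the compromised browser and so signs whatever text the malware feeds it.

```python
"""Challenge/response login against a man-in-the-browser relay.

Added example, not code from the thread or from any bank's applet. The user,
salt, key-derivation parameters and transaction strings are constructed.
"""
import hashlib
import hmac
import secrets

SALT = b"constructed-per-user-salt"   # would be per-user and server-stored
PASSWORD = "correct horse battery"    # constructed credential


def derive_key(password):
    """Client-side key from the password; the password itself never goes on the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 20_000)


def make_response(key, nonce, txn=None):
    """Plain mode signs the nonce only. Bound mode also signs the transaction the
    user is approving, so the response is useless for any other transaction."""
    msg = nonce if txn is None else nonce + b"\x00" + txn.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Bank:
    def __init__(self, bind_txn):
        self.bind_txn = bind_txn
        self.keys = {"alice": derive_key(PASSWORD)}
        self.pending = {}  # session id -> (user, nonce, transaction)

    def challenge(self, user, txn):
        sid, nonce = secrets.token_hex(8), secrets.token_bytes(16)
        self.pending[sid] = (user, nonce, txn)
        return sid, nonce

    def submit(self, sid, resp):
        user, nonce, txn = self.pending.pop(sid)
        expected = make_response(self.keys[user], nonce, txn if self.bind_txn else None)
        return hmac.compare_digest(expected, resp)


def honest_login(bind_txn):
    """The protocol working as intended: no password on the wire, login succeeds."""
    bank = Bank(bind_txn)
    txn = "pay 100 to bob"
    sid, nonce = bank.challenge("alice", txn)
    resp = make_response(derive_key(PASSWORD), nonce, txn if bind_txn else None)
    return bank.submit(sid, resp)


def relay_attack(bind_txn, attacker_controls_display):
    """Malware in the victim's browser relays the bank's challenge.
    Returns True when the attacker's transaction gets accepted."""
    bank = Bank(bind_txn)
    victim_key = derive_key(PASSWORD)
    victim_txn, attacker_txn = "pay 100 to bob", "pay 5000 to mule"

    # The attacker opens a session for its own transaction and feeds that
    # nonce to the victim's client as if it were the victim's own challenge.
    sid_att, nonce_att = bank.challenge("alice", attacker_txn)

    # In bound mode the signer signs whatever transaction text it is handed.
    # A signer inside the compromised browser gets the attacker's text while
    # the user is shown the real one; a separate device showing the real
    # transaction signs only what the user actually sees.
    signed_txn = attacker_txn if attacker_controls_display else victim_txn
    victim_resp = make_response(victim_key, nonce_att, signed_txn if bind_txn else None)

    # The relayed response lands on the attacker's session, not the victim's.
    return bank.submit(sid_att, victim_resp)


if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_txn={bind}: honest login ok={honest_login(bind)}")
        for mitb in (False, True):
            print(f"  relay, signer in browser={mitb}: attacker accepted={relay_attack(bind, mitb)}")
```

The transcript an eavesdropper sees is only the nonce and an HMAC over it, so the credential is indeed not exposed; that is the anti-phishing property the applets are built for. The relay succeeds anyway in plain mode because nothing ties the response to the session or transaction it was meant for. Binding the response to the transaction text closes that only when the text is rendered and signed somewhere the malware cannot reach, which a Java applet in the same browser cannot guarantee.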

An Even Better Idea (1)

RobertLTux (260313) | about a year and a half ago | (#41139013)

Why don't they make it so that you can download the installer (for use on other computers) without using TOP SECRET BURN BEFORE READING links??

oh btw a cool way to get all the "stuff" is http://ninite.com/.net-7zip-air-chrome-firefox-flash-flashie-foxit-java-pdfcreator-shockwave-silverlight/ [ninite.com] download that file and then run it to get everything installed (and yes i did include both chrome and firefox)

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41139257)

This is what I do. My wife has 2 things that need it. I locked it down so *only* those 2 things can use it. One of them is not the web browser...

Just taking it out of running in the web browser cuts your surface area down. But not a lot. If you don't use it, get rid of it.

Re:A better idea... (3, Funny)

monkeyhybrid (1677192) | about a year and a half ago | (#41139487)

I locked it down so *only* those 2 things can use it. One of them is not the web browser...

But the other one is the web browser? ;)

Re:A better idea... (1)

Hatta (162192) | about a year and a half ago | (#41139773)

I would love to uninstall Java. But what would I replace UGENE and ImageJ with? It seems like any free, cross platform, GUI, scientific software is written in Java.

Re:A better idea... (1)

Em Adespoton (792954) | about a year and a half ago | (#41140923)

So uninstall all plugins, etc. and only run pure Java apps. To go one better, only run them in a sandbox (a VM should do the trick). That way, you can still copy/paste the output and even share the files back, but as you aren't doing anything in that sandbox other than running that Java app, that instance of Java won't be exploited. You don't even need to upgrade for new features/security fixes!

Re:A better idea... (0)

Anonymous Coward | about a year and a half ago | (#41139873)

You know what would be a better idea than patching Windows/Linux/Office/Flash? Uninstalling it.
See how stupid you are.

Re:A better idea... (2)

93 Escort Wagon (326346) | about a year and a half ago | (#41140125)

You know what would be better idea than patching Java? Uninstalling it.

I didn't uninstall it; but several months ago I turned it off in my web browser(s). You know what? It hasn't impacted anything I do - none of the web sites I use rely on Java *at all*. Not the fun sites, not the banking sites, not the business sites...

I've certainly got some local software that requires Java; but if it's not available in my browser you're going to have a difficult time getting an exploit onto my computer.

Re:A better idea... (1)

edxwelch (600979) | about a year and a half ago | (#41140175)

In all fairness, Java is no less secure than .NET or any other middleware. Why not just uninstall everything? Then you're really safe.

Quarterly security patch? (1)

Anonymous Coward | about a year and a half ago | (#41138671)

You have to be fucking kidding me.

Re:Quarterly security patch? (4, Funny)

plover (150551) | about a year and a half ago | (#41138729)

The analysts figured that exploits only come out an average of four times a year, therefore they only need to send updates every quarter. Who can question the CIO's master stroke of logic?

Re:Quarterly security patch? (1)

Milharis (2523940) | about a year and a half ago | (#41139097)

Luckily for criminals, those exploits are made public the day following the quarterly update.

Seriously though, they don't have out-of-schedule updates for critical security bugs?

Re:Quarterly security patch? (1)

_xeno_ (155264) | about a year and a half ago | (#41140837)

Seriously though, they don't have out-of-schedule updates for critical security bugs?

Well, it's Oracle, so I expect they do, they just cost extra. I mean, you are up to date on your Oracle Certified Java Security Support, right?

(Note: I'm joking. The actual service is called Oracle Premier Support for the Java SE Platform [oracle.com] and you only need it to get security patches for "old" versions of Java.)

Re:Quarterly security patch? (0)

Anonymous Coward | about a year and a half ago | (#41138815)

I never get why companies need a fixed patch cycle.
Why don't they release updates as vulnerabilities are fixed?
And what happens when it's time to release the next version but no new vulnerabilities have been found?
Do they just bump the version count?

Re:Quarterly security patch? (2, Informative)

Anonymous Coward | about a year and a half ago | (#41139007)

I'm not sure if you are trolling, but here's why:

There is a significant amount of work to test the software before doing a release.

The code base is big and old, there are a lot of targets, and I'm guessing that not all tests are automated.
Also, there is the issue of reducing the number of versions "out in the wild", at least for paying customers,
as every additional version costs money to provide support for.

All this takes resources away from fixing bugs and working on new features.
It's not as if there is nothing to do if no new bugs are found...

Re:Quarterly security patch? (0)

Anonymous Coward | about a year and a half ago | (#41139953)

I didn't think about it that way.
Either way, I think in a situation where a severe vulnerability is discovered they should issue a patch for it.
If their testing infrastructure sucks, that's their problem and they should fix that too.
It probably contributes to all the bugs being found.

Re:Quarterly security patch? (1)

another random user (2645241) | about a year and a half ago | (#41139089)

And what happens when it's time to release the next version but no new vulnerabilities have been found?

Don't worry about it, that's never going to happen.

Re:Quarterly security patch? (0)

Anonymous Coward | about a year and a half ago | (#41139369)

I never get why companies need a fixed patch cycle. Why don't they release updates as vulnerabilities are fixed? And what happens when it's time to release the next version but no new vulnerabilities have been found? Do they just bump the version count?

LOL! No new vulnerabilities?!? What are you--some sort of mythical BSD developer?

Re:Quarterly security patch? (1)

Forty Two Tenfold (1134125) | about a year and a half ago | (#41139405)

And what happens when it's time to release the next version but no new vulnerabilities have been found?

You can go GNOME3 on any software anytime.

Re:Quarterly security patch? (1)

sapgau (413511) | about a year and a half ago | (#41141395)

Users get upset when the server is rebooted/restarted on short notice.
You get a lot of "I need two weeks in advance to prepare for this" complaints.

You know its funny (2, Interesting)

DarkOx (621550) | about a year and a half ago | (#41138765)

We were told Java was going to be the answer to all our security problems. No more buffer over flows, and few if any other remote code exploits would be possible with applications written in Java.

It's too bad someone finds a critical vulnerability in the platform every other month, seemingly.

Re:You know its funny (1)

Anonymous Coward | about a year and a half ago | (#41138867)

Maybe it would help if they used Java to program the vm.
Then it would be impossible to have security vulnerabilities.

Re:You know its funny (3, Insightful)

binarylarry (1338699) | about a year and a half ago | (#41139037)

This isn't a flaw in Java itself but yet another flaw in the browser plugin.

Given that virtually all the major browser plugins technologies I can think of have resulted in an unending stream of exploits, it seems silly to blame this entirely on Java. Adobe PDF, Flash, and the Java plugin have all been the main vectors of attack. Guess what the three most popular browser plugins are?

Maybe the real issue is a shitty plugin API and/or implementation?

Re:You know its funny (2, Informative)

Anonymous Coward | about a year and a half ago | (#41140319)

Not true...

http://dev.metasploit.com/redmine/projects/framework/repository/revisions/52ca1083c22de7022baf7dca8a1756909f803341/entry/external/source/exploits/CVE-2012-XXXX/Exploit.java

It's a bug in how java bean statements interact with security domains, as far as I can tell. Definitely a JRE bug.
It really is just more reason why you should never let your language's runtime get completely out of hand - this kind of stuff should have been in libraries, not in the runtime.

Re:You know its funny (0)

Anonymous Coward | about a year and a half ago | (#41141039)

> Maybe the real issue is a shitty plugin API and/or implementation?

Nope. These browser plugins are all vastly complicated though, each incorporating a full programming language (javascript, actionscript, java), complicated object models, and lots and lots of file format parsers. Basically you're bolting three proprietary, poorly maintained web browsers onto your shiny main webbrowser. Guess where the bugs are going to be?

Re:You know its funny (2)

sapgau (413511) | about a year and a half ago | (#41141475)

Will we ever be safe from all that?
Oh, it's Java bashing time, sorry...

Don't browse with Java (5, Informative)

JDG1980 (2438906) | about a year and a half ago | (#41138831)

There is no good reason to have Java installed in your primary browser. The only reason why it's everywhere is that it often comes preinstalled for no good reason, and (even worse) the installer shoves its way into all your browsers, for even less reason. If there are specific business sites using Java that you must access, then use IE with Java exclusively for those, and Firefox or Chrome for normal browsing. Using Java on the open web is just asking to get 0wned.

Re:Don't browse with Java (3, Informative)

Megahard (1053072) | about a year and a half ago | (#41138961)

Agreed. Before HTML5, Java was an acceptable way to implement app-like stuff in the browser. Now with dynamic HTML, Canvas, SVG, and AJAX, Java in the browser has become an anachronism.

Re:Don't browse with Java (1)

tokul (682258) | about a year and a half ago | (#41141727)

Now with dynamic HTML, Canvas, SVG, and AJAX

Java has all app-like stuff contained in single object. All above tools only create mashed soup on top of html with different browser specific quirks.

Re:Don't browse with Java (1)

amicusNYCL (1538833) | about a year and a half ago | (#41142511)

All above tools only create mashed soup on top of html with different browser specific quirks.

...while eliminating all security issues around Java. If you think that's a bad tradeoff, please point to the Java version of Facebook, or the Java version of Youtube, or Gmail, etc.

Re:Don't browse with Java (0)

Anonymous Coward | about a year and a half ago | (#41141757)

HTML5-as-we-know-it is pretty recent. But Java hasn't been an acceptable (to me at least) way to implement app-like stuff in the browser for at least a decade.

I "fondly" remember how when IE5 came out the "dynamic html" stuff actually worked (as compared to Netscape 4.x). There wasn't anything like jQuery back then, but still there was almost nothing that you *needed* to implement in Java. The graphics-intensive stuff that was beyond the capabilities of JavaScript was often implemented with Flash.

Re:Don't browse with Java (2, Informative)

Anonymous Coward | about a year and a half ago | (#41139081)

Better yet, disable all plugins by default (or set for "click to run"), and whitelist sites you regularly visit and trust. You should have a minimal attack surface when visiting *any* site you don't explicitly trust.

Re:Don't browse with Java (1)

CAIMLAS (41445) | about a year and a half ago | (#41140489)

It's exploits like this which make me pine for someone to re-implement VMS security mechanisms for modern operating systems. If I could get that kind of granular control at the IP level of a network, I'd be even happier. "Prohibit all traffic from to anywhere except sites x, y, z". It wouldn't be a fix, but it'd sure help.

I know I can do it with layer 7 filtering, but it's still a huge headache today.

Re:Don't browse with Java (1)

antdude (79039) | about a year and a half ago | (#41142287)

I have it disabled 99% of the times. My work's time card system and online classes/courses require Java. Lame, I know! :(

fuck3r (-1)

Anonymous Coward | about a year and a half ago | (#41138905)

theorists - Due to the troubles ASSOCIATION OF of the GGNA I of Walnut Creek, guest and never get

It's Worse for Apple Users (0)

Carcass666 (539381) | about a year and a half ago | (#41138933)

For MacOS, Apple handles all Java releases directly. R19 had new security features which basically broke many applets which called a webservice. On Windows and Linux, when Sun released a fix, our users were able to patch. Unfortunately, our Mac users had to wait until Apple got around to packaging the fix/update, which took weeks longer. The Java model has degenerated to Write Once, Debug Everywhere and Wait...

Re:It's Worse for Apple Users (0)

Anonymous Coward | about a year and a half ago | (#41139111)

It's worse than you think. Apple has stopped maintaining their JVM now and deprecated it. It's up to Sun to release a JVM for OS X now, and over a year has gone by so far, without any update to our JVM.

Re:It's Worse for Apple Users (0)

Anonymous Coward | about a year and a half ago | (#41139137)

And, just as I say that, I decide to check back. Apparently Sun IS now releasing a JVM for OS X.
Yay!

So we were both wrong.

Re:It's Worse for Apple Users (1)

Forty Two Tenfold (1134125) | about a year and a half ago | (#41139983)

Apparently Sun IS now releasing a JVM for OS X. Yay!

So we were both wrong.

Some more than others. 2009 called and asked to tell you that. 4/20 to be exact.

Re:It's Worse for Apple Users (4, Funny)

Anonymous Coward | about a year and a half ago | (#41139423)

It's up to Sun to release a JVM for OS X now

Boy, are you Apple users in trouble!

Re:It's Worse for Apple Users (0)

Anonymous Coward | about a year and a half ago | (#41139381)

This is known to be false and has been pointed out in the same thread but is still modded up? The anti-Apple bias is out of hand around here.

If I remember well (5, Interesting)

Vapula (14703) | about a year and a half ago | (#41139223)

During SUN's era, the motto for Java was : "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep java's secure reputation...

But now, it's Oracle... Oracle screwed up OpenOffice... Oracle is screwing up MySQL... And it looks like Oracle is screwing up Java... I wonder what treatment VirtualBox gets...

Re:If I remember well (2)

Sponge Bath (413667) | about a year and a half ago | (#41139571)

Oracle screwed up OpenOffice... Oracle is screwing up MySQL... And it looks like Oracle is screwing up Java... I wonder what treatment VirtualBox gets...

Larry Ellison glances at his screwdriver...

Re:If I remember well (2)

RabidReindeer (2625839) | about a year and a half ago | (#41139779)

During SUN's era, the motto for Java was : "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep java's secure reputation...

But now, it's Oracle... Oracle screwed up OpenOffice... Oracle is screwing up MySQL... And it looks like Oracle is screwing up Java... I wonder what treatment VirtualBox gets...

Well, Oracle doesn't need to fix Java. Oracle is "Unbreakable"[TM]

Vulnerable? (-1)

Anonymous Coward | about a year and a half ago | (#41139671)

Why is this vulnerability not going to affect us much?

- it tries to access a domain that has xxx in its name - such domain names are blocked
- it tries to download a .exe - such downloads are blocked for users
- it downloads the .exe into the temp dir and runs it - running a .exe in the user profile (and thus the temp dir) is blocked by policy
- it tries to modify the system - but the users have no admin privilege and cannot modify C:\WINDOWS
- the .exe it downloads is recognized as a trojan by the virus scanner

So there are at least 5 hurdles between this exploit and the system.
Now, we are just a humble company with mediocre system admins.
I wonder why this kind of exploit always seems to affect high profile companies and government organizations.
Are the admins there totally incapable nitwits, or what?

Re:Vulnerable? (1)

Eristone (146133) | about a year and a half ago | (#41140151)

Or what. :)

xxx - something else contains that string and has been allowed through the domain filters, because "xxx" doesn't always designate pornography; it can also be part of the size of a t-shirt or a movie [imdb.com] perhaps.
.exe download - many larger organizations let their users download executable files from the Internet because their job requires downloading these sorts of things and having requests to let someone else download it becomes a department road block.

downloads .exe to temp directory and tries to run it - group policy may block but legacy applications (that you can't rewrite or replace because a department or division runs on it) may require the same type of behavior.

Modify the system - while it has gotten better, depending on your end-users and the apps they are running, they might need admin privileges and/or the ability to modify c:\windows
.exe picked up as trojan - this should be a hurdle.

It isn't a case of mediocre sysadmins so much as corporate inertia and legacy stupidity that stands in the way of preventing these sorts of things. And the bigger the company, the harder it is to get it to turn that sort of corner. Add to that the rules involved in changing procedures (not to mention the money) and you'll understand why the high profile (read larger) companies and gov't organizations are still behind on being able to mitigate a lot of these things.

Re:Vulnerable? (0)

Anonymous Coward | about a year and a half ago | (#41141331)

I read this "my work requires it!" claim a lot.
I think it is hogwash.
Work requires a stable system. Work does not require access to xxx, download of .exe, run of .exe outside of installed apps, change of the system.
The admins are just hiding that they don't know how to implement measures like this.
It is the same breed that never updated IE6 "because we depend on it".

They will be owned. But they just don't care.
I bet a lot of those companies have outsourced admin and the admin company only performs to the minimal SLA, which in a corner states that security breaches and virus outbreaks are cured on time and material basis, with no possibility for damage compensation.

Re:Vulnerable? (0)

Anonymous Coward | about a year and a half ago | (#41141539)

xxx - something else has that which has been allowed through the domain filters because "xxx" doesn't always designate pornography, it can also be part of the size of a t-shirt or a movie [imdb.com] perhaps.

You don't need to be shirt-shopping or checking out a Vin Diesel movie at work. Block remains in effect.

.exe download - many larger organizations let their users download executable files from the Internet because their job requires downloading these sorts of things and having requests to let somepony else download it becomes a department road block.

HAHAHAHAHAHA. No.

downloads .exe to temp directory and tries to run it - group policy may block but legacy applications (that you can't rewrite or replace because a department or division runs on it) may require the same type of behavior.

Which will be given exceptions on a case-by-case basis. Not letting everything on the whole system just go nuts with permissions.

depending on your end-user and apps they are running, they might need admin privileges and or the ability to modify c:\windows .exe

If you actually need this kind of access, you'd best fucking know better than to get infected with this shit.

It isn't a case of mediocre sysadmins

Keep telling yourself that.

corporate inertia and legacy stupidity that stands in the way of preventing these sorts of things

We play a support role. For most businesses, the primary objective is not IT. Make it work like the rest of us do.

you'll understand why the high profile (read larger) companies and gov't organizations are still behind on being able to mitigate a lot of these things.

As someone on the inside, it still looks an awful lot like technological incompetence to me.

And this is why I don't have Java Installed (0)

fast turtle (1118037) | about a year and a half ago | (#41140027)

Simply put, I have absolutely no apps that depend on JAVA and this is exactly why. As someone else said, the best solution is to remove JAVA entirely and never let it near your system again. Friends don't let friends install Java and we don't do windows

Re:And this is why I don't have Java Installed (1)

njahnke (757694) | about a year and a half ago | (#41140507)

Simply put, I have absolutely no apps that depend on JAVA and this is exactly why. As someone else said, the best solution is to remove JAVA entirely and never let it near your system again. Friends don't let friends install Java and we don't do windows

awesome grammar nazi troll. i was getting all excited and then it was suddenly as though you realized java isn't an acronym right before the end of your post.

Vendors shipping custom Java versions (1)

Culture20 (968837) | about a year and a half ago | (#41140619)

Lots of vendors like to ship custom Java versions which their programs use (installed in their applications' subdirectories), and they rarely update the Java versions when a vulnerability is found for the version they based their custom job on.

Re:Vendors shipping custom Java versions (0)

Anonymous Coward | about a year and a half ago | (#41140757)

Where I work, IBM WebSphere is widely deployed, and I have noticed they do a good job of patching Java.

Curiously, Oracle usually supplies its own stash for Oracle Financials, etc., and they seem to do a good job of patching that too. They are generally running 1.6

Re:Vendors shipping custom Java versions (1)

Anonymous Coward | about a year and a half ago | (#41141499)

But then those environments seldom run .jar files that get in from the outside, like a browser plugin would.

Persuasion without coercion (-1)

Anonymous Coward | about a year and a half ago | (#41141297)

Memorable quotes for
Looker (1981)
http://www.imdb.com/title/tt0082677/quotes [imdb.com]

"John Reston: Television can control public opinion more effectively than armies of secret police, because television is entirely voluntary. The American government forces our children to attend school, but nobody forces them to watch T.V. Americans of all ages *submit* to television. Television is the American ideal. Persuasion without coercion. Nobody makes us watch. Who could have predicted that a *free* people would voluntarily spend one fifth of their lives sitting in front of a *box* with pictures? Fifteen years sitting in prison is punishment. But 15 years sitting in front of a television set is entertainment. And the average American now spends more than one and a half years of his life just watching television commercials. Fifty minutes, every day of his life, watching commercials. Now, that's power."

##

"The United States has its own propaganda, but it's very effective because people don't realize that it's propaganda. And it's subtle, but it's actually a much stronger propaganda machine than the Nazis had, but it's funded in a different way. With the Nazis it was funded by the government, but in the United States, it's funded by corporations, and corporations only want things to happen that will make people want to buy stuff. So whatever that is, then that is considered okay and good, but that doesn't necessarily mean it really serves people's thinking - it can stupefy and make not very good things happen."
- Crispin Glover: http://www.imdb.com/name/nm0000417/bio [imdb.com]

##

"It's only logical to assume that conspiracies are everywhere, because that's what people do. They conspire. If you can't get the message, get the man." - Mel Gibson (from an interview)

##

"We'll know our disinformation program is complete when everything the American public believes is false." - William Casey, CIA Director

##

George Carlin:

"The real owners are the big wealthy business interests that control things and make all the important decisions. Forget the politicians, they're an irrelevancy. The politicians are put there to give you the idea that you have freedom of choice. You don't. You have no choice. You have owners. They own you. They own everything. They own all the important land. They own and control the corporations. They've long since bought and paid for the Senate, the Congress, the statehouses, the city halls. They've got the judges in their back pockets. And they own all the big media companies, so that they control just about all of the news and information you hear. They've got you by the balls. They spend billions of dollars every year lobbying to get what they want. Well, we know what they want; they want more for themselves and less for everybody else.

But I'll tell you what they don't want. They don't want a population of citizens capable of critical thinking. They don't want well-informed, well-educated people capable of critical thinking. They're not interested in that. That doesn't help them. That's against their interests. They don't want people who are smart enough to sit around the kitchen table and figure out how badly they're getting fucked by a system that threw them overboard 30 fucking years ago.

You know what they want? Obedient workers, people who are just smart enough to run the machines and do the paperwork but just dumb enough to passively accept all these increasingly shittier jobs with the lower pay, the longer hours, reduced benefits, the end of overtime and the vanishing pension that disappears the minute you go to collect it. And, now, they're coming for your Social Security. They want your fucking retirement money. They want it back, so they can give it to their criminal friends on Wall Street. And you know something? They'll get it. They'll get it all, sooner or later, because they own this fucking place. It's a big club, and you ain't in it. You and I are not in the big club.

This country is finished."

##

We now return you Americans to your media: corporate, government-sponsored and controlled (rigged) elections.

Most of you are so asleep; it's time you woke up!

Ok let's get a clue (0)

Anonymous Coward | about a year and a half ago | (#41141397)

There's "Java" as in "JVM" or "JDK" and there are "various Java plugins for browsers". The latter have very little to do with Java proper and it's not clear why they are even needed these days.
