
Researcher Develops Patch For Java Zero Day In 30 Minutes

Soulskill posted about 2 years ago | from the 30-minutes-or-less-or-your-zero-day-is-free dept.

Java 57

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."


57 comments


Code review (4, Insightful)

danomac (1032160) | about 2 years ago | (#41745977)

They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...

Re:Code review (4, Insightful)

wonkey_monkey (2592601) | about 2 years ago | (#41746303)

Exactly. The amount of time taken to write a patch is almost entirely inconsequential here. It's the time taken to ensure that the patch doesn't accidentally open 1001 other holes that matters.

A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce

And someone at Java may have written a patch for the exploit in 1 minute six weeks ago. In terms of actual useful information this headline probably boils down to

Researcher Develops Patch For Java Zero Day

which isn't quite as immediately sexy.

Re:Code review (2)

sjames (1099) | about 2 years ago | (#41747323)

It does give us some idea of the extent of the patch (quite limited) and thus the effort required to revalidate the package (small as that sort of thing goes). I find that information useful in evaluating Oracle's response.

Re:Code review (1)

Likes Microsoft (662147) | about 2 years ago | (#41746989)

TFA incorrectly called this a zero day. It has to be known to be actively exploited in the wild first.

Re:Code review (0)

Anonymous Coward | about 2 years ago | (#41747497)

They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...

Ha. You don't know Oracle. They won't push out any patch until you sign a multi-million dollar service contract!

Re:Code review (2)

StormReaver (59959) | about 2 years ago | (#41747885)

I doubt they'll push any patch out without testing it.

You must be new to Oracle. I envy you.

Fix has been released by Oracle (0)

Anonymous Coward | about 2 years ago | (#41754283)

Thankfully Oracle did go ahead and release this fix for Java, it's available right now and does credit Adam Gowdiak, the designer of this fix.

For Java 6 it's 6u37 and for Java 7 it's 7u9

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
http://www.oracle.com/technetwork/java/javase/downloads/index.html

Tank it (1)

Anonymous Coward | about 2 years ago | (#41746079)

I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premier and decided to tank it.

Re:Tank it (1)

Nyder (754090) | about 2 years ago | (#41746179)

I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premier and decided to tank it.

Okay, this is weird. I happen to be watching the 30 Rock Season 7 premier right now.

Re:Tank it (1)

Anonymous Coward | about 2 years ago | (#41746319)

Are you saying it's weird because you're watching it or because you're an executive at Oracle?

Re:Tank it (1)

Smallpond (221300) | about 2 years ago | (#41746443)

Actually, it's weird because he's Alec Baldwin.

Re:Tank it (1)

sexconker (1179573) | about 2 years ago | (#41746561)

Actually, it's weird because he's Alec Baldwin.

Actually, it's weird because someone actually watches 30 Rock.

Actually, it's weird because someone actually watches NBC.

Re:Tank it (0)

Anonymous Coward | about 2 years ago | (#41746799)

Actually, it's weird because someone on slashdot actually watches TV.

The cost is rarely in coding the patch... (3, Insightful)

Anonymous Coward | about 2 years ago | (#41746097)

It's in testing it.

Re:The cost is rarely in coding the patch... (2)

pkinetics (549289) | about 2 years ago | (#41746187)

With Oracle products, it seldom is the testing of just the SE app. It's all their other apps that integrate into it that are the problem. Further down the chain, it is the vendors who use the Oracle products that are further more hosed, which end up holding up the deployment of the client.

Re:The cost is rarely in coding the patch... (1)

LordLimecat (1103839) | about 2 years ago | (#41748165)

Since when has Oracle / Sun cared about breaking compatibility with Java? IIRC many older Cisco web-config pages use Java 1.4.2 u7 (or something)-- any newer (update 8) and it breaks. And when JavaSE7 came out, it broke LibreOffice and basically every other app I used (I think CrashPlan too). Backwards compatible my foot.

Pretty sure the various iterations of BES break horribly if you try to update their java-- but that might not be a java issue per se.

Re:The cost is rarely in coding the patch... (1)

jroysdon (201893) | about 2 years ago | (#41748875)

Java 6 update 37 also broke the ASA ASDM interface. Works just fine with Java 6 update 33 (update 35 wasn't a real security fix for Java 6). TAC is reviewing and will probably post a bugid soon.

Re:The cost is rarely in coding the patch... (1)

LordLimecat (1103839) | about 2 years ago | (#41751633)

when the heck was update 37 released? U32 just came out in August.....

Re:The cost is rarely in coding the patch... (1)

jroysdon (201893) | about 2 years ago | (#41773855)

Keep up. U32 was released in April. U37 was last week.

Java 6 Updates [wikipedia.org]

Re:The cost is rarely in coding the patch... (0)

Anonymous Coward | about 2 years ago | (#41746199)

Or in millions of machines infected with malware. Oh, right, that's not THEIR costs.

Re:The cost is rarely in coding the patch... (1)

Slashcrunch (626325) | about 2 years ago | (#41747593)

You're 100% correct that a reasonable amount of effort is needed to test a patch that is going to be deployed to users and enterprise systems.

But here we have a known exploit, and Oracle with their huge pool of resources cannot manage to release a patch for it before Feb 2013? You can believe that they don't have the resources to test the patch in a shorter time frame or even create a better one? I seriously doubt that it takes Oracle months to regression test a single patch.

The bottom line is that Oracle are the owners of Java, and they can't patch it in a timely fashion.

Companies and people running Java applications are OK with this?

I was once a huge fan of Java and in all seriousness, this is one of the exact reasons that I don't touch Java anymore. I don't even look at MS stuff either for similar reasons.

Re:The cost is rarely in coding the patch... (0)

Anonymous Coward | about 2 years ago | (#41748209)

It's crap like this that is getting Java removed from web browsers by the shit loads each and every day. On the machines that don't require Java at all, Java is banned.

As a business you can't possibly operate under the imminent threat that Java's security holes represent. 4 more months for a critical patch for exploits that are in the wild now? Seriously?

At my company right now you need to use a remote desktop session to use a vendor website that has Java apps. We work off white lists to prevent any connections to unauthorized websites.

If you have Java open and running in a web browser right now in a company, you're asking for it. I can't see how situations like this are encouraging further enterprise development of platforms that use Java either.

5 months? (1)

Nyder (754090) | about 2 years ago | (#41746171)

I don't see how it can be called critical updates if they only do them twice a year. That doesn't sound like the patches they put out on those days are very critical. Unless this is another word we are changing the meaning of...

Re:5 months? (1)

TaoPhoenix (980487) | about 2 years ago | (#41746317)

Glad to know someone else thought about that, too. On the one hand we have the frenetic "let's monitor the internet to make the web safer!" (A few stories back). Then on the other we get "Oh well, there's a security flaw that we won't fix until February."

Re:5 months? (4, Insightful)

Local ID10T (790134) | about 2 years ago | (#41746573)

Microsoft has Patch Tuesday, Oracle has Patch February...

Re:5 months? (0)

Anonymous Coward | about 2 years ago | (#41751407)

This is just another shining example of why Oracle and Larry Ellison suck.

Re:5 months? (1)

cusco (717999) | about 2 years ago | (#41760095)

And Adobe just leaves security holes with known exploits in the wild for Acrobat open for two years, never fixes them in the free version of Reader, and then tells users they have to upgrade Reader even though it breaks things. Only software company I loathe more than Oracle.

Patch right here! (5, Funny)

Deathlizard (115856) | about 2 years ago | (#41746189)

Windows [java.com]

Linux [java.com]

Mac OS X [java.com]

Re:Patch right here! (1)

Anonymous Coward | about 2 years ago | (#41746327)

Stupid noob question: Does a vulnerability like this affect linux boxes that are running java?

Re:Patch right here! (2)

LordLimecat (1103839) | about 2 years ago | (#41748181)

Java vulns are typically cross platform.

Re:Patch right here! (1)

Anonymous Coward | about 2 years ago | (#41746403)

Well many of us do development with Java and wish to use it for developing server-based programs on Windows machines, but the installer insists on inserting its tendrils deep into any web browser it can find. Is there any way to prevent this because it is easy to overlook disabling this after the upgrade. Keeping it from installing the shovelware is bad enough.

Re:Patch right here! (3, Informative)

Deathlizard (115856) | about 2 years ago | (#41746437)

1) install 64 bit java
2) Uninstall IE, or don't use IE 64 bit.
3) remember to update, because 64 bit java doesn't have an updater. Not that it works anyway.

The 32 bit browsers (chrome, firefox, even 32 bit IE) won't use the 64 bit java to run applets and since IE is the only 64 bit browser and cannot be set as the default browser, it will limit your attack surface.

Re:Patch right here! (0)

Anonymous Coward | about 2 years ago | (#41747195)

since IE is the only 64 bit browser

Why is this? You can get 64-bit builds of Chromium or Firefox for Linux, why not for Windows?

Re:Patch right here! (0)

Anonymous Coward | about 2 years ago | (#41748873)

Opera has 64bit builds too.

Re:Patch right here! (0)

Anonymous Coward | about 2 years ago | (#41749137)

You don't have to install Java to use the JRE (or JDK)

You can copy the extracted JRE to your target machine then have your application start using that JRE

.\somefolder\jre\bin\java.exe -cp your.class.path id.you.app.Main

There is no registry entry and no browser plugin. Obviously setting environment vars, adding to paths and creating shortcuts/aliases etc will make things nicer.

Re:Patch right here! (0)

Anonymous Coward | about 2 years ago | (#41746649)

In all seriousness, most people probably shouldn't have the browser vector enabled in the first place. It's not used for much anymore.

No reason you can't keep java on the desktop, though. It does have its uses.

Great, expect this in the wild in 4...3....2.... (3, Insightful)

NinjaTekNeeks (817385) | about 2 years ago | (#41746209)

Provided to Oracle on the 19th and Oracle plans to patch it in February. This has got to be a dream come true for the bad guys, while Oracle tests the fix, they can find and start adding it to their exploit kits.

Interesting thought (0)

Anonymous Coward | about 2 years ago | (#41746253)

We have had discussions on /. regarding developers being responsible for shoddy code.

What about being held responsible for leaving a known severe security hole open for months just because that's your patch cycle?

well... (4, Insightful)

SuperDre (982372) | about 2 years ago | (#41746269)

writing the patch might not take a long time, testing it if it doesn't break any software out there (except exploits of course) does.. a lot of times it's easy to fix stuff, but you just can't release it if it breaks a lot of stuff which is already out there, and that's where the problem lies..

Oracle was a zero day vulnerability... (1)

Mister Liberty (769145) | about 2 years ago | (#41746347)

...patched by Google not long ago.

Java on Windows zero-day vulnerability .. (2)

dgharmon (2564621) | about 2 years ago | (#41746475)

Why doesn't this vuln run on OS X or Linux, why is Oracle discriminating against these?

What? He hacked Java? (0)

stanlyb (1839382) | about 2 years ago | (#41746485)

I say, put him in jail. maximum security. For life. NO, 10 lifetimes. And let him watch Obama-Romney debate. Only. Day and night (wow, i am sooo cruel).

Oracle is still learning consumer software (3, Insightful)

abirdman (557790) | about 2 years ago | (#41746661)

Oracle hasn't in the past worked with a lot of end user software, and it shows. I get the impression Larry Ellison doesn't like the short turnaround required for desktop software updates. The out-of-band java update they released for (at least) Windows 7 a couple weeks ago was disorganized. Two support people at work managed to install separate versions on their own computers. Version 7 is actually a point update of version 6. They may be the same version, and only show differently in Control Panel. Our company uses a lot of java (and Oracle software) and it's getting difficult to keep it organized and keep Oracle products talking to other Oracle products.

I can imagine their biggest problem is the number of platforms they have to support-- and software versions. I've learned to skim through the documentation for indications of incompatibility between versions of software before installing anything. Grumble.

BeenThereDoneThat (1)

Tablizer (95088) | about 2 years ago | (#41746869)

I've had very quick turnarounds for certain fixes in the past. An example would be: "Oops, I forgot the semi-colon here...[type type]...Compile, there!"

Then the office goes, "Damn you're fast!" Tell them what happened?....naaaah.

Re:BeenThereDoneThat (1)

Rockoon (1252108) | about 2 years ago | (#41747621)

Anyone care to take a shot at estimating how many man-years have been globally wasted finding missing semicolons?

A thousand? A hundred thousand?

Re:BeenThereDoneThat (0)

Anonymous Coward | about 2 years ago | (#41748721)

In c or c++ not much as it won't compile and tells you the line number. If you deploy before even compiling then you have much bigger problems than a few man hours.

Re:BeenThereDoneThat (1)

Rockoon (1252108) | about 2 years ago | (#41764213)

In c or c++ not much as it won't compile

If it were true that it won't compile in all cases, then the semicolon wouldn't be needed at all.. the compiler could just insert them in the obvious places. The fact is that there are plenty of cases where you can forget a semicolon and never get a compile error.

A simple example:

int *foo = 1;
int bar = 2
*foo++;

which gets parsed as:

int bar = 2 * foo++;

..a perfectly legal statement, but certainly not what was intended.
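An added C example (not Rockoon's code) of the silent re-parse he describes, written with a unary operator so that it compiles as a whole program; the function names and values are mine:

```c
#include <stdio.h>

/* Added example: a missing semicolon after an initializer that still compiles.
 * Both functions are identical except for one ';' and return different values. */

/* What the author meant: bar is initialised to 2 and the next line is a
 * separate statement. */
int with_semicolon(void)
{
    int foo = 3;
    int bar = 2;
    -foo;                  /* a statement with no effect; compilers only warn */
    return bar;            /* 2 */
}

/* Same code minus one semicolon: the initializer swallows the next line. */
int without_semicolon(void)
{
    int foo = 3;
    int bar = 2
    -foo;                  /* parsed as:  int bar = 2 - foo;  so bar is -1 */
    return bar;            /* -1 */
}

int main(void)
{
    printf("with semicolon:    %d\n", with_semicolon());
    printf("without semicolon: %d\n", without_semicolon());
    return 0;
}
```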

Re:BeenThereDoneThat (1)

Tablizer (95088) | about 2 years ago | (#41748929)

There used to be an urban legend that one of the Mariner planet probes crashed due to a comma in a Fortran program that was supposed to be a period. Although it was an urban legend, it is possible to make a compile-able mistake like that in Fortran.

Install Java without being root... (1)

Anonymous Coward | about 2 years ago | (#41746923)

If you're working on a Linux box, there's a very simple way to deal with the uber fiasco that Java is: install it from the .tgz / .bz2 given by Oracle, as a non-root user.

Do NOT install Java from the OpenJDK : most Linux distros have a major security issue in that they require you to be root to install packages (I've been using Linux since the mid-nineties and I swear by Linux but there's no frigging way I'll let any package install Java "system wide" on my Linux system).

So go d/l the .tgz / .bz2 or whatever and then install it from one of your dev user accounts. Then use another user account to surf the Web.

Simply "xhost +localhost" your X session so that the "web surfing" account can display its browser windows in your main X session.

Re:Install Java without being root... (1)

ls671 (1122017) | about 2 years ago | (#41747191)

Reading your post, at first glance, you seem to confuse who owns the executable and who runs the executable.

Simply "xhost +localhost" your X session so that the "web surfing" account can display its browser windows in your main X session

This should be sufficient to ensure java only has permissions of the "web surfing" account. It doesn't matter who owns the executable really unless it has a sticky bit set and I have never seen a java executable with the sticky bit set yet in any install that I have done.

Re:Install Java without being root... (1)

ls671 (1122017) | about 2 years ago | (#41747295)

Look at:

http://blogtech.oc9.com/index.php?view=article&catid=4%3Aasterisk&id=175%3A20080329astchroot&option=com_content&Itemid=8 [oc9.com]

For the sticky bit issue. Search for:

find / -type f -perm +7000 > tt.txt

One should remove all setuid bits on programs on any system if not needed. Fewer and fewer programs need to set the sticky bit by default but still, it is an important concept to grasp if you are concerned about security. Xterm used to have the setuid bit set and to be owned by root and you can't imagine how many hosts with guest accounts have been compromised that way back in the old days.

"sticky bit?" (2)

Medievalist (16032) | about 2 years ago | (#41751341)

I don't think that means what you think it means.

Hint: the setuid, setgid, and sticky bits are three different things with more than three different functions.

Re:"sticky bit?" (1)

ls671 (1122017) | about 2 years ago | (#41770395)

You are right, I do not know why I used "sticky". I was definitely referring to setuid and setgid. I know what sticky is, /tmp directory usually has the sticky bit set. Thanks for enlightening us.

Re:Install Java without being root... (0)

Anonymous Coward | about 2 years ago | (#41748737)

I don't think java runs the way you think it does. Anyone who doesn't whitelist where java can run applets or turn it off entirely in their browser to start with is just asking for trouble anyway.

Java SE (1)

pahles (701275) | about 2 years ago | (#41749119)

So, Java SE stands for Java Sandbox Escape... Interesting!

Yes, we had a chap who would fix things real fast (1)

Rogerborg (306625) | about 2 years ago | (#41750473)

Years later, we're still fixing his fixes.

Patch speed is rarely critical, outside of Star Trek.

Impact on OpenJDK? (1)

bill_mcgonigle (4333) | about 2 years ago | (#41752527)

Can we assume this is dealt with or n/a for OpenJDK? Why aren't the large users of Java cooperating to remove Oracle's significance here?
