
Researcher Develops Patch For Java Zero Day In 30 Minutes

Soulskill posted about a year and a half ago | from the 30-minutes-or-less-or-your-zero-day-is-free dept.

Java 57

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."


57 comments

Code review (4, Insightful)

danomac (1032160) | about a year and a half ago | (#41745977)

They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...

Re:Code review (4, Insightful)

wonkey_monkey (2592601) | about a year and a half ago | (#41746303)

Exactly. The amount of time taken to write a patch is almost entirely inconsequential here. It's the time taken to ensure that the patch doesn't accidentally open 1001 other holes that matters.

A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce

And someone at Java may have written a patch for the exploit in 1 minute six weeks ago. In terms of actual useful information this headline probably boils down to

Researcher Develops Patch For Java Zero Day

which isn't quite as immediately sexy.

Re:Code review (2)

sjames (1099) | about a year and a half ago | (#41747323)

It does give us some idea of the extent of the patch (quite limited) and thus the effort required to revalidate the package (small as that sort of thing goes). I find that information useful in evaluating Oracle's response.

Re:Code review (0)

Anonymous Coward | about a year and a half ago | (#41747497)

They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...

Ha. You don't know Oracle. They won't push out any patch until you sign a multi-million dollar service contract!

Fix has been released by Oracle (0)

Anonymous Coward | about a year and a half ago | (#41754283)

Thankfully Oracle did go ahead and release this fix for Java; it's available right now and does credit Adam Gowdiak, the designer of this fix.

For Java 6 it's 6u37 and for Java 7 it's 7u9

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
http://www.oracle.com/technetwork/java/javase/downloads/index.html

Tank it (1)

Anonymous Coward | about a year and a half ago | (#41746079)

I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premier and decided to tank it.

Re:Tank it (1)

Nyder (754090) | about a year and a half ago | (#41746179)

I'm pretty sure some executives at Oracle saw the 30 Rock season 7 premier and decided to tank it.

Okay, this is weird. I happen to be watching the 30 Rock Season 7 premier right now.

Re:Tank it (1)

Anonymous Coward | about a year and a half ago | (#41746319)

Are you saying it's weird because you're watching it or because you're an executive at Oracle?

Re:Tank it (1)

Smallpond (221300) | about a year and a half ago | (#41746443)

Actually, it's weird because he's Alec Baldwin.

Re:Tank it (1)

sexconker (1179573) | about a year and a half ago | (#41746561)

Actually, it's weird because he's Alec Baldwin.

Actually, it's weird because someone actually watches 30 Rock.

Actually, it's weird because someone actually watches NBC.

Re:Tank it (0)

Anonymous Coward | about a year and a half ago | (#41746799)

Actually, it's weird because someone on slashdot actually watches TV.

The cost is rarely in coding the patch... (3, Insightful)

Anonymous Coward | about a year and a half ago | (#41746097)

It's in testing it.

Re:The cost is rarely in coding the patch... (2)

pkinetics (549289) | about a year and a half ago | (#41746187)

With Oracle products, it seldom is the testing of just the SE app. It's all their other apps that integrate into it that are the problem. Further down the chain, it is the vendors who use the Oracle products that are even more hosed, which ends up holding up the deployment of the client.

Re:The cost is rarely in coding the patch... (1)

LordLimecat (1103839) | about a year and a half ago | (#41748165)

Since when has Oracle / Sun cared about breaking compatibility with Java? IIRC many older Cisco web-config pages use Java 1.4.2 u7 (or something)-- any newer (update 8) and it breaks. And when JavaSE7 came out, it broke LibreOffice and basically every other app I used (I think CrashPlan too). Backwards compatible my foot.

Pretty sure the various iterations of BES break horribly if you try to update their java-- but that might not be a java issue per se.

Re:The cost is rarely in coding the patch... (1)

jroysdon (201893) | about a year and a half ago | (#41748875)

Java 6 update 37 also broke the ASA ASDM interface. Works just fine with Java 6 update 33 (update 35 wasn't a real security fix for Java 6). TAC is reviewing and will probably post a bugid soon.

Re:The cost is rarely in coding the patch... (0)

Anonymous Coward | about a year and a half ago | (#41746199)

Or in millions of machines infected with malware. Oh, right, that's not THEIR costs.

Re:The cost is rarely in coding the patch... (1)

Slashcrunch (626325) | about a year and a half ago | (#41747593)

You're 100% correct that a reasonable amount of effort is needed to test a patch that is going to be deployed to users and enterprise systems.

But here we have a known exploit, and Oracle with their huge pool of resources cannot manage to release a patch for it before Feb 2013? You can believe that they don't have the resources to test the patch in a shorter time frame or even create a better one? I seriously doubt that it takes Oracle months to regression test a single patch.

The bottom line is that Oracle are the owners of Java, and they can't patch it in a timely fashion.

Companies and people running Java applications are OK with this?

I was once a huge fan of Java and in all seriousness, this is one of the exact reasons that I don't touch Java anymore. I don't even look at MS stuff either for similar reasons.

Re:The cost is rarely in coding the patch... (0)

Anonymous Coward | about a year and a half ago | (#41748209)

It's crap like this that is getting Java removed from web browsers by the shit loads each and every day. On the machines that don't require Java at all, Java is banned.

As a business you can't possibly operate under the imminent threat that Java's security holes represent. 4 more months for a critical patch for exploits that are in the wild now? Seriously?

At my company right now you need to use a remote desktop session to use a vendor website that has Java apps. We work off white lists to prevent any connections to unauthorized websites.

If you have Java open and running in a web browser right now in a company, you're asking for it. I can't see how situations like this are encouraging further enterprise development of platforms that use Java either.

5 months? (1)

Nyder (754090) | about a year and a half ago | (#41746171)

I don't see how it can be called critical updates if they only do them twice a year. That doesn't sound like the patches they put out on those days are very critical. Unless this is another word we are changing the meaning of...

Re:5 months? (1)

TaoPhoenix (980487) | about a year and a half ago | (#41746317)

Glad to know someone else thought about that, too. On the one hand we have the frenetic "let's monitor the internet to make the web safer!" (a few stories back). Then on the other we get "Oh well, there's a security flaw that we won't fix until February."

Re:5 months? (4, Insightful)

Local ID10T (790134) | about a year and a half ago | (#41746573)

Microsoft has Patch Tuesday, Oracle has Patch February...

Re:5 months? (0)

Anonymous Coward | about a year and a half ago | (#41751407)

This is just another shining example of why Oracle and Larry Ellison suck.

Re:5 months? (1)

cusco (717999) | about a year and a half ago | (#41760095)

And Adobe just leaves security holes with known exploits in the wild for Acrobat open for two years, never fixes them in the free version of Reader, and then tells users they have to upgrade Reader even though it breaks things. Only software company I loathe more than Oracle.

Patch right here! (5, Funny)

Deathlizard (115856) | about a year and a half ago | (#41746189)

Windows [java.com]

Linux [java.com]

Mac OS X [java.com]

Re:Patch right here! (1)

Anonymous Coward | about a year and a half ago | (#41746327)

Stupid noob question: Does a vulnerability like this affect Linux boxes that are running Java?

Re:Patch right here! (1)

Anonymous Coward | about a year and a half ago | (#41746403)

Well, many of us do development with Java and wish to use it for developing server-based programs on Windows machines, but the installer insists on inserting its tendrils deep into any web browser it can find. Is there any way to prevent this? It is easy to overlook disabling this after the upgrade. Keeping it from installing the shovelware is bad enough.

Re:Patch right here! (3, Informative)

Deathlizard (115856) | about a year and a half ago | (#41746437)

1) install 64 bit java
2) Uninstall IE, or don't use IE 64 bit.
3) remember to update, because 64 bit java doesn't have an updater. Not that it works anyway.

The 32 bit browsers (chrome, firefox, even 32 bit IE) won't use the 64 bit java to run applets and since IE is the only 64 bit browser and cannot be set as the default browser, it will limit your attack surface.

Re:Patch right here! (0)

Anonymous Coward | about a year and a half ago | (#41747195)

since IE is the only 64 bit browser

Why is this? You can get 64-bit builds of Chromium or Firefox for Linux, why not for Windows?

Re:Patch right here! (0)

Anonymous Coward | about a year and a half ago | (#41748873)

Opera has 64bit builds too.

Re:Patch right here! (0)

Anonymous Coward | about a year and a half ago | (#41749137)

You don't have to install Java to use the JRE (or JDK)

You can copy the extracted JRE to your target machine then have your application start using that JRE

.\somefolder\jre\bin\java.exe -cp your.class.path id.you.app.Main

There is no registry entry and no browser plugin. Obviously setting environment vars, adding to paths and creating shortcuts/aliases etc will make things nicer.

Re:Patch right here! (0)

Anonymous Coward | about a year and a half ago | (#41746649)

In all seriousness, most people probably shouldn't have the browser vector enabled in the first place. It's not used for much anymore.

No reason you can't keep java on the desktop, though. It does have its uses.

Great, expect this in the wild in 4...3....2.... (3, Insightful)

NinjaTekNeeks (817385) | about a year and a half ago | (#41746209)

Provided to Oracle on the 19th and Oracle plans to patch it in February. This has got to be a dream come true for the bad guys, while Oracle tests the fix, they can find and start adding it to their exploit kits.

Interesting thought (0)

Anonymous Coward | about a year and a half ago | (#41746253)

We have had discussions on /. regarding developers being responsible for shoddy code.

What about being held responsible for leaving a known severe security hole open for months just because that's your patch cycle?

well... (4, Insightful)

SuperDre (982372) | about a year and a half ago | (#41746269)

Writing the patch might not take a long time; testing whether it breaks any software out there (except exploits, of course) does. A lot of times it's easy to fix stuff, but you just can't release it if it breaks a lot of stuff which is already out there, and that's where the problem lies.

Java on Windows zero-day vulnerability .. (2)

dgharmon (2564621) | about a year and a half ago | (#41746475)

Why doesn't this vuln run on OS X or Linux, why is Oracle discriminating against these?

What? He hacked Java? (0)

stanlyb (1839382) | about a year and a half ago | (#41746485)

I say, put him in jail. Maximum security. For life. NO, 10 lifetimes. And let him watch the Obama-Romney debate. Only. Day and night (wow, I am sooo cruel).

Oracle is still learning consumer software (3, Insightful)

abirdman (557790) | about a year and a half ago | (#41746661)

Oracle hasn't in the past worked with a lot of end user software, and it shows. I get the impression Larry Ellison doesn't like the short turnaround required for desktop software updates. The out-of-band java update they released for (at least) Windows 7 a couple weeks ago was disorganized. Two support people at work managed to install separate versions on their own computers. Version 7 is actually a point update of version 6. They may be the same version, and only show differently in Control Panel. Our company uses a lot of java (and Oracle software) and it's getting difficult to keep it organized and keep Oracle products talking to other Oracle products.

I can imagine their biggest problem is the number of platforms they have to support-- and software versions. I've learned to skim through the documentation for indications of incompatibility between versions of software before installing anything. Grumble.

BeenThereDoneThat (1)

Tablizer (95088) | about a year and a half ago | (#41746869)

I've had very quick turnarounds for certain fixes in the past. An example would be: "Oops, I forgot the semi-colon here...[type type]...Compile, there!"

Then the office goes, "Damn you're fast!" Tell them what happened?....naaaah.

Re:BeenThereDoneThat (1)

Rockoon (1252108) | about a year and a half ago | (#41747621)

Anyone care to take a shot at estimating how many man-years have been globally wasted finding missing semicolons?

A thousand? A hundred thousand?

Re:BeenThereDoneThat (0)

Anonymous Coward | about a year and a half ago | (#41748721)

In C or C++ not much, as it won't compile and tells you the line number. If you deploy before even compiling then you have much bigger problems than a few man hours.

Re:BeenThereDoneThat (1)

Rockoon (1252108) | about a year and a half ago | (#41764213)

In C or C++ not much as it won't compile

If it were true that it won't compile in all cases, then the semicolon wouldn't be needed at all; the compiler could just insert them in the obvious places. The fact is that there are plenty of cases where you can forget a semicolon and never get a compile error.

A simple example:

int *foo = 1;
int bar = 2
*foo++;

which gets parsed as:

int bar = 2 * foo++;

...a perfectly legal statement, but certainly not what was intended.

Re:BeenThereDoneThat (1)

Tablizer (95088) | about a year and a half ago | (#41748929)

There used to be an urban legend that one of the Mariner planet probes crashed due to comma in a Fortran program that was supposed to be a period. Although it was an urban legend, it is possible to make a compile-able mistake like that in Fortran.

Install Java without being root... (1)

Anonymous Coward | about a year and a half ago | (#41746923)

If you're working on a Linux box, there's a very simple way to deal with the uber fiasco that Java is: install it from the .tgz / .bz2 given by Oracle, as a non-root user.

Do NOT install Java from the OpenJDK: most Linux distros have a major security issue in that they require you to be root to install packages (I've been using Linux since the mid-nineties and I swear by Linux, but there's no frigging way I'll let any package install Java "system wide" on my Linux system).

So go d/l the .tgz / .bz2 or whatever and then install it from one of your dev user accounts. Then use another user account to surf the Web.

Simply "xhost +localhost" your X session so that the "web surfing" account can display its browser windows in your main X session.

Re:Install Java without being root... (1)

ls671 (1122017) | about a year and a half ago | (#41747191)

Reading your post, at first glance, you seem to confuse who owns the executable and who runs the executable.

Simply "xhost +localhost" your X session so that the "web surfing" account can display its browser windows in your main X session

This should be sufficient to ensure Java only has the permissions of the "web surfing" account. It doesn't matter who owns the executable, really, unless it has a sticky bit set, and I have never seen a Java executable with the sticky bit set yet in any install that I have done.

Re:Install Java without being root... (1)

ls671 (1122017) | about a year and a half ago | (#41747295)

Look at:

http://blogtech.oc9.com/index.php?view=article&catid=4%3Aasterisk&id=175%3A20080329astchroot&option=com_content&Itemid=8 [oc9.com]

For the sticky bit issue. Search for:

find / -type f -perm /7000 > tt.txt

One should remove all setuid bits on programs on any system if not needed. Fewer and fewer programs need to set the sticky bit by default, but still, it is an important concept to grasp if you are concerned about security. Xterm used to have the setuid bit set and be owned by root, and you can't imagine how many hosts with guest accounts were compromised that way back in the old days.
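The audit ls671 describes above, as an added example that is not ls671's command or the linked article's code: a POSIX shell script with a function that lists the setuid/setgid files under a directory and one that counts them, exercised against a scratch tree it builds itself. The function names (list_setid_files, count_setid_files, build_demo_tree) and the scratch files are this example's own choices. Unlike the mode 7000 in the command above, which also matches the sticky bit, this version tests only the setuid (4000) and setgid (2000) bits, and it uses the POSIX -perm -mode form so it behaves the same under GNU and BSD find.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid/setgid files.
# Only POSIX find predicates are used: "-perm -4000" matches files with the
# setuid bit set, "-perm -2000" files with the setgid bit set. The sticky bit
# (1000) is deliberately not matched; it means something else on directories.

# Print every regular file under $1 that carries setuid or setgid,
# one "ls -l" line each, so mode and owner are visible to the reviewer.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# Count such files under $1; prints 0 when the tree is clean.
count_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Constructed demo input: a scratch directory holding one plain script,
# one setuid script and one setgid script. Prints the directory path.
# Nothing outside this directory is touched.
build_demo_tree() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$dir/plain.sh"
    cp "$dir/plain.sh" "$dir/suid.sh"
    cp "$dir/plain.sh" "$dir/sgid.sh"
    chmod 755  "$dir/plain.sh"   # ordinary executable, must not be reported
    chmod 4755 "$dir/suid.sh"    # setuid bit set
    chmod 2755 "$dir/sgid.sh"    # setgid bit set
    echo "$dir"
}

# Stand-alone run: build the scratch tree, show the findings, then clean up.
DEMO_TREE=$(build_demo_tree)
echo "setuid/setgid files under $DEMO_TREE:"
list_setid_files "$DEMO_TREE"
echo "count: $(count_setid_files "$DEMO_TREE")"   # prints 2
rm -rf "$DEMO_TREE"
```

To audit a real system, call count_setid_files / and compare the listing against the set of binaries you actually expect to be privileged; anything unexpected is a candidate for chmod u-s,g-s or removal, and a Java runtime unpacked under a normal user account should never appear in that list.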

"sticky bit?" (2)

Medievalist (16032) | about a year and a half ago | (#41751341)

I don't think that means what you think it means.

Hint: the setuid, setgid, and sticky bits are three different things with more than three different functions.

Re:"sticky bit?" (1)

ls671 (1122017) | about a year and a half ago | (#41770395)

You are right, I do not know why I used "sticky". I was definitely referring to setuid and setgid. I know what sticky is; the /tmp directory usually has the sticky bit set. Thanks for enlightening us.

Re:Install Java without being root... (0)

Anonymous Coward | about a year and a half ago | (#41748737)

I don't think java runs the way you think it does. Anyone who doesn't whitelist where java can run applets or turn it off entirely in their browser to start with is just asking for trouble anyway.

Yes, we had a chap who would fix things real fast (1)

Rogerborg (306625) | about a year and a half ago | (#41750473)

Years later, we're still fixing his fixes.

Patch speed is rarely critical, outside of Star Trek.

Impact on OpenJDK? (1)

bill_mcgonigle (4333) | about a year and a half ago | (#41752527)

Can we assume this is dealt with or n/a for OpenJDK? Why aren't the large users of Java cooperating to remove Oracle's significance here?
