
Oracle Knew of Latest Java 0-Day Security Hole In August

timothy posted about 2 years ago | from the when-the-living-is-easy dept.


An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."


265 comments


0th (-1)

Anonymous Coward | about 2 years ago | (#42565059)

0th

first exploit (-1)

Anonymous Coward | about 2 years ago | (#42565063)

of slashdot's posting system by using a security hole in perl that allows idiots to post (unpatched for years, I might add).

Remind me again (-1)

Anonymous Coward | about 2 years ago | (#42565073)

Why it's such a great feature for *every* Java or .NET class to have public support for reflection?

Re:Remind me again (1)

Anonymous Coward | about 2 years ago | (#42565229)

Because it's useful? Are you seriously going to make an argument that because something can be exploited in any way we shouldn't create said something in the first place?

Re:Remind me again (1)

Anonymous Coward | about 2 years ago | (#42565253)

It's sometimes useful. Necessary infrastructure for all classes as public methods? I don't see it.

Re:Remind me again (1)

AlphaBro (2809233) | about 2 years ago | (#42566007)

Yeah, I remember that time reflection based vulnerabilities in .NET were used in ~50% of cyber attacks. Oh, wait...

Burned (5, Interesting)

Anonymous Coward | about 2 years ago | (#42565075)

Had a few users burned by this today at work. One emergency security meeting later and we pulled Java from 3000 workstations this afternoon. Should have done this a year ago.

Re:Burned (3, Funny)

ILongForDarkness (1134931) | about 2 years ago | (#42565319)

But then how are you going to run Vuze?

Excuse to upgrade shitty intranet apps? (5, Interesting)

Billly Gates (198444) | about 2 years ago | (#42565105)

I use java solely for Eclipse development but I do not have the plugin installed on my browsers.

The people at work who still cling to IE 6 and IE 7 are also stuck in Java land, and that is the sole reason why XP is still alive, kicking and screaming. Many still use NTLM version 1 security, pre-1999, that can crack any account on AD because these apps won't work with anything newer than 13 years old!

With the department of homeland security recommendations perhaps we can finally move on and get rid of these dinosaurs that are a liability to our employers.

Shame on Oracle.

Java had such high hopes and Sun fucked up royally too beforehand. If Java could have native .exes and kept being updated perhaps it could be as good as .NET and we could all run Linux with our cross platform natively compiled apps in such an alternative universe.

Besides a few limited uses for mainframes I think it is time we said goodbye and put it to legacy à la Cobol 2.0? The question is what next? ... not language-wise but richness in API-wise and frameworks, which is why .NET and Java are liked for complex 3-tier enterprise platforms.

Re:Excuse to upgrade shitty intranet apps? (1)

aztracker1 (702135) | about 2 years ago | (#42565387)

Web Applications... rich UIs (HTML5, Canvas, WebRTC), NodeJS (express, nunjucks, socket.io), MongoDB (Redis, Couch, etc.)

AAAAAAAAARRRRRRRRGGGGGHHHHHH NOOOOOOOO! (2, Insightful)

Anonymous Coward | about 2 years ago | (#42565743)

Javascript. Fuck me!

The only thing in computing more fucking brain dead than javascript is XML. You bastards! You've sucked the brain cells out of too many people with your bullshit non-programming and bullshit non-formats.

If java is dead and javascript is the answer then you've asked the wrong fucking question!

Re:AAAAAAAAARRRRRRRRGGGGGHHHHHH NOOOOOOOO! (4, Insightful)

isopropanol (1936936) | about 2 years ago | (#42565889)

Just because it is possible to code badly in a language does not mean you can only code badly.

Re:AAAAAAAAARRRRRRRRGGGGGHHHHHH NOOOOOOOO! (3, Funny)

Anonymous Coward | about 2 years ago | (#42565995)

Someone should tell enterprise Java developers that.

it's not 0-day (5, Insightful)

Anonymous Coward | about 2 years ago | (#42565109)

if Oracle knew about it in August

Re:it's not 0-day (5, Insightful)

Anonymous Coward | about 2 years ago | (#42565551)

And if they knew about it for that long then they should be able to be sued for negligence.

Perhaps when the software industry has to accept the same liability and culpability as anyone else they will take their job seriously.

Aircraft are extremely complex and they can't use that as a get out of jail free card; software should not be able to either. If they want protection and patents then they can accept the downside, liability.

Re:it's not 0-day (4, Insightful)

Lisias (447563) | about 2 years ago | (#42565709)

If they want protection and patents then they can accept the down side, liability.

+2 Really Insightful

Re:it's not 0-day (5, Insightful)

Ambassador Kosh (18352) | about 2 years ago | (#42565719)

This is why programming is not an engineering profession despite what many keep claiming.

Until they have the same standards as a mechanical, aerospace, chemical, etc engineers they are not really engineers.

Re:it's not 0-day (-1)

Anonymous Coward | about 2 years ago | (#42565803)

Bullshit! I haven't heard of any of the above mentioned "engineers" (or even companies for that matter) being sued for bad design.

Re:it's not 0-day (3, Interesting)

Ambassador Kosh (18352) | about 2 years ago | (#42566011)

It usually makes for very boring news so it is not covered very much except in things like trade journals. However real engineers are sued for design flaws when they don't do things correctly.

The laws acknowledge that no matter what there is always a chance of failure. If you did the work and can show that the odds of failure are .001% and the system still fails it will be investigated but as long as you are correct it is likely nothing will happen since rare events do happen.

However if you falsify the work, falsify the calculations, end up with calculations that are far off of reality then you can and are held liable in many cases.

Re: it's not 0-day (3, Interesting)

Anonymous Coward | about 2 years ago | (#42565817)

You get what you pay for. "So, you want me to synthesize a new material, build a few skyscrapers with it, all on top of the landfill foundation the last team built, and make it last at least 2 years before any substantial maintenance is performed? In a few months with a small team of survivalists?" I'm sure that'll work out great because those structural engineers are accredited.

Re: it's not 0-day (4, Insightful)

Ambassador Kosh (18352) | about 2 years ago | (#42566001)

If a structural engineer signs off on that without doing the actual calculations to show it is safe and that project is investigated they will lose their license.

They will also end up with criminal liability.

Re:it's not 0-day (0)

Anonymous Coward | about 2 years ago | (#42565859)

Yes, but they earn more than plumbers, builders, electricians.... and yet have less liability than these tradespeople.

Re: it's not 0-day (3, Insightful)

Anonymous Coward | about 2 years ago | (#42566005)

The point is that even highly paid engineers cannot engineer the miraculous things that software systems are supposed to do in the equivalent allotted time, manpower and money, while maintaining the reliability and quality expected of their field.

Re: it's not 0-day (0)

Anonymous Coward | about 2 years ago | (#42566057)

yeah, it's not like software projects ever have cost overruns.... does a zero-day exploit say much about "reliability and quality", never mind the frequency of these exploits.

Want a real laugh, look at this for quality http://www.scoop.co.nz/stories/ED1210/S00131/school-principals-declare-pay-system-a-shambles.htm

Re: it's not 0-day (4, Interesting)

Ambassador Kosh (18352) | about 2 years ago | (#42566059)

That is absolutely true. The problem is that software is not delivering on all those things, it just promises all of those things.

For a real engineering profession you have the whole sign off system and if someone wants something done for a song and to do everything you don't sign off on it. If they try to get around that sign off there are some pretty serious legal consequences to that.

For programmers there is no legal way to say that the manpower involved is not sufficient to deliver the required quality. They will just be fired and replaced. Without programmers having some level of authority and the responsibility that goes with that you won't really see software getting better since there is no real incentive for it.

Look at some of the break-in stats: 50% of Windows break-ins last year were from Java and IE made up about 3%, yet Microsoft and IE are still blamed for all the security problems. Why should Java or Flash really try to do much better if the average person is not going to blame them or make purchasing decisions based on that anyway?

If you are programming for Oracle and you say that X design is dangerous and you won't do it, you will be fired.
If you are a chemical engineer and you say a certain reactor design is dangerous it will be fixed or it won't get used.
That is the real difference and that is what programmers need to have also.

Re:it's not 0-day (1)

Ambassador Kosh (18352) | about 2 years ago | (#42566021)

Yeah, that part is pretty sad but it also looks like it is self-correcting. It is easier to outsource programmers than plumbers, for instance, and that is being done. This is driving down prices for programmers.

Time to just remove Java (and Silverlight)? (5, Interesting)

gQuigs (913879) | about 2 years ago | (#42565115)

They are used on less than .2% of websites, and many are false positives. Yes some might not be detected as well. I am aware there is one very popular video service that uses Silverlight, can't say the same about Java.

Click on the language for more details
http://w3techs.com/technologies/overview/client_side_language/all [w3techs.com]

Re:Time to just remove Java (and Silverlight)? (4, Informative)

Billly Gates (198444) | about 2 years ago | (#42565135)

Silverlight is at least used for Netflix and is much more secure and updated by MS.

Java is insanely popular with old IE in the enterprise market. Banks which support Chrome and Firefox for us with consumer banking sometimes only support IE 6 - 8 with Java 5 (no, I did not mistype that) for corporate customers, where security exploits are used in Java so accountants can put old Excel spreadsheets inside their browser for the bank to see.

Apparently these banks have not discovered javascript yet and tools to read excel docs and reformat them internally. I guess many corps still use excel 2003 with binary data in their .xls files unlike .xlsx which make reading and parsing harder.

Anyway, this is who heavily still uses it.

Re:Time to just remove Java (and Silverlight)? (5, Insightful)

Samantha Wright (1324923) | about 2 years ago | (#42565375)

Dig hard enough and I'm sure you'll find equally arcane .NET setups. Remember, kids: the only difference between Java and .NET is that Java was paved with good intentions.

Re:Time to just remove Java (and Silverlight)? (1, Interesting)

Billly Gates (198444) | about 2 years ago | (#42565407)

At least Microsoft patches them, and even ActiveX controls are signed by default, and even IE 6 will refuse to run unsigned ActiveX controls by default as well. Java is behind that 12-year-old dinosaur!

MS may not have good intentions at all but they are moving forward, and it was so frustrating when I was still a Java fan last decade. You can upgrade your .NET apps and they are not browser dependent unless you put proprietary IE code in. We need a good biology analogy for this one, Samantha?

Java really does suck today.

Re:Time to just remove Java (and Silverlight)? (4, Interesting)

dbIII (701233) | about 2 years ago | (#42565755)

I remember back when it was coming out a big deal was made about how the VM was in a sandbox and couldn't nuke user or system files under any circumstances. Convenience killed good intentions and now we may as well be on activeX bullshit.

Re:Time to just remove Java (and Silverlight)? (1)

slapout (93640) | about 2 years ago | (#42565243)

There's quite a few Android devices running Java. And developers need Java on their PCs to write apps for them

Re:Time to just remove Java (and Silverlight)? (4, Interesting)

93 Escort Wagon (326346) | about 2 years ago | (#42565269)

There's quite a few Android devices running Java. And developers need Java on their PCs to write apps for them

That may be so; but it's not really a reason for people to keep Java enabled in their browsers.

Several months ago I disabled the Java plugins/extensions in all the browsers I use. Know what I noticed? Absolutely nothing. No sites that I frequent used Java *at all*. My experience browsing the web didn't change an iota.

Re:Time to just remove Java (and Silverlight)? (2)

Jah-Wren Ryel (80510) | about 2 years ago | (#42565309)

Several months ago I disabled the Java plugins/extensions in all the browsers I use. Know what I noticed? Absolutely nothing. No sites that I frequent used Java *at all*. My experience browsing the web didn't change an iota.

I had the exact same experience. Kind of sad actually given all the potential we could see when java was first announced. But in this world, java on the web is effectively dead.

Re:Time to just remove Java (and Silverlight)? (2)

Billly Gates (198444) | about 2 years ago | (#42565383)

Several months ago I disabled the Java plugins/extensions in all the browsers I use. Know what I noticed? Absolutely nothing. No sites that I frequent used Java *at all*. My experience browsing the web didn't change an iota.

I had the exact same experience. Kind of sad actually given all the potential we could see when java was first announced. But in this world, java on the web is effectively dead.

You know it's bad when ActiveX from the 2001/IE6 era at least had trust-signed applets, with security turning unsigned applets off by default. Fucking pathetic, and it shows how out of date Java really is, even back in 2001! Sun really let it out to rot while Oracle won't even release fixes until a quarterly update.

May Java RIP.

I really wanted to like it as I thought with a native compiler or a fat binary we could all be using Linux now with a GUI framework second to none. Swing is really powerful but ugly and slow on 1999-era hardware with JIT. .NET is the future but it is tied to Windows for server apps as I can see, until the next big thing has an answer and a HUGE framework.

Java should be studied in I.T. management courses of greatly engineered products killed by incompetent management. Yes, java was hot and even secure shit back in 1990s! It just was never really updated extensively.

I still have fond memories of programming in it even if the syntax was verbose, and I shudder at the idea of Linux dying due to everyone using .NET now in the server room. If JavaFX had been around in the 1990s with real compilers and signed applets perhaps we would not have Flash today.

Android is a classic example of what Java could have been 10 years ago in the browser if Sun got their shit together.

Re:Time to just remove Java (and Silverlight)? (-1)

Anonymous Coward | about 2 years ago | (#42565813)

Learn to tell the difference between an Applet and a language, idiot. As for .NET, that pig is being patched every Tuesday.

Re:Time to just remove Java (and Silverlight)? (2)

TubeSteak (669689) | about 2 years ago | (#42565787)

But in this world, java on the web is effectively dead.

What killed it?
My experience seems to be that flash has replaced everything that java was supposed to do.

Re:Time to just remove Java (and Silverlight)? (5, Insightful)

TopSpin (753) | about 2 years ago | (#42566055)

java on the web is effectively dead

What killed it?

It's clunky. That's the shortest correct explanation I can provide. The whole user experience is just awful.

The first thing you experience when you encounter a Java applet is a sinking feeling as the browser becomes unresponsive with a large gray void somewhere on the page that will eventually render the applet. Sometimes this is alleviated slightly by a progress indicator in some weird JVM font that looks like it was salvaged from OpenBoot. All this "loading" takes large amounts of RAM so the OS starts paging which creates more anxiety for the user as the drive LED indicates vast amounts of mysterious IO. In any case the process takes too long and by the time the applet has rendered something meaningful most users have lost patience.

At this point the applet has started rendering. Frequently this is a bad thing because many Java applets are tragically ugly. Repulsive, really. So bad they look like hastily made email phishing attempts. It would have been better if the "loading" had never ended leaving the user to seek alternatives. The moment a user sees those fonts they squint, groan a bit inside and consider calling someone for help. The GUI widgets look weird. Things don't work right, like copy and paste or common GUI hot keys. And everything lags; you can feel extra tens of milliseconds of lag with every UI operation; click, scroll, whatever. It all lags.

Finally whatever unfortunate task led our victim here has been accomplished and it's time to leave. You click 'home' or some link or whatever to be on your way and BOOM!, the browser segfaults and closes. Recent browsers mitigate this habit by isolating applets (and other plug-ins) in process sandboxes, but the user still gets that extra little poke in the eye to top off the rest of the 'experience.' The sort of effort required to make the JVM run smoothly inside common browsers has never been applied and to this day it is a fragile and crashy combination.

People that care about the user experience, people with tens or hundreds of millions of users using their site(s), don't tolerate this heinous shit. So Java applets die the death they deserve.

Re:Time to just remove Java (and Silverlight)? (1)

Anonymous Coward | about 2 years ago | (#42565271)

Android is java. At least 70% java. You can disable java plugins in your browser and still be safe. I am surprised slashdotters are not posting this more.

I have Java 6 safely set up this way on my computer. Java is disabled in all my browsers as I have not used it in 5 years at least on the open internet.

Re:Time to just remove Java (and Silverlight)? (1)

medv4380 (1604309) | about 2 years ago | (#42565277)

What Android device would actually have a JRE installed? I believe you're mistaking the Java Language for the Virtual Machine. I could be mistaken. Someone may have gone crazy and developed and packaged one for Android, but I doubt it.

Re:Time to just remove Java (and Silverlight)? (1)

Anonymous Coward | about 2 years ago | (#42565461)

Some ARM processors used in Android devices include Jazelle [wikipedia.org] which is an implementation of the Java VM in silicone. (At which point it's no longer a VM...). Normal Android apks are Dalvik bytecode and interpreted in software but Samsung's pre-loaded software is actually JVM icode that runs native with Jazelle (that's why Samsung is faster than Motorola or HTC which uses dalvik). I verified on my Galaxy SIII [wikipedia.org] that the Java Reflection API is present but I haven't been able to exploit the security hole yet.

Re:Time to just remove Java (and Silverlight)? (1)

Desler (1608317) | about 2 years ago | (#42565511)

Jazelle has pretty much nothing to do with the Oracle JRE.

Re:Time to just remove Java (and Silverlight)? (0)

Anonymous Coward | about 2 years ago | (#42565541)

Where did you get that nonsense from? Jazelle doesn't even exist on the latest ARM architectures, mostly because it manages to be even slower than JIT-compiled Java.
Even its successor ThumbEE is deprecated.

Re:Time to just remove Java (and Silverlight)? (1)

DragonWriter (970822) | about 2 years ago | (#42565647)

Jazelle doesn't even exist on the latest ARM architectures

Technically, it does, but in a form that doesn't actually do anything (the way Jazelle is defined, you can't actually count on it doing anything; you need a full software JVM, and when Jazelle is invoked it will directly execute the bytecodes it implements and defer back to the software JVM for anything else -- it remains required for ARM processors, but current versions defer everything back to the software JVM.)

Silicone != Silicon (1)

DragonWriter (970822) | about 2 years ago | (#42565637)

Some ARM processors used in Android devices include Jazelle which is an implementation of the Java VM in silicone.

No, it's not. Silicone [wikipedia.org] is not the same thing as silicon [wikipedia.org]. And Jazelle isn't really an implementation of the JVM since it requires a software JVM, and only directly implements a subset of Java bytecodes and defers back to the software JVM for the rest.

Re:Time to just remove Java (and Silverlight)? (4, Informative)

BradleyUffner (103496) | about 2 years ago | (#42565379)

There's quite a few Android devices running Java. And developers need Java on their PCs to write apps for them

Android is NOT running Java. Its applications are written in the Java language, but are not compiled to Java byte-code.

Re:Time to just remove Java (and Silverlight)? (2)

ChunderDownunder (709234) | about 2 years ago | (#42565819)

Android runs Dalvik. It's a clean-room partial implementation but uses a different architecture. Perhaps, theoretically, it's vulnerable to the same problem but Android doesn't include applet nor java web start functionality.

As for developing using the JDK, don't install the public JRE. The 64bit version is safer since, last time I checked, browsers for 64bit Windows are still 32bit and hence the plugin won't work!

Re:Time to just remove Java (and Silverlight)? (1)

mwvdlee (775178) | about 2 years ago | (#42565973)

I don't think I've ever seen an Android device running Java, certainly not Oracle's Java distribution which is at stake here.

Re:Time to just remove Java (and Silverlight)? (1)

Trepidity (597) | about 2 years ago | (#42565613)

Unfortunately, a lot of European banks use Java applets as part of their login process. Many EU countries were a bit ahead of the curve in requiring better logins than just user/pass in the early 2000s (e.g. two-factor authentication), which at the time was a good idea, but the downside is that a lot of those systems were built in Java, since that was the obvious choice circa 2001 (doing serious client-side stuff in JavaScript wasn't really done at the time), and now there's a bunch of legacy cruft still stuck using it.

As a wise man once said... (0, Funny)

Anonymous Coward | about 2 years ago | (#42565131)

"Evil will always triumph, because Java is dumb".

Additional plugins are required ... (0)

WoodstockJeff (568111) | about 2 years ago | (#42565133)

... to allow this page to compromise your computer....

Ever since Java started down the "this isn't last week's zero-day" road, I pulled Java from my machines. Pisses the corporate types off because they want to have "net meetings" that require Java to be installed, so we can have presentations on "computer security", but I just tell them - "MY computer security policy doesn't allow Java to be installed."

Re:How to run java on the intranet safely (4, Informative)

Billly Gates (198444) | about 2 years ago | (#42565177)

You can set up IE to use Java internally on intranets only.

Instructions are here [microsoft.com] and are a must in 2013 for any IT support professional! They can still have their NetMeetings and be secure at the same time. IE has security zones under preferences: one for Internet, another for intranet if you fiddle in the options. Under Internet disable Java scripting; note this is not JavaScript. Under intranet enable Java scripting.

Instructions for enabling java for intranet security zones only in group policies are here [grouppolicy.biz] .

After that all your users are safe and they can still run their shit ERP apps and Netmeetings. At least this is a temporary solution until they upgrade their software as I agree. Internet wise there is no reason to run it except for a few banks.
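An added audit script for the zone split described above (not from the poster or from Microsoft): it reads the per-user IE security-zone registry values for the Internet and Local intranet zones and reports whether Java is shut off for Internet-origin pages. It assumes per-user zone settings (HKCU; if Security_HKLM_only is set, the same layout lives under HKLM) and the documented zone value names 1C00 (Java permissions) and 1402 (Scripting of Java applets); an absent 1C00 means that IE build no longer carries the setting.

```powershell
# Added example, not Slashdot's or Microsoft's code. Audits the IE security
# zone settings so that Java is disabled in the Internet zone (3) and only
# allowed in the Local intranet zone (1), as the comment above recommends.
# Assumptions (from Microsoft's documented zone registry layout):
#   1C00 "Java permissions": 0 = Disable Java, 0x10000 High, 0x20000 Medium,
#                            0x30000 Low safety, 0x800000 Custom
#   1402 "Scripting of Java applets": 0 = Enable, 1 = Prompt, 3 = Disable
# Per-user settings are read; with Security_HKLM_only the HKLM hive applies.
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }

function Get-JavaZoneSetting {
    param([Parameter(Mandatory)][int]$ZoneId)
    $props = Get-ItemProperty -Path "$ZonesKey\$ZoneId" -ErrorAction Stop
    [pscustomobject]@{
        Zone            = $ZoneNames[$ZoneId]
        JavaPermissions = $props.'1C00'   # $null when the build lacks the setting
        JavaScripting   = $props.'1402'
    }
}

function Test-JavaZonePolicy {
    # Expected posture: Internet zone has Java disabled on both knobs.
    # The intranet zone is only reported, since the comment leaves it enabled.
    foreach ($id in 1, 3) { Get-JavaZoneSetting -ZoneId $id | Format-Table -AutoSize }
    $internet = Get-JavaZoneSetting -ZoneId 3
    $ok = ($internet.JavaPermissions -eq 0) -and ($internet.JavaScripting -eq 3)
    if ($ok) { Write-Output 'OK: Java is disabled for the Internet zone.' }
    else     { Write-Warning 'Java is still permitted for Internet-zone pages.' }
    return $ok
}

# Remediation for a single user; for a fleet push the same values through the
# Group Policy zone template instead of touching each registry directly.
function Set-JavaDisabledForInternetZone {
    Set-ItemProperty -Path "$ZonesKey\3" -Name '1C00' -Value 0 -Type DWord
    Set-ItemProperty -Path "$ZonesKey\3" -Name '1402' -Value 3 -Type DWord
}

Test-JavaZonePolicy
```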

Non Oracle Java (2, Interesting)

Anonymous Coward | about 2 years ago | (#42565437)

I think the future here is Java not from Oracle. We don't use their engine on servers now so why the hell would we use it on clients?

Oracle haven't got their act together, and obviously without a decent revenue stream they're not going to try, so time to move on from them.

Please, can we stop with "0-day"? (5, Insightful)

Anonymous Coward | about 2 years ago | (#42565149)

Can we please, please, please stop using the term "0-day"? It's completely meaningless here. Actually, it's worse than meaningless as it's used incorrectly and just makes things confusing. Is it a noun? Is it an adjective? Depends on who's writing the Slashdot headline! Try reading the headline and article while omitting the text "0-day" and you'll see it reads just fine and actually makes sense now.

Re:Please, can we stop with "0-day"? (1)

darkfeline (1890882) | about 2 years ago | (#42565275)

Someone give this AC a cookie and a +1 Insightful.

Re:Please, can we stop with "0-day"? (1)

Anonymous Coward | about 2 years ago | (#42565297)

Someone give this AC a cookie

He should just check "Accept third party cookies" in his browser setup. He'll get lots.

Java whitelist? (0)

Anonymous Coward | about 2 years ago | (#42565155)

I have just one program I need java for, is there a way to set up java with a whitelist so it only runs that one program, or is it always going to be a security nightmare?

Re:Java whitelist? (3, Insightful)

Anonymous Coward | about 2 years ago | (#42565195)

It's not going to hurt you to play minecraft, you don't have to pretend. Just don't install the fucking browser plugin.

Re:Java whitelist? (0)

Anonymous Coward | about 2 years ago | (#42565231)

Not minecraft, there is a program that allows you to use a midi keyboard to play music instruments in Lord of the Rings Online, but unfortunately it uses java. I didn't know the browser plugins were optional, but that makes sense, thanks.

Re:Java whitelist? (0)

Anonymous Coward | about 2 years ago | (#42565273)

I just installed java and unfortunately the program is a whore, it spreads itself everywhere. I had to disable IE and firefox java plugins despite not giving it permission to do that.

The hole is only relevant to the Java plugin? (4, Informative)

mark_osmd (812581) | about 2 years ago | (#42565165)

I was reading that the vulnerability is not in general standalone Java but only in the Java plugin in your browser, that is, you can secure from the issue by disabling the Java plugin in your web browsers but it's not that big of a risk to a standalone Java app. Is that true?

Re:The hole is only relevant to the Java plugin? (4, Informative)

Anonymous Coward | about 2 years ago | (#42565203)

I was reading that the vulnerability is not in general standalone Java but only in the Java plugin in your browser, that is, you can secure from the issue by disabling the Java plugin in your web browsers but it's not that big of a risk to a standalone Java app. Is that true?

Yep. Instructions are here [microsoft.com] to disable it. Or enable it for corporate folks in a separate secure zone. IE 6 - 9 may be retarded in HTML rendering, but it knows when it is on the net vs a LAN and loads different security settings.

If you are just a home user go under addons in Firefox and IE and disable Sun/Oracle and Java. DONE. You are secure at this point. The security exploit is not Java per se but the browser, as it executes by default unsigned with no authentication nor permission! A HUGE security risk. But without access to run it can't do anything.

Re:The hole is only relevant to the Java plugin? (2)

TubeSteak (669689) | about 2 years ago | (#42565809)

If you are just a home user go under addons in Firefox and IE and disable sun/oracle and java. DONE.

I just updated yesterday to the latest Java (addons v7.10.2.18 in FF, v7.0.100.18 in IE) and I swear that the update re-enabled my previously disabled plugins in FF and IE.

I only checked on a whim after reading your post.

Re:The hole is only relevant to the Java plugin? (1)

Anonymous Coward | about 2 years ago | (#42565235)

Since through the browser is the only way most people would ever run untrusted Java code, disabling the plugin will have the same effect as uninstalling Java.

Re:The hole is only relevant to the Java plugin? (1)

Anonymous Coward | about 2 years ago | (#42565367)

Since through the browser is the only way most people would ever run untrusted Java code, disabling the plugin will have the same effect as uninstalling Java.

Hardly, since most Java programs are NOT run in a browser. That is, the need to run non-trusted Java programs is almost zilch anyway.

Re:The hole is only relevant to the Java plugin? (4, Insightful)

thue (121682) | about 2 years ago | (#42565693)

Standalone Java apps already have full arbitrary code execution and full access to the system. What would be the point of using an exploit to gain access to a system you can already access? If you are running a standalone Java app, you have already chosen to trust the code completely, unlike a sandboxed app in a browser.

Re:The hole is only relevant to the Java plugin? (1)

_xeno_ (155264) | about 2 years ago | (#42565839)

Conceptually the hole is in all Java apps, though, it just only really matters in the browser setting.

If you have a Java app (say, a Java-based web server) that in fact runs untrusted code (say, third-party web applications) and places them in a Java sandbox, then they can use this exploit to leave the sandbox.

So it's effectively only an issue for browsers, since that's the real-life example where many people have Java installed in such a way that they might unexpectedly receive hostile code. But it can also, theoretically, apply to any other Java app.

In any case, I'd highly recommend going the "nuclear" route and just uninstalling Java if it's installed. It's the route the company I work for is going, and it's not like anyone uses Java for anything useful anyway.

Re:The hole is only relevant to the Java plugin? (4, Insightful)

sourcerror (1718066) | about 2 years ago | (#42565969)

that in fact runs untrusted code (say, third-party web applications) and places them in a Java sandbox, then they can use this exploit to leave the sandbox.

Only applets run in a sandbox, so there's nothing to leave. On the server side there are two choices:

- shared hosting (Tomcat): everyone uses the same VM, just like with PHP, so we are sparing memory but increasing the security risk
- virtual private server: everyone uses their own VM and everyone is secure

Bring your own Java? (0)

Anonymous Coward | about 2 years ago | (#42565167)

Actually, I wonder how many apps count on the system wide Java install on Windows (I don't use Windows so I don't know). The apps I developed just brought their own JRE. It's better anyway, since you don't have to worry about broken installs, outdated installs, etc. Whoever needs Java on target machines should probably bring their own JRE anyway. There are plenty of apps (not Web) that use Java.

Re:Bring your own Java? (1)

storkus (179708) | about 2 years ago | (#42565257)

You kind of brought up my topic:

1. There is non-browser-related software that runs on Java. The software for my cheapo vector network analyzer [miniradiosolutions.com] is written in Java, for instance. Then you have other things, even system software such as Dalvik. Thus, even if we can make it go away in the browser, we can't everywhere else.

2. That brings up your point: my software didn't bring its own JRE. However, it turns out it runs just fine on OpenJRE. My question: is OpenJDK/JRE vulnerable to this exploit? Is Dalvik? Or is this an inherent vulnerability to the language or interpreter (no matter who writes it) itself? (I hope that makes sense...)

Re:Bring your own Java? (2)

Billly Gates (198444) | about 2 years ago | (#42565283)

You kind of brought up my topic:

1. There is non-browser-related software that runs on Java. The software for my cheapo vector network analyzer [miniradiosolutions.com] is written in Java, for instance. Then you have other things, even system software such as Dalvik. Thus, even if we can make it go away in the browser, we can't everywhere else.

2. That brings up your point: my software didn't bring its own JRE. However, it turns out it runs just fine on OpenJRE. My question: is OpenJDK/JRE vulnerable to this exploit? Is Dalvik? Or is this an inherent vulnerability to the language or interpreter (no matter who writes it) itself? (I hope that makes sense...)

Yep, they are all insecure. Dalvik? It is an interpreter and not run in a browser, so no. OpenJDK is OracleJDK with a few proprietary libraries from Adobe and a few others replaced with equivalently functioning ones.

The exploit only works in a browser, so disable it in IE and Firefox and you are good. If that program works in a browser you need to set up an IE zone and add an exception for your site, or use Firefox with NoScript, or set click-to-run as default?

Re:Bring your own Java? (0)

Anonymous Coward | about 2 years ago | (#42565905)

Java is not vulnerable to anything to begin with. Just the sandbox used by Java web applets is not secure. Any sort of language sandboxing is not very reliable. In many cases (like Python) it comes with warnings and is supported sort of halfway.

The only problem is Java browser plugin and Java web applets. Just disable it in browsers and sleep well from that point on.

Still, for us developers I do not see why not just bring JRE along with your application. It makes things much easier. There is a ton of non-browser software. Not just the server side, but client-side as well. Editors, IDE, SQL clients. In fact majority of the software I use on Linux other than browsers is written in Java.
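The "just disable it in the browser" advice in the two comments above can be applied from a file rather than by clicking through the Java Control Panel on every machine. This is an added illustration, not part of either post: from Java 7 Update 10 the Control Panel's "Enable Java content in the browser" checkbox is backed by the `deployment.webjava.enabled` key in the JRE's deployment.properties. The per-user paths in the comments are the usual ones; the `.locked` suffix and the system-wide deployment.config mechanism are Oracle's documented way of pinning a setting, and the exact paths should be checked against the deployment guide for the JRE version in use.

```properties
# deployment.properties  (Java 7 Update 10 and later)
# Per-user locations:
#   Windows  %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
#   Linux    ~/.java/deployment/deployment.properties
# Fleet-wide: a deployment.config that names a shared deployment.properties via
#   deployment.system.config=...  and  deployment.system.config.mandatory=true
#   so that a missing or unreadable system file fails closed instead of being ignored.

# Turn off Java content in every browser that loads the Oracle plugin.
deployment.webjava.enabled=false
# Stop the Java Control Panel from letting the user switch it back on.
deployment.webjava.enabled.locked
```

After deploying it, open the Java Control Panel's Security tab and confirm the checkbox is cleared and greyed out; applets on any page should then fail to start regardless of which browser is used. This affects only plugin-hosted content, so the desktop and server programs the commenters mention keep running.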

It is so obvious... (3, Interesting)

QuietLagoon (813062) | about 2 years ago | (#42565281)

It is so obvious, why do not the Java users see this...

It has become apparent that Oracle either does not understand the concept of computer security....

- or -

Oracle does understand the concept of computer security, and they are using these exploits to kill off Java, which they do not want to support anymore.

What else can it be?

(btw, my bet is that Oracle is clueless regarding computing security)

Wrong. They want to kill java. (0)

Anonymous Coward | about 2 years ago | (#42565325)

Why? Because a long time ago, before the SUN set into the butt of Oracle, they and 20 other companies worked on DRM code used by, well, everyone.... Too bad it got leaked, eh?
While I see you could think they don't understand security, it's far more likely they just don't like Java and wish to kill it.
This is the Android phone revenge, one might call it. So that they never again have to deal with it.

Re:Wrong. They want to kill java. (1, Informative)

QuietLagoon (813062) | about 2 years ago | (#42565381)

While I see you could think they don't understand security, it's far more likely they just don't like Java and wish to kill it.

That's my second choice. :)

However, I cannot shake the feeling that Oracle is just not able to respond quickly to security exploits, that a security vulnerability is something they wish would just "go away" instead of Oracle resolving the root cause of said vulnerability.

In summary, I think Oracle is clueless about security at the client level.

Re:It is so obvious... (2)

Junta (36770) | about 2 years ago | (#42565549)

Why do Oracle's incompetency and disinterest in Java have to be mutually exclusive propositions?

Of course, for having spent 7.4 billion dollars acquiring Sun, Oracle hasn't put much effort into preserving the value of the assets from that acquisition. Solaris is stagnant, and all the Sun efforts to *try* to compete with Linux seem abandoned. Java is a security nightmare on top of being generally despised on end user client platforms. Java's biggest success as a platform has been in Android, and Oracle's response is trying to undermine Google through legal action.

It seems the biggest issue is not Oracle's technical competency or lack thereof, but the business competency certainly seems dubious....

Re:It is so obvious... (0)

Anonymous Coward | about 2 years ago | (#42565759)

Users can't tell the difference between ransomware and Oracle marketing/sales/license enforcement?

Re:It is so obvious... (1)

phantomfive (622387) | about 2 years ago | (#42566029)

It sure makes you want to go look for vulnerabilities in OracleDB, doesn't it?

Oh Java... (1)

SuperCharlie (1068072) | about 2 years ago | (#42565321)

I tried you back in the early days and you crashed me one too many times... since then the bad taste never left and I have avoided you. I never got on the bandwagon when it was neat to be a Java guru, and now I've come to realize you are simply a pain in my ass. Begone... I break with thee, I break with thee, I break with thee.

Wouldn't that make this... (4, Insightful)

segoy (641704) | about 2 years ago | (#42565361)

a -150 (approx) day vulnerability?

What happened to Java? (5, Interesting)

Jeremi (14640) | about 2 years ago | (#42565433)

Back in college (when Java was the new thing) one of its big touted features was security -- all applets would run in a sandbox, Java would be written in bytecode that would be automatically verified before it was executed, array access indices would be bounds-checked, etc etc. This all made Java execute more slowly than the alternatives (er, ActiveX?), but the (expected) upside was that Java would be super-secure and we wouldn't have to worry about our computers getting exploited by evil web pages that we accidentally loaded.

Now it's 2013 and Java (at least in the context of a web browser) is turning into an unreliable bug-fest.

So, what happened? Is it just a matter of incompetence at Oracle (and/or Sun)? Or is Java's security model fundamentally broken in some way that other in-web-browser languages (particularly JavaScript) are not? Where are all these security holes coming from?

Re:What happened to Java? (2, Informative)

Anonymous Coward | about 2 years ago | (#42565477)

The problem is that security costs usability.

Completely disable the ability of Java to read/write files on the local filesystem and it'd be a lot more secure for example, but then it'd be more useful as well.
"" direct access to graphics hardware, "" - well pretty much everything. And once you crack the door open a little it's really hard to find and close all the corner cases that open up.

Re:What happened to Java? (4, Informative)

Dolda2000 (759023) | about 2 years ago | (#42565527)

It's mostly a matter of incompetence in the implementation, indeed. The Java vulnerabilities I have followed have always included calling some obscure part of the Java class library which is implemented using native code (mostly for optimization reasons) that happened to be buggy in some way.

It should be said in this case, however, that the new Java 7 dynamic language support infrastructure, which is one of the things Oracle added since they took Java over. Many of the things Oracle has done to Java lately (and especially as additions in Java 7) have struck me as poorly designed features that just allowed Oracle to check off some feature lists to make Java appear as "feature-complete" as dotnet.

Re:What happened to Java? (4, Interesting)

phantomfive (622387) | about 2 years ago | (#42566039)

Theo de Raadt once said, "these guys can't write a secure OS, why would you expect them to write a secure VM?"

These bugs have always existed in Java, but no one went out to exploit them because there were easier vulnerabilities available. Now as Microsoft has put more emphasis on security, the low-hanging fruit has become Acrobat reader, then Flash, now Java. Used to be you could smash the Microsoft stack any time you wanted. Now they are randomizing the stack and it's not so easy.....

Whoopty freaking do (1, Troll)

symbolset (646467) | about 2 years ago | (#42565453)

Everybody who wanders in those circles knew about this one years ago. This is not the dawn of some new discovery; it's just when it became common knowledge to the rest of you. Java is crap nobody in their right mind would run in a browser. The "do not use" public warnings overlap each other. IE likewise is crap, pwned six ways from Sunday in every way possible; it's rapetacular. Office and Windows itself are just as bad, or worse. Calling it 0-day is kind of funny considering this is the normal condition all day every day.

There are dozens more as bad or worse in Java, and scores in all versions of IE, that are freely passed around by those who know and let to the press only after they become common enough to be worth discarding. A few are so precious that only dozens know about them, and will be present until long after the current versions of these software bundles have been deprecated. These are the few nation-states use to meddle with each other. The disclosures overlap, so your Windows PC will not ever be and cannot ever be what a reasonable IT pro would consider "secure".

Proof. Some retard is going to ask me for proof again, probably yet another Microsoft Intern with absolute faith that This Is The Last Exploit. I don't have to give proof. Giving proof would defeat the purpose. Just wait and the proofs will be revealed unto you in time. Microsoft themselves have acknowledged that these come so often they can't be bothered to fix them as they are revealed and schedule fixes monthly, on "patch Tuesday". Pathological exams reveal these same exploits have been present and used for 15 years or more quite frequently. One year from now at least a dozen more that many know that you do not will be in this way revealed, and in the process that they had been used for a long time since before now also. That is my proof.

Some few though... they will not be found out. Those few are precious, secret and reserved. They give us access to your darkest secrets. We save those for the most important people.

Re:Whoopty freaking do (0)

Anonymous Coward | about 2 years ago | (#42565953)

I piss on your "precious" piece of junk. There are more important things in life than knowing somebody's "secrets", but you need something more than animalistic instincts to understand that.

Java is required? (2)

BigBunion (2578693) | about 2 years ago | (#42565521)

It drives me crazy: my kids have several Java-based websites they are required to use for school. I'm not too worried if their laptops get borked; there's nothing of value on them. When the nasties spread across the network to my PC and my server, I've got real problems. What do I do besides complain to the school?

Two networks (0)

Anonymous Coward | about 2 years ago | (#42565699)

Set up two networks--one "secure", one "insecure". I don't run my machines on the same network as my children. They cannot be trusted to practice safe computing. The wireless hub is on their network as well. Visitors and other "unsafe" machines have the same access to my "secure" network as the internet does.

Re:Java is required? (1)

Bearhouse (1034238) | about 2 years ago | (#42565715)

Install decent security on your network, auto scan your kids pcs whenever they connect, don't share devices that contain sensitive information on the network, (like the drive, or folder that contains your bank details..), use a server with a non-windows OS...

Or just get the kids a dedicated NAS if they need the extra space. A cheap wifi box to allow them to share your internet connection and you're done.

Re:Java is required? (0)

Anonymous Coward | about 2 years ago | (#42565955)

install virtualbox on the kids' machines, download a winXP .iso off of bittorrent for the guest OS, and instruct your children to only use the virtual machine to access the school's java-based websites, and nothing else.

DHS advice (-1)

Anonymous Coward | about 2 years ago | (#42565643)

This one single piece of "good advice" does NOT excuse DHS from being currently in opposition to the US Constitution.
DHS needs to be DE-ACTIVATED.

Some one should just degayify Java (0)

Anonymous Coward | about 2 years ago | (#42565653)

I have come to be quite impressed with Java in terms of raw execution speed of actual workloads and know that its biggest hindrance in adoption or even wide respect has been its perception as slow because it takes 10 years to load the VM. That will never change, and people will always assume Java is slow old dog technology because of the time it takes to load the VM.

Considering the VM doesn't actually appear to protect people from squat it would be great if Java was just degayifed into a different kind of project and exported into a regular runtime like other languages are. I think its popularity would come back very hard.

Be careful what you wish for. (4, Insightful)

bcrowell (177657) | about 2 years ago | (#42565663)

I see a lot of posts saying, "I don't need Java applets. None of the web sites I visit use Java applets. We should use this as an opportunity to let Java applets die. Die, applets, die die!"

There are a lot of problems with this simplistic response.

One problem is that a lot of people are using java applets to do things that are important to them. Applets are widely used in the medical industry. I teach physics for a living, and there are several educational applets, written by other people, that I use to demonstrate ideas about thermodynamics. (Warning, car analogy coming up.) Just because you don't drive a Honda Fit, that doesn't mean it's OK to tell every owner of a Honda Fit that they aren't allowed to drive it anymore.

The other problem is that you have to consider the alternatives.

Javascript is in many ways a nice little language. However, it's a disaster because of the lack of a standardized DOM, and it simply doesn't have the necessary facilities to do all the things that a java applet can do.

Flash is essentially proprietary, has been designed in a chaotic way, and is a frequent vector for malware [net-security.org] , comparable to java applets and adobe reader.

Silverlight is only viable on Windows.

Java applets, warts and all, have some important advantages because of the design of java. Java was designed to be extremely portable. Java (unlike flash and javascript) was intended from the start to be a good general-purpose programming language. Java and java applets were vastly overhyped back in the 90's, but java applets are in fact an important and useful web technology that some people need and want. The problem seems to be that an important and useful web technology has fallen under the control of a corporation that is irresponsible about security.

Re:Be careful what you wish for. (0, Insightful)

Anonymous Coward | about 2 years ago | (#42565985)

The other problem is that you have to consider the alternatives.

Yes, for anyone who argues that Java should just go away, show me an alternative that does everything I need:

  • portability - I just zip up my Java byte code in a single "jar" file and then all anyone needs to run my program is a recent Java Runtime Environment. I don't have to cross compile binaries for all kinds of different architectures or require my users to have a full development environment with just the right libraries (and header files) available.
  • GUI - I can write a program with a responsive/fast full featured graphical user interface (menus, 2D drawing, etc) using a standard API.
  • data structures - I can develop sophisticated object-oriented data structures (like C++) and even get bounds checking and garbage collection as an added bonus.
  • speed - the JIT compiling of byte code to native does hurt the start-up time but, once my program is up and running, the speed is very close to that of C/C++/etc.
  • longevity - I don't want to invest a lot of time learning some hot new technology only to see it abandoned a couple years down the road and, what with all the enterprise use of Java, Java's got at least another decade in it if not more.

Now, maybe Google will eventually come up with some (JavaScript-based?) solution that does everything I need and more. But, until then, for me, and people like me, Java will fill an important niche in the software tool ecosystem.

This is like the online SCADA vulnerability issue (4, Insightful)

Required Snark (1702878) | about 2 years ago | (#42565677)

This is remarkably similar to the recent post on SCADA devices being vulnerable because they were directly accessible on the net. http://slashdot.org/index2.pl?fhfilter=scada [slashdot.org]

These are not primarily technical failures, they are institutional failures. The issue is not that Java has a zero day failure; these things happen. The critical failure is that Oracle knew what was going on before this hit the news and they could have avoided the problem with better practices.

The US has a laissez-faire attitude towards computer security. It's all left up to the good will of the provider, which is clearly a mistake. Some organizations do a good job, but many fail. This is because security requires expending effort, and there is a natural tendency to cut corners to save money.

In theory, the market will be self-correcting, because of the cost associated with failure. In practice, this does not occur. Neither the direct financial cost nor the reputational cost is big enough to modify organizational behavior. That's why there is a never-ending stream of these kinds of events.

Ironically, it seems that highly visible open source projects have a better track record than the private sector. This shows the high level of professionalism that open source organizations maintain.

Things will never get any better until the cost of failure becomes much greater. This means having serious fines and/or larger payouts to those who are harmed by the security breach.

Right now the cost of cleanup after a security failure is so low that there is no meaningful incentive to be proactive. Is Oracle going to have any negative economic repercussions as a result of this screw up? Of course not. Therefore, they will do nothing to change their ways. Until there is some mechanism to hold providers responsible for failure to act there will be no change.

To clarify the point, the liability should be for failure to act once a problem is found, not for the existence of the original security problem. Having a SCADA device visible on the net with a default password is the kind of event that should cause liability. Likewise not fixing a critical security hole as soon as it is discovered as in this case with Oracle.

Java should just be degayified. (1)

Anonymous Coward | about 2 years ago | (#42565683)

I have come to be quite impressed with Java in terms of raw execution speed of actual workloads and know that its biggest hindrance in adoption or even wide respect has been its perception as slow because it takes 10 years to load the VM. That will never change, and people will always assume Java is slow old dog technology because of the time it takes to load the VM. It's just been a killer to the technology the whole time.

Considering the VM doesn't actually appear to protect people from squat, it would be great if Java was just degayified and exported into a regular runtime like other languages are. I think its popularity would come back very hard and get the respect it deserves.

Why so horrified? (3, Insightful)

Tony Isaac (1301187) | about 2 years ago | (#42565685)

Has nobody on this site actually had to meet a deadline? Has nobody had to make some trade-offs to get a product out the door? Why would Java be different?

If you are working on a non-trivial project, and you don't know about at least half a dozen horrible "zero-day" flaws, then you don't know your project very well!

In real life, businesses have to make trade-offs. They can't fix everything. Every release cycle, product managers have to make decisions about which fixes go in, and which fixes have to wait. I'm no Java fan, but with as many people poking around it as there are, I'm amazed that there aren't many more known vulnerabilities!

Horrified because professionalism is expected (3, Interesting)

dbIII (701233) | about 2 years ago | (#42565801)

Has nobody on this site actually had to meet a deadline? Has nobody had to make some trade-offs to get a product out the door?

Because it's used by others, it's effectively infrastructure, and thus irresponsible to cut corners on before release. To invoke a car analogy, it's like opening a bridge on the announced date without finishing it in one lane, so that cars driving from one direction keep falling into the water. Such an example appears so ridiculous because it's comparing a carefully planned engineering project on one hand (the bridge) with a room full of blindfolded basketweavers trying to weave bits of an elephant-shaped basket while being shouted at in a language they cannot understand, and none of them know what an elephant looks like (a typical mismanaged software project like your above example with your "tradeoffs").

Better Remove JavaScript, too (0)

Anonymous Coward | about 2 years ago | (#42565831)

We'd better remove JavaScript, too, because that has "Java" in it!
