Oracle's Java framework is once again under attack, thanks to new vulnerability.
Read the whole story
Read the whole story
Critical flaw under active attack prompts calls to disable Java
- Thread starter JournalBot
- Start date
The really terrible thing about this exploit is that, reading the code, it is so *straightforward* that it all looks like intended behavior and you can read it three or four times wondering where on earth the actual exploit is. Here is jduck's reproduction of the original http://pastie.org/4594319
I'm not a Java person, so I'm not intimately familiar with the runtime, but I had to read disableSecurity() six times before concluding, yes, it really is just manually overwriting the bits of the current security context, and apparently the runtime will *let* it do that.
PS. If it's true that the patch isn't coming until October, I'mma have to (╯°□°)╯︵ ┻━┻. That'd be just criminally negligent.
I'm not a Java person, so I'm not intimately familiar with the runtime, but I had to read disableSecurity() six times before concluding, yes, it really is just manually overwriting the bits of the current security context, and apparently the runtime will *let* it do that.
PS. If it's true that the patch isn't coming until October, I'mma have to (╯°□°)╯︵ ┻━┻. That'd be just criminally negligent.
Upvote
0
(0
/
0)
Does anyone still use Java in the browser?
I make damn sure to disable the plug-in on all the computers where I need Java for other programs.
I make damn sure to disable the plug-in on all the computers where I need Java for other programs.
Upvote
0
(0
/
0)
Yet another reason to not have java installed. If you have java installed then you should disable the browser plugin portions. If you need those plugins, you should have them enabled ONLY in your least favorite browser out of the 7 you have installed, and use that when you have to go to one of the few sites that still requires java browser plugins.
Upvote
0
(0
/
0)
nikbackm":29qymz9h said:
unfortunately, Java for internal corporate webapps is the new Active-X for internal corporate webapps, and simply asking everyone to not use the apps needed to do their job is out of the question. This can be worked around with whitelisting but you have to overcome IT inertia to get it set up that way...
Upvote
0
(0
/
0)
I use it all the time at work. The good news is we're still on Java 1.6, which isn't affected by this.nikbackm":2436mg63 said:
Upvote
0
(0
/
0)
Browser and Java-based stuff has long since been light enough in terms of processor load that it can be run very easily inside a VM. Having a minimal "security" VM running for that isn't a bad idea, set it up, snapshot, and then have it rollback every day during normal use (update the core snapshot offline for security updates). Java doesn't seem to pop up much anymore though, I think the last time I saw it was in (ironically enough) VMware's support system.kleinma":38g3k745 said:
Upvote
0
(0
/
0)
And to think we just upgraded to Java 1.7u6 to support a new corporate application that requires 1.7. 
Oracle will hopefully have a fix shortly.
Oracle will hopefully have a fix shortly.
Upvote
0
(0
/
0)
Let me get this straight (based on the linked pastie code) as it's ages since I had to care about java's sandbox model.
Either java.beans.Expression *utterly* subverts the permission checks disallowing (private, i.e. invasive) reflection or this assumes you're running in a context where such reflection is allowed?
I would have thought such reflection implied full trust semantics right off the bat. Though if the sandbox is meant to allow this whilst not letting you outside of it then having that state maintained *inside the sandbox* beggars belief.
Either way it would imply breathtakingly idiotic security consciousness.
Either java.beans.Expression *utterly* subverts the permission checks disallowing (private, i.e. invasive) reflection or this assumes you're running in a context where such reflection is allowed?
I would have thought such reflection implied full trust semantics right off the bat. Though if the sandbox is meant to allow this whilst not letting you outside of it then having that state maintained *inside the sandbox* beggars belief.
Either way it would imply breathtakingly idiotic security consciousness.
Upvote
0
(0
/
0)
Gern Blaanston
Ars Scholae Palatinae
No software is perfect and no software will ever be perfect. But this is just absurd. There is no reason why there should be a never ending stream of exploits.
Upvote
0
(0
/
0)
Yes, most Norwegian banks requires it for their BankID identification system that you use to log in due to the "increased security". I don't think they have taken into account all the Java exploits, and now that plugins are abolished from iOS, Windows RT and Android, the decision to require Java is even more silly.nikbackm":11fnskdi said:
Upvote
0
(0
/
0)
Don't expect a bug report, but couldn't you give some general information about what the exploit is? What it lets malicious code do? What API is flawed?
Upvote
0
(0
/
0)
Upvote
0
(0
/
0)
Daniel Smith":1ph5onfm said:
Yeah, I've checked the links but I can't seem to find what exactly the 0-day exploit is within Java. I have it disabled in my browser on my desktop, however my Mom uses it to play crosswords and such on NYTimes website (I know, who the hell uses Java for something that simple?) but I have it "locked down" with EMET security mitigations.
However if this exploit bypasses or doesn't use memory corruption as its exploit, I'll have to tell her to disable Java until a patch is issued. A quick run-down of what exactly this exploit is using would be nice; or at least point to the right place I can go and find it.
Upvote
0
(0
/
0)
Did you test this yourself, or has it been confirmed already somewhere? I can't immediately find a source that mentions this, and as we're on 1.6 ourselves, I'd love to know for certain we are in the clear (for now).SirOmega":32xwocgf said:
Upvote
0
(0
/
0)
As far as I can tell from that pastie it in no way uses memory corruption. It either:
Uses an API that (idiotically) allows reflection security permission bypass (and then essentially elevates itself out of the sandbox)
Or someone put a critical piece of security state in an unprotected location of the runtime and perfectly legal code can change it.
either way I can't see the defenses you refer to an doing anything.
Running the browser in it's own sandbox (the I.E. and chrome protected modes) may mitigate it.
Upvote
0
(0
/
0)
Daniel Smith":3l0linm4 said:
SolidState89":3l0linm4 said:
The exploit is that 1.7 allows an unsigned, unprivileged process to overwrite its own security context token with reflection, assigning itself full privs.
Apparently no-one could get it working with 1.6, implying that it's a recent code change that "fixed" what ain't broke.
Upvote
0
(0
/
0)
abadidea":3eaiapmj said:
There is no palm or face combination in the world that is large enough...
Upvote
0
(0
/
0)
jdale":2123pga3 said:
I think NoScript can do it. It can tie it's JavaScript deactivation to all kinds of plugins like Flash and Java. And it has pretty good whitelisting powers.
Granted, if you whitelist a site, you get everything back: Java, Flash, JavaScript, etc.
Upvote
0
(0
/
0)
Since Mr. Goodin is asking everyone to please exit the pool for health and safety reasons, I hope he'll be considerate enough to write a followup to tell all those slowly dehumidifying people when it's finally safe to go back in the water? Unless the pool boy happens to look like Jennifer Aniston, I'm not stickin' around to watch.
Upvote
0
(0
/
0)
Ugh, my dad uses ADVFN.com which uses Java for its stock price streaming (the crazy thing is that they have an iPad-optimized website that uses purely JavaScript for equivalent functionality, so a Java applet shouldn't be necessary at all). This website is literally the only reason I've had to install Java on his computer. What can I do to mitigate this exploit short of uninstalling Java completely?
Upvote
0
(0
/
0)
Oracle continues to astound me with the quality and stability of their software products.. Every new version of the Oracle database breaks new things, just to make life interesting.
I've just heard that Oracle is changing the Java tagline to: write once, exploit everywhere!
I've just heard that Oracle is changing the Java tagline to: write once, exploit everywhere!
Upvote
0
(0
/
0)
nikbackm":va9wn72c said:
Sadly, there are certain business applications which require me to run java. I wish that weren't the case...
Upvote
0
(0
/
0)
Apple deserves some credit for how it works in recent versions of OS X:
* java is not pre-installed along with the system
* if you load a web page that requires java, it prompts you to install it after warning about possibly security vulnerabilities
* installing is easy
* once installed, if you do not use it regularly, it will be disabled automatically without prompting the user
And of course, Java simply doesn't exist at all on iOS which is already how the vast majority of Apple customers surf the web (and growing fast).
In my opinion, HTML/JavaScript is good enough now if you can't do it with that toolkit it's not a big ask to tell developers they need to drop right down to coding in C or Assembly. There is no need for any middle ground programming language that tries to achieve the power of C and the security of JavaScript.
* java is not pre-installed along with the system
* if you load a web page that requires java, it prompts you to install it after warning about possibly security vulnerabilities
* installing is easy
* once installed, if you do not use it regularly, it will be disabled automatically without prompting the user
And of course, Java simply doesn't exist at all on iOS which is already how the vast majority of Apple customers surf the web (and growing fast).
In my opinion, HTML/JavaScript is good enough now if you can't do it with that toolkit it's not a big ask to tell developers they need to drop right down to coding in C or Assembly. There is no need for any middle ground programming language that tries to achieve the power of C and the security of JavaScript.
Upvote
0
(0
/
0)
Tafter":9vnz053z said:
Turn it off in your primary browser, and use some other browser (or even one of those standalone single-website ones) for running those business apps.
You could rely on browser plugins like NoScript or the "trusted sites" model in IE, but I probably wouldn't assume those are bulletproof. I would want it turned off completely. Especially on a "business" computer, where security is critical.
Upvote
0
(0
/
0)
Upvote
0
(0
/
0)
So if I read this correctly, somehow java.beans.Expression and/or java.beans.Statement can be used to call private member functions by getting their names and then their values and then applying the desired arguments in the private context?
edit: And that this works even with objects that should check that such access is legal?
edit: And that this works even with objects that should check that such access is legal?
Upvote
0
(0
/
0)
We need Java at work, many official websites require it to send the taxes forms, contracts, on-line banking, and the like. Because I keep all the computers fully updated, all of them have Java 1.7... Now I will have to roll back to 1.6 all of them until this is fixed. That's fine but there's a lot of people who don't bother updating and will have a vulnerable Java runtime for a long long time. This is a big failure.
Upvote
0
(0
/
0)
Major General Thanatos":3t00obx0 said:
If you're on Linux, that's OpenJRE. From the post:
I imagine they are feeling pretty good about that.
Upvote
0
(0
/
0)
abadidea":2fk9aldu said:
This...
How long will it be before there is a show-stopping exploit and IT gets with the program (no pun intended)?
It's disheartening to see how many blue-chip firms still stick with old tech due to intertia. Sure, people claim budgetary issues--but the potential costs of a security breach aren't factored in.
Upvote
0
(0
/
0)
lyme":19ba0smn said:
Do you think that Oracle may be thinking that they have maxed out their (potential) user base, and is now simply milking the existing customers with expensive upgrades that offer little new functionality and litigating potential competitors?
Upvote
0
(0
/
0)
ScottTFrazer":23inmw2e said:
Yes. Yes, we are.
Solution: Don't update Java. At least Chrome will require you to manually enable the plugin every time you need to use a plugin if it is outdated. It's a crazy world.
Upvote
0
(0
/
0)
Alfonse":2l30ymzh said:
The problem with NoScript and most modern web-sites is many sites have so many other sites, apis and other shit tying into them ... and many of them make certain api's or things mandatory in order to get some functionality working ... eg: if you want to get the comments box working, then you have to whitelist some special api which also acts as the adserver.
I go to some sites, and I look at the noscript dropdown ... like 10+ things show up in the exclusion list.
Just looking at Ars Technica alone ...
meincmagazine.com
googleapis.com
parsley.com
arstechnica.net
linkedin.com
stumbleupon.com
twitter.com
chartbeat.com
crwdcntrl.net
google-analytics.com
reddit.com
google.com
... on some web-sites, you can get frustrated whitelisting specific things that you just say "temporarily allow all". I know that's all up to the user, and it's the user shooting themselves in the foot by doing that. But really, it's caused by web-sites tying in so much crap these days.
So, even with noscript installed, I could see an exploit web-site work it's way through simply by exploiting the user's impatience to figuring out which component needs to white-list to get some function to work on a web-site, they temp allow all... boom ... exploit can now run.
Upvote
0
(0
/
0)
Oh, I wish I could get rid of Java and get it permanently off my computer! Unfortunately, our national digital ID system in Denmark (NemID, http://www.nemid.nu) is built on Java - yes, something that is supposed to be secure is built on the most insecure technology out there... This system is required for online banking, managing your student payments and many other things.
In short, most people in Denmark are forced to have Java installed and enabled because of this - and given the lack of automatic updates, most have old versions. It is a disaster waiting to happen...
In short, most people in Denmark are forced to have Java installed and enabled because of this - and given the lack of automatic updates, most have old versions. It is a disaster waiting to happen...
Upvote
0
(0
/
0)
bsiu":3gjnigdp said:
Come now. It's not broken. It working exactly as designed. Granted the design leaves lots to desire.
Upvote
0
(0
/
0)
- Status