A Tidal Wave of Java Flaw Exploitation
tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack."
Several days ago, Oracle released a patch that fixed 29 Java security flaws.
How? (Score:5, Interesting)
The one question this article doesn't really clarify is pretty important: How are these exploits being loaded onto the user's computer?
Are we talking applets, Java web start, or some other mechanism?
Re:How? (Score:5, Informative)
CVE-2008-5353 3,560,669 1,196,480 A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
CVE-2009-3867 2,638,311 1,119,191 Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
CVE-2010-0094 213,502 173,123 Another deserialization issue, very similar to CVE-2008-5353.
Re: (Score:3, Informative)
I feel that NoScript is doing greater and greater work in protecting me each and every day.
Re: (Score:3, Informative)
In response to all of these "Java!=Javascript" comments that are here. Yes, we do. NoScript does a lot more than just JavaScript. It sandboxes Java and Flash until we tell them to run, too. It limits XSS. A lot of things, really.
Re:How? (Score:5, Informative)
It sandboxes Java and Flash until we tell them to run, too.
You're saying two different things in this sentence, only one of which is true. NoScript does only load plugins if you click on them (assuming it's configured to do so), but it does not "sandbox" plugins in any way. If you allow a malicious object to be loaded in a plugin (such as by clicking on it), NoScript does nothing to stop it.
Re: (Score:2)
You're preaching to the choir, bucko, but it's gotten to the point that NoScript goes onto every system I put Firefox on simply because of the various problems we've seen with J-Script and Java in general over the years.
Re: (Score:2)
Absolutely. And then I decide what I'm going to allow.
Re:How? (Score:4, Informative)
NoScript blocks all executable content on a web page, including Java applets, Javascript, Flash, etc, and lets you decide which ones to allow on a per-site basis.
Re: (Score:2)
I agree; I am annoyed by it always showing the donation page during its very frequent updates.
Somewhat off topic, but I've been wondering for a while what all those updates are for. I'm guessing that disabling javascript is not like an on/off switch?
Re:How? (Score:5, Informative)
CVE-2008-5353 was fixed with Apple's Java Patch #2 on June 15, 2009.
CVE-2009-3867 was fixed with Apple's Java for OS X 10.6 Update #1 and Java on 10.5 Patch #6 on December 3, 2009.
CVE-2010-0094 was fixed with Apple's Java for OS X 10.6 Update #2 and Java on OS X 10.5 Update #7 on May 18, 2010.
The flaw may not be Windows specific, but OS X is not included in your list.
Re: (Score:2)
Well, those of us who update their Linux installation should be safe then. Windows is trickier of course with no centralized updates in place.
Re: (Score:2, Insightful)
Perhaps this is because each Java update forces the bloody 'autoupdater service' (jusched).
Theoretically it allows the user to turn it off.
When I turn it off, close the Java config and reopen it, the schedule is still active.
Cutting it in the registry is the proper solution.
Re: (Score:2)
When you update the JRE, it doesn't uninstall the old version. Can something exploiting these vulnerabilities request an older version? It would appear to be possible. I've always kept my JRE updated, but I still got hit with a couple of these this year before uninstalling Java entirely and throwing out any software that depends on it.
Re: (Score:3, Insightful)
Probably because the Java updater is a piece of garbage that constantly tries to get you to install toolbars from Bing! or Yahoo! or whoever else is attempting to line their pockets this month.
An update tool should not attempt to install additional software.
Re: (Score:3, Informative)
oh please clueless astroturfing MS fanbois: how can you mod +5 informative adisakp's clueless comment?
Not so on Linux.
I'm hardly an MS fanboi but I'll reply to your obvious flamebait anyhow. Isn't it a bit harsh to call someone "really clueless" when all I did was point out that the vulnerability exists on all platforms. After all, the summary makes it sound like a Windows-only problem.
Yes it may be harder to escalate privileges but it's not impossible. Linux and OSX are inherently safer but they've been hacked in seconds to get root privileges in just about every pwn-contest held so far when 3rd party software with vul
Re: (Score:2)
Even if I had Java applets enabled (which I don't) on my Linux desktop then all this would provide would be a remote non-admin/non-root exploit.
meh for several reasons
Firstly on most desktop boxes even those running linux most important stuff happens under one user account. Pwn that account and you can do a lot of damage.
Secondly, if you pwn a user account it's possible to modify that user's menus and command line environment so that next time they do something that requires root privileges they give them to
Re: (Score:2)
I strongly suspect that the exploits try to inject platform-dependent malware, though.
Re: (Score:2)
But Lynx lacks that little button with "Allow scripts..." pop-up menu.
Re:How? (Score:5, Informative)
Propagation generally happens via applets, loaded through IFRAMEs or Javascript-based redirects. Actual payloads are not yet OS-agnostic (even though the exploits themselves are).
Re: (Score:2, Interesting)
According to CVE-2010-0094, the vulnerability is in RMIConnectionImpl, and since you can only initiate a connection to your host in an applet, I would guess that you would need to use Java Web Start.
Java applets require authorization (Score:3, Interesting)
Re: (Score:2)
If the infections were coming via Java applets then it becomes pertinent to ask how they got on the machine. Java applets must be signed to write to the user's hard drive. This means the user was prompted to approve an untrusted certificate and they did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not like applets are without protection to the end user.
Unless, of course, said exploit allowed the bypassing of the certificate requirement.
Re: (Score:2)
That still requires certificate acceptance before the applet can run.
If the certificate was signed by a trusted Certification Authority (CA) the user would not see a warning (and the CA needs to be notified so they can revoke the cert).
Of course, even with these mechanisms the malware applets are still dangerous to the "click OK, OK, OK until you are done installing" crowd.
Re: (Score:2)
Java ad with malware caused a buffer overflow condition (which was caught by McAfee) in JRE v11. Then it snuck in a malware executable (which was caught by McAfee). Which then signaled other malware that I was open for business.
Uh. How the heck can it signal other malware if it was really caught by McAfee?
Nervous (Score:5, Funny)
Seeing Oracle and Java all in the same sentence gives me a nervous tic...the same nervous tic that I developed when I read MS was in talks to acquire Adobe.
Re:Nervous (Score:5, Funny)
Just wait until you hear the news that Larry Ellison is buying Linus Torvalds.
Re: (Score:2)
Just wait until you hear the news that Larry Ellison is buying Linus Torvalds.
"Linux, I am your father."
"NOOOOOO!!!!!"
PLEASE mod parent up (Score:2)
..laughed my cotton socks off. Thanks.
Re: (Score:2)
Seeing Oracle and Java all in the same sentence gives me a nervous tic
Well, seeing Oracle and "Eleonore, Crimepack and SEO Sploit Pack" in the same paragraph makes me nervous.
When Ellison's raiders see a money-making opportunity, they go for it.
Patches have been available for a long time (Score:4, Insightful)
FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.
So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.
Re:Patches have been available for a long time (Score:5, Insightful)
I've run out of space in my head for all the different tools I need to separately manage updates for.
Re:Patches have been available for a long time (Score:5, Funny)
I've run out of space in my head for all the different tools I need to separately manage updates for.
Sounds like you need a computer.
Re: (Score:3, Informative)
Usually that is the case but
https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/659937 [launchpad.net]
The current version appears to be vulnerable. You can manually update or use the PPA:
sudo add-apt-repository ppa:duh/sun-java6
and then the usual update/upgrade.
When the official packaging comes out it should overwrite the PPA version.
Re:Patches have been available for a long time (Score:5, Funny)
I guess Windows isn't ready for the desktop.
Re:Patches have been available for a long time (Score:4, Informative)
All it needs is to allow me to manage a list of repositories that I trust (one centrally managed repository won't fly in the commercial world, but it doesn't have to be that way). It's a small addition - maybe next year will be the year of Windows on the desktop!
Re: (Score:3, Funny)
Indeed. Most of the Enterprise(tm) world is probably completely safe from these attacks. At least till 2027 when they upgrade to the vulnerable versions.
Re:Patches have been available for a long time (Score:5, Interesting)
For reasons I have never been able to figure out, Java has significant issues auto-updating on all my home Windows computers (XP, Vista, and 7). Sure enough, just last week I had to spend a night sanitizing one of the systems. For now I've uninstalled Java until I have the chance to figure out just what the problem is, but honestly not having it hasn't been a problem, so I'll probably just leave it off until I find something that actually requires it.
Re: (Score:3, Insightful)
Plus, the patch wants you to install a massive amount of crapware in order to patch your system.
Re: (Score:2)
You can always tell the people that don't work in "the biz" when they make comments like the parent's.
Re:Patches have been available for a long time (Score:5, Interesting)
He seemed pretty accurate other than some exaggeration. If you want to see a "Massive amount of crapware" buy a PC from a big box store, not "java tried to install the yahoo toolbar boo hoo".
The funniest Java related thing I've seen, is amongst the non-computer cow orkers "Oh man, another java program, that thing is gonna be slow and take IT forever to install (actually they mean the JVM) and crash all the time". Computer people have known that for over a decade now, the funny part is hearing non computer people start to complain.
Re: (Score:2)
I've never run across a site that required Java (which I've always had disabled in Firefox). I do have Java installed so that I can run applications that use it, but why should I enable it in my browser?
Re:Patches have been available for a long time (Score:5, Interesting)
Java updates contain unrelated bugfixes and functionality, breaking applications. They are far from being minimal updates. Back in the Sun days, this was addressed by enabling parallel installation of many JVM versions. It was even possible for web content to request a specific JVM version, which means that you actually had to update to a newer version and delete all the old versions. I'm not completely sure that this part has actually been addressed. It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).
Re:Patches have been available for a long time (Score:4, Insightful)
Java web start allows a developer to specify an exact version of the JVM to run. If that JVM doesn't exist, it could be downloaded from Oracle through the web start installation process. I'm not sure if you can specify flaw enabled versions of the JVM anymore, but at least there are dialogs and choices to make before the JVM gets installed anyways, so a naked web site can't just inject a bad JVM into your system based on an exploit web start file. The same goes for applets these days, as applets and web start start merging into some sort of common entity.
That said, there are a lot of 3rd party vendors that have installed JVM's over things, and set environment variables that break other things over the years (Oracle DB client I'm looking at you!) that can cause all sorts of compatibility problems.
Re: (Score:2, Insightful)
"Write Once, Run on a Very Specific Virtual Machine Version Which We'll Download For You Automatically" doesn't sound quite so appealing.
Re:Patches have been available for a long time (Score:5, Informative)
There are maybe 3 major versions of Java still in somewhat standard use: 1.4, 1.5, and 1.6. Unless the application in question has some very specific quirks, users should always be able to use the latest and greatest version of 1.6 to run them. The allowance for using older versions of the platform is a feature, not a hindrance.
It means that if I want to use "BadSoftwareCompany"'s piece of Java software, I'm not confined to downloading and breaking my host's latest version of Java if their code only works with 1.4 or 1.5. If I didn't have the feature, I just couldn't use the software without a huge headache. To assume that every version of every software will work forever is delusional, but at least there are facilities to support the older tech.
Re: (Score:2)
Including, surprisingly, Android.
OpenJDK 1.6 works with Android, but if you want to use the official one they recommend, you have to use 1.5 (Java 5) because of some oddball parser issues in official Oracle JDK 1.6.
So one's choices are to use the unsupported OpenJDK 1.6 with Android, or the unsupported (but Android-supported) JDK 1.5. Bleh.
I hope
Re: (Score:2)
So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.
Even patched machines are vulnerable as well, at least on Windows (don't know if it does this on other OSs). Java updates on Windows do not uninstall previous versions of Java, they just add a new one.
Since Java apps can request specific versions of the JRE to run in, even patched machines are vulnerable until the user/admin uninstalls the previous versions.
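Several replies above make the same point: a Windows JRE update installs alongside the old runtime rather than replacing it, so a host can be "patched" and still carry an exploitable version. The following PowerShell audit is an added example, not code posted in the thread: it lists every JRE registered in HKLM and flags any older than 1.6.0_22, the fix level named in this discussion. It assumes the Sun/Oracle installer layout of the time, `HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<version>\JavaHome`, plus the `Wow6432Node` mirror used by 32-bit JREs on 64-bit Windows.

```powershell
# Added example (not from the thread). Enumerates JREs registered on a
# Windows host and flags leftovers older than the 1.6.0_22 fix level.
# Assumed registry layout (Sun/Oracle installers of this era):
#   HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<version>\JavaHome
#   HKLM\SOFTWARE\Wow6432Node\JavaSoft\...  (32-bit JREs on 64-bit Windows)

$MinimumPatched = '1.6.0_22'

function ConvertTo-JavaVersion {
    # Map a Java version label to a comparable [version]:
    #   "1.6.0_22" -> 1.6.0.22, "1.4.2_19" -> 1.4.2.19, "1.6" -> 1.6.0.0
    param([string]$Label)
    $parts = ($Label -replace '_', '.') -split '\.'
    while ($parts.Count -lt 4) { $parts += '0' }
    return [version]($parts[0..3] -join '.')
}

function Get-InstalledJre {
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        if ($root -match 'Wow6432Node') { $hive = 'Wow6432Node' } else { $hive = 'native' }
        foreach ($key in Get-ChildItem $root) {
            $label    = $key.PSChildName
            $javaHome = (Get-ItemProperty $key.PSPath).JavaHome
            # Family keys such as "1.6" merely alias the current update, and keys
            # without an install directory tell us nothing; skip both.
            if (-not $javaHome -or $label -notmatch '_') { continue }
            New-Object PSObject -Property @{
                Label    = $label
                Version  = ConvertTo-JavaVersion $label
                JavaHome = $javaHome
                Hive     = $hive
                # A registry entry whose java.exe is gone is stale, not a live runtime
                OnDisk   = Test-Path (Join-Path $javaHome 'bin\java.exe')
            }
        }
    }
}

$floor = ConvertTo-JavaVersion $MinimumPatched
$jres  = @(Get-InstalledJre | Sort-Object Version)

if ($jres.Count -eq 0) {
    Write-Output 'No JRE registered under HKLM.'
    return
}

foreach ($jre in $jres) {
    if ($jre.Version -lt $floor)  { $state = 'OLD: remove' }
    elseif (-not $jre.OnDisk)     { $state = 'stale registry entry' }
    else                          { $state = 'ok' }
    Write-Output ('{0,-10} {1,-12} {2,-22} {3}' -f $jre.Label, $jre.Hive, $state, $jre.JavaHome)
}
```

Run it from an elevated prompt on each workstation; any line marked OLD is a runtime that a version-specific applet or Web Start descriptor could still select, and is the one to uninstall.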
Oracle just put me in a rough spot (Score:2, Interesting)
This creates a huge issue for the company I provide support for. We have so far not updated beyond 6u20. That is the last version of the JVM to carry the "Sun Microsystems" label instead of something referencing Oracle.
Some divisions of this company (and I would assume others as well) still run apps that seem to be incompatible with anything above 6u20 for this reason. Oracle's poor stewardship toward the Java platform has led to a situation where we will have to make a decision on a per workstation basis
Patch bloat (Score:5, Interesting)
What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
Re:Patch bloat (Score:5, Informative)
What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
If you update through the java control panel, it definitely does not grab the entire 77MB package + toolbar.
Re: (Score:3, Informative)
Last I checked, that just updated the JRE - the only way to update the JDK was to pull a complete new copy.
Re: (Score:3, Informative)
Quite a few people who post on Slashdot are developers. I happen to be employed to write Java webapps. To do this, I need the JDK.
If you're doing the full 77MB download, you're grabbing the JDK. As I posted, as far as I know, Sun never offered patches for the JDK: your only choice was to redownload the entire thing. Oracle appears to be continuing that practice.
If all you're using is the JRE, the download is much smaller (16MB versus 77MB) and it should be able to automatically update via patches.
However fo
Re: (Score:2)
What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
Presto will handle the deltarpms.
Re: (Score:2)
You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
77mb!?! Well, that pretty much fills up MY entire hard drive.
This article speaks the truth (Score:5, Funny)
Re: (Score:2)
Not sure why you think this is a troll. I, too, have recently had a massive malware infection through a Java applet. I did manage to sort it out via an antivirus program, but it took over 3 days for it to clean all 375,000 infected files from my system. It would have been faster to reinstall.
Re: (Score:2)
Dude, stop it! I'm laughing my ass off !!!!
Re: (Score:2)
I don't see that as trolling, the only reason my recent Java delivered infection wasn't orders of magnitude worse is because Avira contained the problem before it got out of hand. Yes, I suppose I should be angry that Avira let it get as far as it did (the initial infection was running and Avira couldn't stop or remove it), but I'm grateful that the 20+ infections that the first one tried to spawn weren't able to run. Even still it was a night's work.
Reboot to a live CD, run a scan and remove/repair infec
Re:Nice try (Score:4, Informative)
Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.
Me neither. I switched to Linux in 1996.
Re: (Score:2)
For its flaws, the removal tools in XP are phenomenal, and with combofix, rootkits become a minor annoyance.
Re: (Score:2)
And linux lacks a registry cleaner utility too. You might wonder why.
Really, should I even bother to look for removal tools when reinstalling aptosid from a USB live stick takes 4 minutes and gives me much more assurance that the system is clean? A dpkg get/set-selections restores all the other stuff I had installed, and good luck to the malware hiding in the few text config files in /etc that I need to restore before being up and running again.
All of this is not Linux guru stuff; it's in the installation manual.
Checklist (Score:2)
1. Reformat/reinstall.
If something got by an anti-virus app, and managed an infection, a rootkit is almost certainly one of the first things downloaded by the malware (assuming that the malware is botnet-focused rather than just simple vandalism). The initial infection is almost never the one that carries the payload (the software that the person who deployed the malware really wants to run); the usual sequence is infect--rootkit--get instructions from a website/IRC channel--download payload--wait for ins
Re: (Score:2)
Reinstall.
Re: (Score:2)
Additionally, if you know the specific virus, there are specific
Re: (Score:2)
If you have a low-key organization but a VIP machine where reinstalling is heavily punished, read along. Unless your spyware used Group Policy lockouts preventing "Run", cmd.exe, taskmgr, regedit and System Restore for even your admin accounts. I don't get why MS paywalled Group Policy into XP Pro, but left it present enough that spyware can 0wn your non-domain Home machines. Stop and reinstall anyway if you do see the above issues.
Create a new passworded admin account just in case your next boot automagica
Java Vulnerabilities Patched in 1.6.0_22 (Score:2)
You don't have to be vulnerable. The listed exploits were patched in Update 22, last spring.
Update available here. [java.com]
DoublePlusKarmaWhoreGoodness: For best protection, run a Mozilla browser with the NoScript add-on [mozilla.org]. (AdBlockPlus [adblockplus.org] and RemoveItPermanently [mozdev.org] make great complements to NoScript, too.)
MS and Adobe to join? (Score:2)
Since MS has posted this list of exploits that were fixed in Update 22 (last spring!), is it safe to assume that Microsoft is simply trying to redirect people who complain about Adobe's security vulnerabilities to look at Java with bigger contempt, so Microsoft can buy Adobe and still claim that their software is the most secure?
Seems a bit odd to me that Microsoft would be trying to improve Adobe's image when they need to be looking at their own. Perhaps they ARE looking at their own image because Adobe will
Re: (Score:2)
I doubt it has anything to do with Adobe. It is probably simply yet another MS screwup that was reported to upper management as a Java insecurity and their marketing machine took over.
disable java in browser? (Score:2)
Is there a way to disable java across all browsers, but keep it installed for other software like openoffice?
I.e. block all applet functionality, but still allow local java code to run?
That would make maintaining friends' PCs a lot easier. They never update on time, and when they do, I always have to remove a new bundled browser toolbar again.
Re: (Score:2)
Thanks!
Seems like it only lists settings for IE and firefox, not chrome or opera, but it's a start.
jucheck.exe and "Unknown publisher" (Score:2)
When I finally had some time (and was fed up with the nagging), I typed "jucheck.exe unknown publisher" in Google. I waded my way through the hits warning me that it was probably a virus and that I should do a "free scan" with
It's not a surprise (Score:2)
It's not a surprise that there are a lot of unpatched systems out there. Java's stealth-mode installation pretty much guarantees it.
I know what I'm doing. The machine on my desk is one I built myself from parts (won't do that again; these days an off the shelf system costs a great deal less than the sum of its parts). Every bit of software is there because I decided it should be--or so I thought. This post got me curious.
I've never consciously installed or enabled java on this machine and yet, in the java p
The Java Automatic Updater is annoying (Score:2)
The reason why Java's never updated is that its automatic updater is annoying. It always shows up as soon as I boot up my computer, and then tells me I need to reboot. Now, given that normal people like to USE their computers, and given that many corporate computers take forever to boot up, something like this is going to remain ignored. Just think: after waiting 5+ minutes while my computer boots up, do you think I'm going to reboot again for something I've never heard of nor, as far as I know, use?
The Ja
It is vulnerable because it is popular. (Score:2)
Unlike the Macrocost implementation of it C# or whatever.
In other news OS2 is the most secure system ever, too bad no one is using it....
Re:Nerd rage (Score:5, Insightful)
Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?
Re: (Score:2)
I doubt it, but there is definitely a strong time correlation between the increase of java attacks and oracle's sun acquisition. My guess would be that because Oracle doesn't know how to monetize java (without suing others), attention is shifting away from java and the code is getting a thin film of dust over it.
Re: (Score:2)
To date, Oracle is only suing Google for creating Near Java, I'm a bit fuzzy about how they feel they are entitled to do this given Google isn't using any Sun tech but then Oracle is probably fuzzy on this point as well. Anyhow, how many organizations are producing Java versions? Why should yer basic Fortune 500 give a rat's ass about Oracle suing for mutant Java implementations when all they doing is using either Oracle's or IBM's version? And IBM just bent over to receive the Uncle Larry's teenie weenie t
Re: (Score:2)
So fix your broken government department's IT policy.
Re: (Score:2)
I happen to be in charge of our government IT policy. I will henceforth dictate that all government departments' IT policy be fixed to accommodate Oracle products henceforth. There, howzzat?
Re: (Score:2)
Yeah, because nobody ever runs Java applets on Windows...
Re:JVM on Windows? (Score:5, Funny)
Yeah, they should have used ActiveX, right?
Re: (Score:2)
So far there has not been a single buffer overflow targeting pure Java code because, well... the Java specs simply make this impossible (or the hypothetical JVM that would be affected wouldn't be complying with the Sun/Oracle Java specs and hence wouldn't be a "JVM").
Clearly the solution is to rewrite the JVM in Java.
Re: (Score:2)
It depends how they are using them. If they are keeping private copies and only using them to run trusted software I don't see any big problem.
OTOH if they are installing old versions systemwide that is BAD.
Re: (Score:2)
That's why I suggested this years ago:
http://lists.w3.org/Archives/Public/www-html/2002May/0021.html [w3.org]
http://www.mail-archive.com/mozilla-security@mozilla.org/msg01448.html [mail-archive.com]
I think mozilla are finally trying to do something about it:
https://developer.mozilla.org/en/Security/CSP [mozilla.org]
But after so many years, worms and exploits...