[macosxnerd101]

As a result of this exploit, Apple has disabled the Java 7 plugin on OS X through the anti-malware system.

http://appleinsider....ava-7-from-os-x

[farrell2k]

jon.kiparsky, on 12 January 2013 - 02:29 AM, said:

So to try to bring us back around to the topic: can anyone help me figure out exactly what's at risk here?
As far as I can tell, the exploit targets the browser plug-in. The java developer who doesn't run random applets faces no added security risk for having java on their machine.

It's a new exploit found after the patching of two previous ones, which makes statements similar to: "I'm starting to think that Java doesn't care about security" or "Java is unablle to keep anything secure." completely idiotic.

[jon.kiparsky]

The date of that article is August 29, 2012. Today's date is January 12, 2013.

What's a reasonable turnaround time for this kind of thing, in your opinion? Six months? A year?

[xclite]

farrell2k, on 12 January 2013 - 08:58 AM, said:

jon.kiparsky, on 12 January 2013 - 02:29 AM, said:

So to try to bring us back around to the topic: can anyone help me figure out exactly what's at risk here?
As far as I can tell, the exploit targets the browser plug-in. The java developer who doesn't run random applets faces no added security risk for having java on their machine.

It's a new exploit found after the patching of two previous ones, which makes statements similar to: "I'm starting to think that Java doesn't care about security" or "Java is unablle to keep anything secure." completely idiotic.

http://developers.sl...-hole-in-august

I think that 4-5 months is a little bit "Oracle isn't doing enough about security."

http://www.forbes.co...itical-bug-fix/

Quote

Oracle, which confirmed receipt of the Polish researchers’ find Friday, has already been criticized for taking months to address the original set of security flaws highlighted by the Polish researchers in April, and even then only fixing a small subset of the issues. In a post to the BugTraq mailing list Friday, Security Explorations explained that a new security issue it found within hours of Oracle’s update “made exploitation of some of our not yet addressed bugs possible to exploit again.”

This post has been edited by xclite: 12 January 2013 - 09:30 AM

[Dogstopper]

Just think if Sun Microsystems still controlled Java. This issue would have been fixed in no time at all. Also, a side question. Does the OpenJDK also suffer from these expoits?

[farrell2k]

jon.kiparsky, on 12 January 2013 - 03:37 PM, said:

The date of that article is August 29, 2012. Today's date is January 12, 2013.

What's a reasonable turnaround time for this kind of thing, in your opinion? Six months? A year?

I only posted that because you wanted some technical info about the bugs.

Turn around time for a fix? The sooner the better, I suppose.

Dogstopper, on 12 January 2013 - 04:35 PM, said:

Also, a side question. Does the OpenJDK also suffer from these expoits?

Good question. Regarding the last bug:
"Code execution was confirmed with the latest Oracle and IBM Java 7 web browser plugin. IcedTea-Web using OpenJDK7 blocks this exploit by not allowing applet to change the SecurityManager (which is allowed in Oracle and IBM Java plugin)."

I'd assume it is vulnerable as well.

This post has been edited by farrell2k: 12 January 2013 - 05:49 PM

[jon.kiparsky]

Some new news:

Quote

Oracle has just released Security Alert CVE-2012-0422 to address two vulnerabilities affecting Java in web browsers. These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java. The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174. These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0. Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools.

The exploit conditions for these vulnerabilities are the same. To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website. The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system. These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets.

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default. The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed. As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.

cite

[macosxnerd101]

The patch doesn't seem to fix the vulnerabilities, according to a Java security Expert.

Quote

Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak, a researcher with Poland's Security Explorations.

An Oracle spokeswoman declined to comment on Gowdiak's analysis.

http://news.yahoo.co...05--sector.html

[jon.kiparsky]

No, it looks like it does very little. Disappointing, isn't it?
If anyone's taken the time to look at the details, please fill us in - but based on the quoted post, it doesn't look like there's much there.

This post has been edited by jon.kiparsky: 13 January 2013 - 08:26 PM

[farrell2k]

I hope it's not one of those bugs that fixing means a compatibility loss. It seems to have something to do with SecurityManager and accessing the local file system.

[macosxnerd101]

I found an interesting article on why fixing the Java flaw will take so long.

Quote

By now you've heard about the latest, very serious problem with Oracle's Java runtime. You may also have heard that it could take a very long time to fix. Here's why: The flaw uncovered by security researchers last week devolves not to one issue, but to a series of issues, one knocking into the other like dominoes. Oracle has fixed one of the dominos with a patch, but there are likely to be other ways to tip over the entire row.

http://www.javaworld...java-patch.html

[macosxnerd101]

It looks like the same people that attacked the security firm Bit9 were responsible for the Java Exploit attacks.

http://www.javaworld...-bit9-hack.html