Java Zero Day


26 Replies - 13407 Views - Last Post: 10 March 2013 - 09:52 PM

#16 macosxnerd101
Re: Java Zero Day

Posted 11 January 2013 - 10:30 PM

As a result of this exploit, Apple has disabled the Java 7 plugin on OS X through the anti-malware system.

http://appleinsider....ava-7-from-os-x

#17 farrell2k

Re: Java Zero Day

Posted 12 January 2013 - 06:58 AM

jon.kiparsky, on 12 January 2013 - 02:29 AM, said:

So to try to bring us back around to the topic: can anyone help me figure out exactly what's at risk here?
As far as I can tell, the exploit targets the browser plug-in. The java developer who doesn't run random applets faces no added security risk for having java on their machine.


It's a new exploit found after the patching of two previous ones, which makes statements similar to: "I'm starting to think that Java doesn't care about security" or "Java is unable to keep anything secure." completely idiotic.

#18 jon.kiparsky

Re: Java Zero Day

Posted 12 January 2013 - 08:37 AM

The date of that article is August 29, 2012. Today's date is January 12, 2013.

What's a reasonable turnaround time for this kind of thing, in your opinion? Six months? A year?

#19 xclite

Re: Java Zero Day

Posted 12 January 2013 - 09:27 AM

farrell2k, on 12 January 2013 - 08:58 AM, said:

jon.kiparsky, on 12 January 2013 - 02:29 AM, said:

So to try to bring us back around to the topic: can anyone help me figure out exactly what's at risk here?
As far as I can tell, the exploit targets the browser plug-in. The java developer who doesn't run random applets faces no added security risk for having java on their machine.


It's a new exploit found after the patching of two previous ones, which makes statements similar to: "I'm starting to think that Java doesn't care about security" or "Java is unable to keep anything secure." completely idiotic.

http://developers.sl...-hole-in-august

I think that 4-5 months is a little bit "Oracle isn't doing enough about security."

http://www.forbes.co...itical-bug-fix/

Quote

Oracle, which confirmed receipt of the Polish researchers’ find Friday, has already been criticized for taking months to address the original set of security flaws highlighted by the Polish researchers in April, and even then only fixing a small subset of the issues. In a post to the BugTraq mailing list Friday, Security Explorations explained that a new security issue it found within hours of Oracle’s update “made exploitation of some of our not yet addressed bugs possible to exploit again.”

This post has been edited by xclite: 12 January 2013 - 09:30 AM


#20 Dogstopper

Re: Java Zero Day

Posted 12 January 2013 - 09:35 AM

Just think if Sun Microsystems still controlled Java. This issue would have been fixed in no time at all. Also, a side question. Does the OpenJDK also suffer from these exploits?

#21 farrell2k

Re: Java Zero Day

Posted 12 January 2013 - 05:44 PM

jon.kiparsky, on 12 January 2013 - 03:37 PM, said:

The date of that article is August 29, 2012. Today's date is January 12, 2013.

What's a reasonable turnaround time for this kind of thing, in your opinion? Six months? A year?


I only posted that because you wanted some technical info about the bugs.

Turnaround time for a fix? The sooner the better, I suppose.

Dogstopper, on 12 January 2013 - 04:35 PM, said:

Also, a side question. Does the OpenJDK also suffer from these exploits?


Good question. Regarding the last bug:
"Code execution was confirmed with the latest Oracle and IBM Java 7 web browser plugin. IcedTea-Web using OpenJDK7 blocks this exploit by not allowing applet to change the SecurityManager (which is allowed in Oracle and IBM Java plugin)."

I'd assume it is vulnerable as well.

This post has been edited by farrell2k: 12 January 2013 - 05:49 PM

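The IcedTea-Web behaviour farrell2k quotes, an applet host that refuses to let the installed SecurityManager be swapped out, can be shown in a few lines of Java. This is an added illustration, not IcedTea-Web's or Oracle's code: `LockedSecurityManager` and its `delegate` are hypothetical names, and it assumes a JDK where `System.setSecurityManager` is still supported (Java 7/8, or Java 18+ run with `-Djava.security.manager=allow`).

```java
import java.security.Permission;

// Added example (hypothetical): a SecurityManager that cannot be replaced or
// removed once installed, mirroring the IcedTea-Web behaviour quoted above.
public class LockedSecurityManager extends SecurityManager {
    private final SecurityManager delegate; // manager whose other checks we keep

    public LockedSecurityManager(SecurityManager delegate) {
        this.delegate = delegate;
    }

    private static boolean isSetSecurityManager(Permission perm) {
        return perm instanceof RuntimePermission
                && "setSecurityManager".equals(perm.getName());
    }

    @Override
    public void checkPermission(Permission perm) {
        // System.setSecurityManager(...) consults this check first; deny it
        // unconditionally so no caller, trusted or not, can swap the manager.
        if (isSetSecurityManager(perm)) {
            throw new SecurityException("SecurityManager replacement is locked");
        }
        if (delegate != null) {
            delegate.checkPermission(perm); // all other checks: delegate's policy
        }
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        if (isSetSecurityManager(perm)) {
            throw new SecurityException("SecurityManager replacement is locked");
        }
        if (delegate != null) {
            delegate.checkPermission(perm, context);
        }
    }

    public static void main(String[] args) {
        // null delegate = no other restrictions; enough to demonstrate the lock
        System.setSecurityManager(new LockedSecurityManager(null));
        try {
            System.setSecurityManager(null); // the swap a sandbox escape needs
            System.out.println("UNEXPECTED: manager was replaced");
        } catch (SecurityException e) {
            System.out.println("Blocked as intended: " + e.getMessage());
        }
        System.out.println("Locked manager still active: "
                + (System.getSecurityManager() instanceof LockedSecurityManager));
    }
}
```

The second `setSecurityManager` call is refused regardless of which code makes it, which is the property the quote attributes to IcedTea-Web and the one the Oracle and IBM plugins of the time lacked.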

#22 jon.kiparsky

Re: Java Zero Day

Posted 13 January 2013 - 08:18 PM

Some new news:

Quote

Oracle has just released Security Alert CVE-2012-0422 to address two vulnerabilities affecting Java in web browsers. These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java. The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174. These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0. Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools.

The exploit conditions for these vulnerabilities are the same. To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website. The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system. These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets.

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default. The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed. As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.

cite

#23 macosxnerd101

Re: Java Zero Day

Posted 13 January 2013 - 08:22 PM

The patch doesn't seem to fix the vulnerabilities, according to a Java security expert.

Quote

Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak, a researcher with Poland's Security Explorations.

An Oracle spokeswoman declined to comment on Gowdiak's analysis.


http://news.yahoo.co...05--sector.html

#24 jon.kiparsky

Re: Java Zero Day

Posted 13 January 2013 - 08:23 PM

No, it looks like it does very little. Disappointing, isn't it?
If anyone's taken the time to look at the details, please fill us in - but based on the quoted post, it doesn't look like there's much there.

This post has been edited by jon.kiparsky: 13 January 2013 - 08:26 PM


#25 farrell2k

Re: Java Zero Day

Posted 15 January 2013 - 06:52 AM

I hope it's not one of those bugs where fixing it means a compatibility loss. It seems to have something to do with SecurityManager and accessing the local file system.

#26 macosxnerd101

Re: Java Zero Day

Posted 17 January 2013 - 02:31 PM

I found an interesting article on why fixing the Java flaw will take so long.

Quote

By now you've heard about the latest, very serious problem with Oracle's Java runtime. You may also have heard that it could take a very long time to fix. Here's why: The flaw uncovered by security researchers last week devolves not to one issue, but to a series of issues, one knocking into the other like dominoes. Oracle has fixed one of the dominos with a patch, but there are likely to be other ways to tip over the entire row.


http://www.javaworld...java-patch.html

#27 macosxnerd101

Re: Java Zero Day

Posted 10 March 2013 - 09:52 PM

It looks like the same people that attacked the security firm Bit9 were responsible for the Java Exploit attacks.

http://www.javaworld...-bit9-hack.html