
A Tidal Wave of Java Flaw Exploitation 238

Posted by Soulskill
from the surf's-up dept.
tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack." Several days ago, Oracle released a patch that fixed 29 Java security flaws.

  • How? (Score:5, Interesting)

    by MrEricSir (398214) on Monday October 18, 2010 @04:10PM (#33937770) Homepage

    The one question this article doesn't really clarify is pretty important: How are these exploits being loaded onto the user's computer?

    Are we talking applets, Java web start, or some other mechanism?

    • Re:How? (Score:5, Informative)

      by adisakp (705706) on Monday October 18, 2010 @04:14PM (#33937842) Journal
      CVE            Attacks    Computers  Description
      CVE-2008-5353  3,560,669  1,196,480  A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
      CVE-2009-3867  2,638,311  1,119,191  Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
      CVE-2010-0094    213,502    173,123  Another deserialization issue, very similar to CVE-2008-5353.
      • Re:How? (Score:5, Informative)

        by adisakp (705706) on Monday October 18, 2010 @04:16PM (#33937878) Journal
        The keywords in the above descriptions are "remote code execution through Java-enabled browsers on multiple platforms". The flaw is not Windows specific but could also be exploited on OSX and Linux.
        • Re: (Score:3, Informative)

          by hydrofix (1253498)

          I feel that NoScript is doing greater and greater work in protecting me each and every day.

          • Re: (Score:3, Informative)

            by emkyooess (1551693)

            In response to all of these "Java!=Javascript" comments that are here. Yes, we do. NoScript does a lot more than just JavaScript. It sandboxes Java and Flash until we tell them to run, too. It limits XSS. A lot of things, really.

            • Re:How? (Score:5, Informative)

              by broken_chaos (1188549) on Monday October 18, 2010 @05:51PM (#33939332)

              It sandboxes Java and Flash until we tell them to run, too.

              You're saying two different things in this sentence, only one of which is true. NoScript does only load plugins if you click on them (assuming it's configured to do so), but it does not "sandbox" plugins in any way. If you allow a malicious object to be loaded in a plugin (such as by clicking on it), NoScript does nothing to stop it.

          • You're preaching to the choir, bucko, but it's gotten to the point that NoScript goes onto every system I put Firefox on, simply because of the various problems we've seen with J-Script and Java in general over the years.

        • Re:How? (Score:5, Informative)

          by Bill_the_Engineer (772575) on Monday October 18, 2010 @04:43PM (#33938362)

          CVE-2008-5353 was fixed with Apple's Java Patch #2 on June 15, 2009.

          CVE-2009-3867 was fixed with Apple's Java for OS X 10.6 Update #1 and Java on 10.5 Patch #6 on December 3, 2009.

          CVE-2010-0094 was fixed with Apple's Java for OS X 10.6 Update #2 and Java on OS X 10.5 Update #7 on May 18, 2010.

          The flaw may not be Windows specific, but OS X is not included in your list.

          • Re:How? (Score:5, Informative)

            by Bill_the_Engineer (772575) on Monday October 18, 2010 @04:48PM (#33938440)
              After further research, it appears that Oracle/Sun's latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.
            • Well, those of us who update their Linux installation should be safe then. Windows is trickier of course with no centralized updates in place.

            • Re: (Score:2, Insightful)

              by Kvasio (127200)

              Perhaps this is because each Java update forces the bloody 'autoupdater service' (jusched).
              Theoretically it allows the user to turn it off.
              When I turn it off, close the Java config and reopen it, the schedule is still active.
              Cutting it in the registry is the proper solution.

            • by djdanlib (732853)

              When you update the JRE, it doesn't uninstall the old version. Can something exploiting these vulnerabilities request an older version? It would appear to be possible. I've always kept my JRE updated, but I still got hit with a couple of these this year before uninstalling Java entirely and throwing out any software that depends on it.

            • Re: (Score:3, Insightful)

              by WuphonsReach (684551)
              After further research, it appears that Oracle/Sun's latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.

              Probably because the Java updater is a piece of garbage that constantly tries to get you to install toolbars from Bing! or Yahoo! or whoever else is attempting to line their pockets this month.

              An update tool should not attempt to install additional software.
    • Re:How? (Score:5, Informative)

      by Florian Weimer (88405) <fw@deneb.enyo.de> on Monday October 18, 2010 @04:14PM (#33937850) Homepage

      Propagation generally happens via applets, loaded through IFRAMEs or Javascript-based redirects. Actual payloads are not yet OS-agnostic (even though the exploits themselves are).

    • Re: (Score:2, Interesting)

      by JonySuede (1908576)

      According to CVE-2010-0094, the vulnerability is in RMIConnectionImpl, and since you can only initiate a connection to your host in an applet, I would guess that you would need to use Java Web Start.

    • Re: (Score:3, Informative)

      by doishmere (1587181)
      A few days ago smbc comics [smbc-comics.com] was hit with a Java exploit in the form of a popup that installed a trojan on users' machines. People affected were discussing it here [reddit.com]; from this it looks like mostly Windows machines were infected, but at least one user claims Ubuntu was affected.
    • If the infections were coming via Java applets then it becomes pertinent to ask how they got on the machine. Java applets must be signed to write to the user's hard drive. This means the user was prompted to approve an untrusted certificate and they did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not like applets are without protection to the end user.
      • by Tanktalus (794810)

        If the infections were coming via Java applets then it becomes pertinent to ask how they got on the machine. Java applets must be signed to write to the user's hard drive. This means the user was prompted to approve an untrusted certificate and they did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not like applets are without protection to the end user.

        Unless, of course, said exploit allowed the bypassing of the certificate requirement.

        • From the description the exploit appears to be due to a malware applet already downloaded and running in the user's browser.

          That still requires certificate acceptance before the applet can run.


          If the certificate was signed by the trusted Certification Authority (CA) the user would not see a warning (and the CA needs to be notified so they can revoke the cert).

          Of course, even with these mechanisms the malware applets are still dangerous to the "click OK, OK, OK until you are done installing" crowd.
  • Nervous (Score:5, Funny)

    by Konster (252488) on Monday October 18, 2010 @04:10PM (#33937774)

    Seeing Oracle and Java all in the same sentence gives me a nervous tic... the same nervous tic that I developed when I read MS was in talks to acquire Adobe.

  • by adisakp (705706) on Monday October 18, 2010 @04:11PM (#33937796) Journal

    FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.

    So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.

    • by lgw (121541) on Monday October 18, 2010 @04:16PM (#33937894) Journal

      I've run out of space in my head for all the different tools I need to separately manage updates for.

    • by MozeeToby (1163751) on Monday October 18, 2010 @04:16PM (#33937898)

      For reasons I have never been able to figure out, Java has significant issues auto-updating on all my home Windows computers (XP, Vista, and 7). Sure enough, just last week I had to spend a night sanitizing one of the systems. For now I've uninstalled Java until I have the chance to figure out just what the problem is, but honestly not having it hasn't been a problem, so I'll probably just leave it off until I find something that actually requires it.

      • by wjousts (1529427)
        The only virus I ever got was on my wife's laptop and it appeared to come in through Java. She was sick of being constantly nagged to update Java anyway, so I removed Java completely. I had to nuke her account to completely clean it.
      • Re: (Score:3, Insightful)

        by Darkness404 (1287218)
        Exactly. Java has become a massive security hole with exploits left and right with fewer and fewer things that use it.

        Plus, the patch wants you to install a massive amount of crapware in order to patch your system.
        • by abigor (540274)

          You can always tell the people that don't work in "the biz" when they make comments like the parent's.

          • by vlm (69642) on Monday October 18, 2010 @05:09PM (#33938768)

            He seemed pretty accurate other than some exaggeration. If you want to see a "Massive amount of crapware" buy a PC from a big box store, not "java tried to install the yahoo toolbar boo hoo".

            The funniest Java related thing I've seen, is amongst the non-computer cow orkers "Oh man, another java program, that thing is gonna be slow and take IT forever to install (actually they mean the JVM) and crash all the time". Computer people have known that for over a decade now, the funny part is hearing non computer people start to complain.

      • Two or three java vulnerabilities ago, I disabled the Java plugin in my browser. Last vulnerability, I went to disable it again, only to discover that I never got around to reenabling it because I never came across a site with a Java applet in it. I presume there are still some out there, but I've not seen any for a very long time.
        • I've never run across a site that required Java (which I've always had disabled in Firefox). I do have Java installed so that I can run applications that use it, but why should I enable it in my browser?

    • by Florian Weimer (88405) <fw@deneb.enyo.de> on Monday October 18, 2010 @04:19PM (#33937944) Homepage

      Java updates contain unrelated bugfixes and functionality, breaking applications. They are far from being minimal updates. Back in the Sun days, this was addressed by enabling parallel installation of many JVM versions. It was even possible for web content to request a specific JVM version, which means that you actually had to update to a newer version and delete all the old versions. I'm not completely sure that this part has actually been addressed. It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).

      • by ADRA (37398) on Monday October 18, 2010 @04:33PM (#33938194)

        Java web start allows a developer to specify an exact version of the JVM to run. If that JVM doesn't exist, it could be downloaded from Oracle through the web start installation process. I'm not sure if you can specify flaw enabled versions of the JVM anymore, but at least there are dialogs and choices to make before the JVM gets installed anyways, so a naked web site can't just inject a bad JVM into your system based on an exploit web start file. The same goes for applets these days, as applets and web start start merging into some sort of common entity.

        That said, there are a lot of 3rd party vendors that have installed JVMs over things, and set environment variables that break other things over the years (Oracle DB client, I'm looking at you!) that can cause all sorts of compatibility problems.

        • Re: (Score:2, Insightful)

          by tuffy (10202)

          "Write Once, Run on a Very Specific Virtual Machine Version Which We'll Download For You Automatically" doesn't sound quite so appealing.

          • by ADRA (37398) on Monday October 18, 2010 @05:01PM (#33938648)

            There are maybe 3 major versions of Java still in somewhat standard use: 1.4, 1.5, and 1.6. Unless the application in question has some very specific quirks, users should always be able to use the latest and greatest version of 1.6 to run them. The allowance for using older versions of the platform is a feature, not a hindrance.

            It means that if I want to use "BadSoftwareCompany"'s piece of Java software, I'm not confined to downloading and breaking my host's latest version of Java if their code only works with 1.4 or 1.5. If I didn't have the feature, I just couldn't use the software without a huge headache. To assume that every version of every software will work forever is delusional, but at least there are facilities to support the older tech.

      • If you still need 1.4 or 1.5, you can get support but it's going to cost you. I've got an install of JDK 6u11 in parallel with newer versions because of a Swing change that broke some Sun/NetBeans tooling. IIRC, 6u17 was another game changer.
      • by tlhIngan (30335)

        It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).

        Including, surprisingly, Android.

        OpenJDK 1.6 works with Android, but if you want to use the official one they recommend, you have to use 1.5 (Java 5) because of some oddball parser issues in official Oracle JDK 1.6.

        So one's choices are to use the unsupported OpenJDK 1.6 with Android, or the unsupported (but Android-supported) JDK 1.5. Bleh.

        I hope

    • by scdeimos (632778)

      So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.

      Even patched machines are vulnerable as well, at least on Windows (don't know if it does this on other OSs). Java updates on Windows do not uninstall previous versions of Java, they just add a new one.

      Since Java apps can request specific versions of the JRE to run in, even patched machines are vulnerable until the user/admin uninstalls the previous versions.

    • by jrumney (197329)
      I suspect part of the problem is that Sun introduced a way for a web page to request a specific version of Java in the OBJECT tag due to developers being uneasy about the possibility of their applet being run on a version of Java they hadn't tested with. Additionally, when you upgrade Java, it installs the new version alongside the older installs, so the old versions are still there to be exploited.
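Several comments in this thread describe one chain: applets delivered through IFRAMEs or JavaScript redirects (Florian Weimer), pages pinning a specific JRE version via the OBJECT tag (jrumney), and old JRE versions surviving an update so that the pinned version is still on disk (scdeimos). The following is an added example, written for this edit and not code from the thread or from Sun/Oracle, that scans a captured page for hidden IFRAMEs and version-pinning applet tags, then checks which of a host's installed JREs could serve each request, flagging any that predate the Update 22 level named further down the thread. Assumptions, labelled in the code: the Plug-in's CLSID and MIME-type version-request encodings are as recalled from Sun's Plug-in documentation, the "any installed JRE meeting the request" matching rule, and the constructed HTML snippet and installed-version list.

```python
"""Audit a captured page's applet tags against the JREs installed on a host.
Added example for this thread, not code from the comments or from Sun/Oracle.
Assumed (not from the page): the Java Plug-in version-request conventions as
recalled from Sun's docs: classid "clsid:CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA"
asks for exactly 1.6.0_20 (FFFF in the update field = any 1.6), and
type="application/x-java-applet;version=1.5" asks for 1.5 or newer.
The HTML snippet and the installed-version list are constructed sample data.
"""
import re
from html.parser import HTMLParser

# Patched level named in the thread ("Update 22"); anything older is exposed.
PATCHED_BASELINE = "1.6.0_22"

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?")
STATIC_CLSID_RE = re.compile(
    r"clsid:CAFEEFAC-(\d{4})-(\d{4})-([0-9A-F]{4})-ABCDEFFEDCBA", re.I)

def parse_version(text):
    """'1.6.0_22' -> (1, 6, 0, 22); '1.5' -> (1, 5, 0, 0)."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a Java version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def requested_version(attrs):
    """Map tag attributes to ('exact'|'family'|'minimum', version) or None.
    Assumed CLSID layout: first field = major*10+minor (0016 -> 1.6),
    then micro, then update number."""
    m = STATIC_CLSID_RE.fullmatch(attrs.get("classid", "").strip())
    if m:
        mm, micro, update = m.groups()
        major, minor = divmod(int(mm), 10)
        if update.upper() == "FFFF":
            return ("family", (major, minor, int(micro), 0))
        return ("exact", (major, minor, int(micro), int(update)))
    mime = attrs.get("type", "").strip().lower()
    if mime.startswith("application/x-java-applet"):
        v = re.search(r"version=([\d._]+)", mime)
        if v:
            return ("minimum", parse_version(v.group(1)))
    return None

def satisfies(installed, kind, wanted):
    """Assumed matching rule: could this installed JRE serve the request?"""
    if kind == "exact":
        return installed == wanted
    if kind == "family":
        return installed[:2] == wanted[:2]
    return installed >= wanted  # 'minimum': requested version or newer

class AppletTagCollector(HTMLParser):
    """Collect JRE-pinning applet/object/embed tags and hidden iframes
    (the loader the thread describes) from captured HTML."""

    def __init__(self):
        super().__init__()
        self.requests = []        # (tag, kind, version)
        self.hidden_iframes = []  # src of iframes sized 0 or hidden by style

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("applet", "object", "embed"):
            req = requested_version(a)
            if req:
                self.requests.append((tag,) + req)
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if (a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                self.hidden_iframes.append(a.get("src", ""))

def audit_page(html, installed_versions, baseline=PATCHED_BASELINE):
    """Per JRE request on the page: which installed versions could serve it,
    and whether any of those predates the patched baseline."""
    collector = AppletTagCollector()
    collector.feed(html)
    base = parse_version(baseline)
    installed = [parse_version(v) for v in installed_versions]
    findings = []
    for tag, kind, wanted in collector.requests:
        served_by = [v for v in installed if satisfies(v, kind, wanted)]
        findings.append({"tag": tag, "kind": kind, "requested": wanted,
                         "served_by": served_by,
                         "exposed": any(v < base for v in served_by)})
    return {"hidden_iframes": collector.hidden_iframes, "findings": findings}

# Constructed sample: a zero-size iframe plus an object tag pinning 1.6.0_20,
# on a host where 1.6.0_20 and 1.5.0_19 survived the update to 1.6.0_22.
SAMPLE_HTML = """<html><body>
<iframe src="http://example.invalid/loader.html" width="0" height="0"></iframe>
<object classid="clsid:CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA" width="1" height="1">
  <param name="code" value="Loader.class"></object>
<embed type="application/x-java-applet;version=1.5" code="Other.class">
</body></html>"""
SAMPLE_INSTALLED = ["1.6.0_22", "1.6.0_20", "1.5.0_19"]

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, SAMPLE_INSTALLED)
    print("hidden iframes:", report["hidden_iframes"])
    for f in report["findings"]:
        print(f"<{f['tag']}> {f['kind']} {f['requested']} served by "
              f"{f['served_by']} [{'EXPOSED' if f['exposed'] else 'ok'}]")
```

Run as a script it prints the report for the constructed sample: the pinned 1.6.0_20 request is marked exposed because that old JRE is still installed beside the patched one, and the "1.5 or newer" request is marked exposed because two of the three installed versions predate the baseline. To use it as a real check, feed audit_page() captured HTML and the version list from a host inventory (for example the JRE directories found under Program Files); the point the thread makes is that the newest installed version alone says nothing about what a page can ask for.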
  • by Anonymous Coward

    This creates a huge issue for the company I provide support for. We have so far not updated beyond 6u20. That is the last version of the JVM to carry the "Sun Microsystems" label instead of something referencing Oracle.

    Some divisions of this company (and I would assume others as well) still run apps that seem to be incompatible with anything above 6u20 for this reason. Oracle's poor stewardship toward the Java platform has led to a situation where we will have to make a decision on a per workstation basis

  • Patch bloat (Score:5, Interesting)

    by edxwelch (600979) on Monday October 18, 2010 @04:23PM (#33938022)

    What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.

    • Re:Patch bloat (Score:5, Informative)

      by TubeSteak (669689) on Monday October 18, 2010 @05:01PM (#33938642) Journal

      What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.

      If you update through the java control panel, it definitely does not grab the entire 77MB package + toolbar.

      • Re: (Score:3, Informative)

        by _xeno_ (155264)

        Last I checked, that just updated the JRE - the only way to update the JDK was to pull a complete new copy.

    • What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.

      chkconfig yum-cron on

      Presto will handle the deltarpms.

    • by poor_boi (548340)
      If you download Java (JRE or JDK) via the developer site, the installer doesn't have any toolbars or crapware embedded in it. Only the java.com-hosted installer has a toolbar "offer" during install. This is why I always download from java.sun.com (I suppose now it's http://www.oracle.com/technetwork/java/javase/downloads/index.html [oracle.com]).
    • You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.

      77mb!?! Well, that pretty much fills up MY entire hard drive.

  • by gman003 (1693318) on Monday October 18, 2010 @04:24PM (#33938032)
    I'm still in the process of repairing my Windows system after a Java-transmitted virus. A hacked website was sending out malware to visitors via Java applet, and the only solution I found was a format/reinstall. Since then, I've disabled Java on all my machines; the only things I've seen it used for are crappy browser games and malware.
  • You don't have to be vulnerable. The listed exploits were patched in Update 22, last spring.

    Update available here. [java.com]

    DoublePlusKarmaWhoreGoodness: For best protection, run a Mozilla browser with the NoScript add-on [mozilla.org]. (AdBlockPlus [adblockplus.org] and RemoveItPermanently [mozdev.org] make great complements to NoScript, too.)

  • Since MS has posted this list of exploits that were fixed in Update 22 (last spring!), is it safe to assume that Microsoft is simply trying to redirect people who complain about Adobe's security vulnerabilities to look at Java with bigger contempt, so Microsoft can buy Adobe and still claim that their software is the most secure?

    Seems a bit odd to me that Microsoft would be trying to improve Adobe's image when they need to be looking at their own. Perhaps they ARE looking at their own image because Adobe will

    • by gtall (79522)

      I doubt it has anything to do with Adobe. It is probably simply yet another MS screwup that was reported to upper management as a Java insecurity and their marketing machine took over.

  • Is there a way to disable java across all browsers, but keep it installed for other software like openoffice?
    I.e. block all applet functionality, but still allow local java code to run?

    That would make maintaining friends' PCs a lot easier. They never update on time, and when they do, I always have to remove a new bundled browser toolbar again.

  • In other news, Microsoft profits were down somewhat this quarter. Sources at Microsoft cited an increase in overtime expenses as the cause.
  • Windows 7 kept nagging me off and on for weeks saying "jucheck.exe" was from an "Unknown Publisher" and asking whether I wanted to let it modify my system. I kept saying "no" because I'd never heard of this program (I don't use Java very often) and didn't have time to research it.

    When I finally had some time (and was fed up with the nagging), I typed "jucheck.exe unknown publisher" in Google. I waded my way through the hits warning me that it was probably a virus and that I should do a "free scan" with

  • It's not a surprise that there are a lot of unpatched systems out there. Java's stealth-mode installation pretty much guarantees it.

    I know what I'm doing. The machine on my desk is one I built myself from parts (won't do that again; these days an off the shelf system costs a great deal less than the sum of its parts). Every bit of software is there because I decided it should be--or so I thought. This post got me curious.

    I've never consciously installed or enabled java on this machine and yet, in the java p

  • The reason why Java's never updated is that its automatic updater is annoying. It always shows up as soon as I boot up my computer, and then tells me I need to reboot. Now, given that normal people like to USE their computers, and given that many corporate computers take forever to boot up, something like this is going to remain ignored. Just think: after waiting 5+ minutes while my computer boots up, do you think I'm going to reboot again for something I've never heard of nor, as far as I know, use?

    The Ja

  • Unlike the Macrocost implementation of it, C# or whatever.

    In other news, OS/2 is the most secure system ever; too bad no one is using it....
