Security Google Java Oracle Windows

Sun Pushes Emergency Java Patch

Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was able to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."
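The story says the plugin launched javaws.exe without validating the command-line parameters a web page could hand it. The Python sketch below is an added example, not code from the story, from the Slashdot posters, or from Sun/Oracle: it contrasts that unvalidated pass-through with a launcher that allowlists exactly one .jnlp URL and rejects anything that looks like an option. The javaws path, the function names, and the `-verbose` token in the constructed sample input are assumptions for illustration; the specific option the in-the-wild exploit used is not on the page and is not modelled here.

```python
"""Model of the bug class behind the javaws.exe flaw: page-controlled text
reaching a subprocess command line unchecked, next to an allowlisting fix.
Added example; paths, names and sample inputs are illustrative assumptions."""
import shlex
from urllib.parse import urlparse

# Assumed install location, only used to build argv; nothing is executed here.
JAVAWS = r"C:\Program Files\Java\jre6\bin\javaws.exe"

_ALLOWED_SCHEMES = {"http", "https"}


class RejectedLaunch(ValueError):
    """Raised by the hardened launcher when page input fails validation."""


def vulnerable_javaws_argv(page_supplied: str) -> list[str]:
    """Vulnerable pattern: split whatever the page passed and hand all of it to
    javaws. A page can therefore put its own options ahead of, or instead of,
    the .jnlp URL the launcher was meant to receive."""
    return [JAVAWS] + shlex.split(page_supplied)


def hardened_javaws_argv(page_supplied: str) -> list[str]:
    """Hardened pattern: the page may contribute exactly one thing, an http(s)
    URL to a .jnlp descriptor. Multiple tokens, dash-prefixed options and other
    schemes are refused before any subprocess command line exists."""
    if not isinstance(page_supplied, str) or not page_supplied:
        raise RejectedLaunch("empty launch parameter")
    if any(ch.isspace() for ch in page_supplied):
        raise RejectedLaunch("launch parameter must be a single token")
    if page_supplied.startswith("-"):
        raise RejectedLaunch("option injection attempt")
    u = urlparse(page_supplied)
    if u.scheme.lower() not in _ALLOWED_SCHEMES or not u.netloc:
        raise RejectedLaunch("only http(s) URLs are accepted")
    if not u.path.lower().endswith(".jnlp"):
        raise RejectedLaunch("URL must point at a .jnlp descriptor")
    # Return an argv list (no shell string) so nothing gets re-parsed by cmd.exe.
    return [JAVAWS, page_supplied]


def is_accepted(page_supplied: str) -> bool:
    """True when the hardened launcher would build a command line for the input."""
    try:
        hardened_javaws_argv(page_supplied)
    except RejectedLaunch:
        return False
    return True


def smuggled_options(argv: list[str]) -> list[str]:
    """Dash-prefixed tokens that reached the javaws command line, i.e. options
    the page managed to inject through the vulnerable launcher."""
    return [tok for tok in argv[1:] if tok.startswith("-")]


if __name__ == "__main__":
    # Constructed inputs: an honest launch and one that smuggles an option.
    good = "https://example.invalid/app.jnlp"
    bad = "-verbose http://example.invalid/app.jnlp"
    print("vulnerable:", vulnerable_javaws_argv(bad))
    print("injected  :", smuggled_options(vulnerable_javaws_argv(bad)))
    print("hardened  :", hardened_javaws_argv(good))
    print("hardened rejects bad input:", not is_accepted(bad))
```

The point is not the particular option name but the shape of the check: the browser-facing entry point should accept a typed value (one URL) and build argv itself, never a free-form string that the helper binary parses as options.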
  • Re:PHB syndrome (Score:3, Informative)

    by ILuvRamen ( 1026668 ) on Thursday April 15, 2010 @04:08PM (#31862594)
    They assume white hats are smarter and faster because they have jobs and are being paid. What they don't realize is that black hats also have "jobs" and are being paid.
  • Re:White Hats (Score:3, Informative)

    by poetmatt ( 793785 ) on Thursday April 15, 2010 @04:17PM (#31862806) Journal

    that sounds nice and all, but there are currently very real legal risks involved even if you are a white hat and employed by a company to look for this stuff.

    I agree that white hats should do it anyway - one way or the other the legal system will get around to protecting it, probably as whistleblowing/free speech, but in the meantime I think plenty are afraid to be taken to court for disclosing vulnerabilities and/or not being employed for future whitehat jobs.

  • Oracle (Score:5, Informative)

    by farble1670 ( 803356 ) on Thursday April 15, 2010 @04:20PM (#31862856)

    there is no company or organization called "sun" ... there is only oracle now.

  • by VGPowerlord ( 621254 ) on Thursday April 15, 2010 @04:46PM (#31863344)

    The Register mentioned this earlier today, and I immediately informed our local IT guy, who contacted someone higher up at Enterprise Security.

    Then Worf came to my desk and said I needed to test the Java upgrade before they deployed it to everyone.

    ...

    Ok, not Worf, just one of our tech guys. Since I'm one of two Java developers on this floor as well as the one who reported it, I got the fun job of making sure everything i have (Eclipse, OC4J, Oracle SQLDeveloper, Oracle JDeveloper, etc...) still worked.

  • by Anonymous Coward on Thursday April 15, 2010 @05:12PM (#31863732)

    Due to development constraints, I run JDK 5 Update 22 on my system.
    As of Nov 3rd 2009, Update 22 is the last public release of version 5.
    I used the exploit demo link to see if it is also vulnerable, and sure enough it attempted to launch a program.
    So now the still-quite-large-installed-base of 1.5.0_x users are screwed!!!

    Fortunately though, my AVG quickly blocked it, reporting it as "Exploit JSE WebStart (type 1067)"

  • by Kaboom13 ( 235759 ) on Thursday April 15, 2010 @07:04PM (#31865228)

    The Java SE page has downloads that don't have the obnoxious toolbar/trial crap in them
    http://java.sun.com/javase/downloads/index.jsp

  • Re:PHB syndrome (Score:2, Informative)

    by Anonymous Coward on Thursday April 15, 2010 @08:14PM (#31866004)
    True, but the last stable release (update 19) is crap already. Unfortunately, 19 was also a critical security update so we had to start deploying it. It has broken at least 5 major applications already (for example a resource scheduling application - to reserve meeting rooms and equipment, a publishing application used to move internal web code from test to production, and several more). Sun's habit of breaking stuff with every release is really a serious problem.
  • Re:PHB syndrome (Score:2, Informative)

    by IdleTime ( 561841 ) on Thursday April 15, 2010 @08:28PM (#31866126) Journal
    You can read the published advisory here:
    http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html
  • Update Links (Score:2, Informative)

    by kcbnac ( 854015 ) on Thursday April 15, 2010 @09:44PM (#31866810)

    For Java, here's a quick link to see what version you have installed, and if there's a new version available or not:

    www.java.com/en/download/installed.jsp?detect=jre&try=1

    Here's one for Adobe Flash Player:

    http://www.adobe.com/software/flash/about/

    What other plugins are there links for like this?

    I'd love to have a page set up that I can just click through a set of links to verify each app is current when checking PCs. If the update process is painless enough, just have friends and family run through it every so often, or when they hear of a "java exploit" or "flash bug" or whatever. (I train most of 'em well enough that they can do this, or I automate the system to check regularly)

    The major browsers (except IE, that's tied to Windows) update themselves on Windows boxes - what links are useful to ensure the rest of the browser-accessible ecosystem is current?

  • Re:PHB syndrome (Score:3, Informative)

    by shentino ( 1139071 ) on Thursday April 15, 2010 @10:30PM (#31867196)

    An unfortunate side effect is that full disclosure also gets them royally pissed at you for "exposing" their flaw.
