Sun Pushes Emergency Java Patch

Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was able to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."


  • PHB syndrome (Score:4, Insightful)

    by 18_Rabbit ( 663482 ) on Thursday April 15, 2010 @03:56PM (#31862366)
    Why is it that corporate types never understand that if the white hats have found it, the black hats have too...and are exploiting it.
  • White Hats (Score:5, Insightful)

    by DarkKnightRadick ( 268025 ) <the_spoon.geo@yahoo.com> on Thursday April 15, 2010 @03:57PM (#31862376) Homepage Journal

    I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.

  • Re:PHB syndrome (Score:5, Insightful)

    by mea37 ( 1201159 ) on Thursday April 15, 2010 @04:30PM (#31863048)

    That's not the problem.

    The problem is, management (the people in control of the big corporations who harbor at most marginal technical aptitude) see the flaw but lack the imagination to understand how it could be used for real harm until they see it used for real harm.

    (Actually, "lack the imagination" may be misleading. They are motivated to think that the problem is not a big deal, and they have no problem convincing themselves of this rather than exploring the possible threat scenarios.)

    Full disclosure changes the risk from the company's point of view ("Oh, great, now we know people are trying to think of a way we're not seeing to exploit this") but the real tipping point is when they see a demonstration of harm being done (not merely a proof-of-concept that they can rationalize away).

  • by afidel ( 530433 ) on Thursday April 15, 2010 @04:43PM (#31863306)
    Just disable jnlp file association, we have a number of third party websites that require a specific version of java to function (I'm looking at you ADP etime) and so we can't just upgrade to the newest version. The workaround is to remove the JNLP file association from the registry which leads IE to prompt to download the file instead of automatically running it.
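The registry workaround afidel describes, written out as an added example (this script is not from the thread, from Sun, or from any vendor advisory). It assumes the stock Java installer's mapping of the .jnlp extension to the "JNLPFile" ProgID under HKLM\SOFTWARE\Classes (and, if a per-user install exists, HKCU\SOFTWARE\Classes), backs each key up with reg.exe before deleting it, and then checks the merged HKEY_CLASSES_ROOT view to confirm that .jnlp no longer resolves to anything. It needs an elevated prompt. It only removes the file-type association, so IE prompts to save the file instead of handing it to javaws.exe; it is a stopgap for machines that cannot take the updated JRE, not a replacement for the patch.

```powershell
# Added example, not code from the Slashdot thread or from Sun.
# Removes the .jnlp file association so IE offers to download JNLP files
# instead of auto-launching javaws.exe. Assumes the standard ProgID "JNLPFile"
# that the Java installer registers. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$backupDir = Join-Path $env:ProgramData 'jnlp-assoc-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Both hives can carry the extension mapping; HKCR is the merged view of them.
$keys = @(
    'HKLM:\SOFTWARE\Classes\.jnlp',
    'HKCU:\SOFTWARE\Classes\.jnlp'
)

function Backup-RegKey {
    param([string]$Path)
    # reg.exe wants the HKEY_LOCAL_MACHINE\... form, not the PowerShell drive form.
    $native = $Path -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\' -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
    $file = Join-Path $backupDir (($native -replace '[\\: ]', '_') + '.reg')
    & reg.exe export $native $file /y | Out-Null
    return $file
}

foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $saved = Backup-RegKey -Path $k
    Write-Host "Backed up $k to $saved"
    # Only the extension mapping goes; the JNLPFile ProgID itself is left in
    # place so re-importing the .reg file restores the original behaviour.
    Remove-Item -Path $k -Recurse -Force
    Write-Host "Removed $k"
}

# Verification against the merged view: .jnlp should no longer resolve to a ProgID.
$stillMapped = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.jnlp' -ErrorAction SilentlyContinue
if ($null -eq $stillMapped) {
    Write-Host 'OK: .jnlp is no longer associated; IE will prompt to save the file.'
} else {
    Write-Warning ".jnlp still maps to ProgID '$($stillMapped.'(default)')'"
}
```

To undo, double-click or `reg.exe import` the .reg file written to %ProgramData%\jnlp-assoc-backup. Remember that a later Java install or repair will silently put the association back, so re-run the check after any Java update.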
  • Re:PHB syndrome (Score:4, Insightful)

    by phantomcircuit ( 938963 ) on Thursday April 15, 2010 @04:46PM (#31863340) Homepage

    What they don't realize is that black hats also have "jobs" and are being paid.

    It's even worse than that. The black hats are almost certainly being paid far more than the white hats are.

  • by Anonymous Coward on Thursday April 15, 2010 @04:52PM (#31863434)

    It's not that corporations don't "get the value" of White Hat reports. They love them!

    But these corporations are not giant machines running on magic. They are made up of people who have other priorities, other deadlines and will not get paid anything for going through the mountains of work that must be done to issue an emergency fix. Absolutely, they should be more responsive. But it's not like they're sitting on the beach smoking a bowl. These corporations are busting their ass to find enough money to keep all their people employed. Issuing an embarrassing, costly and difficult fix is a lot like working an extra job to pay an unexpected hospital bill. How much enthusiasm would you have in that situation?

  • Re:PHB syndrome (Score:3, Insightful)

    by david_thornley ( 598059 ) on Thursday April 15, 2010 @05:52PM (#31864318)

    Why is it that Slashdotters never understand that hasty patches are dangerous and expensive? This patch almost certainly hasn't been tested as well as Sun would like, and they could well be screwing up people's computers. There are dangers in patching too hastily and patching too slowly, and somebody has to decide on the trade-offs.

    My guess is that they were hoping to run it through the normal cycle when they saw it being used in the wild, and decided that it was important to get something off now, regardless of risk and possible additional expense.

    The fact that they were able to issue a patch the day after they found live exploits indicates that they were probably working on it already, and simply misjudged the immediacy of the danger.

  • by Anonymous Coward on Thursday April 15, 2010 @06:14PM (#31864632)

    Does this exploit bypass UAC in 7 and Vista?

    No, the user still does that.

  • I hate JAVA update (Score:3, Insightful)

    by JaCKeL 1.0 ( 670980 ) on Thursday April 15, 2010 @07:49PM (#31865772)
    They will once again propose that I install a toolbar. WTF, just do your update and stop trying to install shit I don't want after I already said "NO" to the same question 10 freaking times before.
  • Re:PHB syndrome (Score:3, Insightful)

    by eloki ( 29152 ) on Thursday April 15, 2010 @09:53PM (#31866898)

    Really? I thought the problem might be that they see the flaw but see it as lacking urgency as they have insufficient stake in an urgent patch.

    When it becomes an exploited flaw, the company reputation is now at risk and customers/users experiencing actual (as opposed to possible) loss are much more likely to get angry and demanding. Now the company has a stake in the patch.

    (But as pointed out elsewhere, it's hard to comprehensively test on an urgent patch.)

  • by Anonymous Coward on Thursday April 15, 2010 @10:29PM (#31867186)

    Java 5 is from 2004. Now we have 2010.
    I know how you feel. I liked my firefox 1.0, too. It sucked when I had to upgrade to firefox 2.0.
    I would have preferred mozilla to support firefox 1.0 forever. Free of charge, of course.

  • Re:PHB syndrome (Score:1, Insightful)

    by Anonymous Coward on Thursday April 15, 2010 @11:01PM (#31867412)

    Dude, you're full of crap.
