Sun Pushes Emergency Java Patch
Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was able to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."
PHB syndrome (Score:4, Insightful)
Re: (Score:3, Informative)
Re:PHB syndrome (Score:4, Insightful)
What they don't realize is that black hats also have "jobs" and are being paid.
It's even worse than that. The black hats are almost certainly being paid far more than the white hats are.
Re:PHB syndrome (Score:5, Insightful)
That's not the problem.
The problem is, management (the people in control of the big corporations who harbor at most marginal technical aptitude) see the flaw but lack the imagination to understand how it could be used for real harm until they see it used for real harm.
(Actually, "lack the imagination" may be misleading. They are motivated to think that the problem is not a big deal, and they have no problem convincing themselves of this rather than exploring the possible threat scenarios.)
Full disclosure changes the risk from the company's point of view ("Oh, great, now we know people are trying to think of a way we're not seeing to exploit this") but the real tipping point is when they see a demonstration of harm being done (not merely a proof-of-concept that they can rationalize away).
Re: (Score:3, Insightful)
Really? I thought the problem might be that they see the flaw but see it as lacking urgency as they have insufficient stake in an urgent patch.
When it becomes an exploited flaw, the company reputation is now at risk and customers/users experiencing actual (as opposed to possible) loss are much more likely to get angry and demanding. Now the company has a stake in the patch.
(But as pointed out elsewhere, it's hard to comprehensively test on an urgent patch.)
Re: (Score:3, Informative)
An unfortunate side effect is that full disclosure also gets them royally pissed at you for "exposing" their flaw.
Re: (Score:2)
And an unfortunate side effect of that is that you have to disclose anonymously for your own protection, and that means simply making the whole thing public from the start.
Re: (Score:3, Insightful)
Why is it that Slashdotters never understand that hasty patches are dangerous and expensive? This patch almost certainly hasn't been tested as well as Sun would like, and they could well be screwing up people's computers. There are dangers in patching too hastily and patching too slowly, and somebody has to decide on the trade-offs.
My guess is that they were hoping to run it through the normal cycle when they saw it being used in the wild, and decided that it was important to get something off now, reg
Re: (Score:2)
> This patch almost certainly hasn't been tested as well as Sun would like
You do not have to release the latest and greatest if it hasn't been tested enough for your taste.
Just branch from the last stable release and apply only the fix that is needed for security reasons. This is done all the time!
A patch to filter input parameters should be trivial enough to test ;-))
Re: (Score:2, Informative)
Re: (Score:1, Insightful)
Dude, you're full of crap.
Re: (Score:2)
You have obviously never worked on a serious project and you are obviously unaware of tools such as source repositories, with functionality such as versioning and branching functionality.
I bet your sources live on your hard-drive. At best, you might be using MS source-safe which is pretty limited in functionality.
Re: (Score:2)
On the theory that a patch from a stable version will break nothing? If it filters input parameters, how are you to know, without extensive testing, that it filters the right ones? If it filters out too much, it may break perfectly reasonable applications. If it filters out too little, it may leave the system vulnerable. It may do both, if it's just a little wrong.
Yes, I, too, have deployed very simple patches to stable software without adequate testing. One recent time, I put a hundred-thousand-dol
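The trade-off the comment above describes (a parameter filter that lets too much through leaves the launcher exposed; one that is too tight breaks legitimate uses) is easy to see in code. The following is an added example for this thread, not Sun's code and not the actual patch: it models a plugin that hands a helper program a single command-line argument, the URL of a launch descriptor, and compares a denylist filter with an allowlist check. The helper name `javaws`, the accepted URL shape, the `.jnlp` suffix rule and every sample input are assumptions constructed for illustration.

```python
"""Allowlist vs. denylist validation of arguments handed to a helper process.

Added example (not from the thread, not Sun's code): models a browser plugin
that launches a Web Start-style helper with one argument, the URL of a launch
descriptor. The helper name, the URL shape and the sample inputs are
constructed for illustration.
"""
import subprocess  # used only by launch(); the checks below never spawn anything
from urllib.parse import urlparse

HELPER = "javaws"  # constructed: the helper the plugin would hand the URL to
ALLOWED_SCHEMES = {"http", "https"}
SHELL_META = set(";|&`$<>\"'\\")


def denylist_filter(args):
    """'Filter too little': strip shell metacharacters and pass the rest on.

    No shell is involved when argv is passed directly, so this removes the
    wrong thing: option-looking arguments still reach the helper's own
    command-line parser untouched.
    """
    return ["".join(ch for ch in a if ch not in SHELL_META) for a in args]


def allowlist_validate(args):
    """Allowlist: exactly one absolute http(s) URL, nothing option-like.

    Returns the cleaned argv tail or raises ValueError.
    """
    if len(args) != 1:
        raise ValueError(f"expected exactly one argument, got {len(args)}")
    url = args[0].strip()
    if url.startswith("-"):
        raise ValueError("option-like argument refused")
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        raise ValueError("whitespace or control characters refused")
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        raise ValueError("argument must be an absolute http(s) URL")
    return [url]


def strict_suffix_validate(args):
    """'Filter too much': additionally insist the path end in .jnlp.

    Safe, but it rejects descriptors served under a query string or a
    rewritten path, which is exactly the breakage the comment warns about.
    """
    (url,) = allowlist_validate(args)
    if not urlparse(url).path.lower().endswith(".jnlp"):
        raise ValueError("path must end in .jnlp")
    return [url]


def build_argv(args, validator):
    """Compose the helper's argv from validated arguments; no shell involved."""
    return [HELPER, *validator(args)]


def check(validator, args):
    """Return the argv a validator would produce, or None when it refuses."""
    try:
        return build_argv(args, validator)
    except ValueError:
        return None


def launch(args, validator=allowlist_validate):
    """Spawn the helper with validated arguments (shell=False: argv as-is)."""
    return subprocess.Popen(build_argv(args, validator))


if __name__ == "__main__":
    # Constructed sample inputs: a normal descriptor URL, one served without
    # the .jnlp suffix, an option-like argument, and an extra trailing argument.
    samples = [
        ["https://apps.example.test/launch/app.jnlp"],
        ["https://apps.example.test/launch?id=42"],
        ["-X-constructed-option"],
        ["https://apps.example.test/launch/app.jnlp", "-X-constructed-option"],
        ["file:///C:/constructed/app.jnlp"],
    ]
    for validator in (denylist_filter, allowlist_validate, strict_suffix_validate):
        print(f"== {validator.__name__}")
        for sample in samples:
            print(f"  {sample!r:70} -> {check(validator, sample)}")
```

Running the script prints, for each of the three checks, which constructed inputs would reach the helper. The denylist version forwards the option-like argument and the extra trailing argument unchanged, the allowlist version refuses both while still accepting a descriptor served under a query string, and the suffix-strict variant refuses that legitimate URL too. Which of the last two is right depends on knowing what callers actually send, which is the testing the comment says a hasty patch skips.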
Re: (Score:2, Informative)
http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html [oracle.com]
Re:We are all individuals (Score:2)
Why is it that slashdot poster types group everyone together, as if they all have a hive mind? Each company has to learn this lesson, and often if a person is replaced the new guy has to learn it as well. Each company learns as it happens, and still they might resist the change in certain situations.
I frequently find small quirks in my codebase while looking at other unrelated items like general performance monitoring, and don't have time to investigate completely, but if someone complains I'll fix it. T
White Hats (Score:5, Insightful)
I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.
Re: (Score:3, Informative)
that sounds nice and all, but there are currently very real legal risks involved even if you are a white hat and employed by a company to look for this stuff.
I agree that white hats should do it anyway - one way or the other the legal system will get around to protecting it, probably as whistleblowing/free speech, but in the meantime I think plenty are afraid to be taken to court for disclosing vulnerabilities and/or not being employed for future whitehat jobs.
Re: (Score:2)
I take white hat to mean Good, i.e. you're not using the exploit for personal gain.
You're Lawful Good if you're working on behalf of some legal authority. Chaotic Good if you're exposing it to shame/antagonize the companies. Neutral Good if just out of your own personal reasons.
Need a new breed of white hat (Score:5, Funny)
I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.
I recommend we coin a new term for this elite breed of white hat. White hats that are more aggressive. Not afraid to be an asshole when required. I would like to propose: "ass hats"
Re: (Score:2)
Re: (Score:2)
If Sun patched this today, you can expect the patch for iStuff around Christmas or so, if that quickly.
They've been that slow before on exploited vulnerabilities, they'll be that slow again.
Re: (Score:2)
Given that the problem is not exploitable on MacOS X with Safari... I think they'll be very slow to release a fix.
Summary reads better with hyphenated words only (Score:5, Funny)
about-face
drive-by
in-the-wild
out-of-cycle
booby-trapped
Java-Plugin
command-line
about-face
full-disclosure
Re: (Score:3, Funny)
Re: (Score:2)
Summary reads better with hyphenated words only
That is surprisingly true.
Re: (Score:1)
Oracle (Score:5, Informative)
there is no company or organization called "sun" ... there is only oracle now.
Re: (Score:2)
Re: (Score:1, Funny)
That's no Sun.
Re: (Score:1)
Re: (Score:2)
Rarely are "mergers" destructive of corporate entities (especially so early in an acquisition)
Don't worry, they'll find a way.
Re: (Score:2)
uh huh, why don't you go to *sun.com* and check out some *sun solaris* features, and observe
Re: (Score:2)
Even if Oracle does intend to liquidate Sun and merge its assets into itself rather than operate it as a wholly-owned subsidiary, Sun certainly still exists as a legal entity. It takes many months (sometimes years) to work through all the details of a merger.
Re: (Score:2)
I propose that from now on we refer to the entities as zombie Sun and Papa Oracle.
Re: (Score:2)
there is no company or organization called "sun" ... there is only oracle now.
It's not too late for Oracle to sell some or all of Sun, as "Sun".
Your grasp on corporatism is only half-sufficient to keep you from falling off a cliff.
Re: (Score:2)
In the same way that you can only buy Diageo and not Guinness?
OK Corral (Score:1)
Re: (Score:2)
So does thinkgeek (Score:4, Funny)
java patch:
http://www.thinkgeek.com/stuff/41/caffederm.shtml [thinkgeek.com]
smoking day at slashdot (Score:2)
First it's e-cigs and now it's patches.
What's next, an article about pipes?
Re: (Score:2)
No, NO! They're tubes, you noobs.
Sheesh. Get it right, eh?
Does it bypass UAC? (Score:2, Interesting)
Re: (Score:2, Insightful)
Does this exploit bypass UAC in 7 and Vista?
No, the user still does that.
There's a workaround (Score:4, Insightful)
Re: (Score:2)
Saw this earlier today (Score:3, Informative)
The Register mentioned this earlier today, and I immediately informed our local IT guy, who contacted someone higher up at Enterprise Security.
Then Worf came to my desk and said I needed to test the Java upgrade before they deployed it to everyone.
...
Ok, not Worf, just one of our tech guys. Since I'm one of two Java developers on this floor as well as the one who reported it, I got the fun job of making sure everything I have (Eclipse, OC4J, Oracle SQLDeveloper, Oracle JDeveloper, etc...) still worked.
Re: (Score:2)
Come on, be adults. (Score:3, Insightful)
It's not that corporations don't "get the value" of White Hat reports. They love them!
But these corporations are not giant machines running on magic. They are made up of people who have other priorities, other deadlines and will not get paid anything for going through the mountains of work that must be done to issue an emergency fix. Absolutely, they should be more responsive. But it's not like they're sitting on the beach smokin' a bowl. These corporations are busting their ass to find enough money to keep all their people employed. Issuing an embarrassing, costly and difficult fix is a lot like working an extra job to pay an unexpected hospital bill. How much enthusiasm would you have in that situation?
Re: (Score:2)
...fifth build of 1.6.0_19 and it still crippled your app? Whoops.
Java 1.5 users are screwed (Score:3, Informative)
Due to development constraints, I run JDK 5 Update 22 on my system.
As of Nov 3rd 2009, Update 22 is the last public release of version 5.
I used the exploit demo link to see if it is also vulnerable, and sure enough it attempted to launch a program.
So now the still-quite-large-installed-base of 1.5.0_x users are screwed!!!
Fortunately though, my AVG quickly blocked it, reporting it as "Exploit JSE WebStart (type 1067)".
Re: (Score:1, Flamebait)
I ended up uninstalling Java the day I got hit by malware through Java.
Don't need it to run anything on my machine so the POS is gone, gone, gone.
Re: (Score:2)
Corporate constraints?
That's what VMs are for: testing and development without exposing your main desktop and web browser to those vulnerabilities.
Re: (Score:2, Insightful)
Java 5 is from 2004. Now we have 2010.
I know how you feel. I liked my firefox 1.0, too. It sucked when I had to upgrade to firefox 2.0.
I would have preferred mozilla to support firefox 1.0 forever. Free of charge, of course.
Re: (Score:2)
My AVG reported it as type 1066, but yeah, AVG stopped this exploit cold.
I was affected (Score:2, Interesting)
I was actually hit by one of these "drive by downloads" within firefox via java 5-6 weeks ago. Browsing porn, opened a tab to a video, the browser suddenly got sluggish like crazy. Task manager showed java executable running at near 100% cpu. The processes were so locked up that an attempt to kill either the java process or firefox just wasn't doing anything. I have Avast for anti-virus, and it wasn't complaining about any virus - until the exact moment I clicked to reboot the machine. At that instant, Avas
Which toolbar does this patch? (Score:3, Interesting)
Re: (Score:3, Informative)
The Java SE page has downloads that don't have the obnoxious toolbar/trial crap in them.
http://java.sun.com/javase/downloads/index.jsp [sun.com]
I hate JAVA update (Score:3, Insightful)
Re: (Score:2)
I'm always amused that the annoying Yahoo toolbar ad in the installer claims to "block annoying ads".
Update Links (Score:2, Informative)
For Java, here's a quick link to see what version you have installed, and if there's a new version available or not:
www.java.com/en/download/installed.jsp?detect=jre&try=1
Here's one for Adobe Flash Player:
http://www.adobe.com/software/flash/about/ [adobe.com]
What other plugins are there links for like this?
I'd love to have a page set up that I can just click through a set of links to verify each app is current when checking PCs. If the update process is painless enough, just have friends and family run through it
Write once, exploit everywhere (Score:5, Funny)
"Write once, exploit everywhere"
Well, someone had to say it.
Java 6 u19 Works Fine (Score:2)
I have Java 6 update 19 installed and I get the same error and failed attempt using this link (weird url but it's the one from the TFA): test demo [cmpxchg8b.com]. The author also said the fix wasn't mentioned in the patch notes. Could this vulnerability have been fixed in a previous version and no one actually tested what versions/updates were actually vulnerable before publishing these articles, or did I miss something?
"the full-disclosure weapon" (Score:2)
eyelet kasugai (Score:2)
Know what, security analyst jobs became common and then we had these periodic reports of `vendor ignores for-long-time reported insecure flaws, errors, etc.' bullshit. Fuck that! Go back to the ole publish to Bugtraq all warts most post haste. But then you don't get legally usable cred for your resume---oh, excuse me, Curriculum vitae, oh so sorry, CV---awww.