The Glade 4.0

"Turn the lights down, the party just got wilder."
It is currently Wed Nov 27, 2024 5:57 am

All times are UTC - 6 hours [ DST ]




Post new topic Reply to topic  [ 17 posts ] 
Author Message
PostPosted: Tue Aug 28, 2012 4:20 pm 
Offline
Lean, Mean, Googling Machine
User avatar

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
An extremely nasty zero-day exploit in Oracle's Java runtime was just discovered:

http://secunia.com/advisories/50133

It allows for arbitrary execution of native (non-Java) code on the victim's machine. The user merely needs to visit a page, frame, etc. containing a hostile java applet in any browser that has the Oracle Java plugin enabled. This is a cross-browser, cross-platform vulnerability in the JRE itself. If you use Oracle's Java plugin, you are vulnerable regardless of browser or OS.

That being said, most Mac users are probably using Apple's JRE, and most Linux users are probably using OpenJDK these days. You should verify this before assuming you are safe, of course.

If Oracle's past behavior holds, it is unlikely that this bug will be patched until mid-October. For the time being, the only way to protect yourself is to either uninstall Oracle's JRE, or disable the browser plugin component.

Chrome:

Go to "chrome://plugins" in your browser

IE:

Click the gear icon, then "manage add-ons"

Firefox:

Main menu > Add-ons > Plugins

Opera:

Beats the hell out of me.

I would strongly urge doing this unless you absolutely must have in-browser support for Java applets. Alternatively, if you say, use Chrome for browsing, you could disable it in Chrome and leave it enabled in Firefox. Use Firefox only for loading specific, known safe pages that require Java. Default NoScript behavior also blocks plugin content without user intervention, which mitigates the potential that you might run hostile Java code in the first place.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Aug 28, 2012 4:57 pm 
Offline
adorabalicious
User avatar

Joined: Thu Sep 03, 2009 10:54 am
Posts: 5094
Hooray for noscript and boobies.

_________________
"...but there exists also in the human heart a depraved taste for equality, which impels the weak to attempt to lower the powerful to their own level and reduces men to prefer equality in slavery to inequality with freedom." - De Tocqueville


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Aug 28, 2012 7:13 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Thanks Stath..

Here is U.S. CERT VU
http://www.kb.cert.org/vuls/id/636312

Here is some potentially useful info from Computer World
http://www.computerworld.com/s/article/ ... onomyId=86


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 29, 2012 8:36 am 
Offline
User avatar

Joined: Tue Sep 08, 2009 9:36 am
Posts: 4320
Appreciate the heads up.


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 29, 2012 11:54 am 
Offline
User avatar

Joined: Thu Sep 24, 2009 4:57 am
Posts: 849
Yikes. These sort of exploits are always pretty scary.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 29, 2012 1:37 pm 
Offline

Joined: Wed Sep 02, 2009 9:12 pm
Posts: 2366
Location: Mook's Pimp Skittle Stable
Anyone know offhand of how to disable/remove in Safari?

_________________
Darksiege: You are not a god damned vulcan homie.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 29, 2012 1:40 pm 
Offline

Joined: Wed Sep 02, 2009 9:12 pm
Posts: 2366
Location: Mook's Pimp Skittle Stable
Scratch that.

I just checked into it some more, and apparently the bug is in Java 7, which you have to manually upgrade to on most macs.

I checked, and I'm still on version 6, which isn't supposed to be vulnerable.

_________________
Darksiege: You are not a god damned vulcan homie.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 29, 2012 1:45 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
I'd make absolutely certain of that. I'm not sure anyone has tested earlier versions...

Anyway, here is how to disable Java in Safari
https://support.apple.com/kb/HT5241

I only had a Java plugin on one of my PC'c (work), and it was in Chrome. I only use Java for one function, which is a once-a-week thing. I have it disabled, and will re-enable it as needed until this gets patched.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 29, 2012 2:01 pm 
Offline

Joined: Wed Sep 02, 2009 9:12 pm
Posts: 2366
Location: Mook's Pimp Skittle Stable
http://www.macrumors.com/2012/08/28/new ... s-to-macs/

The first quote there (seems to be 3 different researchers) says that it effects all versions of Java 7, but does not effect 6 and below.

And thanks for the link- I've got it disabled there, but I wasn't sure if there was something else I needed to do.

_________________
Darksiege: You are not a god damned vulcan homie.


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 29, 2012 2:20 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
What's oracle, and how would I disable Java in Firefox? Is it only a problem if you have this Oracle thingy, or what?

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 29, 2012 2:44 pm 
Offline
Web Ninja
User avatar

Joined: Wed Sep 02, 2009 8:32 pm
Posts: 8248
Location: The Tunt Mansion
Oracle is the company that owns and maintains Java.


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 29, 2012 2:45 pm 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
Oracle is a software company. They 'own' the Java programming language and release software so that Java can run on your PC. If you go to java.com, that's Oracle's java runtime software. The exploit discussed in this thread is for Oracle's implementation of the Java runtime software, which is what most people have.

If you want to disable Java in Firefox, you can follow the instructions here: http://support.mozilla.org/en-US/kb/How ... %20applets

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 29, 2012 3:42 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
I see now that the US Cert, according to the link I provided above, is recommending a downgrade to Java 6, (for those who must use it) so apparently it is not affected.

US Cert wrote:
Downgrade to Java 6

After uninstalling Java 7, the Java 6 JRE can be obtained from the Oracle Java download page. The latest Java 6 version as of the publication of this document is Java SE 6 Update 34.


FWIW, the one Java applet I use requires Java 7, so I just disabled mine, and will re-enable it as needed until it's patched.


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 30, 2012 8:42 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
I evidently have Java 6, update 31, according to my uninstall programs window on my control panel. Does that mean I'm OK?

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 30, 2012 9:28 pm 
Offline
Lean, Mean, Googling Machine
User avatar

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Miracles never cease.

Oracle actually broke from their rigid update cycle policy and released Java 7 Update 7 this evening, which fixes this vulnerability plus several other vulns. present in Java 6 Update 34 (which is why downgrading is not such a great idea, CERT!)

I guess even Oracle realizes what a massive shitstorm this would be if they refused to patch for 6 weeks while the internet burns.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


Top
 Profile  
Reply with quote  
PostPosted: Fri Aug 31, 2012 8:01 am 
Offline
Lean, Mean, Googling Machine
User avatar

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
http://arstechnica.com/security/2012/08/oracle-patches-critical-java-bugs/

Quote:
Oracle reportedly learned of the bugs more than four months ago, but didn't issue the fixes until Thursday, four days after researchers discovered they were being targeted.


Quote:
The vulnerabilities addressed in the update include those designated as CVE-2012-4681. Among those Oracle credited was Adam Gowdiak of Poland-based Security Explorations, who said he alerted Oracle engineers to the vulnerabilities in April.


****.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


Top
 Profile  
Reply with quote  
PostPosted: Wed Sep 26, 2012 8:16 am 
Offline
Lean, Mean, Googling Machine
User avatar

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Here we go again:

http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/

Total escape from the sandbox. This time the flaw exists in every version of Java released in the last 5 years. It gets better:

Quote:
Gowdiak and his team have found a total of 50 Java flaws. While this latest one apparently isn’t being exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability.


How's that Sun buyout looking now, Oracle?

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 17 posts ] 

All times are UTC - 6 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 7 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group