JDK 1.7.0_07 and JDK 1.6.0_35 are out

[Roedy Green]

JDK 1.7.0_07 and JDK 1.6.0_35 are out

See http://mindprod.com/jgloss/jdk.html if you are having trouble
installing. Page won't be updated until about 7 PM PDT.

 

[Arne Vajhøj]

JDK 1.7.0_07 and JDK 1.6.0_35 are out

And people using Java in web browsers should update ASAP
as the update contains fixes for several nasty
security issues that are actively being exploited
in the wild.

Arne

 

[markspace]

And people using Java in web browsers should update ASAP
as the update contains fixes for several nasty
security issues that are actively being exploited
in the wild.

There was an article on Slate about Java recently. Does this fix
address the issues it mentions?

<http://www.slate.com/blogs/future_t..._disable_java_on_your_browser_right_now_.html>

 

[Arne Vajhøj]

There was an article on Slate about Java recently. Does this fix
address the issues it mentions?

<http://www.slate.com/blogs/future_t..._disable_java_on_your_browser_right_now_.html>


I think so.

Arne

 

[Roedy Green]

There was an article on Slate about Java recently. Does this fix
address the issues it mentions?
http://www.slate.com/blogs/future_t..._disable_java_on_your_browser_right_now_.html>

The tone of the article made me suspicious. The author seems all to
eager to tell people to uninstall Java without explaining why. I have
heard so much BS about the danger of Java. Crying wolf on that scale
should be a criminal offence, or at least get you sued.

On the other paw, this update follows fast on the heels of the
previous one. That would only normally happen if there were a very
important security fix.

Oracle say that 1.7.0_07 fixes
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

But they are unusually vague about what the security vulnerability is,
ostensibly to avoid giving hints to exploiters. It sounds like it
applies only to unsigned applets on malicious websites. It is probably
1000 times easier for a malicious website to use JavaScript than this
exploit.

"zero day" does not tell us much about the vulnerability.
A zero-day (or zero-hour or day zero) attack or threat is an attack
that exploits a previously unknown vulnerability in a computer
application, meaning that the attack occurs on "day zero" of awareness
of the vulnerability.[1] This means that the developers have had zero
days to address and patch the vulnerability. Zero-day exploits (actual
software that uses a security hole to carry out an attack) are used or
shared by attackers before the developer of the target software knows
about the vulnerability.

This article claims Oracle knew about this but sat on their thumbs. It
also says the attack came from China and allows any code at all to be
run.
http://www.informationweek.com/security/attacks/java-zero-day-malware-attack-6-facts/240006535

This article says 1.7.0_07 fixes the vulnerability.
http://www.macobserver.com/tmo/article/oracle_patches_java_zero-day_vulnerability/

 

[Fredrik Jonson]

I have heard so much BS about the danger of Java. Crying wolf on that
scale should be a criminal offence, or at least get you sued.

On the other hand raising doubt about a acknowledged and severe security
vunerability isn't very wise either.

Without pointing you to the source code of the exploit, which is widely
available this time, when reading the code it becomes trivially clear to
anyone that it allows the attacker to execute _any_ code on the target
machine. It evades the normal java sandbox completely.

So lets not play this one down. This time it is for real.

On the other paw, this update follows fast on the heels of the
previous one. That would only normally happen if there were a very
important security fix.
Indeed.

But they are unusually vague about what the security vulnerability is,
ostensibly to avoid giving hints to exploiters. It sounds like it
applies only to unsigned applets on malicious websites. It is probably
1000 times easier for a malicious website to use JavaScript than this
exploit.

Unfortunately I think Oracle are normally vague. If anything, they are less
vague than usual in describing the severity and consequences. I quote:

"To be successfully exploited, an unsuspecting user running an affected
release in a browser will need to visit a malicious web page that
leverages this vulnerability. Successful exploits can impact the
availability, integrity, and confidentiality of the user's system."

All you have to do is load the wrong web page in your browser. That's it.

That an attacking applet has to be unsigned doesn't limit the severety of
this vunerability. If the vunerability was only exploitable by signed
applets, the risk would be somewhat more limited. As it stands right now,
any script kiddie can compile and publish exploiting code.

Further this Java vunerability in it self wouldn't become any less serious
if any javascript engine would have a similar vunerability. Two wrongs does
not make a right.

 

[markspace]

Without pointing you to the source code of the exploit, which is widely
available this time, when reading the code it becomes trivially clear to
anyone that it allows the attacker to execute _any_ code on the target
machine. It evades the normal java sandbox completely.

But only for Java 7. Java 6 is fine.

I'm really appreciating Firefox right now. Earlier this year Firefox
forced me to do an upgrade of itself, then it invalidated my Java
plug-in and forced a re-installation of that as well. Yes, OK, whatever
Firefox; I didn't think too much about it afterwards even though it
annoyed me at the time.

Now I just double-checked and realized that I've had the 1.6 version of
the plug-in this whole time, even though I know I've had Java 7 since it
first came out. Bravo for Firefox keeping the secure version instead of
using the latest version.

 

[Arne Vajhøj]

The tone of the article made me suspicious. The author seems all to
eager to tell people to uninstall Java without explaining why.

The technical problem is known in details.

GIYF

And until Oracle got the fix out then not using Java was a
viable recommendation.

Oracle say that 1.7.0_07 fixes
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

But they are unusually vague about what the security vulnerability is,
ostensibly to avoid giving hints to exploiters.

Apparently Google is not your friend.

It sounds like it
applies only to unsigned applets on malicious websites.

That is correct.

But surfing the web on not that well known web sites is done
by a billion people every day (or something in that magnitude).

It is probably
1000 times easier for a malicious website to use JavaScript than this
exploit.

Given that you have not bothered finding out what the problem is
then you wild guesses about the risk are not credible in any way.

Arne

 

[Arne Vajhøj]

But only for Java 7. Java 6 is fine.

I'm really appreciating Firefox right now. Earlier this year Firefox
forced me to do an upgrade of itself, then it invalidated my Java
plug-in and forced a re-installation of that as well. Yes, OK, whatever
Firefox; I didn't think too much about it afterwards even though it
annoyed me at the time.

Now I just double-checked and realized that I've had the 1.6 version of
the plug-in this whole time, even though I know I've had Java 7 since it
first came out. Bravo for Firefox keeping the secure version instead of
using the latest version.

Note that Oracle fixed 4 problems.

3 that affected only Java 7.

1 that affected both Java 6 and 7.

So the presumed security of using Java 6 was non existing.

Arne

 

[Fredrik Jonson]

Without pointing you to the source code of the exploit [...] it becomes
trivially clear to anyone that it allows the attacker to execute _any_
code on the target machine. It evades the normal java sandbox completely.

But only for Java 7. Java 6 is fine.

Java 6u34 and older is also partially vulnerable of "a security-in-depth
issue that is not directly exploitable but which can be used to aggravate
security vulnerabilities that can be directly exploited."

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Oracle has indeed release Java 6 update 35, which is a security update, and
it cites exactly the same alert as the Java 7 update 7 release.

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Granted the CVSS base score for CVE-2012-0547 is 0, so you probably don't
have to bee too concerned if you've only deployed Java 6 in your browser.

Still, do note that both these releases, 6u35 and 7u7, divert from the
ordinary release schedule. Normally we've seen a new Java update every two
months. Both 6u35 and 7u7 lands barely half a month after their previous
releases. I'm actually positively surprised that Oracle is this responsive,
especially for 6u34, which they claim isn't directly vulnerable today.

It will also be interesting to see if that means that the release numbers
just skips now, i.e. that we'll see a 7u8 in mid or end of October, where
7u7 was originally expected to be released. The alternative is that the
entire schedule is shifted, and that we wont see the next update until early
or mid November.

 

[Roedy Green]

That an attacking applet has to be unsigned doesn't limit the severety of
this vunerability. If the vunerability was only exploitable by signed
applets, the risk would be somewhat more limited. As it stands right now,
any script kiddie can compile and publish exploiting code.

A signed applet is by definition dangerous. It is typically allowed to
read/write any files it pleases. Normally unsigned applets are the
safest things going, though I have heard so many false claims they are
not. That is why I was initially suspicious.

 

[Arne Vajhøj]

A signed applet is by definition dangerous. It is typically allowed to
read/write any files it pleases. Normally unsigned applets are the
safest things going, though I have heard so many false claims they are
not.

They are supposed to be safe.

But the security comes from software. And sometimes
software has bugs.

There were bugs in this case.

There had been bugs before.

And I will be surprised if we do not see bugs in the
future as well.

Arne

 

[Fredrik Jonson]

Hmm,

There are now reports of another sandbox-breaking exploit, that has not been
patched in the Java 7u7 release.

"As in the case of the earlier vulnerabilities, Gowdiak says, this flaw
allows an attacker to bypass the Java security sandbox completely [...]

Unlike the earlier vulnerabilities, no known exploit of the new flaw has yet
been found in the wild, but Gowdiak says he included proof-of-concept code
with the report to demonstrate that an exploit is indeed possible.

Oracle has not acknowledged that the new vulnerability actually exists, but
it has confirmed that it has received Security Explorations' vulnerability
report and is analyzing it."

http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

 

[Roedy Green]

Oracle has not acknowledged that the new vulnerability actually exists, but
it has confirmed that it has received Security Explorations' vulnerability
report and is analyzing it."

In the discussion of Stuxnet, I discovered that knowledge of an
unrevelealed flaw goes for about $200K.

There have been so many flaws, I suspect people on the inside are
putting them there on purpose.