
Java 7 Vulnerability
August 29, 2012 1:31 PM

A working, cross-platform Java 7 exploit is now in the wild. It's apparently a pair of bugs, working in tandem; neither, alone, would be enough to escape the Java sandbox, but together, any machine, be it Windows, Mac, or Linux, can be instantly and silently compromised, simply by viewing a malicious web page. Only Java 7 is vulnerable, but because of the way Oracle schedules patches, it may be unfixed until October. You can test your machine for the flaw; if vulnerable, you'll want to at least disable Java in your Web browser, if not remove it altogether. On Firefox, NoScript will provide a little protection, by not running Java code unless you click it, but the vulnerability remains.
posted by Malor (104 comments total) 15 users marked this as a favorite

 
I wanted to call this a zero-day exploit, but that's not really true anymore; it's at least a day-two or day-three, and one of the links mentions that at least one nation may already have been exploiting this flaw against its citizens.

On my own machine, I've removed Java completely, as I can live without Minecraft until a patch comes out. But just disabling it in the browser is probably adequate, as long as you are very careful about what you download.
posted by Malor at 1:33 PM on August 29, 2012


Chrome makes Java click-to-run by default. The linked-to blog posting doesn't mention this.
posted by damn dirty ape at 1:35 PM on August 29, 2012 [4 favorites]


I knew there was a reason I said "Hells No" when Mountain Lion prompted me to install Java.
posted by entropicamericana at 1:36 PM on August 29, 2012 [1 favorite]


I would like to thank the USPTO for dragging their asses on being compliant with Java 7. Because of this our office is still running Java 6.
posted by charred husk at 1:37 PM on August 29, 2012 [2 favorites]


Is this something I'd have to run client-side code written in Java to understand?
posted by brennen at 1:37 PM on August 29, 2012 [7 favorites]


Java on my machines seems to demand to update itself about three times a week (I swear that's about how often it seems I have to kill the "A new Java update is available" alerts), and I usually click no. Also, does Java really try to auto-update to a major version release? 6 to 7 silently? Useless bastards.
posted by Jimbob at 1:38 PM on August 29, 2012 [2 favorites]


Or you can just disable Java in your browser. Because seriously, who uses Java applets?
posted by azarbayejani at 1:38 PM on August 29, 2012


Because seriously, who uses Java applets?

My employer's time reporting application that only works in MSIE. sigh.
posted by Zed at 1:40 PM on August 29, 2012 [9 favorites]


I wish I could remove Java completely (and I did for about half a day), but sooner or later I need to run Eclipse or Aptana or some silly Java utility or actually (unfortunately) write some Java and I have to turn it back on again. At least I can keep applets turned off. Just how hard is it for Oracle to acknowledge the problem and commit to a fix? It's not like they are a major software company or anything...
posted by zachlipton at 1:42 PM on August 29, 2012 [1 favorite]


I was only running six here, but it's now gone. I feel...clean again. I need to go kill it on the laptop.
posted by maxwelton at 1:43 PM on August 29, 2012


I can't help noticing a common thread of many computer vulnerability FPPs:

1. Your computer can be compromised by viewing a malicious web page.
2. Click here to find out if you are at risk.
posted by Horace Rumpole at 1:45 PM on August 29, 2012 [54 favorites]


Oracle seems to be more concerned with not pissing off their enterprise customer base than actually protecting end users from their code. Because, let's be honest, no enterprise customer is actually going to have anything resembling Java 7 installed in their environment yet.
posted by vuron at 1:45 PM on August 29, 2012


I think I was forced to use that same IE-only time-reporting application at one time, Zed; you have my profoundest sympathies. Once my department bought us Macs we all needed to have Windows XP virtual machines just so we could connect to the time reporting system.
posted by whir at 1:47 PM on August 29, 2012 [1 favorite]


Yeah, Horace, I thought about that, but as far as I can tell, that site's legit, and that's the easiest way to get people to see if they need to do something further.

Yes, it would be safest to just disable Java before you do anything else on the Web, and I probably should have said so.
posted by Malor at 1:47 PM on August 29, 2012 [1 favorite]


Definitely not a criticism of you or your post, Malor, just noticing the irony.
posted by Horace Rumpole at 1:49 PM on August 29, 2012 [1 favorite]


Because seriously, who uses Java applets?

Well, now, you say that, but...
posted by Greg_Ace at 1:49 PM on August 29, 2012


Because seriously, who uses Java applets?

I (sometimes) code in Java for a living; I use it in some way every day. I haven't run a Java applet in a browser in years.
posted by axiom at 1:50 PM on August 29, 2012 [5 favorites]


As someone who works in an infosec-related field, it's worth pointing out that usually when this kind of exploit is announced, it's a big deal because the relatively small number of people who know how to properly use exploits have access to another one. The fact that a Metasploit module is already built for this exploit means that a large number of script kiddies can use it too.
posted by antonymous at 1:50 PM on August 29, 2012 [4 favorites]


I wish the Pentaho BI tools didn't have to have Java. or the Oracle SQL Developer.
posted by deezil at 1:50 PM on August 29, 2012


You guys are lucky with your Java time reporting app, I had to use a completely horrible homegrown Oracle Forms app for entering time. MSIE only and even then it would break about half the time and god help you if you ever updated your Java for some other app.
posted by vuron at 1:50 PM on August 29, 2012 [3 favorites]


Because seriously, who uses Java applets?

Well...NASA, for one.
posted by Thorzdad at 1:51 PM on August 29, 2012 [1 favorite]


Well...NASA, for one.

It's a damn shame how Curiosity isn't sending back anything but porn ads anymore.
posted by Zed at 1:53 PM on August 29, 2012 [22 favorites]


I removed Java from all my maps just to be safe.
posted by mattbucher at 1:54 PM on August 29, 2012 [15 favorites]


My updated-yesterday Mac running Mountain Lion (OS X 10.7.4) has a Java version of 1.6.0_33. Not vulnerable.

Unless any of you Mac users out there have downloaded and installed a newer version of Java by yourselves without using Software Update (NOT easy to do), I don't think there's anything to worry about.

Anybody hear otherwise?
posted by Aquaman at 1:54 PM on August 29, 2012 [4 favorites]


Yeah, I thought Java was annoying until we were forced to use HP Quality Center for defect tracking, which only works in IE, runs native code, and won't start unless I run IE as an Administrator. Yikes.
posted by smackfu at 1:55 PM on August 29, 2012 [6 favorites]


entropicamericana: the version of Java that Mountain Lion uses is 1.6.33 - and NOT vulnerable to this exploit. You have to go out and find it. And that fact is discussed in the 'test' link.
posted by mephron at 1:55 PM on August 29, 2012


Only Java 7 is vulnerable, but because of the way Oracle schedules patches, it may be unfixed until October.

See, this is just kinda bullshit though. From Oracle:
Critical Patch Updates
Critical Patch Updates are collections of security fixes for Oracle products. They are available to customers with valid support contracts. They are released on the Tuesday closest to the 17th day of January, April, July and October.

Security Alerts
Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update

No reason to think this wouldn't be a Security Alert.
posted by smackfu at 2:03 PM on August 29, 2012 [2 favorites]


My updated-yesterday Mac running Mountain Lion (OS X 10.7.4) has a Java version of 1.6.0_33. Not vulnerable.

10.7.4 is Lion. 10.8.1 is the latest version of Mountain Lion. It does, however, also come with Java 1.6.0_33, as I checked Chrome to ensure I wasn't affected.
posted by Rodrigo Lamaitre at 2:18 PM on August 29, 2012


You have to disable this for every single browser-type?
posted by Skygazer at 2:21 PM on August 29, 2012


Where I work, incompetent tech support reps regularly tell people having trouble with our (super-high-traffic, super-buggy) website to make sure that Java is up to date and running in their browser. They mean to tell them to enable javascript, but I work with idiots. We don't even use Java on our site.

So, now rather than just being useless to sweet old ladies who just want to order their movies, we can be useless and indirectly make them vulnerable to malicious exploits. Brilliant.
posted by maqsarian at 2:22 PM on August 29, 2012 [5 favorites]


I guess I picked a good week to give up coffee!
posted by b1tr0t at 2:27 PM on August 29, 2012 [4 favorites]


You know, Java keeps asking to be updated and I have tried more than once to do so but it never actually works. So I don't think I use Java or notice that it's missing (or at least not up to date) except for when I get the prompt to update that I now just ignore.

Running this test thing: Java installed: No

So it's a feature, not a bug, this inability to update, or care.
posted by chavenet at 2:28 PM on August 29, 2012 [2 favorites]


I knew there was a reason I said "Hells No" when Mountain Lion prompted me to install Java.

Not only does OS X Mountain Lion not install Java by default, it deletes Java if it's already installed. The first time you use Java, it asks you if you want to install it, then installs Java 6. Unless you have downloaded Java from Oracle and installed it manually, you're safe.
posted by nicwolff at 2:29 PM on August 29, 2012 [1 favorite]


Good article about this from Krebs on Security.

Personally, I find the following factoid amusing. In the code for this exploit are several Chinese phrases. The three phrases "xiaomaolv" "woyouyizhixiaomaol" and "conglaiyebuqi" are apparently common script variables that are re-used often by Chinese hackers. According to “Balancing the Pwn Deficit” (PDF) in 2010, these lyrics are from songs by Jay Zhou.

Maybe so. But when I saw them yesterday I actually laughed out loud. Why? Because they are also the lyrics of a nursery rhyme that we learned in Chinese class in Taiwan. "I have a little donkey!" Text translated/explained here. And gahhh now that song is in my head!
posted by gemmy at 2:30 PM on August 29, 2012 [14 favorites]


Because seriously, who uses Java applets?

The native capabilities of the web are still heavily limited in some areas. If you're working in those areas, but still want to make something available over the web, you use Java, Flash, or something like them. Or if you're using capabilities that Webkit/Moz have, but Trident doesn't yet, you use Java or Flash for a fallback.

I used an applet for generative music about a year ago. Java has fairly accessible sound/MIDI APIs, and you don't have to build your own synths.
posted by weston at 2:31 PM on August 29, 2012 [1 favorite]


I think I'm just going to start browsing inside a VM from now on. Please tell me no one has figured out how to break a VM yet?
posted by BrotherCaine at 2:32 PM on August 29, 2012


They mean to tell them to enable javascript, but I work with idiots. We don't even use Java on our site.

The people manning the phones where I work are at least as smart as I am, and generally super-competent, and they can't tell the difference either. Computery words that are almost the same word just confuse the ever-living shit out of people who are not primarily computer people.
posted by brennen at 2:33 PM on August 29, 2012 [2 favorites]


To be clear, in FF I need to go to Plugins and disable the Java plugin, right?

Can I still run javascript, or do I need to kill that too?

- noob
posted by Aizkolari at 2:34 PM on August 29, 2012


Aizkolari - Java and Javascript are completely separate things. The similar name is just marketing.

I worried for a moment when I saw this post, went to turn it off in firefox and.... turns out I don't even have Java installed on this computer. I think I've had this computer just short of 2 years and never noticed that before. Guess that shows how far dhtml/css3/js/html5 etc have come.
posted by Slyfen at 2:37 PM on August 29, 2012


http://arstechnica.com/security/2012/08/crisis-espionage-malware-targets-virtual-machines/

It looks like VMs aren't necessarily secure. (Not necessarily a bad idea, mind you, but not unbreakable)
posted by CrystalDave at 2:37 PM on August 29, 2012


I find it a little disturbing that when I use Chrome to access the 'check your computer here' page, it runs the little applet (or doesn't?) and then tells me my Java is old and would I like to update it?

NO, THANK YOU.
posted by maryr at 2:37 PM on August 29, 2012 [4 favorites]


Or you can just disable Java in your browser. Because seriously, who uses Java applets?

Browser-based board game addicts, like me. This sucks.
posted by jb at 2:37 PM on August 29, 2012 [2 favorites]


I just checked the official Java site and there's a Java 1.7 dmg available. Weird. But also good, because I can stop worrying about the future of convenient stuff like JDBC drivers on Mac.
posted by fleetmouse at 2:43 PM on August 29, 2012


I think I'm just going to start browsing inside a VM from now on. Please tell me no one has figured out how to break a VM yet?

Do you require that the statement is truthful?

The best that can really be said is that it's such an edge use case that nobody bothers in the wild yet.
posted by jaduncan at 2:44 PM on August 29, 2012


Not true, several recent pieces of malware can actively detect and infect VMs, even when those VMs are not running.
posted by GallonOfAlan at 2:52 PM on August 29, 2012


Not true, several recent pieces of malware can actively detect and infect VMs, even when those VMs are not running.

From inside one?
posted by jaduncan at 2:53 PM on August 29, 2012 [1 favorite]


It worried me that security exploits and Trident were being mentioned in the same sentence, but then I'm more familiar with the thermonuclear-missile/submarine Trident, and not the layout-engine Trident.
posted by urbanwhaleshark at 3:02 PM on August 29, 2012


From inside one?

Wasn't there a recent FPP about some virus writers who included a chat client in their virus? Then they used it to make fun of the virus researchers and shut down the VM they were using to investigate the virus?

That said, I assume BrotherCaine was making an ironic double entendre, like my comment about quitting coffee.
posted by b1tr0t at 3:03 PM on August 29, 2012


If the VM is on the Internet, why not?
posted by GallonOfAlan at 3:03 PM on August 29, 2012


I find it a little disturbing that when I use Chrome to access the 'check your computer here' page, it runs the little applet (or doesn't?) and then tells me my Java is old and would I like to update it?

There is another checker at www.isjavaexploitable.com that doesn't require you to load an applet.
posted by gemmy at 3:05 PM on August 29, 2012 [2 favorites]


urbanwhaleshark: It worried me that security exploits and Trident were being mentioned in the same sentence

Wait - now my coffee-flavored sugarless gum is infected?? I'm so confused.
posted by Greg_Ace at 3:08 PM on August 29, 2012


How to disable Java in Firefox.
posted by b1tr0t at 3:08 PM on August 29, 2012


"At the top of the Firefox window, click on the Firefox button (Tools menu in Windows XP), and then click Add-onsOn the menu bar, click on the Tools menu, and then click Add-onsAt the top of the Firefox window, click on the Tools menu, and then click Add-ons. The Add-ons Manager tab will openAt the top of the Firefox window, click on the Tools menu, and select Add-onsOn the menu bar, click on the Tools menu, and select Add-onsAt the top of the Firefox window, click on the Tools menu, and select Add-ons."

Whoa, that's way too complicated way too complicated way too complicated for me! And it's way too complicated.
posted by Greg_Ace at 3:14 PM on August 29, 2012 [1 favorite]


Will Spy_sweeper protect against this?
posted by Skygazer at 3:16 PM on August 29, 2012


Will turning my computer on and off, fix this??
posted by Skygazer at 3:16 PM on August 29, 2012 [1 favorite]


There is another checker at www.isjavaexploitable.com that doesn't require you to load an applet.


Ha! I totally expected that to be one of them jokey single-serving sites that always just said "YES" in large sans-serif.
posted by juv3nal at 3:17 PM on August 29, 2012 [2 favorites]


you'll want to at least disable Java in your Web browser

Again?

I've been using computers for 27 years. I don't think I ever could have imagined how awesome using computers would be today, nor would I have imagined how lame it could be.
posted by grouse at 3:21 PM on August 29, 2012 [4 favorites]


Yay Oracle
posted by mattoxic at 3:25 PM on August 29, 2012


I think CS6 made me install Java. I guess I'll check which version when I get to the office.

Computers are fun.
posted by dumbland at 3:32 PM on August 29, 2012


How do I disconnect my computer's Java from it's Script??

Should I run a disk defragmentation?

How do I make coffee with my JAVA program?

posted by Skygazer at 3:32 PM on August 29, 2012


Will turning my computer on and off, fix this??

It couldn't hurt.
posted by drezdn at 3:35 PM on August 29, 2012 [1 favorite]


My employer's time reporting application that only works in MSIE. sigh.

Man, that is the intersection of suck in that Venn diagram.
posted by me & my monkey at 3:37 PM on August 29, 2012 [1 favorite]


How do I make coffee with my JAVA program?

Sift, wash and roast beans plucked from the poop of an Oracle executive.
posted by urbanwhaleshark at 3:43 PM on August 29, 2012 [3 favorites]


It looks like VMs aren't necessarily secure.

That article describes malware that infects client VMs from the host; the inverse (breaking out of the VM to infect the host) doesn't seem to be a real threat at the moment.
posted by Pyry at 3:51 PM on August 29, 2012


The thing I like about developing in Java is all the objects it creates. Some people think it is too verbose, but actually, this unleashes the power of object oriented programming!

Java really is a strange language now. It's still dominated by some of its goals, like type safety, which has led to things like the grotesque implementation of generics that they had to do. But then there is this huge use of annotations and reflection and programming by configuration and convention in frameworks, all of which more or less discards primary OOP goals like encapsulation.
posted by thelonius at 4:11 PM on August 29, 2012 [2 favorites]


I think the only things I've consistently used Java for have been 1) a SCORM 1.2 LMS emulator (no longer needed now that we have SCORMCloud) and 2) the Glass Engine (which I miss, but hey, there's always YouTube).
posted by maudlin at 4:25 PM on August 29, 2012


From inside one?

That's some serious Inception shit there. Infecting base reality from inside a dream.
posted by Kevin Street at 4:26 PM on August 29, 2012


Ars Technica reports that Oracle has known of the vulnerabilities for 4 months now. Still no fix?
posted by Llama-Lime at 4:33 PM on August 29, 2012


Wow, from the IDG report Ars references:
Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day -- unpatched -- vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said Wednesday via email.

The company continued to report Java 7 vulnerabilities to Oracle in the following months until the total number reached 29. "We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs," Gowdiak said.

(long snip)

According to a status report received on Aug. 23 from Oracle, the company was planning to fix the two vulnerabilities in its October Critical Patch Update (CPU), together with 17 other Java 7 flaws reported by Security Explorations, Gowdiak said.

Oracle releases security patches every four months. The last Java CPU was released in June and only addressed 3 of the security issues reported by the Polish security firm.

"Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don't know why Oracle left so many serious bugs for the Oct. CPU," Gowdiak said.

Security Explorations is not aware of any changes in Oracle's patching plans at this time, Gowdiak said. "But, we hope they will stand up to the task and release a Java CPU fixing the security issues as soon as possible."

So they've accumulated 19 separate full Java compromises, but they weren't planning on patching them until October.

Oracle: where software goes to die. Don't think I'm going to be running it anymore.
posted by Malor at 4:59 PM on August 29, 2012 [2 favorites]


Sorry, I misread slightly: 19 reported bugs, 16 of which were full sandbox compromises.
posted by Malor at 5:01 PM on August 29, 2012


I forget, why the hell did Oracle buy Sun anyway? Other than getting a halfway decent patent library for a relatively cheap price it doesn't really seem like Oracle wants anything to do with about 99% of Sun's product lines.
posted by vuron at 5:06 PM on August 29, 2012 [1 favorite]


Malor, that second paragraph says the total reached 29.
posted by urbanwhaleshark at 5:13 PM on August 29, 2012


Firefox and chrome update automatically. Why doesn't Java? Why does it keep annoying you and demanding you update, rather than just doing it? If you're a developer, you can have as many JVMs installed as you want, if you're worried about updates breaking your code.

Exploits are discovered in chrome/firefox/safari every so often, but it's rarely a problem if you

if vulnerable, you'll want to at least disable Java in your Web browser, if not remove it altogether. On Firefox, NoScript will provide a little protection, by not running Java code unless you click it, but the vulnerability remains.

Uh... you do understand the difference between Java and Javascript, right? NoScript kills javascript, not Java. Firefox disables Java when there's a security problem, and Chrome always asks if you want to run it by default. In either of those two browsers, you should be safe without needing to do anything.

I forget, why the hell did Oracle buy Sun anyway? Other than getting a halfway decent patent library for a relatively cheap price it doesn't really seem like Oracle wants anything to do with about 99% of Sun's product lines.

Java is huge on the server side, and this doesn't really affect that at all (since servers generally don't download and run untrusted code). In fact, along with C++ it's one of the most popular languages for writing custom code. It's also used frequently for desktop software (like minecraft). Also, most of Android is written in the Java language (although with a totally different runtime).

Java applets are a tiny, tiny fragment of the use of Java.

It's too bad, though, that Oracle is doing a lot to hurt Java as a language. Suing Google over Android was a big example. Android was probably one of the best things to promote the use of Java, but, Oracle was basically trying to kill it.
posted by delmoi at 5:43 PM on August 29, 2012 [1 favorite]



Java really is a strange language now. It's still dominated by some of its goals, like type safety, which has led to things like the grotesque implementation of generics that they had to do.

Type safety is the whole point of having Generics. The problem with Java's generics is that they wanted the code to be backwards compatible. So a List<String> needs to have the same function signature as a List object created in pre-JDK 1.5 code.

So what they did, is when you run the code, the generic signature is 'erased' (read, simply not included) and you have no way of knowing what the generic parameters were at runtime. What this means in practice is that if you want to know the generic type you're using, you have to store it yourself, which is a pain.

The old 'raw' collection types were actually not typesafe at all, you had to cast and it was possible to make a mistake in your code that wouldn't be caught by the compiler.

But anyway, at compile time, they are typesafe, just like C#, C++, and most new languages.
posted by delmoi at 5:48 PM on August 29, 2012 [2 favorites]
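As an added illustration of the erasure delmoi describes (example code written for this page, not from the thread or from any Java project), the block below shows that List<String> and List<Integer> are one class at runtime, how a raw view lets a wrong element in so the cast only fails at the read site, and the store-the-Class-token-yourself workaround; TypedBox is a hypothetical helper.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not from the thread): what type erasure means in practice.
public class ErasureDemo {

    // At runtime List<String> and List<Integer> are the same class: the
    // type arguments were erased by the compiler and are not recoverable.
    static boolean sameRuntimeClass() {
        List<String> strings = new ArrayList<>();
        List<Integer> ints = new ArrayList<>();
        return strings.getClass() == ints.getClass();   // true
    }

    // Because of erasure, a container that needs its element type at runtime
    // must be handed a Class token and keep it itself (hypothetical helper).
    static final class TypedBox<T> {
        private final Class<T> type;   // stored explicitly; T alone is gone at runtime
        private T value;

        TypedBox(Class<T> type) { this.type = type; }

        // Defensive check: reject anything that is not really a T, even if the
        // caller smuggled it in through a raw or unchecked reference.
        void set(Object candidate) {
            value = type.cast(candidate);   // throws ClassCastException right here
        }
        T get() { return value; }
        Class<T> type() { return type; }
    }

    // Pre-1.5 "raw" use: the compiler only warns, the bad element is accepted,
    // and the ClassCastException surfaces later at the read site, far from
    // the line that caused it.
    @SuppressWarnings({"unchecked", "rawtypes"})
    static String rawTypeFailsLate() {
        List<String> strings = new ArrayList<>();
        List raw = strings;            // raw view of the same object: no type check
        raw.add(Integer.valueOf(42));  // accepted at runtime
        try {
            String s = strings.get(0); // compiler-inserted cast to String fails here
            return s;
        } catch (ClassCastException e) {
            return "ClassCastException at read site";
        }
    }

    public static void main(String[] args) {
        System.out.println("same runtime class: " + sameRuntimeClass());
        System.out.println(rawTypeFailsLate());

        TypedBox<String> box = new TypedBox<>(String.class);
        box.set("ok");
        System.out.println("box holds a " + box.type().getSimpleName() + ": " + box.get());
        try {
            box.set(42);  // caught immediately thanks to the stored Class token
        } catch (ClassCastException e) {
            System.out.println("rejected at write site: " + e.getMessage());
        }
    }
}
```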


Uh... you do understand the difference between Java and Javascript, right? NoScript kills javascript, not Java.

Yes, delmoi, I understand the difference between Java and Javascript.

NoScript will present Java apps as a clickable target, without running them, unless you enable a given site. And I think, even after enabling a site for Javascript, running an actual Java app might need another click. I can't easily verify that, however, because I've uninstalled Java.
posted by Malor at 5:50 PM on August 29, 2012


It looks like VMs aren't necessarily secure. (Not necessarily a bad idea, mind you, but not unbreakable)

Anything scriptable is exploitable. In fact, if you can find a buffer overflow or something you don't even need scripting. Pretty much everything has been exploited at one point or another.
posted by delmoi at 5:51 PM on August 29, 2012


Bugs sometimes take a long time to fix. It isn't like the magic patch fairy appears the moment a zero day exploit shows up and hands out an update.
posted by humanfont at 7:57 PM on August 29, 2012


I love it when they make the link under the word 'here'
This may be due to my lack of understanding of the word 'love'
posted by epjr at 8:12 PM on August 29, 2012


It isn't like the magic patch fairy appears the moment a zero day exploit shows up and hands out an update.

Actually, with open source projects that fairy is going to be one of your users, and it may take more than a day, but it very rarely takes more than a week. Slowness to patch exploits is one of the tradeoffs you have to live with when you don't use open source software.
posted by idiopath at 8:38 PM on August 29, 2012


the inverse (breaking out of the VM to infect the host) doesn't seem to be a real threat at the moment

It's been done; this SYSRET exploit is pretty recent, but I have a vague memory of some other technique (possibly purely theoretical) for breaking out of a domU a couple of years ago.

But VM hosts, being essentially microkernels, have a smaller "attack surface" than macrokernels, which have a smaller surface than a Java environment.

I forget, why the hell did Oracle buy Sun anyway?

I always assumed (as an outsider to such things) that it was in order to get a vertical kinda thing going on with their enterprisey Oracle database and the enterprisey Sun hardware that people tended to run it on. All the other Sun stuff, like Java and ZFS and MySQL and OpenOffice, just came along to be squeezed dry and then discarded.
posted by hattifattener at 1:01 AM on August 30, 2012 [3 favorites]


Well, they certainly seem to be succeeding with that part of the deal (squeeze dry and discard), hattifattener, whether that was the original intention or not. :/
posted by Malor at 5:50 AM on August 30, 2012


I didn't realize a company could be worse than Adobe when it came to patching security problems in widely deployed client software. It's time to remove Java entirely from browsers.
posted by Nelson at 7:31 AM on August 30, 2012


Some of us do need java applets: A lot of chemistry sites use it for drawing molecules that you can then search (Sigma-Aldrich, Scifinder). Luckily I'm not in any classes that need it right now, but it IS a tool that some people need on a regular basis.
posted by Canageek at 8:19 AM on August 30, 2012


Oracle knew about this and sat on it? Just when my opinion of them couldn't get much worse.
posted by Artw at 8:32 AM on August 30, 2012


Oh, delmoi, I took the time to look it up today, and NoScript explicitly blocks Java, Flash, and Silverlight directly, and then has a separate setting for 'all other plugins'. All four are blocked by default.

I'm still not sure, though, if allowing a site to run Javascript also allows it to run Java. I'm pretty sure that needs an additional click, but I can't test it.
posted by Malor at 8:35 AM on August 30, 2012


Artw: and not just these two vulnerabilities, either -- they've accumulated a total of 16 sandbox-breaking Java bugs between April 2 and now, although we don't know when in that window the additional bugs were reported.

So at least two of them were on their doorstep on April 2, and by the end of August, they couldn't be bothered to fix them.

Oracle has to be one of the very worst companies in technology.
posted by Malor at 8:40 AM on August 30, 2012 [2 favorites]



I'm still not sure, though, if allowing a site to run Javascript also allows it to run Java.

No, it does not. Other than the name, Javascript has NOTHING to do with Java. It was developed independently at Netscape, and it was originally going to be called "LiveScript", but when Sun wanted to put out Java, they decided to do some "co-branding". They don't share any code or work together in any way. You don't need anything relating to Java on your system at all to run Javascript.
posted by delmoi at 10:31 AM on August 30, 2012


Oracle issued patches today, according to F-Secure.

Oracle Security Alert for CVE-2012-4681
posted by gemmy at 11:38 AM on August 30, 2012


Java Installed: No

I actually had to go to this website to find that out. Why do we need Java again?
posted by cman at 12:41 PM on August 30, 2012


I wanted to call this a zero-day exploit, but that's not really true anymore; it's at least a day-two or day-three

I'm not a hundred per cent certain on this, as it's not my field, but I think that in the context of security holes, "zero-day" means that the vulnerability still exists in the latest version of the software. This is as compared to most vulnerabilities that get exploited in the real world, which depend on people being kind of lazy about updating their software.

I'm not entirely certain how "zero-day" came to be the term for it. It may come from counting how long out-of-date the software needs to be for the exploit to work; that is, how long ago a fix became available.
posted by reprise the theme song and roll the credits at 12:41 PM on August 30, 2012 [1 favorite]


Why do we need Java again? -- Well, for one, Minecraft runs on it.
posted by crunchland at 12:55 PM on August 30, 2012


Oracle released a fix today.
posted by smackfu at 2:54 PM on August 30, 2012


delmoi: No, it does not. Other than the name, Javascript has NOTHING to do with Java. It was developed independently at Netscape, and it was originally going to be called "LiveScript", but when Sun wanted to put out Java, they decided to do some "co-branding". They don't share any code or work together in any way. You don't need anything relating to Java on your system at all to run Javascript.

You know, I would really appreciate it if you would stop treating me like an idiot. YOU are the one getting this all wrong, not me. You're obviously not familiar with NoScript, and now you're lecturing me on irrelevant bullshit that I already know anyway.

NoScript stops both Javascript and Java. They are different, but the program stops BOTH. I even told you this upthread, but you couldn't be fucking bothered to actually parse and understand it. The only thing I'm not sure about is whether, after enabling Javascript, if that enables Java too, or if you have to also make an extra click on a Java app to run it.

Pay goddamn attention when I'm talking about technical matters, because I'm good at this stuff. If you think I'm wrong about something that trivial and stupid, then I would suggest you back off and read it, whatever it is, again.
posted by Malor at 3:01 PM on August 30, 2012 [3 favorites]


Wait, why should we pay attention to goddamn when you are talking about technical matters? What is your relationship with goddamn? Is it professional, are you just friends, or are you a couple? I heard that goddamn was fucking insane. We await your goddamn explanation.
posted by humanfont at 5:15 PM on August 30, 2012 [3 favorites]


"They thought they could use browsers as a computing platform. BUAAAAHAHAHAHA."

- skynet
posted by jfuller at 5:29 AM on August 31, 2012


Critical bug in newest Java patch gives attackers complete control of PCs

Apparently the critical fix Oracle put out has a devastating vulnerability...which was discovered about three hours after release.
posted by whittaker at 1:04 PM on August 31, 2012 [1 favorite]


Why do we need Java again?

When there was the OS X Java scare earlier on this year, I fairly comprehensively managed to trash Java on my Macbook* - now Photoshop won't launch. Not a big problem, as I hardly use it on the Macbook, but nonetheless, it appears you need Java to run Photoshop.

*No, I don't really know what I'm doing.
posted by Grangousier at 1:47 PM on August 31, 2012


This is what happens when the corporate masters decide that a patch must go out immediately. Anyone who has ever run a software team has been in this exact situation. Amazingly this strategy works occasionally, and so then execs think it should always work.

Open source is sometimes harder because you get like 20 half tested proposed patches any of which might be the magic solution. Huge flame wars on IRC erupt during code review and before the right one is selected and put in trunk.
posted by humanfont at 4:02 PM on August 31, 2012 [2 favorites]




Critical bug in newest Java patch gives attackers complete control of PCs

This is frankly difficult to parody.
posted by jaduncan at 9:26 AM on September 3, 2012


I'm not entirely certain how "zero-day" came to be the term for it. It may come from counting how long out-of-date the software needs to be for the exploit to work; that is, how long ago a fix became available.

Correct. It's "days since patch". A zero-day is something with no known patch.
posted by jaduncan at 9:27 AM on September 3, 2012


Fully patched Java 6 may have an unknown remote hole, as well.

Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you'll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact its revenge.

Oh shit, it's alive.
posted by homunculus at 10:47 AM on September 3, 2012


I wonder if it is in the parts of Java Google took for Android.
posted by humanfont at 4:30 PM on September 3, 2012


I wonder if it is in the parts of Java Google took for Android.

No, it won't be affected. Android isn't really a Java VM so much as a separate VM that accepts Javaish code as an input before conversion to an entirely different (it's register based and has a completely different instruction set, to start with) set of backend functions. It's thus hard to envision a likely attack on the VM which could work across both platforms due to the differing architectures and security flaws.
posted by jaduncan at 7:06 PM on September 3, 2012






