Oracle Java 7 vulnerable [unsolved]

Postby oobetimer on Tue Aug 28, 2012 12:50 pm

National Cyber Awareness System

US-CERT Alert TA12-240A
Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: August 27, 2012
Last revised: --

Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including:

* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)

Web browsers using the Java 7 Plug-in are at high risk.

Overview

A vulnerability in the way Java 7 restricts the permissions of Java
applets could allow an attacker to execute arbitrary commands on a
vulnerable system.

Description

A vulnerability in the Java Security Manager allows a Java applet
to grant itself permission to execute arbitrary operating system
commands. An attacker could use social engineering techniques to
entice a user to visit a link to a web site hosting a malicious
applet.

Any web browser using the Java 7 Plug-in is affected.

Reports indicate this vulnerability is being actively exploited,
and exploit code is publicly available.

Impact

By convincing a user to load a malicious Java applet, an attacker
could execute arbitrary operating system commands on a vulnerable
system with the privileges of the Java Plug-in process.

Solution

Disable the Java Plug-in

http://seclists.org/cert/2012/91

A better solution: use OpenJDK Java or Oracle Java 6 .. :wink:

viewtopic.php?f=47&t=108446&p=610313&hilit=java#p610313
Linux Mint is funded by ads and donations.
Re: Oracle Java 7 vulnerable

Postby xenopeek on Tue Aug 28, 2012 1:02 pm

More likely to be seen by more here, and it isn't a support request.

To summarize the above, if you are using Oracle Java 7 (not OpenJDK 7), you should disable the Java plugin in your web browser. To do so on Firefox, go to Tools > Add-ons, then Plugins.

On a default installation of Linux Mint 13 you would be using OpenJDK 6 and the IcedTea plugin. Unless you manually installed Oracle Java 7, you are not at risk.
Re: Oracle Java 7 vulnerable

Postby GeneC on Tue Aug 28, 2012 2:11 pm

I just did a little casual research and mostly found the threat to Macs and Firefox
http://reviews.cnet.com/8301-13727_7-57 ... fect-macs/

....Mac systems with the Java 7 runtime are vulnerable. While there are no known attempts to use this vulnerability to specifically target Mac users, the exploit has been successfully triggered in both Safari and Firefox on Macs running Mountain Lion. Furthermore, the means to exploit this malware have been found distributed in underground malware development kits, making it easier for the exploit to be developed into malware by those wishing to target Mac users....


BUT...here

http://nakedsecurity.sophos.com/2012/08 ... -wildfire/

Early reports suggested that Google Chrome was immune to the problem, but that appears to have been a bug in the attacker's code. The Metasploit project released proof of concept code that exploits the flaw on all browsers and operating systems (Windows, OS X, Linux).


If you want to check what version of Java you are running, from a terminal run:

Code:
java -version

Re: Oracle Java 7 vulnerable

Postby oobetimer on Tue Aug 28, 2012 2:30 pm

You can test your Java version here also: http://javatester.org/
Re: Oracle Java 7 vulnerable

Postby GeneC on Tue Aug 28, 2012 3:01 pm

Thanks oobetimer,,, :D
Nice find on the java vulnerability..
I HAD updated to Oracle Java 7 on all 4 of my installs.
Back to JDK 6 until they fix Oracle... :?
Re: Oracle Java 7 vulnerable

Postby oobetimer on Wed Aug 29, 2012 3:05 pm

The Finnish Communications Regulatory Authority has recommended removing the Java software from PCs due to the Java security risk.

http://translate.google.fi/translate?sl ... %2F6274353
Re: Oracle Java 7 vulnerable

Postby oobetimer on Thu Aug 30, 2012 4:43 am

The IcedTea plugin prevents the malicious code in OpenJDK Java.
Code execution was confirmed with the latest Oracle and IBM Java 7 web browser plugin. IcedTea-Web using OpenJDK7 blocks this exploit by not allowing the applet to change the SecurityManager (which is allowed in the Oracle and IBM Java plugin).

Java 6 is currently not known to be affected.

https://bugzilla.redhat.com/show_bug.cg ... &id=852051
Re: Oracle Java 7 vulnerable

Postby marko_s on Thu Aug 30, 2012 6:10 am

Ahh, so it's Java7, not Java6...? *phew* :o :)

On my system I get this when I run "java -version" in the Terminal:

Code:
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.3) (6b24-1.11.3-1ubuntu0.12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)


So this should be ok, right?

In the case you want to disable Java/IcedTea plugin in Firefox and/or Chrome:

Firefox

Add-ons -> Extensions -> IcedTea-Web Plugin (enable/disable)

Chrome

Settings -> Show Advanced Settings -> Privacy Section -> Content Settings -> Plugins -> Disable plugins individually... -> IcedTea

Re: Oracle Java 7 vulnerable

Postby xenopeek on Thu Aug 30, 2012 6:21 am

It's only Oracle Java 7 that is vulnerable. So yes, the 1.6 version (aka Java 6) of OpenJDK is twice not vulnerable :wink:
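The "am I affected?" test from the posts above (GeneC's `java -version` check and xenopeek's rule that only Oracle Java 7, not OpenJDK/IcedTea or Java 6, is at risk) as an added example, not code from the thread: it parses `java -version` output and flags a non-OpenJDK Java 7. The OpenJDK 6 sample is marko_s's output from this thread; the Oracle 7 sample is constructed in the shape Oracle's JDK prints.

```python
import re
import subprocess

# Sample 1: the `java -version` output marko_s posted in this thread (OpenJDK 6 + IcedTea).
OPENJDK6_OUTPUT = '''java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.3) (6b24-1.11.3-1ubuntu0.12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
'''
# Sample 2: constructed in the shape Oracle's JDK 7 prints (not taken from the thread).
ORACLE7_OUTPUT = '''java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)
'''
# First line is `java version "1.7.0_06"` (legacy 1.x scheme) or `openjdk version "11.0.2"`.
VERSION_RE = re.compile(r'^(?:java|openjdk) version "(\d+)(?:\.(\d+))?', re.MULTILINE)

def classify(output):
    """Return (vendor, major): vendor in openjdk/oracle/ibm/unknown, major the
    platform version (1.6.x -> 6, 1.7.x -> 7, 11.0.2 -> 11), None if unparsable."""
    m = VERSION_RE.search(output)
    if not m:
        return ('unknown', None)
    major = int(m.group(2)) if m.group(1) == '1' and m.group(2) else int(m.group(1))
    low = output.lower()
    if 'openjdk' in low or 'icedtea' in low:
        vendor = 'openjdk'
    elif 'ibm' in low:
        vendor = 'ibm'
    elif 'java(tm)' in low or 'hotspot(tm)' in low:
        vendor = 'oracle'
    else:
        vendor = 'unknown'
    return (vendor, major)

def at_risk(output):
    """True when TA12-240A applies: Java 7 that is not OpenJDK/IcedTea (Oracle and
    IBM confirmed in the thread; an unidentified Java 7 is treated as affected)."""
    vendor, major = classify(output)
    return major == 7 and vendor != 'openjdk'

def installed_java_output():
    """Run `java -version` (it writes to stderr); '' if no java binary is on PATH."""
    try:
        p = subprocess.run(['java', '-version'], capture_output=True, text=True)
    except FileNotFoundError:
        return ''
    return p.stderr + p.stdout

if __name__ == '__main__':
    print('Affected by TA12-240A:', at_risk(installed_java_output()))
```

This only inspects the command-line `java`; the browser plugin may come from a different install, so check the plugin list in the browser as well.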

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Postby Walhalm on Sun Sep 02, 2012 1:24 pm

Hi:

A patch that fixes the problem was recently published here:

http://java.com/en/download/manual.jsp

I have been unable to perform the manual install, however. Do you think this patch will be eventually available from the repository?

In the meantime, does anyone know whether I should use the Linux RPM patch to update Java in Linux Mint 12 (KDE)?
I used the other one and I was unable to install the patch :( . I think I followed the instructions correctly, though.

Best wishes.

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Postby xenopeek on Sun Sep 02, 2012 1:26 pm

The RPM is for RedHat based distros. Though you can use that on Debian based distros with alien, it is NOT recommended!!! Try the tar.gz file instead.

This patch will not be available in the repository, unless you have added a repository to install Oracle Java 7 from. The default repositories have OpenJDK Java 6 and 7 (which is not vulnerable), not Oracle Java 7 (as Oracle prohibits distribution of Oracle Java with operating systems).

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Postby grizzler on Sun Sep 02, 2012 1:43 pm

Unfortunately, the patch doesn't really fix things: http://www.ghacks.net/2012/09/02/warnin ... ter-patch/

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Postby /dev/urandom on Sun Sep 02, 2012 2:53 pm

The solution is simple: Uninstall Java. Problem solved.

In case you wonder why, ask yourself what you need Java for.
If you can't answer it, you don't need it.

Java has been having critical security issues for ages.

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Postby xenopeek on Sun Sep 02, 2012 3:31 pm

That is a bit dramatic. The vulnerability is only for Oracle Java 7 in your browser, so just disable Oracle Java 7 in your browser. To a lesser extent /dev/urandom has a point there, because do you actually need Java in your browser? If you do, switch to OpenJDK and IcedTea and be rid of the vulnerability also.

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Postby /dev/urandom on Sun Sep 02, 2012 3:32 pm

What makes you think OpenJDK and IcedTea are not vulnerable?

And I can't see a reason to keep Java on your system unless you actually use Java applications at all.

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Postby xenopeek on Sun Sep 02, 2012 3:46 pm

LXmed and Minecraft run fine with OpenJDK, and I don't use Java in my browser :mrgreen:

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Postby /dev/urandom on Sun Sep 02, 2012 3:48 pm

See, you are a person who needs Java, and you can tell why. :D
That's what I meant.

Re: Oracle Java 7 vulnerable [unsolved]

Postby oobetimer on Mon Sep 03, 2012 9:51 am

/dev/urandom wrote: See, you are a person who needs Java, and you can tell why. :D
That's what I meant.

Some banks and shops are using Java (Danske Bank, etc.)

Re: Oracle Java 7 vulnerable [unsolved]

Postby oobetimer on Mon Sep 03, 2012 9:53 am

Fixed and still broken .. :(

https://www.infoworld.com/d/security/re ... ase-201472

August 31, 2012
Researchers find critical vulnerability in Java 7 patch hours after its release

Re: Oracle Java 7 vulnerable [unsolved]

Postby caerolle on Mon Sep 03, 2012 9:30 pm

Unfortunately, Amazon Cloud Player uses Java.