Oracle Java 7 vulnerable [unsolved]

Posted: Tue Aug 28, 2012 12:50 pm
by oobetimer
National Cyber Awareness System

US-CERT Alert TA12-240A
Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: August 27, 2012
Last revised: --

Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including:

* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)

Web browsers using the Java 7 Plug-in are at high risk.

Overview

A vulnerability in the way Java 7 restricts the permissions of Java
applets could allow an attacker to execute arbitrary commands on a
vulnerable system.

Description

A vulnerability in the Java Security Manager allows a Java applet
to grant itself permission to execute arbitrary operating system
commands. An attacker could use social engineering techniques to
entice a user to visit a link to a web site hosting a malicious
applet.

Any web browser using the Java 7 Plug-in is affected.

Reports indicate this vulnerability is being actively exploited,
and exploit code is publicly available.

Impact

By convincing a user to load a malicious Java applet, an attacker
could execute arbitrary operating system commands on a vulnerable
system with the privileges of the Java Plug-in process.

Solution

Disable the Java Plug-in
http://seclists.org/cert/2012/91

A better solution: use OpenJDK Java or Oracle Java 6 .. :wink:

http://forums.linuxmint.com/viewtopic.p ... va#p610313

Re: Oracle Java 7 vulnerable

Posted: Tue Aug 28, 2012 1:02 pm
by xenopeek
More likely to be seen by more here, and it isn't a support request.

To summarize the above, if you are using Oracle Java 7 (not OpenJDK 7), you should disable the Java plugin in your web browser. To do so on Firefox, go to Tools > Add-ons, then Plugins.

On a default installation of Linux Mint 13 you would be using OpenJDK 6 and the IcedTea plugin. Unless you manually installed Oracle Java 7, you are not at risk.

Re: Oracle Java 7 vulnerable

Posted: Tue Aug 28, 2012 2:11 pm
by GeneC
I just did a little casual research and mostly found the threat to Macs and Firefox
http://reviews.cnet.com/8301-13727_7-57 ... fect-macs/
....Mac systems with the Java 7 runtime are vulnerable. While there are no known attempts to use this vulnerability to specifically target Mac users, the exploit has been successfully triggered in both Safari and Firefox on Macs running Mountain Lion. Furthermore, the means to exploit this malware have been found distributed in underground malware development kits, making it easier for the exploit to be developed into malware by those wishing to target Mac users....
BUT...here

http://nakedsecurity.sophos.com/2012/08 ... -wildfire/
Early reports suggested that Google Chrome was immune to the problem, but that appears to have been a bug in the attacker's code. The Metasploit project released proof of concept code that exploits the flaw on all browsers and operating systems (Windows, OS X, Linux).
If you want to check what version of Java you are running, run this from a terminal:

java -version

Re: Oracle Java 7 vulnerable

Posted: Tue Aug 28, 2012 2:30 pm
by oobetimer
You can test your Java version here also: http://javatester.org/

Re: Oracle Java 7 vulnerable

Posted: Tue Aug 28, 2012 3:01 pm
by GeneC
Thanks oobetimer, :D
Nice find on the Java vulnerability..
I HAD updated to Oracle Java 7 on all 4 of my installs.
Back to JDK 6 until they fix Oracle... :?

Re: Oracle Java 7 vulnerable

Posted: Wed Aug 29, 2012 3:05 pm
by oobetimer
The Finnish Communications Regulatory Authority has recommended removing the Java software from PCs due to the Java security risk
http://translate.google.fi/translate?sl ... %2F6274353

Re: Oracle Java 7 vulnerable

Posted: Thu Aug 30, 2012 4:43 am
by oobetimer
The IcedTea plugin prevents the malicious code from running in OpenJDK Java.
Code execution was confirmed with the latest Oracle and IBM Java 7 web browser plugin. IcedTea-Web using OpenJDK7 blocks this exploit by not allowing the applet to change the SecurityManager (which is allowed in the Oracle and IBM Java plugin).

Java 6 is currently not known to be affected.
https://bugzilla.redhat.com/show_bug.cg ... &id=852051

Re: Oracle Java 7 vulnerable

Posted: Thu Aug 30, 2012 6:10 am
by marko_s
Ahh, so it's Java7, not Java6...? *phew* :o :)

On my system I get this when I run "java -version" in the Terminal:

java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.3) (6b24-1.11.3-1ubuntu0.12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

So this should be ok, right?

In the case you want to disable Java/IcedTea plugin in Firefox and/or Chrome:

Firefox

Add-ons -> Extensions -> IcedTea-Web Plugin (enable/disable)

Chrome

Settings -> Show Advanced Settings -> Privacy Section -> Content Settings -> Plugins -> Disable plugins individually... -> IcedTea

Re: Oracle Java 7 vulnerable

Posted: Thu Aug 30, 2012 6:21 am
by xenopeek
It's only Oracle Java 7 that is vulnerable. So yes, the 1.6 version (aka Java 6) of OpenJDK is twice not vulnerable :wink:
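The posts above boil down to one triage rule: read the `java -version` banner, and the system is affected only if it is the Oracle (or IBM) Java 7 plugin, while OpenJDK/IcedTea and any Java 6 are reported as not affected. The script below is an added example, not from the thread or from Oracle or the OpenJDK project, that encodes exactly those rules as a shell function. It assumes nothing beyond a POSIX shell with sed and grep; the first sample banner is the OpenJDK 6 output marko_s posted, the second is a constructed Oracle Java 7 banner whose build numbers are illustrative.

```shell
#!/bin/sh
# Added example: triage a `java -version` banner against what this thread
# reports for US-CERT TA12-240A. Note that `java -version` writes to
# stderr, so callers pass "$(java -version 2>&1)".
#
# Rules as stated in the thread at the time:
#   - Oracle (HotSpot) or IBM Java 7 browser plugin: AFFECTED
#   - OpenJDK with IcedTea-Web: NOT_AFFECTED (IcedTea-Web blocks the
#     SecurityManager change, per the Red Hat note quoted above)
#   - Java 6 of any vendor: NOT_AFFECTED (not known to be affected)
#   - anything else: UNKNOWN (not covered by the advisory)

classify_java_version() {
    banner="$1"
    # First line looks like: java version "1.7.0_06" (or: openjdk version "...")
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        "")   echo UNKNOWN; return 0 ;;
        1.7*) major=7 ;;
        1.6*) major=6 ;;
        *)    major=other ;;
    esac

    # Vendor: the OpenJDK banners name themselves; Oracle HotSpot and IBM J9 do not.
    if printf '%s\n' "$banner" | grep -q 'OpenJDK'; then
        vendor=openjdk
    else
        vendor=proprietary
    fi

    if [ "$vendor" = openjdk ]; then
        echo NOT_AFFECTED
    elif [ "$major" = 7 ]; then
        echo AFFECTED        # disable the browser plugin, as the advisory says
    elif [ "$major" = 6 ]; then
        echo NOT_AFFECTED
    else
        echo UNKNOWN
    fi
}

# Sample banner 1: the OpenJDK 6 output posted in the thread.
OPENJDK6_BANNER='java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.3) (6b24-1.11.3-1ubuntu0.12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)'

# Sample banner 2: a constructed Oracle Java 7 banner (build numbers illustrative).
ORACLE7_BANNER='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)'

# Classify this host if a java binary is present, then the two samples.
if command -v java >/dev/null 2>&1; then
    printf 'this host:        %s\n' "$(classify_java_version "$(java -version 2>&1)")"
fi
printf 'sample OpenJDK 6: %s\n' "$(classify_java_version "$OPENJDK6_BANNER")"
printf 'sample Oracle 7:  %s\n' "$(classify_java_version "$ORACLE7_BANNER")"
```

Run it with `sh classify-java.sh` on each machine; an AFFECTED result means the thread's advice applies (disable the Java plugin in the browser, or switch to OpenJDK/IcedTea), while UNKNOWN only means the banner is not one the advisory describes, not that the install is safe.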

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Posted: Sun Sep 02, 2012 1:24 pm
by Walhalm
Hi:

A patch that fixes the problem was recently published here:

http://java.com/en/download/manual.jsp

I have been unable to perform the manual install, however. Do you think this patch will be eventually available from the repository?

In the meantime, does anyone know whether I should use the Linux RPM patch to update Java in Linux Mint 12 (KDE)?
I used the other one and I was unable to install the patch :( . I think I followed the instructions correctly, though.

Best wishes.

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Posted: Sun Sep 02, 2012 1:26 pm
by xenopeek
The RPM is for RedHat based distros. Though you can use that on Debian based distros with alien, it is NOT recommended!!! Try the tar.gz file instead.

This patch will not be available in the repository, unless you have added a repository to install Oracle Java 7 from. The default repositories have OpenJDK Java 6 and 7 (which is not vulnerable), not Oracle Java 7 (as Oracle prohibits distribution of Oracle Java with operating systems).

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Posted: Sun Sep 02, 2012 1:43 pm
by grizzler
Unfortunately, the patch doesn't really fix things: http://www.ghacks.net/2012/09/02/warnin ... ter-patch/

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Posted: Sun Sep 02, 2012 2:53 pm
by /dev/urandom
The solution is simple: Uninstall Java. Problem solved.

In case you wonder why, ask yourself what you need Java for.
If you can't answer it, you don't need it.

Java has been having critical security issues for ages.

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Posted: Sun Sep 02, 2012 3:31 pm
by xenopeek
That is a bit dramatic. The vulnerability is only for Oracle Java 7 in your browser, so just disable Oracle Java 7 in your browser. To a lesser extent /dev/urandom has a point there, because do you actually need Java in your browser? If you do, switch to OpenJDK and IcedTea and be rid of the vulnerability also.

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Posted: Sun Sep 02, 2012 3:32 pm
by /dev/urandom
What makes you think OpenJDK and IcedTea are not vulnerable?

And I can't see a reason to keep Java on your system unless you actually use Java applications at all.

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Posted: Sun Sep 02, 2012 3:46 pm
by xenopeek
LXmed and Minecraft run fine with OpenJDK, and I don't use Java in my browser :mrgreen:

Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Posted: Sun Sep 02, 2012 3:48 pm
by /dev/urandom
See, you are a person who needs Java, and you can tell why. :D
That's what I meant.

Re: Oracle Java 7 vulnerable [unsolved]

Posted: Mon Sep 03, 2012 9:51 am
by oobetimer
/dev/urandom wrote:
> See, you are a person who needs Java, and you can tell why. :D
> That's what I meant.

Some banks and shops are using Java (Danske Bank, etc ..)

Re: Oracle Java 7 vulnerable [unsolved]

Posted: Mon Sep 03, 2012 9:53 am
by oobetimer
Fixed and still broken .. :(

https://www.infoworld.com/d/security/re ... ase-201472
August 31, 2012
Researchers find critical vulnerability in Java 7 patch hours after its release

Re: Oracle Java 7 vulnerable [unsolved]

Posted: Mon Sep 03, 2012 9:30 pm
by caerolle
Unfortunately, Amazon Cloud Player uses Java.