Oracle Java 7 vulnerable [unsolved]

Oracle Java 7 vulnerable [unsolved]

Post by oobetimer »

National Cyber Awareness System

US-CERT Alert TA12-240A
Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: August 27, 2012
Last revised: --

Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including:

* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)

Web browsers using the Java 7 Plug-in are at high risk.

Overview

A vulnerability in the way Java 7 restricts the permissions of Java
applets could allow an attacker to execute arbitrary commands on a
vulnerable system.

Description

A vulnerability in the Java Security Manager allows a Java applet
to grant itself permission to execute arbitrary operating system
commands. An attacker could use social engineering techniques to
entice a user to visit a link to a web site hosting a malicious
applet.

Any web browser using the Java 7 Plug-in is affected.

Reports indicate this vulnerability is being actively exploited,
and exploit code is publicly available.

Impact

By convincing a user to load a malicious Java applet, an attacker
could execute arbitrary operating system commands on a vulnerable
system with the privileges of the Java Plug-in process.

Solution

Disable the Java Plug-in
http://seclists.org/cert/2012/91

A better solution: use OpenJDK Java or Oracle Java 6 .. :wink:

http://forums.linuxmint.com/viewtopic.p ... va#p610313
Re: Oracle Java 7 vulnerable

Post by xenopeek »

More likely to be seen by more here, and it isn't a support request.

To summarize the above, if you are using Oracle Java 7 (not OpenJDK 7), you should disable the Java plugin in your web browser. To do so on Firefox, go to Tools > Add-ons, then Plugins.

On a default installation of Linux Mint 13 you would be using OpenJDK 6 and the IcedTea plugin. Unless you manually installed Oracle Java 7, you are not at risk.
Re: Oracle Java 7 vulnerable

Post by GeneC »

I just did a little casual research and mostly found the threat to Macs and Firefox
http://reviews.cnet.com/8301-13727_7-57 ... fect-macs/
....Mac systems with the Java 7 runtime are vulnerable. While there are no known attempts to use this vulnerability to specifically target Mac users, the exploit has been successfully triggered in both Safari and Firefox on Macs running Mountain Lion. Furthermore, the means to exploit this malware have been found distributed in underground malware development kits, making it easier for the exploit to be developed into malware by those wishing to target Mac users....
BUT...here

http://nakedsecurity.sophos.com/2012/08 ... -wildfire/
Early reports suggested that Google Chrome was immune to the problem, but that appears to have been a bug in the attacker's code. The Metasploit project released proof of concept code that exploits the flaw on all browsers and operating systems (Windows, OS X, Linux).

If you want to check what version of Java you are running, from a terminal run:

java -version
Re: Oracle Java 7 vulnerable

Post by oobetimer »

You can test your Java version here also: http://javatester.org/
Re: Oracle Java 7 vulnerable

Post by GeneC »

Thanks oobetimer, :D
Nice find on the Java vulnerability.
I HAD updated to Oracle Java 7 on all 4 of my installs.
Back to JDK 6 until they fix Oracle... :?
Re: Oracle Java 7 vulnerable

Post by oobetimer »

The Finnish Communications Regulatory Authority has recommended removing the Java software from the PC due to the Java security risk
http://translate.google.fi/translate?sl ... %2F6274353
Re: Oracle Java 7 vulnerable

Post by oobetimer »

IcedTea plugin prevents the malicious code in OpenJDK Java.
Code execution was confirmed with the latest Oracle and IBM Java 7 web browser plugin. IcedTea-Web using OpenJDK7 blocks this exploit by not allowing the applet to change the SecurityManager (which is allowed in the Oracle and IBM Java plugin).

Java 6 is currently not known to be affected.
https://bugzilla.redhat.com/show_bug.cg ... &id=852051
Re: Oracle Java 7 vulnerable

Post by marko_s »

Ahh, so it's Java7, not Java6...? *phew* :o :)

On my system I get this when I run "java -version" in the Terminal:

java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.3) (6b24-1.11.3-1ubuntu0.12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

So this should be ok, right?

In the case you want to disable Java/IcedTea plugin in Firefox and/or Chrome:

Firefox

Add-ons -> Extensions -> IcedTea-Web Plugin (enable/disable)

Chrome

Settings -> Show Advanced Settings -> Privacy Section -> Content Settings -> Plugins -> Disable plugins individually... -> IcedTea
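An added example, not code from the thread: a small shell helper that applies the rule the posts above arrive at (Oracle or IBM Java 7 plug-in is affected; OpenJDK/IcedTea and any Java 6 are not) to the text that `java -version` prints, so the check can be scripted across several installs. The first sample is the output marko_s posted; the Oracle JRE 7 sample and its build numbers are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify `java -version` output using
# the thread's own rule. `java -version` prints on stderr, so call it as:
#   classify_java "$(java -version 2>&1)"
classify_java() {
    out=$1
    # major.minor from the banner line, e.g. `java version "1.7.0_06"` -> 1.7
    ver=$(printf '%s\n' "$out" | sed -n 's/^java version "\([0-9]*\.[0-9]*\)[^"]*".*/\1/p' | head -n 1)
    case "$out" in
        *OpenJDK*|*IcedTea*)     vendor=openjdk ;;
        *"Java(TM)"*|*HotSpot*)  vendor=oracle ;;
        *IBM*)                   vendor=ibm ;;
        *)                       vendor=unknown ;;
    esac
    if [ -z "$ver" ]; then
        echo "unknown"          # not a java -version banner at all
    elif [ "$vendor" = openjdk ]; then
        echo "not-affected"     # IcedTea-Web refuses the SecurityManager change
    elif [ "$ver" = 1.7 ] && { [ "$vendor" = oracle ] || [ "$vendor" = ibm ]; }; then
        echo "affected"         # disable the browser plug-in until patched
    elif [ "$ver" = 1.6 ]; then
        echo "not-affected"     # Java 6 is not known to be affected
    else
        echo "unknown"
    fi
}

# Constructed samples: the first is what marko_s posted, the second is what an
# Oracle JRE 7 of that period prints (build numbers constructed for this example).
OPENJDK6_SAMPLE='java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.3) (6b24-1.11.3-1ubuntu0.12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)'
ORACLE7_SAMPLE='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)'

classify_java "$OPENJDK6_SAMPLE"   # not-affected
classify_java "$ORACLE7_SAMPLE"    # affected
```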
Re: Oracle Java 7 vulnerable

Post by xenopeek »

It's only Oracle Java 7 that is vulnerable. So yes, the 1.6 version (aka Java 6) of OpenJDK is twice not vulnerable :wink:
Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Post by Walhalm »

Hi:

A patch that fixes the problem was recently published here:

http://java.com/en/download/manual.jsp

I have been unable to perform the manual install, however. Do you think this patch will be eventually available from the repository?

In the meantime, does anyone know whether I should use the Linux RPM patch to update Java in Linux Mint 12 (KDE)?
I used the other one and I was unable to install the patch :( . I think I followed the instructions correctly, though.

Best wishes.
Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Post by xenopeek »

The RPM is for RedHat based distros. Though you can use that on Debian based distros with alien, it is NOT recommended!!! Try the tar.gz file instead.

This patch will not be available in the repository, unless you have added a repository to install Oracle Java 7 from. The default repositories have OpenJDK Java 6 and 7 (which is not vulnerable), not Oracle Java 7 (as Oracle prohibits distribution of Oracle Java with operating systems).
Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Post by grizzler »

Unfortunately, the patch doesn't really fix things: http://www.ghacks.net/2012/09/02/warnin ... ter-patch/
Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Post by /dev/urandom »

The solution is simple: Uninstall Java. Problem solved.

In case you wonder why, ask yourself what you need Java for.
If you can't answer it, you don't need it.

Java has been having critical security issues for ages.
Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Post by xenopeek »

That is a bit dramatic. The vulnerability is only for Oracle Java 7 in your browser, so just disable Oracle Java 7 in your browser. To a lesser extent /dev/urandom has a point there, because do you actually need Java in your browser? If you do, switch to OpenJDK and IcedTea and be rid of the vulnerability also.
Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Post by /dev/urandom »

What makes you think OpenJDK and IcedTea are not vulnerable?

And I can't see a reason to keep Java on your system unless you actually use Java applications at all.
Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Post by xenopeek »

LXmed and Minecraft run fine with OpenJDK, and I don't use Java in my browser :mrgreen:
Re: Oracle Java 7 vulnerable [Problem fixed by Oracle]

Post by /dev/urandom »

See, you are a person who needs Java, and you can tell why. :D
That's what I meant.
Re: Oracle Java 7 vulnerable [unsolved]

Post by oobetimer »

/dev/urandom wrote: See, you are a person who needs Java, and you can tell why. :D That's what I meant.
Some Banks and shops are using Java (Danske Bank, etc ..)
Re: Oracle Java 7 vulnerable [unsolved]

Post by oobetimer »

Fixed and still broken .. :(

https://www.infoworld.com/d/security/re ... ase-201472
August 31, 2012
Researchers find critical vulnerability in Java 7 patch hours after its release
Re: Oracle Java 7 vulnerable [unsolved]

Post by caerolle »

Unfortunately, Amazon Cloud Player uses Java.