Serious New Java Flaw Affects All Current Versions of Windows

http://threatpost.com/en_us/blogs/serious-new-java-flaw-affects-all-browsers-040910


​

 

Hi

I had a Java Update on my laptop today ... Failed!
So...
I tried to update again via the Java Console in Vista Control Panel ... Failed!
So...
I went to my desktop computer - & - Tried to update Java on that via the Java Console in Vista Control Panel ... Failed!

Each Time... I was told I needed elevation of privileges - or - Something!
Don't Know What To Think

Zeena

 

Interesting ... I just updated my SE6 RTE to U19 a couple of days ago, with no problems (I use the offline installer).

If you disable those two problem EXEs mentioned in the article, what will or won't still run properly? Or does Java become essentially a write-off in that case?

 

More information on this here. I have no further information at this
time.

 

Yet again I find myself glad for having dumped this plugin.

 

http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/

Till they patch the problem it looks like the best solution is to uninstall Java.

 

the thing that I don't understand is why the makers of Java aren't seeing it as something that needs an emergency patch. what are they waiting for a major infection to happen before they see it as a threat? seems to me anytime an exploit is found in any program it is time to get it patched. or at least work on one.

because a lot of websites require Java for one function or another. Java and flash are the two applications that are used the most almost everywhere.

 

Facebook photo uploader works on Java, also it doesn't work on Open JDK but needs Sun Java specifically.

 

Indeed, Java isn't in its grave yet. I run across it often. However, should it not be pretty much a non-issue if, say you're running something like Sandboxie? You can not only keep Java from running period, but, if you do allow it to run, whatever damage it attempts is gone when the sandbox is cleared, just like any other malware problem, correct? The same with something like Returnil? My guess would be if you only allow Java on trusted websites, it shouldn't be a problem. We do this with Flash and scripting as well, I don't see Java being different.

 

Can you list some sites? I've never had Java enabled and haven't run across any sites that require it.

----
rich

 

Facebook for sure uses it, Pogo.com (a web games site, I know that's not the kind of example you were hunting for, but there it is), CanURunIt?, which is a website that scans your system for minimum/recommended specs for gaming (IE uses Active-X here, Firefox and others use a java applet). That's what I can think of off the top of my head.

 

my ISP Used to have a speed test that went off of Java, another example if the national weather service video runs off of Java I berlieve. and I think speed test does as well now speak easy runs off of flash. a lot of times it depends on the browser you are running too. now it would seem to me that disabling the deployment toolkit would work since that is where the problem in that exploit seems to be, http://i75.photobucket.com/albums/i319/Skywolfe/Javaaddons.jpg at least for the time being now maybe it would maybe it wouldn't I dunno because the rest of the work arounds suggest disabling something that I am wondering how to get them disabled in the first place. uninstalling doesn't necessaraly remove the files.

 

I like to play at FreeSlots, and there's a lot of other games and the like online which use Java.

More relevant to the "genre" of the forums here, the online version of Secunia's scan used to require Java, maybe still does.

 

just curious if this has been in Java for years, then why now all of a sudden has it been exploited? why wasn't it patched earlier?

 

If I read the article correctly, it has not been truly exploited, meaning in the wild yet. However, you can bet it will be now since the alarm has been raised and the fear factor will set in. As far as Sun's attitude towards it, it's inexcusable. ANY vulnerability that is easy to exploit and which leads to a compromised/controlled system is serious enough for an emergency patch. It reminds me of past Microsoft behavior, them being told of the vulnerability and then sitting on it for 3 months or more to "test" it, leaving their users hanging and hoping before a patch comes.

As to why a so-called "easily exploitable" bug was not found after this long or why it hasn't been exploited by malware yet, who knows.

 

agreed sometimes I wonder why these companies aren't more up to date on their stuff like antivirus programs are with their definitions. with antivirus programs they protect against the problem BEFORE it happens. or at least try to. and it ought to be the same way with these other programs. while I realize it takes a while to develop patches for things and new vunerabilities show themselves all the time in different applications. that doesn't mean they aren't any less of a problem and certainly when something is discovered whether it be in the wild or not. it is time to get something developed for it. or at least tell people the exact circumstances in which a compromise could occur. from the way it sounds to me they are making it sound like if you have Java and open your browser you will be affected but they don't really tell anyone how to disable the two things that could be a problem? makes no sense.

 

Well, no, antivirus companies generally get their definitions after exploits start rolling in. It does take time to test the vulnerability and make sure the patch works correctly, but there is a limit on what is a reasonable amount of time to me. To me, a week or two is reasonable. A month or more is not and never will be. As to your last statement about fear, researchers are good at that, and so are media outlets. From my understanding, the applet or file needs to be infected, likely meaning the website itself is compromised.

What I have taken from this is to only run Java on websites you trust, which is something that should be done regardless. Also, some sort of file execution/script protection should be in place as it is likely that where an infected Java applet file is, there is more malware to be found as well. That sort of protection may give off a warning sign that something isn't right before the infected applet/file is ran, prompting you to make a hasty retreat from the website.

 

well if a website is compromised you should get a warning about that (if your antivirus program does that and some do.) letting you know something like exploit detected, denied etc. I used to get some of that stuff through flash ads on Kaspersky letting me know a threat was blocked. don't know if Eset does that or not. but having the website compromised sounds more like a likely senerio instead of just saying"if you have java you are at risk." reminds me of an exploit that was out for IE for a while back only to find out later that it had to be through a specialy crafted file that took user interaction to get infected.

 

Yeah, once the "quaking with fear" phase is over with, people will realize that malware, no matter how sophisticated, still has to rely on the person sitting at the keyboard not taking precautions and/or doing something stupid. These threats come and go in weeks. The bad guys catch a few victims and move on, and infected websites are clean as a whistle within a few hours or a day or so. The worst part of this particular instance is the carefree attitude taken by Sun. Otherwise this is just another day in the life of the internet.

 

I remember something similar years ago, where I enabled JAVA to do some type of scan. OTherwise, I guess I don't frequent sites that require it.

From the article:

It doesn't list the versions; I've not updated mine in years, so maybe that's why the PoC did not work in IE.

Code:

*** Code Download Log entry (10 Apr 2010 @ 20:41:18) ***
Code Download Error: (hr = 8007007e) The specified module could not be found.

Operation failed. Detailed Information:
     CodeBase: 
     CLSID: {CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}

Looking up that CLSID I see that it is related to the use of JAVA.

ACcording to his source code for the PoC it seems designed for Firefox and IE; I don't see Opera mentioned, and nothing happened when loading the page in Opera.

Code:

if (window.navigator.appName == 

           [B]"Microsoft Internet Explorer"[/B]) {
            var o = document.createElement("OBJECT");

            o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";

            // Trigger the bug
            o.launch(u);
        } else {

            [B]Mozilla[/B]
            var o = document.createElement("OBJECT");
            var n = document.createElement("OBJECT");

From the article:

It remains to be seen if the code could load a DLL not whitelisted.

----
rich

 

rmus,

which Opera are you using btw? The older one didn't use java plugin but used java files from the java install folder so it wouldn't be affected, newer ones use java plugin so I expect them to suffer the same fate.

 

yeah I don't understand that attitude either. it doesn't seem like good business especialy for something that millions of users already use. but it still seems to me that if it is an exploit as it says it is. an av should pick it up as that depends on how good the scanner is I think. some will bypass things like that and some won't.

and that article still doesn't say how to DISABLE the Javaws it gives the key. most workarounds will say something about a way to take care of the said problem .... all I saw there was how it could be executed.

 

Here is my version information. It says I have a Java Runtime environment. Is that the same as Java? I confess to knowing nothing about, nor having any interest in Java, since I don't seem to need it for anything.

​

 

You have the older Opera which uses Java folder and not plugin, latest Opera version is 10x with 10.52 being the latest.

 

The runtime engine is needed for loading and just-in-time compiling the bytecodes, i.e. applets and applications. So yes, it´s the same as having java.

/C.