it ain't over yet (java 7 security hole(s))


Ben Smith-Mannschott

Aug 31, 2012, 3:39:47 PM8/31/12
to java...@googlegroups.com
http://arstechnica.com/security/2012/08/critical-bug-discovered-in-newest-java/

Researchers said they've uncovered a flaw in the Java 7 update
released by Oracle on Thursday that allows attackers to take complete
control of end-user computers.

The flaw in Java 7 Update 7, which Oracle released to stop in-the-wild
attacks that silently install malware on end-user machines, is the
latest black eye for the security of the widely used software
framework. It comes after revelations that Oracle learned of the
vulnerabilities under attack in April, four months before the exploits
were detected. Oracle has yet to explain the delay in fixing the bugs.

...

Seriously? :-/

// Ben

Phil Haigh

Sep 1, 2012, 7:31:40 AM9/1/12
to java...@googlegroups.com


On Friday, 31 August 2012 20:39:54 UTC+1, bsmith.occs wrote:
http://arstechnica.com/security/2012/08/critical-bug-discovered-in-newest-java/

    Researchers said they've uncovered a flaw in the Java 7 update
    released by Oracle on Thursday that allows attackers to take complete
    control of end-user computers.


Just goes to show that the hurriedly fixed bug is all too often our biggest enemy. Next to the hurriedly changed (and not thought through) requirement, of course!

Jan Goyvaerts

Sep 1, 2012, 7:39:50 AM9/1/12
to java...@googlegroups.com
Let's see how fast they react now. :-)

--
You received this message because you are subscribed to the Google Groups "Java Posse" group.
To view this discussion on the web visit https://groups.google.com/d/msg/javaposse/-/GlpkcwBwN9wJ.

To post to this group, send email to java...@googlegroups.com.
To unsubscribe from this group, send email to javaposse+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/javaposse?hl=en.

Jan Goyvaerts

Sep 10, 2012, 1:53:09 PM9/10/12
to java...@googlegroups.com
Anything new about this ?

Casper Bang

Sep 10, 2012, 4:35:21 PM9/10/12
to java...@googlegroups.com
Security Explorations, the company responsible for finding and demonstrating many of the recent security holes, have not issued updates since their initial post some 11 days ago (http://seclists.org/bugtraq/2012/Aug/225) and neither has Oracle.

Let's hope it has not made it into the wild yet, although that's likely only a matter of time (hackers know it's there and they are worth a lot of $).

Casper Bang

Sep 26, 2012, 1:29:06 PM9/26/12
to java...@googlegroups.com
The neverending story, yet another gaping hole:
http://seclists.org/fulldisclosure/2012/Sep/170

Fabrizio Giudici

Sep 27, 2012, 2:20:12 AM9/27/12
to java...@googlegroups.com, Casper Bang
On Wed, 26 Sep 2012 19:29:06 +0200, Casper Bang <caspe...@gmail.com>
wrote:

> The neverending story, yet another gaping hole:
> http://seclists.org/fulldisclosure/2012/Sep/170
>

Well, it seems that 7u7 also introduced a random error with reporting the
MAC address... yesterday the first batch upload of Maven artefacts to
Sonatype failed apparently because of that (AFAIU MAC address is used as a
sort of session identifier).

--
Fabrizio Giudici - Java Architect, Project Manager
Tidalwave s.a.s. - "We make Java work. Everywhere."
fabrizio...@tidalwave.it
http://tidalwave.it - http://fabriziogiudici.it

Fabrizio Giudici

Sep 27, 2012, 2:31:11 AM9/27/12
to java...@googlegroups.com, Casper Bang
On Thu, 27 Sep 2012 08:20:12 +0200, Fabrizio Giudici
<Fabrizio...@tidalwave.it> wrote:

> Well, it seems that 7u7 also introduced a random error with reporting
> the MAC address... yesterday the first batch upload of Maven artefacts
> to Sonatype failed apparently because of that (AFAIU MAC address is used
> as a sort of session identifier).

Of course I was referring to the first batch upload made with 7u7.

Casper Bang

Oct 25, 2012, 4:13:08 AM10/25/12
to java...@googlegroups.com, Casper Bang
Unfortunately, it seems that Oracle will wait 4 months with patching this hole:

The rationale must be: The security hole is not under full disclosure and it's a pain in the &!%$ to get these out.

However, given what happened last time (known security hole exploited, creating a lot of negative press and requiring a hasty out-of-band patch), I'm surprised at this approach. A security hole on a platform as ubiquitous as Java, with a future deterministic unpatch window, is likely to be worth a lot of €.

Even if Oracle stands ready with a fire extinguisher, I'd much rather they prevented sparks in the first place.

Casper Bang

Nov 5, 2012, 2:59:43 AM11/5/12
to java...@googlegroups.com, Casper Bang
Kaspersky's Lab: "56 percent of exploits blocked in Q3 use Java vulnerabilities" and "It’s exactly why you shouldn’t have Java installed, unless you absolutely need it.".



Casper Bang

Dec 3, 2012, 9:05:23 AM12/3/12
to java...@googlegroups.com, Casper Bang


On Thursday, October 25, 2012 10:13:09 AM UTC+2, Casper Bang wrote:
Unfortunately, it seems that Oracle will wait 4 months with patching this hole:

Aaaaand here we go, exploit on sale to highest-bidder:

Cédric Beust ♔

Dec 3, 2012, 12:22:24 PM12/3/12
to java...@googlegroups.com, Casper Bang
Oh no! A security firm is advertising somebody trying to make money by selling a patch to an exploit without providing any link to said sale (conveniently posted on a for-pay web site) nor evidence to back up their claim.

What are we gonna do? What are we gonna do?


-- 
Cédric





Casper Bang

Dec 3, 2012, 4:39:48 PM12/3/12
to java...@googlegroups.com, Casper Bang, ced...@beust.com


On Monday, December 3, 2012 6:22:24 PM UTC+1, Cédric Beust ♔ wrote:
Oh no! A security firm is advertising somebody trying to make money by selling a patch to an exploit without providing any link to said sale (conveniently posted on a for-pay web site) nor evidence to back up their claim.

What pay website? Do you really think a black-hat hacker would sell their "product" on eBay?! If you cared to do a little research before attacking his credibility, you'd know that Brian Krebs is something of a security investigative celebrity and, e.g., was the first to run into Stuxnet.
 
What are we gonna do? What are we gonna do?

Wait until the next wave of Java attacks, curl our toes when Oracle eventually rushes a patch out, and continue to block applets in our browsers.

Cédric Beust ♔

Dec 3, 2012, 4:47:14 PM12/3/12
to Casper Bang, java...@googlegroups.com

On Mon, Dec 3, 2012 at 1:39 PM, Casper Bang <caspe...@gmail.com> wrote:
What pay website?

From the article:

"The flaw, currently being sold by an established member of an invite-only Underweb forum,"

Josh Berry

Dec 3, 2012, 6:19:06 PM12/3/12
to javaposse, Casper Bang
Not sure what you would expect here.  Unless you are claiming that the researcher is making up the forum in question, or potentially making up a vulnerability, is it really a criticism not to disclose a vulnerability one does not know?

This is mostly hinged on my belief that the selling of exploits is not actually unheard of.

Now, I agree that this really shouldn't turn into a bash Oracle thread.  Until we know the vulnerability, there is no way to know what they could have done to prevent it.  However, this does seem a good call to arms to be on the lookout for suspicious behaviour if you have an exposed machine with a jvm.



Casper Bang

Jan 10, 2013, 10:31:24 AM1/10/13
to java...@googlegroups.com, Casper Bang

This is mostly hinged on my belief that the selling of exploits is not actually unheard of.

In any event, the exploit has now made it into the known exploit kits Blackhole and NuclearPack, so a new wave of JVM security exploits now seems eminent: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/ 

Cédric Beust ♔

Jan 10, 2013, 11:55:22 AM1/10/13
to java...@googlegroups.com, Casper Bang
On Thu, Jan 10, 2013 at 7:31 AM, Casper Bang <caspe...@gmail.com> wrote:
In any event, the exploit has now made it into the known exploit kits Blackhole and NuclearPack, so a new wave of JVM security exploits now seems eminent:

Hopefully you mean 'imminent' :-)

-- 
Cédric

pwagland

Jan 10, 2013, 6:02:14 PM1/10/13
to java...@googlegroups.com, Casper Bang, ced...@beust.com
Sadly, I think that both would be accurate! This has hit front page, predictably, on hacker news.

Cheers,
Paul

Casper Bang

Jan 11, 2013, 9:36:31 AM1/11/13
to java...@googlegroups.com, Casper Bang, ced...@beust.com
Naturally. It's the first time, over the last couple of JRE bugs, that my bank is officially, on its front page, issuing a warning against running Java 7 (which is a bit of a problem, as using Java is pretty much mandatory with our country's SSO solution).

Phil Swenson

Jan 13, 2013, 8:44:17 PM1/13/13
to java...@googlegroups.com, java...@googlegroups.com, Casper Bang, ced...@beust.com
What is it going to take to get oracle to just kill java in the browser? It's an unneeded/obsolete embarrassment.

Jon Kiparsky

Jan 13, 2013, 10:01:38 PM1/13/13
to java...@googlegroups.com
Apparently it's in wide use in much of the world. For example, Casper says it's "pretty much mandatory" where he is. I don't think it's getting killed any time soon.

Ricky Clarkson

Jan 13, 2013, 10:02:23 PM1/13/13
to javaposse, Casper Bang, ced...@beust.com

Joseph Darcy

Jan 13, 2013, 10:09:41 PM1/13/13
to java...@googlegroups.com, Casper Bang, ced...@beust.com
Notification directly from Oracle on this matter:

https://blogs.oracle.com/security/entry/security_alert_for_cve_2013

-Joe

phil swenson

Jan 14, 2013, 3:25:14 PM1/14/13
to java...@googlegroups.com
What I really mean is Oracle should say they will only issue security
fixes for the java browser plugin. No support for Java 8. Companies
would adapt. Honestly any company with a technical clue should already
be migrating away from java in the browser to HTML5 or just a java
desktop client.

Casper Bang

Jan 19, 2013, 2:48:42 PM1/19/13
to java...@googlegroups.com, Casper Bang, ced...@beust.com
Another week, another security hole. At least update 11 adds confirmation dialog for non-signed code, which makes new holes harder to exploit. Perhaps Oracle should change their update policy from 4 months to 4 days instead. ;)

http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/

/Casper
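The confirmation dialog Casper mentions is driven by the plugin's security level, which Java 7u10 and later expose as deployment properties alongside the "Enable Java content in the browser" switch. The fragment below is an added example of a system-wide, locked configuration; it is not from the thread or from Oracle's documentation verbatim. The property names and the `.locked` suffix are Oracle's; the file locations in the comments are the ones documented for Java 7 and should be checked against the deployment guide for the JRE actually in use, and the exact meaning of each level changed between updates, so read the release notes for the version being deployed.

```properties
# System-level deployment.properties for Java 7u10+ (added example, not from the thread).
# It is referenced from deployment.config, which lives at
#   Windows: %WINDIR%\Sun\Java\Deployment\deployment.config
#   Linux:   /etc/.java/deployment/deployment.config
# and contains two lines such as:
#   deployment.system.config=file:///etc/.java/deployment/deployment.properties
#   deployment.system.config.mandatory=true
# With "mandatory" set, the plugin refuses to run if this file cannot be read.

# HIGH is the default from 7u11 and prompts before running unsigned code;
# VERY_HIGH is the most restrictive level the slider offers. A ".locked" key
# with no value stops users from lowering the setting in the Java Control Panel.
deployment.security.level=VERY_HIGH
deployment.security.level.locked

# The only setting that removes the applet attack surface entirely:
# disable Java content in the browser. Stand-alone Java applications,
# and anything launched outside the plugin, keep working.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

On a machine where the bank's SSO applet is genuinely required, the second pair of lines cannot be used; keep the first pair, and treat the prompt as the last line of defence rather than a fix, since it only helps against exploits delivered as unsigned applets.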

Hayden Jones

Feb 1, 2013, 3:43:29 PM2/1/13
to java...@googlegroups.com, Casper Bang, ced...@beust.com
Just saw that java 7u13 has been released.  It's good to see Oracle try and patch more of these vulnerabilities.