Oracle releases emergency security patch for Java
Under criticism for not patching a critical vulnerability in its recently acquired Java virtual machine, Oracle on Thursday released an emergency update that eliminates the zero-day threat. Functionality in the Java Web Start component made it trivial for attackers to remotely execute malicious code on end-user machines. Tavis …
Seems there's no auto update available to some places yet at least... The "Update Now" function within the java control panel still insists I have no update available, despite the download clearly being available on their website.
I love their intellectual dishonesty too. Normally, when you drop a check box, the size of the box covers that of the label too. Clicking the label text will normally change the option.
To disable the Yahoo malware, you have to click the check box only. Clicking on the text has no effect.
Actually they pushed out update 19 to fix it, but that was badly broken so u20 is an attempt to fix that. Still has some problems according to at least one poster on javagaming.org.
It wanted to install a Bing toolbar for me this time.
Yes, I go to Control Panel and ask and it says "no problemo". But if I go and manually execute the *other* javacpl.exe it says "Ayeee! Get 20 quicko!" See, on my Win7 system, there are *two* "Program Files" folders, one for 32-bit Java and one for 64-bit Java. Nice, huh? They don't know about each other. Really nice, eh?
C:\Program Files (x86)\Java\jre6\bin\javacpl.exe
C:\Program Files\Java\jre6\bin\javacpl.exe
Twice as nice! I'm doubly blessed I'm sure.
Now your computer can be exploited while it is exploited so you can exploit the exploit while you exploit the exploit.
I have just upgraded from JRE 6u19 to JRE 6u20.
When I check the version that is installed, 6u20 shows up.
When I check the version through Firefox 3.6.3, 6u19 shows up.
JRE 6u19 was completely removed on my Linux box. I'm guessing Oracle didn't change the version in libnpjp2.so, so if they forgot something *that* simple, perhaps they also forgot to *really* fix the bug?
The problem and bitch I have with java updates is they don't remove the OLD versions. When I install Java JRE I turn OFF automatic updates every time. And every time I am forced to drill down through sun////oracle's menus to find the proper download. Sometimes Secunia PSI gives me a direct download. If oracle's sun's java's jre's automatic update worked proper there would be no c:\Program Files\Java directory before the install. But obviously it's simply dumping files over the top.
At least it's not as bad as the Quicktime update where the latest breaks .mov import in Sony Vegas.
My workaround is based on testing the harmless exploit proof of concept against some methods of protection.
1. Cripple IE from running via Security Panel
2. Don't run opera, since JAVA and JAVASCRIPT are tied together on the same stupid switch! Oh dear Opera...
3. Install The Firefox extension Quick Java 1.7.2 https://addons.mozilla.org/en-US/firefox/addon/123... Which gives me switches for all this broken nonsense--except the quicktime!
~peace
> 2. Don't run opera, since JAVA and JAVASCRIPT are tied together on the same stupid switch! Oh dear Opera...
What on earth are you talking about? Java & JavaScript disable have been separate switches for as long as I can remember -- at least as far back as Opera 5.02 (2001-02-27).
I downloaded Opera 3.62 (2000-02-27) just for laughs. It has a "disable scripting languages" setting that might apply to both. So your information is somewhere between 9 and 10 years out of date. (Actually it has separate "Enable Plugins" and "Enable Scripting Languages" settings, and it used a Java plugin, so I think even 10 years ago it had separate killswitches -- though it's true that killing Java would kill any other plugins as well.)
Opera 3.00 (1997-12-31) had separate scripts & plugins killswitches. The next older one I found (2.12 from 1996-04-19) doesn't seem to support either Java or Javascript.
Was it ever the intention of the Microsoft anti-trust actions to create an avenue for selling toolbars? Will Larry Ellison finally top the richest man in the world list due to the income from Yahoo payments?
Stay tuned for results...
Sign up, sign up for The Register's weekly IT security newsletter - click here
