Disable Java NOW, users told, as 0-day exploit hits web

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available. The vulnerability is present in the Java Runtime Environment (JRE) version …

COMMENTS

This topic is closed for new posts.


    1. sleepy

      Re: Can anyone please advise me ...

      Chrome is not the only browser to sandbox Flash/plugins. Safari and Internet Explorer also sandbox. But a sandbox won't necessarily save your system from a vulnerability.

    2. Michael Wojcik Silver badge

      Re: Can anyone please advise me ...

      whether Java and Javascript are the same for the purposes of this safety warning

      They're not the same for any purposes.

      They're both OO languages that adopt much of their syntax from the C family, and they're both usually executed in an intermediate form and JIT-compiled, but the similarities end there.

      Java is a language that originated at Sun and was originally intended for use in embedded applications (which is indeed where most of it is to be found); but Sun implemented an early graphical web browser (HotJava) that included a JRE and popularized the idea of executing downloaded Java applets in the browser. Netscape picked up the idea and eventually all the major browsers included Java runtimes. Java applets lost the popularity contest, though, first to Flash and then to "Javascript".

      "Javascript" is two things. First it was the new name of the browser scripting language Livescript, which was renamed to jump on the Java-in-the-browser bandwagon, thereby sowing much confusion. Now it is the name of Mozilla's implementation of the browser scripting language ECMAscript, which is the current descendant of Livescript. Many people use "Javascript" to refer, incorrectly, to all ECMAscript implementations.

      ECMAscript and Java are substantially different languages, and their implementations share nothing, except where people have implemented an ECMAscript interpreter in Java (sigh) and a JVM in ECMAscript (double sigh).

      This particular vulnerability appears to be the result of a too-clever-by-half change to the Java class loader in Java 7, with insecure use of reflection in the Java runtime classes, which lets an attacker obtain privileged references to private members of restricted classes. Recent discussion on Bugtraq points specifically to parts of the Abstract Windowing Toolkit, and there's some suggestion that this is in effect the reintroduction of a vulnerability originally fixed by Sun back in 2005. That, to my mind, supports the contention made by several respondents here that the Java runtime has grown far too complex.
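The access check the comment above describes as being undermined, shown as an added example (not code from the commenter, from Oracle, or from the OpenJDK project): when a SecurityManager is installed, calling Field.setAccessible(true) on a private member requires ReflectPermission("suppressAccessChecks"), and a manager that denies that permission turns the reflective read of a private field into a SecurityException. The point is that untrusted applet code is held to this check; runtime classes that are trusted to skip it must not hand the resulting references out. The class names are constructed for the demo; it assumes a JDK on which a SecurityManager can still be installed (JDK 17 to 23 need -Djava.security.manager=allow on the command line, and JDK 24 removes the facility).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

public class ReflectionGuardDemo {

    // Constructed stand-in for a "restricted" runtime class whose private
    // state sandboxed code must never obtain a reference to.
    static final class Restricted {
        private final String secret = "privileged";
    }

    // Minimal SecurityManager: permits everything except the one permission
    // that lets reflection bypass Java language access checks.
    static final class DenySuppressAccessChecks extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            if (p instanceof ReflectPermission
                    && "suppressAccessChecks".equals(p.getName())) {
                throw new SecurityException(
                        "reflective access-check bypass denied: " + p);
            }
            // all other permissions are granted for the purposes of the demo
        }
    }

    // Attempts the same privileged read an attacker would want: a private
    // field of a restricted class, reached through reflection.
    static String readSecretViaReflection() throws ReflectiveOperationException {
        Field f = Restricted.class.getDeclaredField("secret");
        // With a SecurityManager present this call is what triggers
        // checkPermission(new ReflectPermission("suppressAccessChecks")).
        f.setAccessible(true);
        return (String) f.get(new Restricted());
    }

    @SuppressWarnings("removal") // SecurityManager is deprecated for removal
    public static void main(String[] args) throws ReflectiveOperationException {
        // No manager installed: the language access check is simply suppressed.
        System.out.println("no manager:   " + readSecretViaReflection());

        // Install the manager: the identical read is now refused.
        System.setSecurityManager(new DenySuppressAccessChecks());
        try {
            System.out.println("with manager: " + readSecretViaReflection());
        } catch (SecurityException e) {
            System.out.println("blocked:      " + e.getMessage());
        }
    }
}
```

Run with `java -Djava.security.manager=allow ReflectionGuardDemo` on JDK 17 through 23 (plain `java ReflectionGuardDemo` on older releases). The first line prints the private value; the second reports the SecurityException, which is the outcome an applet sandbox depends on for every path that reaches setAccessible, including those inside the runtime's own classes.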

  1. Test Man
    Go

    Java

    Got a new 64-bit Windows 7 laptop last week. Haven't installed Java on it, and I reckon I probably never will - I can't think of any website or app that I used recently that needed Java.

  2. sleepy

    Funny

    Funny how Steve Jobs / Apple were called evil control freaks for keeping everything but HTML5/Javascript off the iPhone. Two years ago Google took out full page ads to boast its openness in supporting buggy proprietary Flash on Android. "We love Apple, but what we don't love is anybody taking away your freedom . . .".

    And now everyone's quietly doing the same as Apple, practically every mobile browser is built on Apple's Webkit, and HTML5/Javascript is standard and more or less universal. Remember the days of Internet-Explorer-only web sites, and only-works-properly-on-Windows Flash?

    Frankly, thank goodness for Apple (and Google before they switched objectives to world domination).

  3. sleepy

    And by the way

    Java is disabled by default on MacOS and is automatically re-disabled if unused for a period of time.

  4. digismith
    FAIL

    I COULD disable java but then

    99 percent of my job would be undoable

    and the majority of the web would be unusable

    Every e-commerce site uses it

    the Register itself uses it for log in log out

    Just about every site you go to for social networking

    1. Brewster's Angle Grinder Silver badge
      Facepalm

      Re: I COULD disable java but then

      I can absolutely assure you I don't have java installed on my machine. But I was still able to log in and downvote you.

    2. Terry Cloth
      Boffin

      Don't sweat the Javascript

      You may need to refer to Test Man's comment above. To completely clarify: Pretty much the only things Java and Javascript have in common is that they're a) programming languages which start with b) the same four letters. Maybe half the web wants you to run Javascript, which is not the language in question here. Java is used much less, and unless it's part of your office environment or your bank's site, you can get along quite well without it, thank you.

  5. Anonymous Coward

    Write once, run anywhere

    Unfortunately that applies to viruses too :)

    1. Vic

      Re: Write once, run anywhere

      > Unfortunately that applies to viruses too

      ITYM "only applies to viruses".

      The Java mantra has turned into "Write Once, Debug Everywhere" :-(

      Vic.

  6. Tikimon
    Meh

    From the sanctity of your little worlds ye proclaim...

    Amazing how many smug comments from those with clearly limited perspective. Just because you don't know about or have to deal with it does not mean it's not a real, valid problem for others. I expected more imagination from Reg readers!

    "I can't see any need for java / I never use java and don't miss it" - you obviously don't have to support a business that is forced to use sites or services that require java. It's not so easy to simply banish a mission-critical process.

    "Java is disabled by default on Apples" - okay, Apples are crippled by default, woo. A car that won't move is inherently safe from accidents, but a pretty poor transport. Saint Jobs didn't banish Flash to protect you, but to make MO' MONEY. Don't confuse his intent.

    On the glum side, anything that reaches popular use is going to become a hack target. Given the complexity of software, everything will probably be somehow hackable. Every massive hacker opening began as a Wonderful Feature. Installing software from a web page, running programs from an e-mail, these and others were signposts to a glowing future of friendly computers. When someone invented doors, his neighbor invented burglary...

    1. Vic

      Re: From the sanctity of your little worlds ye proclaim...

      > you obviously don't have to support a business that is forced to use sites or services that require java

      I do - but there aren't many such businesses. Most sites[1] with Java applets have alternative methods of getting at the data as well, even if they're not quite as slick.

      The biggest Java installations I deal with are servers - and they're invariably hidden behind an Apache reverse proxy, and are unlikely to be downloading stuff from the web in the first place.

      Vic.

      [1] I'm excluding games sites, since farting around with Java games doesn't really come under my definition of "business use".

  7. Bradley Hardleigh-Hadderchance
    Windows

    Just re-enabled Java on a friend's machine

    Apparently the only thing they wanted it for was for an on-line Chess game.

    I warned them. But would they listen? I also had to re-enable NotScripts and Ghostery because they were 'messing up the way the machine is supposed to work'.

    It's all good, because now I get to say "I did tell you so" next time they call me up to fix their computer.

    These are people that point-blank REFUSE TO LEARN HOW TO JUST QUICKLY DISABLE/ENABLE A PLUGIN.

    Sorry for the shouting, nearly got hot under the collar there. ;-)

    I understand how NotScripts cripples half the web, but for deity's sake at least use it on the half you can. Same with Java. In fact. I personally have it turned off ALL THE TIME and only re-enable maybe once a month on my web travels.

    It's funny, coz when I was first learning JAVA, ooh, over 10 years ago now it would have been, people were saying: This thing is going to be a MASSIVE security risk. Same thing with Active-X. Few had the foresight to see the monster that FLASH would become though. I remember playing with the thing when it was called Future-Splash, and telling people this is the future of the web. Did anyone listen? No. They just said: There is nice dear.

    Oh well, I was right about one or two things, but am probably one of the few failed programmers on this site.

    Still, no great loss, apart from the few successful JAVA and whatnot programmers that work for Deutsche Bank and earned £60K a year, most I know are treading water. Still, what is £60K a year anyway.

    Alright it's more than my dole, but you know... That was a couple of years ago now, maybe things have changed.........

    </rant over>

    <new rant begins>

    I'm just waiting by my phone - it is inches away from my leg - no obstructions. I shall answer with: "Yes it is I."

    "Who speaks? Really? Never!"

    My insouciance shall be invisible. Though I bear no great malice, sometimes a quick "I told you so", is worth oh so much more than the £20 I will get for fixing their machine. Bring it on. I shall wait for that sweet-spot moment when the cash hits the claw, then look them in the eye, with an almost undetectable sideways glance - the way a Lion might eye up a Zebra in the Serengeti for example - then, in a James Bond manner, ever so coolly say, TOLD YOU SO, TOLD YOU SO! ARGH ARGH ARGH, TOLD YOU SO!, jumping up and down for good effect and also flapping my arms wildly in the air like a poor earth bound bird that hasn't flown for hundreds of thousands of years, but still tries anyway, just out of pure instinct. Think Emu, think Dodo - no that's not right. Anyway. You get the picture.

    Of course at this point I shall be off for the treatment I so rightly deserve. All because some bastard wrote a JAVA exploit. And some other bastard refused how to learn how to use the on/off switch under 'preferences'.

    Still. These are the good days... Wait until things really get out of control....

  8. Bucky 2
    Pint

    Already Disabled?

    I disabled Java in Firefox long ago, since whenever I hit a page with a Java applet, my browser pauses for a good 30-45 seconds, and then typically just crashes entirely.

    I remember trying to report it, and ending up with a lot of finger pointing (bad applet design, bad sandboxing, whatever), but no substantial remedies from my standpoint.

    Luckily, it was never a Thing for me to have it off.

    [Beer, because it helps me have it off]

  9. ~mico
    Trollface

    Java? Vulnerability? Online? But java doesn't work online unless clicked upon.

    Don't people know about NoScript?

  10. nuked
    Trollface

    Wait...

    ...Java is vulnerable?!

    Run for the hills.

  11. Joe Montana
    Pint

    OpenJDK

    Is there a patch for OpenJDK yet? Could you just use that instead?

    1. Not That Andrew

      Re: OpenJDK

      Apparently not affected, so you're ok on Linux. But the Windows version of OpenJDK is outdated and has other security problems.

      1. Anonymous Coward

        Re: OpenJDK

        I'm no Java expert so did a little digging and I'm not so sure OpenJDK is ok... See the statement from Red Hat in their bugzilla.

        https://bugzilla.redhat.com/show_bug.cgi?id=852051#c9

        Most people will have that installed on a Linux box but then it doesn't appear as an available browser plugin. So in theory all ok from a drive-by exploit point of view....

  12. Anonymous Coward

    >2012

    >still using Java

    ISHYGDDT.

  13. Anonymous Coward

    Simple solution

    For the most heinous crime of information terrorism by writing of viruses.. DEATH!

    Death by giant hornet enema, and put the execution video on YouTube with a soundtrack of "Toxic" as a deterrent for any idiots who think it is funny to destroy other people's hard work, memories and data.

    AC/DC although as a close second the electric chair would be acceptable punishment.

  14. Ilgaz

    US CERT agreed, disable applets

    I just had this url in my inbox and I don't remember anything written in this tone for a long time from them.

    http://www.kb.cert.org/vuls/id/636312

    Does it mean USA government will feel compelled to disable Java on their terminals too?

    Does any person remotely connected with Oracle know what it means to have such an alert from an institution like that? Not, it seems; nobody has heard of an out-of-band emergency patch yet.

    1. Ilgaz

      No word from oracle yet

      Sorry but I noticed an unbelievable thing. If you check

      http://www.kb.cert.org/vuls/id/MORO-8XKL37

      You will see even US CERT wasn't contacted in time of writing.

      While on it, if you are a win user and have broadband, have no mission critical apps written in Java, easiest way to disable applets seems to be removing/uninstalling Java altogether. Using registry modification seems absurd to me.

      1. Michael Wojcik Silver badge

        Re: No word from oracle yet

        Sorry but I noticed an unbelievable thing.

        You seem to have a pretty liberal definition of "unbelievable". I didn't have any difficulty believing it.

        If you check

        http://www.kb.cert.org/vuls/id/MORO-8XKL37

        You will see even US CERT wasn't contacted in time of writing.

        Discussed on Bugtraq and Full-Disclosure yesterday. Not all researchers feel obliged to inform CERT.

  15. number-g
    Stop

    Good thing none of my computers are on the internet anymore.

    Really; when I do manage to get online these days, all I hear about takes another week of being online to understand, until I realise that it refers to things that only have any meaning on the internet.

    "AMIRITE?"

    And yes, I am aware of the nature of the site to which I am posting.

    But still.

    Get out while you can. Any industry that can make you suddenly twitch at the womb while you reassess . . .

    forgot what i was saying while i went to check the spelling of assess.

    doesn't matter.

  16. Anonymous Coward

    "All operating systems, browsers vulnerable"

    All operating systems?

    Including the ones that say they don't need virus checker because they are bullet proof?

    Yes?

    Good.

  17. Paul Hovnanian Silver badge
    Boffin

    Java plugin disabled ...

    ... on my system's browsers. I've rarely had a complaint from any website.

    JavaScript is up for all but a few bad actors.

    Java (the JRE and JDK, version 1.6) are up on my system. I've got gobs of stand alone (non browser) applications to run. But it sounds like this is a vulnerability of Java running under the plugin rather than standalone. Correct me if I'm wrong.

    At any rate, I can live with v1.6 until the patch comes out.

  18. Alan Firminger

    Does this put Bonusprint out of business ?

    Bonusprint depend on Java for their upload. Can someone tell me why ?

  19. Henry Wertz 1 Gold badge
    Thumb Up

    Other choices...

    First, I must admit, I have not been to much that uses Java. But, I do have java installed. I'm not worried about malware though. Why?

    1) Linux uses an executable bit. It's Windows where you (well, "they") can download an .exe and just run it. Also my copy of Firefox does run under AppArmor so potential malware would be contained.

    2) *I'm not using Oracle's JVM*. Due to Oracle's licensing, Ubuntu dropped Sun/Oracle Java even as an option a while back. I thought I was screwed, because Eclipse says it requires Sun/Oracle Java and is incompatible with OpenJDK. Not so! That may once have been true, but I've been running Eclipse on OpenJDK (with the IcedTea6 browser plugin), and have coded, debugged, and published a signed Android app onto the market. No sweat at all.

    So, if you are using Java, I would try OpenJDK and see if it works. What can I say? At least if people find OpenJDK holes they are not on an every-four-months release schedule! 8-)

  20. Paul Anderson
    Alert

    Does This Exploit Have a Name ?

    Does this exploit have a name? Symantec's reference to Java.Awetook may be it, I'm not sure. Anybody know ?

    1. Michael Wojcik Silver badge

      Re: Does This Exploit Have a Name ?

      It probably has many names; there's no central authority for naming exploits, you know.

      Security Explorations, who have been talking about it on Bugtraq and Full-Disclosure, and are one of the groups to discover the issue, have been calling it SE-2012-01.

      See http://www.security-explorations.com/en/SE-2012-01.html.
