Category Archives: Java

More holes in Java, denial from Oracle/Sun

A few days ago, Adam Gowdiak of Security Explorations discovered vulnerabilities in the most recent version of Java, 7u15.

Oracle’s response was to deny that the problem existed. So Adam got to work, testing Java 7u15 in more detail, and checking his results against the published Java documentation. He was able to confirm that his original report was legitimate, and he also found five more new vulnerabilities along the way. All of this information has been passed on to Oracle. Will they believe him this time? I’m betting yes.

More holes discovered in current Java

The hits just keep on coming for Java. As fast as Oracle/Sun plugs (or tries, but fails to plug) one hole, another is discovered by independent security researchers.

This time, it’s the security research team at FireEye that has found vulnerabilities in the latest Java, version 7u15, as well as the most recent 6-series version (6u41).

Making matters worse, the new vulnerability is being actively exploited in the wild: a remote access trojan is being installed on affected computers.

In other words, even if you have the latest version of Java, you can be hit by this exploit. As always, if you don’t actually need Java enabled in your browser, disable it. If that’s not an option, be extremely wary of browsing web sites that you don’t know for sure are safe.

Ars Technica has additional details.

Vulnerabilities in latest Java

Oh no, not again! Adam Gowdiak of the Security Explorations research team has been hard at work, looking for holes in the latest Java (7u15). Here’s a quote from Mr. Gowdiak’s alert email:

We had yet another look into Oracle’s Java SE 7 software that was released by the company on Feb 19, 2013. As a result, we have discovered two new security issues (numbered 54 and 55), which when combined together can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03).

Gowdiak has submitted his findings to Java’s developers, but there has been no official confirmation from Oracle/Sun as yet. Still, I’m cautioning Java users – especially those of us who have Java enabled in our web browsers – to exercise extreme caution, and flagging Java 7u15 as possibly vulnerable.

Ars Technica has more details.

Google Chrome 25 released

Version 25.0.1364.97 of Google’s Chrome web browser was announced yesterday.

The new version includes several security and other bug fixes, as well as some new features for web developers and voice recognition.

No mention of Java is made in the announcement linked above, but presumably the most recent Java security fixes found their way into this Chrome release.

Starting with this version, Chrome extension updates are no longer installed ‘silently’. This is a welcome improvement in security.

As expected, more critical Java updates

Oracle/Sun has released Java version 7, update 15. What happened to update 14? Anyway, the new version includes a batch of security and other bug fixes they wanted to release with the last batch, and which were originally scheduled for release today. Confused yet?

Since the new version is all about fixing the rather horrible Java security vulnerabilities that have been revealed in recent weeks, you should go ahead and install the update, if you use Java. If you don’t use it, pat yourself on the back and count yourself lucky.

If you read the announcement linked above, you’ll notice that once again, determining the version being discussed is left as an exercise for the reader, since the version (7u15) is not mentioned anywhere on the page. There are plenty of references to the versions being replaced, which only adds to the confusion. Annoying.

Massive Java security update

Oracle/Sun has released update 13 for Java 7 (Java 7u13).

The update was originally scheduled for release on February 19, but given all the recent security issues, Oracle decided to get the latest patch out there as soon as possible.

The update includes fifty bug and security fixes. The issues addressed are listed on the associated Critical Patch Update Advisory. Oddly, the update version (7u13) is never mentioned once on that lengthy page.

Recommendations:

  • If you use Java, update it ASAP.
  • Don’t depend on the Java auto-updater to update Java: do it manually.
  • Don’t assume Java is now safe. Until security researchers like Adam Gowdiak give Java 7u13 a thumbs-up, assume it’s still vulnerable.
  • Disable Java plugins in your web browser unless you have no choice.
  • Continue to be extremely careful when browsing the web.

Plugins will be safer in future versions of Firefox

Presumably in response to the recent flood of Java vulnerabilities, the developers of Firefox (Mozilla) will be adding a new layer of security to all plugins, including the notoriously insecure Java, Flash and Adobe Reader.

Essentially, the new security will consist of additional prompts when plugins are triggered. So when a web site tries to run Java code, Firefox will prompt you to make sure you really want to allow the plugin to activate and run the Java code. You will be able to control which plugins and sites are affected.

Oracle/Sun recently made similar changes to Java itself, in an attempt to improve the overall safety of Java in web browsers. However, as security researcher Adam Gowdiak points out, those changes are ineffective: Java code can still run silently, bypassing the new safeguards. He writes:

… unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings …
Our Proof of Concept code … has been successfully executed in the environment of [the] latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 … and with “Very High” Java Control Panel security settings.

That said, recent … security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

Java: what is it, and why do I need it?

You’re probably sick of hearing about Java and its troubles. Still, there seems to be a lot of confusion about what Java is, what it’s used for, and whether it’s really needed. This post is an attempt to alleviate that confusion.

From the About page on the Java web site:

From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!
– 1.1 billion desktops run Java
– 3 billion mobile phones run Java
– 100% of all Blu-ray players run Java
– Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

What is Java?

Java is essentially a programming language. It’s also a runtime environment: a program that runs natively on your PC or other computing device and allows Java programs to run on that device.

Why is Java everywhere?

Java is embedded into many household and industrial devices. Typically these devices run older versions of Java, and those older versions often have security vulnerabilities. However, the potential for damage through exploiting vulnerabilities on such devices is usually small or non-existent.

Java is currently installed on most consumer and corporate PCs, usually because at least one Java application or Java-enabled web site requires it. Java may also be enabled in the various web browsers used on those PCs.

The main reason for Java’s prevalence is its portability. In computing terms, that means a Java program will run on any Java-enabled device without modification. Developers only need to create one version of a program, instead of a different version for every computing platform they want to support.

Java in the browser; Java outside the browser

To run a Java program outside of a web browser, a Java Runtime Environment (JRE) must be installed on the device. To use a Java-enabled web site or a web-based Java application, you still need a JRE, but you also need a Java plugin for your web browser. Each browser handles plugins differently, but without a Java plugin providing a link between the browser and the JRE, Java code will not run in the browser.

Because a plugin is required to run Java in a web browser, disabling the plugin is a sure-fire way to avoid web-based Java malware.

Java programs that run outside of the web browser

The primary danger posed by Java at this time is visiting malware-infested web sites with a vulnerable version of Java enabled in the web browser. A Java program that runs outside the web browser is safe, even if the shared Java JRE is old or vulnerable, because the only Java code that runs is the code for that program. If you trust the program’s developer, you’re safe. Note that there is one exception: if the program contains a Java-enabled web browser, the risk is the same as in any other Java-enabled web browser.

Examples:

  • Minecraft – a popular game
  • Eclipse – a software development environment
  • FreeMind – mind-mapping software
  • OpenOffice (Base; wizards) – an office application suite

Java programs that run in the web browser

A Java program that runs in the web browser is safe – even using a shared, old, or vulnerable JRE – as long as you only use that program and don’t navigate to any Internet-based web sites. If you must run a browser-based Java program, try to use one particular web browser for that program (and any similar programs). In other words, use a browser that has Java disabled for web browsing, and a different (Java-enabled) browser for running your browser-based Java programs.

Examples:

  • Yahoo SiteBuilder – requires and installs JRE 1.6 in a shared location, and installs JRE 1.6 components in browsers (use with caution)
  • Vigiliti nLive – network management software
  • ManageEngine OpManager – system management software
  • many other system and network monitoring and analysis packages

Web sites that require Java for proper operation

If you can’t avoid web sites that use Java: again, it’s a good idea to set aside a Java-enabled web browser for accessing those sites (and nothing else!). Use a separate web browser with Java disabled for most of your web surfing.

Examples:

  • Some banking web sites
  • The Wall Street Journal website uses Java for dynamic charts
  • Secunia’s Online Software Inspector

Java applications that install their own JRE

When an application requires a JRE to run, it can use a shared JRE that is typically installed in a standard location where it can be found by any Java application on the PC. It can also install its own JRE in a location where it is only used by that application. This avoids potential compatibility issues, but it can make things more confusing for anyone trying to understand how Java is being used on their PC.

Examples:

  • Vigiliti nLive – network management software
  • ManageEngine OpManager – system management software
  • MindRaider – notebook and outlining application

How is Java related to Javascript?

It isn’t. Java is to Javascript what ham is to hamster. Like Java, Javascript is a programming language, and it’s often used on web sites to provide enhanced functionality. Also like Java, Javascript is often used for malware. Unlike Java, Javascript can only run within a web browser. Both represent significant security threats, and both can be disabled within web browsers, but doing so may cause some web sites to stop working properly.

Why are there so many security problems with Java?

Java’s success – its prevalence on PCs – has made it a useful target for malware developers. The success of Windows made that operating system the primary target of malware developers for years, but Microsoft has improved the security of Windows, and malware writers are looking for other targets.

All programs contain bugs, and if enough time is spent examining a program, eventually someone will find a way to break it in a way that allows security to be bypassed. Java is a program like any other, and the new focus on Java is revealing more and more security issues.

Why do developers still use Java?

Given all the recent problems with Java, one might expect software and web site developers to steer clear of it. Some developers are probably already looking elsewhere, and the longer it takes for Oracle/Sun to fix Java’s security problems, the more developers will bail. Most developers are probably concerned, but biding their time; switching away from Java is likely to be a massive undertaking.

Why do I need Java? Can I stop using it?

There’s no way to escape Java completely. You probably have several devices in your home that have Java embedded into them. But apart from the Java embedded in devices, you may not need Java at all.

In the PC world, some applications and web sites need Java to work properly. If you don’t have Java on your PC, you won’t be able to use those applications and web sites. If you’re a system or network administrator, you probably need Java to run system management tools. Your employer may use or require custom Java software in your workplace. You may need Java to use your bank’s web site. And so on.

The only way to know for sure whether you can do without Java on your PC is to disable or uninstall it, then make note of any web site or application that stops working. Of course, this may be more difficult than it sounds, since functionality may only be affected in subtle ways.

More problems with Java

  • Version confusion: traditionally, the JRE installer left old versions intact when installing new versions. This was apparently done to get around version incompatibilities, but in practice it created more problems than it solved. More recent JRE installers seem to be better at cleaning up older versions.
  • Java Development Toolkits (JDKs) add to the confusion, since they typically include their own, separate, embedded JRE.
  • There are apparently no tools for finding and diagnosing Java installations on a PC. JavaRa is useful to a point, but it doesn’t seem to find embedded JREs installed with certain Java applications.
  • When you install Java, it sets itself up to perform auto-updates. This feature can be disabled, but it has to be done every time you install or update Java. Worse, the auto-updater may delay updating your Java for days or even weeks after an update becomes available.
  • Recently, Oracle started including crapware (aka foistware) with Java JREs. Performing a default install of a recent JRE will add a worthless toolbar to your browser and may hijack your browser search settings.
  • Removing Java from Internet Explorer is almost impossible. Web browsers like Firefox and Google Chrome include simple settings for disabling Java, but for some reason this is not the case with IE.
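The list above says there is no good tool for finding every JRE on a PC, and the earlier section on applications that install their own JRE explains why: a private JRE bundled with an application never shows up where the shared one does. The PowerShell script below is an added example, not code from the original post or from Oracle. It reads the JavaSoft registry keys that shared JREs create at install time, then walks the usual program directories for java.exe files and reports each one with the version stamped in the file. The registry paths are the standard ones; the search roots (Program Files, Program Files (x86), the user’s local AppData folder) are an assumption and can be extended.

```powershell
# Added example (not from the original post or from Oracle): inventory every Java
# Runtime Environment on a Windows PC, shared or private. Assumes Windows with
# PowerShell 2.0 or later; run from an elevated prompt so HKLM and every program
# directory are readable.

function Get-RegisteredJre {
    # Shared JREs register under HKLM\SOFTWARE\JavaSoft (and the Wow6432Node view
    # for 32-bit JREs on 64-bit Windows). Each version is a subkey whose JavaHome
    # value points at the install directory; CurrentVersion names the default.
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $current = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).CurrentVersion
        Get-ChildItem -Path $root | ForEach-Object {
            $javaHome = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).JavaHome
            if ($javaHome) {
                New-Object PSObject -Property @{
                    Source    = 'Registry'
                    Version   = $_.PSChildName
                    Path      = $javaHome
                    IsCurrent = ($_.PSChildName -eq $current)
                }
            }
        }
    }
}

function Find-JavaExecutable {
    # Private JREs bundled with an application do not register in the JavaSoft keys,
    # so walk the usual install roots (an assumption; add your own) for java.exe and
    # read the product version from the file's version resource.
    param([string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA))
    foreach ($root in $SearchRoot) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter java.exe -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Source    = 'Filesystem'
                    Version   = $_.VersionInfo.ProductVersion
                    Path      = $_.DirectoryName
                    IsCurrent = $false
                }
            }
    }
}

# Combine both views; a shared JRE appears twice (registry and disk), so de-duplicate on path.
$jres = @(Get-RegisteredJre) + @(Find-JavaExecutable)
$jres | Sort-Object Path -Unique | Format-Table Source, Version, IsCurrent, Path -AutoSize
```

Anything that appears only with Source set to Filesystem is a private JRE that neither the Java Control Panel nor the auto-updater will touch, which is exactly the case the list above describes; compare its version against the current release by hand, and expect the old-version clutter the first bullet mentions to show up as extra rows.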

Further reading

If you’ve gotten this far and want more, the folks over at Windows Secrets recently posted some more useful information about Java.

Java: now with nasty crapware

As if Java didn’t have enough problems, Oracle/Sun recently started packaging it with the Ask Toolbar. Anyone installing Java must opt out of installing the Ask toolbar, or it will show up in their web browser and hijack their browser’s search settings.

Ed Bott at ZDNet took a close look at the Java installation process and posted his findings. He starts by saying:

Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.

And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.

It’s an excellent article, well worth reading.

To make matters worse, I recently discovered that I can no longer disable the Java auto-updater using the Java Control Panel in Windows 7. I can uncheck the checkbox and save the settings, but if I go back to the Java Control Panel, the option has re-enabled itself. My only option is to disable the SunJavaUpdateSched (jusched.exe) startup entry using a tool like Autoruns.
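A read-only check for that same startup entry, as an added example that is not part of the original post: it looks for the SunJavaUpdateSched value in the HKLM and HKCU Run keys (the 32-bit Wow6432Node view included) and reports whether jusched.exe is running right now. It assumes Windows 7 or later with PowerShell 2.0+; the key paths are the standard Run keys, and the value name is the one named above.

```powershell
# Added example (not from the original post or from Oracle): report where the Java
# auto-updater (jusched.exe, startup entry SunJavaUpdateSched) is registered to start,
# without changing anything. Run elevated so the HKLM keys are readable.

function Get-JavaUpdaterStartup {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $cmd = $props.SunJavaUpdateSched
        if ($cmd) {
            New-Object PSObject -Property @{ Key = $key; Command = $cmd }
        }
    }
}

$entries = @(Get-JavaUpdaterStartup)
if ($entries.Count -eq 0) {
    'No SunJavaUpdateSched startup entry found; jusched.exe is not set to run at logon.'
} else {
    $entries | Format-Table Key, Command -AutoSize
    # Manual alternative to Autoruns for a key listed above (uncomment to apply):
    # Remove-ItemProperty -Path $entries[0].Key -Name SunJavaUpdateSched
}

# Is the updater running in this session right now?
if (Get-Process -Name jusched -ErrorAction SilentlyContinue) {
    'jusched.exe is currently running.'
} else {
    'jusched.exe is not running.'
}
```

Because the Java Control Panel re-enables the option and each installer sets it up again, rerun the check after every Java update rather than trusting the checkbox.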

I’m starting to get a bad feeling about Oracle’s management of Java. Oracle may feel that they have the world by the throat, given the prevalence of Java, but at some point, the world is going to revolt and start looking at alternatives.