Apple and Mozilla Block Vulnerable Java Plug-ins 88
hypnosec writes "Following news that a Java 0-day has been rolled into exploit kits, without any patch to fix the vulnerability, Mozilla and Apple have blocked the latest versions of Java on Firefox and Mac OS X respectively. Mozilla has taken steps to protect its user base from the yet-unpatched vulnerability. Mozilla has added to its Firefox add-on block-list: Java 7 Update 10, Java 7 Update 9, Java 6 Update 38 and Java 6 Update 37. Similar steps have also been taken by Apple; it has updated its anti-malware system to only allow version 1.7.10.19 or higher, thereby automatically blocking the vulnerable version, 1.7.10.18."
Here are some ways to disable Java, if you're not sure how.
Re:and to unblock? (Score:5, Informative)
From Mozilla:
There is no patch currently available for this issue from Oracle. To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.
The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.
With OS X it's blacklisted. But then again everyone is recommending to uninstall these versions anyway. If you have critical software depending on vulnerable versions you should beat the developers over the head to fix it.
Chrome - "Click to Play" (Score:5, Informative)
In Chrome select "Settings" from options menu or navigate to "chrome://chrome/settings/"
Click Link "Show advanced Settings"
Click button "Content settings..." under Privacy
Look Under "Plug-ins"
Select the option "Click to play" which will prevent plug-ins from running on a page unless you manually click on a bar which allows them to run.
Re:What changed? (Score:5, Informative)
Description The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException". By leveraging the a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving the Reflection API and the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier are affected. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.
Re:Hypocritical (Score:4, Informative)
While Java applets are very rare
Let's keep that in mind for the rest of this discussion. Java is in no way, shape, or form a necessity for the vast majority of users. It is, however, a huge risk.
How is anyone supposed to ever use it if web browsers start disabling it for every 0-day vulnerability that pops up.
First, Java has been available for web use since 1994. It's nearly 20 years old. It's not like it hasn't had a chance to take hold. There are plenty of reasons people choose not to use it. It's been an option for several projects I've been involved in, and we've never chosen it. Second, that "every 0-day vulnerability" part.. well, that's part of the problem with it. It has a lot of vulnerabilities, and a lot of them take a while to get fixed. So to answer your question, if browsers keep rightfully disabling a vulnerable POS software then people will not use it. Hopefully it will just go away.
It's not like Firefox and Safari don't also have 0-day vulnerabilities
Actually, it sort of is like that. Mozilla is pretty good about fixing bugs. If you don't believe me, here's [mozilla.org] their list of vulnerabilities. Go ahead and find the section on that page which lists the unfixed vulnerabilities. Here [secunia.com] is the vulnerability page for Firefox 18 on Secunia. Take a look at the stats on the right side to see how many vulnerabilities it is currently affected by, as well as the percentage of unpatched. Here [secunia.com] is the same Secunia page for Java JRE 1.7, go ahead and compare that to Firefox 18.
IMO there should be a small grace period of 1-2 weeks
Java has had a grace period of 19 years. Under Oracle, it's been around 6 years. This shit keeps happening. There is a pattern here. There is a reason why Java is the #1 infection vector for Windows machines [net-security.org]. The browsers are just trying to protect their users. Blocking the #1 infection vector is a pretty decent way to do that. If they also blocked the Acrobat plugin then that would be another step in the right direction.
US CERT has the right idea:
Due to the number and severity of this and prior Java vulnerabilities , it is recommended that Java be disabled temporarily in web browsers as described in the "Solution" section of the US-CERT Alert and in the Oracle Technical Note "Setting the Security Level of the Java Client."
(emphasis mine)