Apple and Mozilla Block Vulnerable Java Plug-ins 88
hypnosec writes "Following news that a Java 0-day has been rolled into exploit kits, without any patch to fix the vulnerability, Mozilla and Apple have blocked the latest versions of Java on Firefox and Mac OS X respectively. Mozilla has taken steps to protect its user base from the yet-unpatched vulnerability. Mozilla has added to its Firefox add-on block-list: Java 7 Update 10, Java 7 Update 9, Java 6 Update 38 and Java 6 Update 37. Similar steps have also been taken by Apple; it has updated its anti-malware system to only allow version 1.7.10.19 or higher, thereby automatically blocking the vulnerable version, 1.7.10.18."
Here are some ways to disable Java, if you're not sure how.
Re: (Score:3)
and to unblock? (Score:3, Interesting)
... and if I need to unblock it, because I need to support shit that runs in these versions?
Re:and to unblock? (Score:5, Informative)
From Mozilla:
There is no patch currently available for this issue from Oracle. To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.
The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.
With OS X it's blacklisted. But then again everyone is recommending to uninstall these versions anyway. If you have critical software depending on vulnerable versions you should beat the developers over the head to fix it.
Re: (Score:1)
you should beat the developers over the head to fix it
Not only that, but the software should not depend on third and fourth part of the version to function correctly to being with. Those are supposed to be performance updates and bug fixes; not feature additions. So the fix should not be "now it will work with 1.7.10.19." it should be "now it will work with 1.7.x.y". Keep beating them until they get it right.
Re: (Score:1)
Could you please make Oracle aware of that? When software vendors do get it right and allow multi
Re: (Score:3)
Re:and to unblock? (Score:4, Insightful)
If you have critical software depending on vulnerable versions you should beat the developers over the head to fix it.
I would love to do that, but I'd get fired for it.
Re: (Score:1)
But then again everyone is recommending to uninstall these versions anyway.
For values where $theseversions >= JRE 0.1, of course.
Re: (Score:1)
Tell whoever is still running those versions that they are no longer supported.
Re: (Score:1)
Java 7U10 & 6U38 (the ones being blocked) are the latest versions.
Re: (Score:2)
tell you what, I'll unblock it for you... oh wait, you're not running it anymore as its disabled.. damn! I'll have to find a different vector to "assist" you with your computers.
Re: (Score:2)
Re: (Score:2)
It's blocked behing a click-to-play warning. It's just like NoScript, you click on it, and it runs.
Re: (Score:2)
... and if I need to unblock it, because I need to support shit that runs in these versions?
I ran into this problem, tried to enable it in Firefox, no luck. I had to use Internet Explorer to get around the block.
No, I did NOT feel safe.
Re: (Score:3)
Why after all these years is Java not just blocked by default?
Well, on OS X it is. What Apple just did is turn it back off for everyone who had turned it on ;-)
Re: (Score:2)
Or you could do the obvious route, and block all plugins by default and let you launch known/obvious plugins manually.
Browsers already had enough security holes (including alert loops, semi-forced downloads, and javascript) - there's no reason why you should risk less secure plugins as some auto-executer.
Re: (Score:1)
All plugins should be disabled by default, you should click to run anything embedded in a web page, with an option to whitelist certain sites / plugins. Who in modern times doesn't have this option enabled?
No need to scaremonger about Java, any plugin is a potential security risk.
Re: (Score:2)
people still use java in the browser?
Clearly, you do not work in the medical industry, where this shit is cutting edge, because it's cross-platform and a real upgrade from building entire applications as ActiveX in the browser. Sigh...
Re: (Score:2)
where this shit is cutting edge,
Party like it's 1999?
Re: (Score:3)
Because you can use the Windows installer to reformat your hard drive before install?
Re: (Score:1)
Why was this modded down?
Because you're the type of clueless user that has just enough of a clue to screw yourself.
Oracle Trashing Java? (Score:5, Interesting)
Re: (Score:1)
Not really true. If you look at Secunia the number of vulnerabilities is really not that different between the Sun years and Oracle's.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It has happened with Oracle at the helm. And it seems that they may have know about this vulnerability for some months and not fixed it.
At the very least, if they care about Java, they need to put some serious resources in
Re: (Score:1)
There were problems, of course, under Sun, but
I have seen something else under the sun: the race is not to the swift nor the battle to the strong, nor does food come to the wise nor wealth to the brilliant nor favor to the learned; but time and chance happen to them all.
Re: (Score:2)
More than likely, a core group of competent decision-making employees related to Java left Sun when they got bought out. It's like all the adults leaving, resulting in the teenagers taking charge of the kids.
Re: (Score:2)
I think it's more a matter of the knowledge on how to use Java as an attack vector (and the inclusion into Java exploits into easy-to-use-kits) causing the anti-Java sentiment, not who owns Java.
And some of that sentiment is misplaced: These exploits are largely a client-side problem (e.g., browsers running Java applets or downloaded Java apps) brought on by the servers dishing the Java up not being properly secured and/or managed.
Java's a great language in terms of what it's brought to the forefront of ap
Re: (Score:1)
What makes you think Oracle is just screwing up Java.
Get this thread about how an update to Solaris 11 broke ISCSI targets:
iSCSI Broken after 11.1 Update [oracle.com].
Geez, you think they cut out all regression testing?
And, of course, the final word:
Moderator Action:
With apologies to the original poster, but this thread has gotten hijacked too often to continue.
Your original question may not have been completely answered but the discussion has wandered far from that inquiry.
Thread locked.
How DARE they actually discuss the bug, possible workarounds, when it'll be fixed, etc.
Re: (Score:2)
That's just great, I get a DNS error from Oracle when I click on that link.
(But I can resolve all the host names involved... Seems like Oracle lost an internal server.)
Re: (Score:1)
Hypocritical (Score:5, Interesting)
While Java applets are very rare and not of much use to me personally (I mostly see it used for irc clients and bad web games), it seems a bit of an overstep to disable it completely for everyone due to a 0-day vulnerability. How is anyone supposed to ever use it if web browsers start disabling it for every 0-day vulnerability that pops up. It's not like Firefox and Safari don't also have 0-day vulnerabilities but you don't see them completely shutting themselves down nor do they roll out fixes the same day, so it seems a bit hypocritical. IMO there should be a small grace period of 1-2 weeks where the browser warns people of the known unpatched vulnerability but allows users to choose to load it anyways if they trust the site (yes, most people will just say yes to get past it) to at least give the plugin authors a chance to fix it before it gets completely disabled.
Re:Hypocritical (Score:5, Interesting)
I really wish I could disable it at work, but we both have an (externally developed) Java applet in our main product and use WebEx to audio-conference and screen-share with the contractors who produce said Java applet.
At home, I occasionally do Java development, but I just install the 64-bit JDK, which doesn't include the plugin for 32-bit web browsers like Chrome and Firefox. Problem solved there!
Re: (Score:1)
Mozilla does allow you to load it. It's called "Click To Play". Apple's reaction is more extreme but most parties agree it's a bad idea to have those versions installed at all.
Re:Hypocritical (Score:4, Informative)
While Java applets are very rare
Let's keep that in mind for the rest of this discussion. Java is in no way, shape, or form a necessity for the vast majority of users. It is, however, a huge risk.
How is anyone supposed to ever use it if web browsers start disabling it for every 0-day vulnerability that pops up.
First, Java has been available for web use since 1994. It's nearly 20 years old. It's not like it hasn't had a chance to take hold. There are plenty of reasons people choose not to use it. It's been an option for several projects I've been involved in, and we've never chosen it. Second, that "every 0-day vulnerability" part.. well, that's part of the problem with it. It has a lot of vulnerabilities, and a lot of them take a while to get fixed. So to answer your question, if browsers keep rightfully disabling a vulnerable POS software then people will not use it. Hopefully it will just go away.
It's not like Firefox and Safari don't also have 0-day vulnerabilities
Actually, it sort of is like that. Mozilla is pretty good about fixing bugs. If you don't believe me, here's [mozilla.org] their list of vulnerabilities. Go ahead and find the section on that page which lists the unfixed vulnerabilities. Here [secunia.com] is the vulnerability page for Firefox 18 on Secunia. Take a look at the stats on the right side to see how many vulnerabilities it is currently affected by, as well as the percentage of unpatched. Here [secunia.com] is the same Secunia page for Java JRE 1.7, go ahead and compare that to Firefox 18.
IMO there should be a small grace period of 1-2 weeks
Java has had a grace period of 19 years. Under Oracle, it's been around 6 years. This shit keeps happening. There is a pattern here. There is a reason why Java is the #1 infection vector for Windows machines [net-security.org]. The browsers are just trying to protect their users. Blocking the #1 infection vector is a pretty decent way to do that. If they also blocked the Acrobat plugin then that would be another step in the right direction.
US CERT has the right idea:
Due to the number and severity of this and prior Java vulnerabilities , it is recommended that Java be disabled temporarily in web browsers as described in the "Solution" section of the US-CERT Alert and in the Oracle Technical Note "Setting the Security Level of the Java Client."
(emphasis mine)
Re: (Score:2)
This issue is specific to the browser plug-in and it is due to a separate Security Manager in the com.sun.SunToolkit used by the JRE plug-in for browsers, ONLY.
I hear the same thing every time any serious Java vulnerability is discovered. "But, it's not the whole thing, it's just this one part that causes ransomware to get installed and all of your files get encrypted and you have to pay some sleazy asshole to get them decrypted! It's just this one little obscure part that does that!" That's great, and I hope you take solace in the fact that, as far as you know, there aren't massive security vulnerabilities also present in the JRE or anywhere else. However, if
JAVA = Just A Virus Apploader (Score:2)
Blocking the plugin is the best thing that they can do. It will force Oracle to fix it sooner and keeps it's users protected. I wish IE and Chrome would jump on that bandwagon as well.
Frankly, in the consumer space. Unless you Know what a Creeper or Enderman is chances are you don't need Java. Ever. Just about every virus I see these days comes in from Java. These Virus kits barely bother with Flash or Reader anymore since Adobe changed their Update Policy, Even if the user has an older copy of Adobe Plugin
Re: (Score:2)
so... (Score:1)
Why this zero-day? Why Java? (Score:4, Interesting)
There are many zero-day exploits out there for many applications (and operating systems, etc.). Why does this one deserve special treatment?
It's the second time that I remember Mozilla doing it with Java.
Re:Why this zero-day? Why Java? (Score:5, Insightful)
> Why does this one deserve special treatment?
Because it is
* wide spread, both in terms of users and in terms of malicious sites
* serious: remote exploit with none but the initial user interaction
* arrogant of Oracle not to respond
* avoidable, because nearly nobody needs Java anyway
Oracle really dropped the ball here, and they deserve to be kicked.
Re: (Score:2)
nearly nobody needs Java anyway
Java may be unpopular on Slashdot, but that's not a reason to handle it differently
Oracle really dropped the ball here, and they deserve to be kicked.
But it's end users who rely on Java (and there are still many) who are getting kicked. I know a business whose remote access uses Java; now some of their users are going to be cut off.
arrogant of Oracle
It's arrogant of Mozilla and Apple to dictate to people what they need, want, and are allowed to use on their own computers.
Re: (Score:2)
Most applications are not automatically launched when you visit random websites.
In fact, that's the change Mozilla made: they turned on click to play for Java so that it is no longer launched automatically when you visit a site with a java plug-in.
My Java was still siabled from the last Java (Score:1)
I can't say I've missed it. Now if we could do the same thing with flash...
Chrome - "Click to Play" (Score:5, Informative)
In Chrome select "Settings" from options menu or navigate to "chrome://chrome/settings/"
Click Link "Show advanced Settings"
Click button "Content settings..." under Privacy
Look Under "Plug-ins"
Select the option "Click to play" which will prevent plug-ins from running on a page unless you manually click on a bar which allows them to run.
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
For Firefox you can go to about:config and enable "plugins.click_to_play", there is no preference UI for it yet
What changed? (Score:2)
Re:What changed? (Score:5, Informative)
Description The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException". By leveraging the a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving the Reflection API and the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier are affected. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.
and the biggest joke is (Score:3)
I have java 7u10 plugin installed, and its now disabled (ok, good). So I check the latest version from Oracle so I can install the fixed, safe version.... which is Java 7u10.
ho hum.
Mozilla: Why break stuff instead of fixing it? (Score:5, Interesting)
Why is no one recommending to raise the security level for Java applets from "medium" to "high" or "very high"?
Since Update 10 there is this new control that could be employed exactly right now:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html [oracle.com]
Needs whitelisting (Score:4, Insightful)
I think this kind of mass disabling should be combined with a list of known "Good" java applets, possibly matched by URL or file hash.
The list doesn't necessarily have to come from some authority from the internet, it could possibly be provided by a company's IT department to run the specific Java applets they need to use.
So when people hit the "good" java applets, their Java plugin isn't disabled, and it runs the applet just like normal.
Ah, first obsolesence (Score:2)
So applets will never work again for most people, and the services that require them will be gradually (slowly) phased out. Maybe a narcissistic comment, but my first game was an applet. Now it will never be playable again without great effort. it's kind of sad that with all the computing power we have today, we can't just automatically load old software and have it work.