August 30, 2012

Oracle has issued an urgent update to close a dangerous security hole in its Java software that attackers have been using to deploy malicious software. The patch comes amid revelations that Oracle was notified in April about this vulnerability and a number of other potentially unpatched Java flaws.

The patch fixes a critical flaw in the latest version of Java 7 that is now being widely exploited. Users with vulnerable versions of Java installed can have malware silently planted on their systems just by browsing to a hacked or malicious Web site.

The update brings Java 7 to Update 7, and appears to fix the flaw being exploited and several other security holes. Oracle also released a security update for systems running Java 6, which brings that version to Java 6 Update 35.

Today’s patches are emergency, out-of-schedule updates for Oracle, which previously was not planning to release security updates for Java until October. Although it may appear that Oracle responded swiftly to the discovery of extremely dangerous flaws in its software, Security Explorations — a research firm from Poland — says it alerted Oracle about this vulnerability and 30 others back in April. It’s not yet clear how many of those vulnerabilities were patched in this release.

“We … expected that the most serious of them would be fixed by June 2012 Java CPU,” Security Explorations CEO and founder Adam Gowdiak told The Register’s Neil McAllister. “But it didn’t happen and Oracle left many issues unpatched with plans to address them in the next Java [updates].”

If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. If you decide later that you do need Java, you can always reinstall the program. If you still want to keep Java, but only need it for specific Web sites, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest updating to the latest version and then adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

For browser-specific instructions on disabling Java, click here. If you’re not sure whether your system has Java installed or which version your computer may have, visit java.com and click the “Do I have Java?” link.

Windows users can grab the update by visiting the Windows Control Panel and clicking the Java icon (or searching for “Java”). From there, select the Update tab and the Update Now button. Note that the updater may auto-select a toolbar like the “Ask Toolbar;” if you don’t want that as well, de-select it before proceeding. Mac and Linux users can get Java 7 Update 7 from this link.

If you plan to keep Java on your system, update it now. The exploit being used in the wild now has been shown to work against Windows, Mac and Linux systems running Java 7 Update versions 1 through 6.
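A quick way to turn the version numbers above into a check is to parse what `java -version` reports and compare it against the patched levels the article names (Java 7 Update 7 and Java 6 Update 35) and the Java 7 Update 1 through 6 range the in-the-wild exploit was reported to hit. The following is an added example, not code from the article or from Oracle; it assumes the `1.<major>.0_<update>` string format Java 6 and 7 used at the time, and the sample outputs are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample `java -version` outputs in the 2012-era "1.<major>.0_<update>" format.
SAMPLE_OUTPUTS = {
    "unpatched_7": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "patched_7":   'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n',
    "unpatched_6": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
    "patched_6":   'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)\n',
}

# Minimum update per major version that carries the 30 Aug 2012 fixes (from the article).
PATCHED_LEVELS = {7: 7, 6: 35}
# Java 7 update range the in-the-wild exploit was reported to work against (from the article).
EXPLOITED_RANGE = (1, 6)

# Java 7 GA reported itself as "1.7.0" with no "_update" suffix, so the suffix is optional.
VERSION_RE = re.compile(r'^java version "1\.(\d+)\.\d+(?:_(\d+))?"', re.MULTILINE)


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) parsed from `java -version` output, or None if unrecognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) is not None else 0
    return major, update


def assess(output: str) -> str:
    """Classify an installed Java against the patch levels named in the article."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"            # no Java found, or an unexpected version string
    major, update = parsed
    if major not in PATCHED_LEVELS:
        return "unsupported"        # no patched level known for this major version
    if update >= PATCHED_LEVELS[major]:
        return "patched"
    if major == 7 and EXPLOITED_RANGE[0] <= update <= EXPLOITED_RANGE[1]:
        return "exploited-in-wild"  # inside the range the live exploit targets
    return "needs-update"           # older than the fix, but not in the reported exploit range


def assess_local_java() -> str:
    """Run `java -version` on this machine (it prints to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        print(f"{name}: {assess(text)}")
    print(f"this machine: {assess_local_java()}")
```

Note that `java -version` writes its banner to stderr, which is why `assess_local_java()` concatenates both streams; a machine with no Java on the PATH is reported as "unknown" rather than as an error.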


50 thoughts on “Security Fix for Critical Java Flaw Released”

  1. Thomas Daggett

    I was surprised to see not the usual Ask Toolbar [offer?] but some McAfee product. It employs the same ‘opt-out’ (pre-checked box) of course.

  2. John Cali

    Hi Brian,

    I uninstalled Java in the Add/Remove programs section in Windows. But I still have a Java plugin in Firefox. I’ve disabled it, but cannot figure out how to delete it. Is it even possible to delete it?

    Thanks very much, Brian.

    John

      1. BattleChicken

        I generally wouldn’t respond to a comment like this, but generally I see this kind of thing on low-rent forums frequented by angsty tweens, not here.

        What a useless thing to say. Your comment doesn’t help or add to the conversation AT ALL. I understand your goal is probably something lofty like “teaching a man to fish” but the reality is you didn’t provide stus any helpful information, just a backhanded insult.

        Perhaps his search terms were wrong for what he was trying to find and suggestions would have helped? Perhaps his browser version changed in an update and where the plugins were isn’t where they are now? Or – and I think this is the most likely scenario – perhaps stus thought that the comments on a security post about a Java vulnerability, where a suggested action was disabling your Java plugin in your browser, were an appropriate forum for a question about how to disable his Java plugin in his browser. Hint: It is.

        1. Uzzi

          Sorry, just tried to change a vector – gladly this worked. (At least it’s not too hard to google “delete Java Firefox plugin” to find support.mozilla.org …)

  3. Phoenix

    Maybe it’s time to start calling it Oracle’s Java, not just Java. Point responsibility where it belongs.

  4. Omer Bauer

    Brian…..I disabled JAVA 3 yrs. ago on your advice and do all kinds of things online and don’t miss it at all. I occasionally do hit a site that requires it but have found out that there is always an alternate to it.
    Thanks for the advice.
    Omer

    1. TJ

      You can find and delete the Firefox plug-in here:

      Description: Next Generation Java Plug-in 10.7.2 for Mozilla browsers

      32bit system
      C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll

      64bit system
      C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

        1. TJ

          You’re welcome, John. It would have been nice, however, if I had replied to the right comment. 🙂

  5. Neej

    Thank christ Oracle saw sense on this one … I’d get rid of it completely other than I use jDownloader a lot. Like almost all Java applications I can’t see the point of programming jDownloader using the language given that there’s a version for each major OS…

    http://www.theregister.co.uk/2012/08/30/i_hate_java/

    I agree with this article almost completely – it seemed pointless back in 1998 when I had to do an extra year to get up to speed with Java in order to get my CS degree. Mind you the uni I attended thought it was a good idea to teach COBOL(!?) alongside C/C++ so don’t ask me what they smoke behind closed doors.

    It amazes me that it’s still being taught to IT students – surely it would be better to learn OO programming principles on another language FFS, it’s not like if anyone really needed it they couldn’t pick it up in a day after that.

    1. Allan Miller

      I would disagree. Java is one of the few languages that was actually designed by computer scientists, rather than evolving into existence, or worse still, being (apparently) designed by high school students for a science fair project.

      It also currently has a big commercial value: it’s the language of choice for writing Android applications, and that will be true for some time to come.

    2. bob

      The strength of Java is its class library. If you’re looking for a job in that area, already being familiar with the intricacies of the language will give you a big head start. We probably wouldn’t employ a Java programmer on the basis of their experience in another OOP language.

      Also, for a computer science degree, I’m not sure what the alternative OOP language to Java would be. Python? Eiffel? Neither seem really appropriate to a CS degree. I suppose C++ would be the best alternative.

      COBOL in ’98 was fairly reasonable. It teaches you the basics of programming and, at the time, there were lots of people after newbie COBOL programmers to help with Y2K issues. ’98 was the first year I got a bonus for COBOL work.

    3. george

      I like the quote in the article you pointed to:

      “Bear in mind that Java likes to compete with Flash for the least secure mainstream web browser extension ever created”

      So true, so true…

  6. Mike

    I updated through the Java icon in the control panel as directed. When I restarted IE9, a plug in SSV Helper asked to be enabled. What do I do with this? Never happened before.

  7. Mike

    Never mind. I found an old version of Java 6 on my computer. When I uninstalled it and something called JavaFX, then restarted, the SSV thing stopped asking to be enabled. Java 7 Update 7 is all that remains on my box.

    Thanks for the security tips.

  8. Doug

    I have the latest java ver 6 update on my system, (for all of 2 days!) and do use it (but I have Noscript). The Java site offers me the new Java ver 7 update.

    Now per Brian, the 0-day exploit only attacks java 7. Should I really update from the old, ignored version to the new, highly targeted version?! Really?

    Seems tactically unwise. Any advice?

    1. SeymourB

      You should update to the latest version of the flavor you have installed. Note that in 2013 Java 6 will be discontinued, and at that point you will need to move to Java 7 or risk having unpatched vulnerabilities that will never, ever, be patched.

      Forced obsolescence, ho!

  9. jeffrey

    So I see Java SE Development Kit 7u7 update on Oracle’s site, but if I install this, it says I don’t have Java installed… didn’t it used to be Java Runtime Environment?

  10. Chris Thomas

    Thank you for this valuable resource Mr Krebs. Everyone should read your blogs.

    I wonder how many Pointy Haired Bosses there are at Oracle.

  11. Oxa

    Do NOT use the Update tab in the Windows Control Panel to update Java. The last time I did that, Java installed obnoxious crapware on my computer. Because it was not uninstallable via Add or Remove Programs, I spent a couple of hours trying to figure out how to get rid of it, finally resorting to a system restore.

  12. stvs

    I upgraded an OS X 10.7.4 box with this dmg, but java -version says that I’m still running Version 6:

    $ java -version
    java version "1.6.0_33"
    Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
    Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

    Apparently a reboot is necessary, but that’s not possible or convenient for the foreseeable future. Anyone know the correct launchctl and plist incantation to tell OS X to start using the latest java version?

  13. Sterling

    Thanks for the heads up Brian, but I took your advice and removed Java from my computers.

  14. Rabid Howler Monkey

    A ToDo list for Oracle:

    o Improve the Java SE updating process for Windows, OS X and Linux as the majority of consumers and small organizations don’t have sysadmins pushing out updates
    o Follow Microsoft’s lead and implement a Security Development Lifecycle for software development
    o Follow Adobe Software’s lead with Flash Player and work with major web browser developers (i.e., Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari) to sandbox both java applets and web applications on Windows and OS X *
    o Increase the java security update frequency from every 4 months to quarterly and, next, to bi-monthly
    o Stop with the crapware already as Larry is a billionaire and owns an island (Lanai), a yacht and a number of planes

    * Most popular Linux distros provide Linux Security Modules (e.g., SELinux, AppArmor, Tomoyo) that can be used to sandbox java applets and web applications.

    1. Terry Ritter

      @Rabid Howler Monkey: “Follow Adobe Software’s lead with Flash Player and work with major web browser developers (i.e., Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari) to sandbox both java applets and web applications on Windows and OS X”

      Allow me to again recommend the excellent article by Roger Grimes in InfoWorld: “9 popular IT security practices that just don’t work”

      http://www.infoworld.com/d/security/9-popular-it-security-practices-just-dont-work-199548

      “Security fail No. 9: Sandboxes provide straight line to underlying system

      “I sigh every time a new security sandbox is announced. These sandboxes are supposed to make exploits against the software they protect impossible or at least significantly harder to pull off. The reality is that every security sandbox developed so far has fallen under hacker attention.

      “Today the biggest security sandboxes are probably best represented by Java and Google’s Chrome browser, and both have suffered over 100 exploits that perforated the sandbox and allowed direct access to the underlying system. However, that doesn’t stop the dreamers who think they’ll find one that will halt all exploits and put down computer maliciousness forever.

      “Unfortunately, a lot of computer security is more security theater than protection.”

      1. Rabid Howler Monkey

        @Terry Ritter I’m gobsmacked! You only shot down one of my five recommendations. :()

        My view is that computer security is an illusion. There are only levels of insecurity. I simply prefer to operate on a level of insecurity somewhere above the lowermost level. At least make the miscreants work a bit for their misdeeds.

        Here’s an interesting and, hopefully, enlightening example (sorry, Linux fans):

        “Exploiting grsecurity/PaX with Dan Rosenberg and Jon Oberheide”
        http://resources.infosecinstitute.com/exploiting-gresecuritypax/

        P.S. In this case, vulnerabilities were not introduced by grsecurity/PaX. As a matter of fact, grsecurity/PaX made the “exploitation process is many orders of magnitude more difficult”.

  15. Alan

    Researchers Find Critical Vulnerability in Java 7 Patch Hours After Release
    http://www.cio.com/article/715219/Researchers_Find_Critical_Vulnerability_in_Java_7_Patch_Hours_After_Release

    “The removal of the getField and getMethod methods from the implementation of the sun.awt.SunToolkit class in Java 7 Update 7 disabled all of Security Explorations’ PoC exploits, Gowdiak said. However, this only happened because the “exploitation vector” was removed, not because all vulnerabilities targeted by the exploits were patched, Gowdiak said. The new vulnerability discovered by Security Explorations in Java 7 Update 7 can be combined with some of the vulnerabilities left unpatched by Oracle to achieve a full JVM sandbox bypass again.”

    1. Nick P

      Yeah, that was also published on Schneier’s blog by somebody (Clive Robinson, I think). They seem to ignore the holes for a while, then throw some crap together, release it, & lo’ and behold the garbage they delivered gives attackers more opportunities. Is there an infinite downvote button for Oracle? 😉

      Figure this adds credence to the “uninstall, disable or block Java” approach. Uninstalling or disabling it is the easiest method. Been too busy to read all comments, but I’m sure someone has already mentioned NoScript can block many Java attacks by default. I’ve recently been thinking that NoScript should get some web security medal or something. (Esp for cost, compatibility & ease of use attributes.)

  16. Jon

    Is the problem just with client side Java or with server based code (struts, Java Server Faces and so on) ?

    Or both.

    I have only just heard and this is the first question that comes to mind.

  17. Jeff

    The latest bug in Java is client side only. In fact, it is browser client side only. There was never a problem with OS applications that used Java outside of a web browser.

  18. Loget X

    These terribly designed browser plugins contribute to the problem. Users should never be allowed to run a Java applet on a site automatically unless they’ve already approved that site, period.

  19. Larry

    ??? Program? Buggy? Really?? I haven’t read such ignorance in a while….must be a newbie.

    “If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. “

    1. Uzzi

      Thx, hope some of the folks still gambling around with Java in their browsers read it – especially this passage:

      “Java-in-the-browser absolutely must be treated as ‘already compromised’. There is no wiggle room here. Do not under any circumstances run Java in the browser on any production system or any client system in which any other application is used. Go buy another Windows licence and put Java inside a virtual machine. – Ring-fence the virtual machine by placing it on its own VLAN and subnet. Keep that virtual machine’s traffic as separate from the rest of your network and system as you possibly can: Java-in-the-browser is a live grenade and you can’t afford to have it go off inside your network. If you can, deploy the virtual machine from a managed template; the ability to destroy it at the end of the day and revert to a ‘known good’ is a huge advantage when dealing with a threat of this magnitude.”

      1. Nick P

        All that rhetoric & a simple plugin blocks most Java attacks. Hmm…

        #NOSCRIPT

    2. Allan Miller

      Wow, what a nightmare. I really empathize with the author. It’s a brutal reminder that malware keeps getting “better” every day.

  20. Esther Walker

    Oracle should be ashamed and I hope I don’t have to use them for anything. They knew there was a problem since April and did nothing until now because they were exposed. They did not care about all the people that rely on their product and it could have caused all kinds of havoc to their systems and financial data.

  21. stvs

    But without Java exploits, could there be 12 million Apple device UDID/APNS tokens released into the wild from an FBI laptop?

    According to the Pastebin post, the file was originally taken from a Dell Vostro laptop … the attackers reportedly used a vulnerability in Java to gain access to the machine.

  22. Jim C.

    Thanks again, Brian, your information is, as always, incomparably spot-on!

    For novices, here’s a really useful explanation by Leo Notenboom of “How do Java and Javascript relate to each other?”

    http://ask-leo.com/how_do_java_and_javascript_relate_to_each_other.html

    (Notenboom concludes with:

    Java & JavaScript: Should you or shouldn’t you?

    Given the current application and security landscape, I’ll make the following recommendations:

    Javascript: In general, leave Javascript enabled and stay away from questionable sites. The practical fact is that many, many websites simply will not work if Javascript is disabled. If you are concerned, then the only true solution is to use Firefox with the NoScript add-on to allow selective choice of which websites are allowed to use Javascript. Similar-sounding add-ons for Chrome apparently don’t work reliably and give a false sense of security. Managing this through IE’s security zones is a confusing nightmare.

    Java: Uninstall Java unless you’re certain you need it. It’s not at all uncommon to end up with Java installed because of a website you visited only once. Uninstall it, and if something you care about breaks, re-install it. In this case, some security-minded folks recommend [e.g., Brian Krebs!] having it enabled in only one browser that you don’t use regularly and explicitly disabling it in the browser you use day-to-day.

    As for me, I just uninstalled Java. I know of only one program that I use that may eventually require it. Until then, I’ll run without.)

    I first learned of the two-browser technique from Brian Krebs’
    http://krebsonsecurity.com/2012/08/security-fix-for-critical-java-flaw-released/
    “…If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. If you decide later that you do need Java, you can always reinstall the program. If you still want to keep Java, but only need it for specific Web sites, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest updating to the latest version and then adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.”

  23. Tom

    Hi Brian,

    Would it be possible to date your posts? I find it disconcerting when I access your website articles via RSS and have to look at the comment dates to determine when you posted an article such as this one (possibly Friday August 31, 2012) to determine which release of Java you mean – last Thursday’s (with a fatal flaw subsequently found), or a fix to the current problems.

    Tom (dated Sept 4, 2012 ~ 4:42PM)

    1. BrianKrebs Post author

      The date is listed at the top of every story that appears on the homepage. If you are viewing the full story, the date and time stamp is at the bottom of every post, right below the tags and directly before the comments start.

      This entry was posted on Thursday, August 30th, 2012 at 5:07 pm and is filed under Latest Warnings, Security Tools, Time to Patch.

      1. Tom

        The reason I asked about the dating of your posts was that I access your material via RSS feed, not the homepage, and the usual standard which seems to be practiced by most authors is to date the article itself (at the top of the article).

        Thanks for the feedback – now I know where to look for the date on your articles.

  24. Larry

    This site seems to be filled with Microsoft geeks/college grads with no level of professional experience. Anyone can have a blog…..

    ??? Program? Buggy? Really?? I haven’t read such ignorance in a while….must be a newbie.

    “If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. “

  25. Uzzi

    No need to repeat your downrated insults:

    Anyone who can read, can read ‘About the Author’ and ‘About this Blog’ at the top of every page on the right side… .oO(In fact Brian is the illegitimate son of Warren Buffett and William ‘Bill’ Henry Gates III by gene manipulation. But this is top secret! He was later adopted by some Russian botherders. ;-))

  26. Branden Spikes

    Clearly people aren’t seeing the forest through the trees here. Not just us, the readers, but the security industry in general. Releasing a security update which introduces a zero-day vulnerability is an unforgivable act. Java needs to be uninstalled. Only run software from a trustworthy source.
