April 16, 2013

Oracle Corp. today released an update for its Java SE software that fixes at least 42 security flaws in the widely-installed program and associated browser plugin. The Java update also introduces new features designed to alert users about the security risks of running certain Java content.

42bbJava 7 Update 21 contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities. According to Oracle, “39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password” [emphasis mine].

There does not appear to be any update for Java 6. Oracle was to stop shipping security fixes for Java 6 in February, but it broke from that schedule last month when it shipped an emergency update for Java 6 to fix a flaw that was being used in active attacks. When I updated a machine running the latest Java 6 version (Update 43) it prompted me to install Java 7 Update 21. Update, 5:42 p.m. ET: Twitter follower @DonaldOJDK notes that Java 6 Update 45 is indeed available here.

javawarningsJava 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plugin). Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority.

Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future. Java applications considered to be higher risk — such as those that use an untrusted or expired certificate — will be accompanied by a prompt with a yellow exclamation point in a yellow warning triangle.

As Ars Technica writes, Oracle introduced a similar dialog message scheme late last year, but as previously reported by Ars, it doesn’t check the validity of application certificates. It’s a shortcoming that makes it easy for attackers to bypass the protection. That’s because it presents certificates as trustworthy even when they’ve been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light last month after Java gave the green light to a malicious app even though the digital certificate signing it had been revoked by the company that owned it.

I’ve long urged end users to uninstall Java unless they have a specific use for it (this advice does not scale for businesses, which often have complex custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a favorite target of malware writers and miscreants. Rather than ask users to discern the safety of applications using yellow triangles, blue shields, green clovers or orange stars, I’ll keep telling users to get rid of Java entirely.

If you do need it, unplug it from the browser unless and until you need it. Java 7 lets users disable Java content in web browsers through the Java control panel applet. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com. Mac OS X 10.6 (Snow Leopard) users who have Java should check Software Update for any available updates. Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion) users can grab the updated version of Java from Java.com.

22 thoughts on “Java Update Plugs 42 Security Holes

  1. Tom

    The download link for the Java 6 Update 45 download gets a 404.

  2. SeymourB

    Anyone else wondering what rabbit hole Java 7 Update 19 escaped into?

  3. Nic

    Uninstall it.

    If you find out you actually “need” it, download the new version, complete with thousands of security holes.

    If you find nothing changes, that nothing breaks, great, you’re (hopefully) no longer part of the global DDoS pool.

  4. Faye Kane, homeless brain

    Wait… it’s possible to reach out and infect you over the network WITHOUT AUTHENTICATION?

    By “network” do you perhaps mean “homegroup”?

    I’m surprised this is even possible! Surely this is a (yet another) Windows hole if Java or anything else can modify a machine on the network without permission and without logging in!

    As bad as it is, why is Java the bad guy this time?

    Sadly, I need Java to teach a class remotely. Why is it so screwed up? Were the programmers all to lazy to test for buffer overrun before storing a character into an array?

    Why is Java so unsecure when other apps (besides Microsoft’s) are not?

    -faye kane girl brain
    Sexiest astrophysicist you’ll ever see naked

      1. nikol

        Any recommendations for a reliable source for a MD5, SHA1, SHA256, or SHA512 calculators to help with the risks that the file I download is safe and has not been compromised or altered?Windows 7…..thanks….. Brian does a great job of scaring the pants off me!

    1. Robert

      Wow. You need to read more.
      Homegroup is a non-sequitur and Java, Adobe Flash, Reader etc have been the preferred exploit avenue for years because they are cross platform.

    2. Beau

      I’m curious as well, about the notion of how this exploit would be used in a network environment? Are we to understand that someone on the network could use an installation of java on my pc to remotely authenticate as some user on my pc? Is there a particular port/ protocol that would allow that? I’ve looked at the oracle notice, and that doesn’t seem to answer that question. Does anyone know where I can go to understand this better?

  5. JohnP

    Every few weeks we get another set of patches with 10-50 fixes. This has been going on for years and there is no belief that it will ever end.

    I once worked on software that was declared “bug free” in 1994 – at the time, it was believed there were zero remaining bugs in that software. The program continued until 2011 when it was finally retired. The development process was 100% about bug free code, not just getting something out the door. We would stop everything if our process analysis showed more than a few bugs in the design or code reviews. We were very serious about bug-free coding and had 100% management support to that end.
    In 2010, a study of all known errors over the life of the program was released. Noted was the over 100 remaining bugs that existed in the code from 1994 when it was declared “bug-free.” At that time, we and the different levels of testing were uncovering 1 bug every 2 years.

    I have ZERO hope that Java will ever be secure, much less bug free. They (them?) are still adding new features when they should be focusing on 1 thing – security. At this point, it is time to cut our combined losses and make the very hard choices to walk away from any tool or system that uses Java in an non-secure environment. Basically, only environments that run 100% on private, disconnected, networks make sense.

    Do not run Java programs on any home network or any business network that is connected to the internet in any way.
    Do no load java on these servers or desktops. Stop today or it will be harder in the future.

    I know that Brian can’t say these things without appearing as a fanatic. I don’t have that issue.

    If I were a java programmer, I’d learn a new skill and switch quickly.

    I hope that Oracle can get a handle on these issues, but their long history with other products and security has me convinced that will never happen. At their heart, they are a sales-run organization, so as long as people continue to use Java, these issues will never be addressed. They will be patched in an effort to look like they are trying … just like building parks in SimCity makes the computer residence believe that smog isn’t a problem. It is not a real fix.

    1. Vee

      I don’t believe Java needs to be killed off, it (and people) need to know its place. That place isn’t as a web browser plugin. Ever since they started the option of being able to disable it in ALL web browsers I haven’t had any issue with Java. I just wish they’d alert people of that option during setup and I wish they had done this sooner. Corporate/work environments, well, they’re always playing catchup with all software updates and I feel for them.

      All you can do with anything in life is reduce your risk. Health, home, computer security and everything else.

      1. SeymourB

        In my corporate/work environment I would love to kill off Java completely, except some government websites we have to use require Java. Indeed they require Java, worst of all, in a web browser.

        If Java had an adequate automatic updating method I wouldn’t be completely annoyed at Oracle. As much as I loathe Adobe, whatever method they’ve settled on for recent versions of Flash does keep plugins updated well enough that its become rare for me to see them more than a week out of date. If Oracle would stop with the “monthly check” for updates being set by default – and overriding whatever value was set in the previous version for monthly checks – I’d be far less annoyed with them.

        As it is, I’m annoyed with Oracle yet resigned to my fate…

  6. EJ

    So Java 7 u21 now fires off a security warning when running Secunia’s awesome OSI security application. Great – another cry of “Wolf!” that users will become numb to and ignore universally.

  7. Martin

    I just upgrade update 17 to update 21 on 4 VM workstation (XP, VISTA, WIN7 and WIN 7 64) on a lab environnement. Now if I try to open Java in the control panel Java crash on my 4 VM !!!

    I am just tired of Java !

  8. harry L

    Installed new version (v7 update 21) of JAVA (etrade would not lanuch their market caster (real time) without installing. However I did not uninstall V7 update 17.

    If the older version of JAVA had security issues, am I at risk even though I am using the new version. Can I uninstall the older version without messing up the new version?

    1. BrianKrebs Post author

      Harry, did you check to see whether the old version was still installed? Java’s uninstaller should now remove older versions. You can also check via instructions in the last paragraph above:

      Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage.

      1. harry L

        Went to Control Panel “uninstall programs” and it shows only the new version.

        Back in the older days, it used to retain old versions. Feel a bit dumb for assuming it still does without checking.

        Thanx Brian

Comments are closed.