Oracle today released a security update for its Java platform that addresses at least 20 vulnerabilities in the software. Collectively, the bugs fixed in this update earned Oracle’s “critical” rating, meaning they can be exploited over a network without the need for a username and password. In short, if you have Java installed it is time to patch it or pitch it.
The latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 65. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 11.
According to Oracle, at least 8 of the 20 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 9.0 or higher (with 10 being the most severe). Oracle says vulnerabilities with a 9.x CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system.
The trouble with Java is that it has a very broad install base, but many users don’t even know if they have it on their systems. There are a few ways to find out if you have Java installed and what version may be running. Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.
If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.
Otherwise, seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.
If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).
The fixed versions ain’t even listed on the Oracle Technology Network’s Java homepage yet: http://www.oracle.com/technetwork/java/index.html
But it was listed in the downloads area:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
As soon as I saw this article was posted they were listed as available for download.
I usually go to that page, as those installers normally lack the bundled crapware. Oracle has wisely chosen to not piss off the only people still supporting Java (by writing applets in it).
Is your last name Butts by any chance?
Lulz!
http://www.youtube.com/watch?v=FtKnTegOIM4
Typing “java” in the command line is likely to give a false negative for most users, personally I had to add jre/jdk to %PATH% manually.
Not a big fan of Java, always thought it was a big browser memory hog, worse than Flash
The “java -version” only works if you add the java install folder to the %PATH% variable. Type “set path” on cmd and there should be a path like “Program Files\Java\jdk1.7.0_06\bin” or similar.
I added this manually when I started programming in Java. Since I don’t need to run applets, I just unchecked Run in Browser on the control panel for security. (Though I use the NoScript plugin with Firefox so I’m probably just paranoid.)
Bryan,
Which version is safer (if we absolutely must use JAVA SE/JRE),
Version 7 or Version 8?
They should both be up to date.
Version 8 will continue to be patched longer (since it’s the newer version), so I’d go with 8 if you don’t have a preference.
It’s also good to point out that it’s the Java browser plugin that has the security holes – but these are the holes the bad guys use to run bad stuff – Java itself is relatively secure (and is the reason it continues to be used on business servers).
Not necessarily just the plugin. Applets can be downloaded and run by neophyte computer users and those exploits can then be run without a web browser involved at all.
Sometimes the miscreant will use another program to exploit, say (just as an example) your email software, and from there will piggyback onto Java or another OS level program without involving a browser at all.
It’s certainly safer to have the Java plugin turned off, but safest of all is to either not have Java installed at all or to have it fully patched.
Strongly agreed! Except as mentioned sandbox exploits after download can be done also.
I love all this forgetting history, where Java is somehow the most insecure gateway to mayhem there ever was.
Tech evolves. Way back it was activex that was really bad. Along comes java, the savior of security, with the concept of a good sandbox, signed apps etc. This worked great and was the hero of the web for quite a while.
But as attacks became more sophisticated, a new approach evolved, javascript is becoming better at doing things only java applets could do, so there you go. Java’s web role is not needed as much.
So it’s still a powerful language for apps and servers, and it’s fairly secure.
Watch as years go by and javascript goes from hero to ‘riddled with security holes!’
download.oracle.com uses an invalid security certificate.
The certificate is only valid for the following names: *.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net (Error code: ssl_error_bad_cert_domain)
Now why am I not surprised that their web site is hacked or misconfigured in a way that compromises security and trust? 😛
I better delete the installer I just downloaded from their site. Glad I haven’t installed it yet.
Do Oracle advertise a https version of the download link?
In any case, you can (and should) check the certificate on the executable after downloading it.
Check the certificate on the executable? How? I don’t know that Firefox can do anything of the sort — just download it and stick it in a folder somewhere.
File hashes. https://en.wikipedia.org/wiki/File_verification
So check your download with this for reference: http://www.oracle.com/technetwork/java/javase/downloads/javase8-binaries-checksum-2133161.html
Another method you could use is just simply uploading it to https://www.virustotal.com/ and if others have uploaded that same file then it’s a high chance you have the legit download. But VirusTotal will also easily tell you the file hash of whatever file you upload under “Additional information”.
Are you crazy? Those Java downloads are forty or fifty megs. I’m not uploading them anywhere. As for those checksums, I don’t suppose there’s any way I can just click a couple of buttons and get either an “OK” or some sort of a security warning the way there is with the dodgy SSL certificate? If I’d have to download some other software to do this, then that’s a chicken-and-egg problem. Or am I expected to do a bunch of nasty math, or program something myself?
I’d much rather I could just trust download.oracle.com to actually be download.oracle.com and cannot think of one single good reason why I shouldn’t be able to. SSL isn’t exactly bleeding edge, it can’t be that difficult for Oracle of all companies to get it right on their web site.
Unless, of course, they did but someone else hijacked their DNS entry. Which is what the browser is warning is likely to be the case.
….
You want real security or do you want a program that gives you an automated green “ok” mark?
I gave you solid ways of verifying a file. The only way a HTTPS iffy setup would hurt you is in the case of a man in the middle attack, which if there was one on http://download.oracle.com then other security newsites would be reporting on it, because it’d be a huge story. But also the download would probably have a different hash.
Basically, HTTPS enabled sites can have forged certificates and man in the middle attacks, but that’s not happening on http://download.oracle.com and your Java download is fine. It’s your browser trying to force the site into using HTTPS and the certificate not matching their download domain.
Meaning, just get rid of the “s” in the “https://” download link, and it’ll download fine without any notification.
“I gave you solid ways of verifying a file.”
No, you didn’t. You didn’t say anything about how I could go about doing that without either doing a great deal of technical stuff myself or downloading yet another executable from somewhere (and verifying that one how, exactly?) even when I specifically asked for that information.
Just “upload” the file to VirusTotal (it won’t upload, because it’ll already be uploaded. But you’ll be able to check the file hashes)
If the download file is legit, it’s moot how their download domain is setup because the whole point is to receive the file you’re meant to receive. More than 90% of the stuff you download over the internet is HTTP anyway, yet you don’t lose sleep over verifying all of it.
How would the browser “know” whether VirusTotal already had a file with the same hash as a local file, other than by uploading the file first? Browsers don’t hash files, the last time I checked. VirusTotal might hash files, but it would need a copy to hash it. Really, I don’t see a way around it — to get the forty meg executable hashed I’d have to either upload it somewhere or download and run some other executable that does file hashing.
And that, of course, assuming I could get it in the first place, while observing my resolutions to not use IE and to not poke lasting holes in Firefox’s security by granting SSL exceptions.
Ah, now there you go wrong. A file hash is *NO* guarantee that the file was built by Oracle (in this case).
A file hash will prove that the file has not been corrupted during the download, that it is the same as the one the vendor uploaded.
If an attacker has the ability to upload a malicious file, she or he has the ability to change the webpage with the checksum of the malicious file as well.
A signed binary’s signature can under MS Windows be inspected by simply right-clicking and selecting properties.
It’s moot anyway. I can’t even download the file to check it against anything else. Firefox doesn’t give me an option to just ignore the security warning just the once; I have to either create an exception for download.oracle.com or leave it, and I don’t want to be poking lasting holes in the darn thing. And I’m pretty sure I tried changing https to http and it just redirected right back to https.
(That, and the lack of an opposite redirect or an error such as “connection reset” when download.oracle.com is contacted on the https port also seems to disprove the hypothesis that download.oracle.com isn’t configured for https. If it weren’t, why would it answer https requests with anything other than a redirect, let alone give some other random site’s certificate?)
Oracle needs to fix its website.
Just download it under Internet Explorer.
OK, “Vee”, you’ve just lost all credibility with me on the matter of computer security. First you tell me to ignore an SSL warning that a domain I tried to reach is apparently not who it says it is, and then you tell me to use Internet Exploder? Yikes!
I can’t tell if you’re so black and white minded that you honestly can’t help it or if you’re just baiting to fight.
Especially considering you yourself probably had to use Internet Explorer to download the Firefox you’re using now… And considering this is all over downloading a Java installer.
My mind is blown.
If you must know:
a) I get Firefox onto new or reinstalled systems by downloading it in Firefox on another machine and copying the installer to the target machine using media or a LAN; and
b) I use Java to run local software, not applets. Every browser I have either lacks a Java plug-in entirely or has it set to “click to play” (plus, I use NoScript).
I also get that notification (have been for months) but just assumed it was my HTTPS Everywhere extension that broke it.
https://www.ssllabs.com/ssltest/analyze.html?d=download.oracle.com
In any case, it’s harmless. Either add an exception or change the HTTPS download link to HTTP.
In what way can it possibly be “harmless” that when I try to contact download.oracle.com I get a site offering SSL certificates for some completely unrelated domains? That’s a strong hint that the machine responding to attempts to reach download.oracle.com is not the real download.oracle.com.
In any event, it smells, and advice to ignore security warnings and download an executable anyway, despite indications that someone other than Oracle but pretending to be Oracle might end up being the source of it, doesn’t seem very sound to me. Aren’t we supposed to be in favor of not getting into bad habits like ignoring security warnings around here?
Akamai is just a distributed content delivery network. They’re trustworthy.
Are you claiming they’re hosters that are/may be hosting Oracle? Even if they are, there’s no guarantee whatsoever that they’re not also hosting some blackhat that hijacked Oracle’s DNS entry. And then how would I know which one was which, unless one presented a valid certificate for the domain download.oracle.com?
Akamai is *very* trustworthy, the only real issue they have is that they can be ‘lawfully’ backdoored by a certain Government Agency That Shall Be Unnamed Here.
If you ever downloaded Windows Updates, you received them from Akamai. The issue here is Oracle is being Uncle Scrooge and doesn’t want to shell out a few bucks to let Akamai install a DECENT certificate.
Reread my previous comment. The trustworthiness of Akamai is irrelevant. To trust an executable from a random Akamai node that I cannot verify is actually download.oracle.com means I’d have to trust Akamai and every single one of Akamai’s customers, any of whom could actually be serving that executable file.
Put another way, consider this scenario: bad guy rents hosting from Akamai. Bad guy uploads questionable executable to their web space, with a path and filename that matches a Java download at download.oracle.com, say /downloads/java7u65.exe. Bad guy downloads it again and notes the IP address the browser actually fetches from. Bad guy hacks DNS so that download.oracle.com now points to that IP address. Unsuspecting user goes to “download.oracle.com”, gets the certificate mismatch, skips past it (somehow, maybe by not using Firefox, or creating a permanent exception?), and downloads the bad guy’s executable …
Now tell me how to distinguish the above situation from actually getting Oracle’s file and Oracle merely having misconfigured the download.oracle.com domain’s SSL.
I don’t think I can. The whole point of SSL certificates is to enable me to tell whether I’ve reached the real download.oracle.com.
Perhaps you should quit using computers altogether as that would be the best bet to circumvent infection of malware and/or someone hacking you. Read the error message. Computers produce them all the time. Not all error messages constitute foul play. Paranoia is not a good security solution, it is just a good way to lose sleep, jump at shadows, and be an irritating prick. Arm yourself with information gained through research and try not to annoy those who are genuinely trying to help by offering advice.
Way to completely and utterly fail to address any part of my argument there, bozo.
Now, tell me again why I should trust not only Akamai but all of Akamai’s customers as well? Or else admit that you are wrong.
Because that one actually is perfectly fine to ignore. I’m almost certain it’s being triggered by a false HTTPS Everywhere ruleset. Do you also use HTTPS Everywhere (or another HTTPS type of extension)?
The issue is that they don’t have HTTPS configured to their download page (which is HTTP by default under IE). Yet, for whatever reason (again, for me I’m betting it is HTTPS Everywhere) our browsers are trying to connect using HTTPS. The issue is on OUR end.
I’m pretty sure that no scary security warning from the browser is “perfectly fine to ignore”. Either users should ignore it when domain A tries to proffer the certificate for domain B, or users shouldn’t. I’m pretty sure that the first case means the terrorists win, so I think I’ll choose what’s behind door #2.
Actually self-signed certificates that give scary warnings can be more secure than a big green “OK” a browser is programmed to give you, and it depends on the situation… Generally security authorities are trustworthy but the green ok is just a specific programmed situation that means something has a minimum level of encryption and the company purchased the certificate from an “authority” the browser is programmed to trust. It’s ridiculous to get into it too much here, but the big green ok you’re used to isn’t the end all be all of how secure a connection is.
The key is understanding what you’re actually seeing.
If you create your own self-signed certificate for your own website you’ll have no trouble identifying it and setting up a highly secure https site regardless if you paid a certificate authority to “certify” it and add their own code to it to “verify” you to others.
So once you are a security professional you can more securely judge a situation by more than a big green ok sign, which people are trying their best to help you with, because I doubt we’re going to get Oracle to fix this for you.
I don’t recommend ignoring warnings in general, but if you understand what they’re really saying they’re not all scary.
It’s a misconfigured CDN. If the certificate belongs to akamai.com it’s ok.
It’s a misconfigured whaaa?
Not that it matters. Which is the better outcome: web sites configure SSL correctly, along with whatever ancillary bits of technobabble, or users start ignoring security warnings from their browsers?
Or put another way: Which outcome would the black hats prefer? Whatever the answer is to that, we should do the opposite. And I’m willing to bet that in this instance “the opposite” means “Oracle fixes their web server”.
As noted elsewhere Oracle needs to pay for a slightly more expensive level of service from Akamai, one which gives Akamai a certificate for download.oracle.com, and where Akamai allocates IP addresses just for the specific server.
afaict, Akamai doesn’t offer SNI (partially because IE for Windows XP doesn’t support it).
I don’t know much about half of that (my knowledge is mainly client-side stuff) but I can tell you that that’s no excuse. Microsoft doesn’t support Windows XP anymore, so what Windows XP supports ought to be considered irrelevant nowadays. XP is yesterday’s news.
It basically comes down to understanding.
If you know what you’re looking at, you can judge a self-signed certificate giving browser warnings as more secure than something that gives you a big green ok just because Verisign goofed up.
“browser warnings” are often a function of money paid to a certificate authority and less of an indication of trustworthiness. It’s a green checkbox someone paid for from a company you’re generally accepting as trustworthy to take the money and “certify” them.
In other words, if I were you, I’d trust the people telling you how to update it rather than fuss about exposing yourself to real security risks just because Oracle didn’t pay to set up a certificate right. But if you’re worried about permanent exceptions, doesn’t Firefox let you edit or revoke it when you’re done? (Tools-options-security-exceptions)…
Unfortunately, many of my clients still have to use java on end of life XP – so this is the end of the road for many of my poor clients. All I can do is point to Linux or, many of the aggressive protections still available to XP users.
Hi, J. By “aggressive protections” are you referring to anti-virus? I’m asking because I had two laptops running XP and I installed Linux on one, but since I’m a newbie with it I did leave XP on the other. I rarely use the internet on that one though and I do have an anti-virus software on it. Just curious about your advice to people who are still using XP. Thanks.
Over at the http://www.wilderssecurity.com/ forums, the gist is that if you lock down an XP machine you can make it secure enough. It’d always be better to switch to an OS that’s still actively supported and updated of course by the developers, but it’s not the end of the world to have a few secondary systems that still run XP for whatever reason.
That’s a decent way to slowly get into Linux as well, to always have a backup Windows system. Then the learning curve isn’t so bad.
Thank you Vee, that is always a useful link! 🙂
Some of the free options are Steady State, which is mentioned in one of Brian’s new articles. If you have a version of XP that is the Professional version, there are some MMC snap-ins and group policy tricks that help a great deal. You can search engine on TechNet and find many of those.
Then there is EMET – I believe 3.0 works on XP, surely all versions are available somewhere. Other than that, it would be paramount to build a good blended defense, up to a limit as far as your RAM and CPU will allow. I still have some success fending off attacks in my honey-pot lab using a combination of one good free AV and several AM solutions – preferably ones that mix passive and active protections. There are only two free firewalls I recommend, and I’m not sure Emsisoft’s is still free, but Comodo’s still is, and has a good HIPS. Some folks like WinPatrol as a fairly good heuristic intrusion protection system. I pile on ActiveX blockers like SpywareBlaster and also browser controls by Spybot Search & Destroy. They are getting old and long in the tooth, but are still resistant to malware manipulation, and use passive real time protection. Anything like that is going to help, even if it is redundant with other products – especially if one of them fails a malware attack. Malwarebytes Anti-Malware is not free for real time protection, but their anti-exploit tool is, and that counts as real time protection in my book. I’ve never tried one for XP, but I’m sure someone makes a white-list for processes for that old venerable software. I should think it would work at least as well as Parental Controls in Vista. I only use the processes part of that utility on Vista. Rapport is still the best anti-key-logger/screen shot blocker I’ve ever tested.
I would never surf with IE-8 now that it is vulnerable, so using FireFox or Comodo Dragon can at least help, especially if NoScript or ScriptSafe and AdBlock Plus are installed as extensions. And last but not least I always clean with CCleaner before logging off or shutting down.
P.S. – Even if the operating system can’t be updated, it has become even more important to update the applications and get rid of end-of-life files. Secunia PSI and File Hippo’s Update Checker can be useful for that.
Q1: Does Java also make PCs vulnerable if they run Ubuntu 12.04 Linux?
Q2: How to tell if
a – my Linux PC has Java installed and
b – any installed programs are using Java?
Thanks for any pointers!
The issues listed here tend to focus on the web browser plugins. The instructions at the bottom of Brian’s link are OS independent.
Whether or not you’re running Java apps is irrelevant. Assuming you have a firewall, you should be ok.
Thank you Bob and Vee.
I’ll make sure I disable Java in my FF browser…
Most Linux distros do come with some form of Java by default, usually OpenJDK or Oracle Java. For Ubuntu see: https://help.ubuntu.com/community/Java
Like Bob said, the issue is from the web browser plugin, so just disable it in your web browser. I wouldn’t remove it entirely from a Linux distro, there could possibly be dependency issues.
Each time I notice one of these JAVA articles I am even happier that I removed JAVA from my PC years ago. Thanks Brian! JAVA: Don’t have it, don’t miss it.
Fortunately Java now defaults to click-to-play (irrespective of the browser used).
Oracle is a fool that they still support Web Applets. They should mark the whole code deprecated and remove it in Java 9 (while supporting updates for older versions).
Java installers should not install support for web applets by default.
Aside from the updates that correct the problem, I see mentions of the top most updates of Java being affected in the advisory.
For example
Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5
Does this mean that ONLY these versions are affected, or predecessors like Java 7u55, 45, 40, etc.?
Although the recommendations for removing Java are more consumer oriented, I would clarify that most of the problems with Java are client-related and not server-related (i.e. most issues do not affect web sites or back-end systems powered by Java).
In this case, I think 3 of the 20 issues affect server-side, and none have high scores (although in any single specific case it could be important).
Regardless, Java on the client side is not a good idea.
And then there are those of us who are still stuck with either internal enterprise web apps or third-party applications (or both) which will only run on Java 6. Wish we could pitch it.
For Java-like development, why not use SENCHA ?
http://www.sencha.com/
We only have to run old java versions because of Oracle’s other software.
Hhhmm, seems to be a pattern.
The scarier version of the https: issue, from my perspective is that Oracle’s downloader brings me to:
http://java.com/en/download/installed.jsp
So, if I were in, e.g., an Internet cafe, and someone decided to MITM me, they could easily convince me to click the link:
Verify Java and Find Out-of-Date Versions
Check to ensure that you have the recommended version of Java installed on your Windows computer and identify any versions that are out of date and should be uninstalled.
Agree and Continue
Properties / alt-enter)
Click the “Digital Signatures” tab.
Double click the row under “Name of signer”
It should say:
Digital Signature Information
This digital signature is OK.
the signer should be Oracle America, Inc.
If you click View Certificate, and then click certification path, it should be:
VeriSign
VeriSign Class 3 Code Signing 2010 CA
Oracle America, Inc.
(dismiss the dialog)
There should be a countersignature, from Symantec Time Stamping Services Signer – G4.
If you double click it, and click view certificate, you can check the certification chain:
Thawte Timestamping CA
Symantec Time Stamping Services CA – G2.
Symantec Time Stamping Services Signer – G4.
This is more or less the official way to check code-signed applications.
You really shouldn’t run Windows applications which aren’t code-signed.
You can read a bit about code signing here: http://en.wikipedia.org/wiki/Code_signing
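The checksum comparison from the earlier file-verification discussion and the Properties / Digital Signatures walk-through above, combined into one PowerShell script. This is an added example, not code from the article or any commenter; it assumes PowerShell 4.0 or later (for Get-FileHash), a placeholder installer path, and a placeholder expected SHA-256 that you copy by hand from the vendor’s checksum page.

```powershell
# Added example (not from the article or its comments): verify a downloaded
# Windows installer the way the thread describes. The path, the expected hash
# and the expected signer name are parameters; the first two are placeholders.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\jre-installer.exe",   # placeholder path
    [string]$ExpectedSha256 = '<paste SHA-256 from the vendor checksum page>',
    [string]$ExpectedSigner = 'Oracle America, Inc.'                   # signer named in the thread
)

function Test-DownloadHash {
    # Weaker check: the hash only proves the bytes match what the checksum page
    # lists. If an attacker controls both the file and the page, this still
    # passes, so it rules out corruption in transit, not substitution at source.
    param([string]$File, [string]$Expected)
    $actual = (Get-FileHash -Path $File -Algorithm SHA256).Hash
    [pscustomobject]@{
        Check  = 'SHA-256 matches checksum page'
        Passed = ($actual -ieq $Expected)
        Detail = $actual
    }
}

function Test-AuthenticodeChain {
    # Stronger check: an Authenticode signature is made with the vendor's private
    # key, which someone who merely hijacked DNS or a CDN path does not have.
    # This is the scripted equivalent of Properties -> Digital Signatures.
    param([string]$File, [string]$Signer)
    $sig = Get-AuthenticodeSignature -FilePath $File
    $results = @()
    # Status is Valid only if the signature verifies AND the chain ends at a root
    # this machine trusts; otherwise it reads NotSigned, HashMismatch, etc.
    $results += [pscustomobject]@{
        Check  = 'Signature status is Valid'
        Passed = ($sig.Status -eq 'Valid')
        Detail = "$($sig.Status): $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $results += [pscustomobject]@{
            Check  = "Signer is $Signer"
            Passed = ($subject -like "*CN=$Signer*")
            Detail = $subject
        }
        # Walk the certification path (the "Certification Path" tab in the GUI).
        # RevocationMode NoCheck keeps this offline; use Online to also query CRL/OCSP.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($sig.SignerCertificate)
        $path = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        $results += [pscustomobject]@{
            Check  = 'Chain builds to a trusted root'
            Passed = ($chain.ChainStatus.Count -eq 0)
            Detail = $path
        }
    }
    # A timestamp countersignature keeps the signature verifiable after the
    # signing certificate expires; the thread reports a Symantec timestamp.
    $results += [pscustomobject]@{
        Check  = 'Timestamp countersignature present'
        Passed = ($null -ne $sig.TimeStamperCertificate)
        Detail = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'none' }
    }
    $results
}

$report = @()
$report += Test-DownloadHash -File $Path -Expected $ExpectedSha256
$report += Test-AuthenticodeChain -File $Path -Signer $ExpectedSigner
$report | Format-Table -AutoSize

# Any failed row means "do not run this installer". A passing hash with a
# failing signature is exactly the substitution case the thread warns about.
if ($report.Passed -contains $false) { exit 1 }
```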
If I understand correctly, those are, again, security flaws related to Java Applets only.
So any user that has deactivated Java in browser (which is possible since a while now) is not vulnerable to this, correct ?
Thanks already for the upcoming clarification 🙂
How do I download the Oracle Critical Patch Update Advisory – July 2014?
In general, the issues with Java are all related to applets running in the browser.
Essentially, you can consider running Java in the browser as equivalent to running a random full-fledged program you downloaded from a random website. Just like running “that neat animated monkey app from some random programmer in Russia” is a bad idea, running random Java applets in the browser itself is also a bad idea.
What makes it tricky is that unless you have click-to-play or some other browser configuration set up properly, Java applets can run in your browser automatically without you knowing it (though newer browsers often add an extra layer of defense by warning you before they run Java, at least).
If you’re running Java on your desktop, it’s a different can of worms. There are many legitimate programs written in Java that require it to be installed (Minecraft, multiple programmer’s tools such as Eclipse, Netbeans, IntelliJ, and so on). In that case, Java is at most no worse than any random Windows, Mac, or Linux program you download from anywhere. If it came from a legitimate source, you’re probably okay. In fact, one could argue that Java is at least a smidge more secure than the most commonly used languages for developing apps, C and C++, because (and I’m trying not to get too technical here) it has some built-in features that make it impossible to make some of the most common security mistakes in C and C++.
These are vulnerabilities that need correcting.
Oracle CPU January 2010: Listener
Missing Oracle Critical Patch Update (CPU) for October 2009
Missing Oracle Critical Patch Update (CPU) for July 2006
Missing Oracle Critical Patch Update (CPU) for January 2007
Missing Oracle Critical Patch Update (CPU) for October 2006
Oracle CPU January 2010: OLAP
Oracle Database Obsolete Version
Oracle CPU July 2010: Net Foundation Layer
Oracle CPU July 2010: Listener
Oracle CPU April 2010: Core RDBMS
Now I see that Oracle has announced the end of public support for Java 7: http://www.java.com/en/download/faq/java_7.xml. Forewarned is forewarned. Should only be a couple more years before people quit writing for JRE7….
Is there any way to update security patches from Oracle 10g?
If you are referring to java – I’ve had better luck using the updater in the programs file list. I’ve never been able to use the Control Panel applet – in fact it disappeared after the last successful update. Lately I’ve not been able to successfully update java at all. Unfortunately I need it so I can check some security applications, including my ATM appliance. So much for security!
I’m not talking about Java, I need to update the security patches from Oracle 10g.