21 Jan 15

Java Patch Plugs 19 Security Holes

Oracle this week released its quarterly patch update for Java, a widely-installed program that for most casual users has probably introduced more vulnerability than utility. If you have Java installed and require it for some application or Web site, it’s time to update it. If you’re not sure you have Java on your computer or are unsure why you still have it, read on for advice that could save you some security headaches down the road.

Oracle’s update brings Java 7 to Update 75 and Java 8 to Update 31, and fixes at least 19 security vulnerabilities in the program. Security vendor Qualys notes that 13 of those flaws are remotely exploitable, with a CVSS score of 10 (the most severe possible score).

Java 7 users should know that Oracle plans to start using the auto-update function built into the program to migrate those users to Java 8 this week.

According to a new report (PDF) from Cisco, online attacks that exploit Java vulnerabilities have decreased by 34 percent in the past year. Cisco reckons this is thanks to security improvements in the program, and to bad guys embracing new attack vectors — such as Microsoft Silverlight flaws (if you’re a Netflix subscriber, you have Silverlight installed). Nevertheless, my message about Java will remain the same: Patch it, or pitch it.

The trouble with Java is that it has a very broad install base, but many users don’t even know if they have it on their systems. There are a few ways to find out if you have Java installed and what version may be running. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.
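To make that version check scriptable, here is an added Python example (not from the article) that classifies the strings Add/Remove Programs or `java -version` would show against the Java 7 Update 75 and Java 8 Update 31 levels this update brings; the sample inventory is constructed, not taken from a real machine.

```python
import re

# Minimum patched releases named in the post: Java 7 Update 75, Java 8 Update 31.
# Java 5 and 6 receive no public updates, so any install of those is treated as outdated.
PATCHED = {7: 75, 8: 31}

# Accepts the forms seen in Add/Remove Programs and in "java -version" output:
#   "Java 7 Update 10", "Java 8 Update 31 (64-bit)", "7u75", 'java version "1.7.0_75"'
_RE_DISPLAY = re.compile(r"Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)", re.I)
_RE_DOTTED = re.compile(r"\b1\.(\d+)\.\d+_(\d+)")
_RE_SHORT = re.compile(r"\b(\d+)u(\d+)\b", re.I)

def parse_java_version(text):
    """Return (major, update) or None if the string does not name a Java release."""
    for rx in (_RE_DISPLAY, _RE_DOTTED, _RE_SHORT):
        m = rx.search(text.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    return None

def is_outdated(major, update):
    if major not in PATCHED:
        return True          # unsupported line (5, 6, ...): no fix is coming
    return update < PATCHED[major]   # 7u76 counts as patched: it is >= 7u75

def audit(display_names):
    """Map each installed entry to 'ok', 'outdated', or 'not-java'."""
    result = {}
    for name in display_names:
        ver = parse_java_version(name)
        if ver is None:
            result[name] = "not-java"
        else:
            result[name] = "outdated" if is_outdated(*ver) else "ok"
    return result

# Constructed sample inventory (not taken from any real machine).
SAMPLE = [
    "Java 7 Update 10", "Java 7 Update 75", "Java 8 Update 31 (64-bit)",
    "Java(TM) 6 Update 45", "7u76", "1.8.0_25", "Adobe Reader XI",
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:9} {name}")
```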

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. In the past, updating via the control panel auto-selected the installation of third-party software, so be sure to look for any pre-checked “add-ons” before proceeding with an update through the Java control panel.

Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.


44 comments

  1. I haven’t dealt with Java since the late nineties

  2. My coffee is NOT vulnerable to attacks from the web. I attack it first.

  3. If you need it for something and don’t want to use the standard stub installer Oracle pushes from the basic website, offline installers for all OS flavors of Java are available from this webpage:

    https://www.java.com/en/download/manual.jsp

  4. Three machines, zero Java instances.

  5. Another good way to check if you have Java installed: If your kid (or you) plays Minecraft on your computer, you have Java. I’m willing to wager that Minecraft is the #1 reason why any home PC has java installed anymore. That and online backup software like CrashPlan that is written by people who don’t want to put too much effort into multi-platform support.

  6. Heads up

    Javara was retired as of December 18th 2014

  7. I’m still not allowed to use computers or telephones….

  8. “According to a new report from Cisco, online attacks that exploit Java vulnerabilities have decreased by 34 percent in the past year.”

    Too Funny, from the ID10T’s that require me to run JAVA 6 to access their crappy ASA firewalls.

    Cheers.

  9. Looks like they released 7u76 same day as u75. Unsure what the diff is.

    • If I recall a past Krebs post correctly, even-numbered releases such as 7u76 contain corrections for minor technical issues which are not security-related but are otherwise identical to (in this instance) 7u75. Odd-numbered releases are security updates. Correct, Brian?

  10. What you write seems to apply mostly to the Java plugins for web browsers, not for Java in general. I agree that any sort of plugin that can run code from the web is not to be trusted, and that includes Flash, MS Silverlight, Java, and also Javascript.

    However as a general execution environment, separate from one’s browser, it is a bit nonsensical to speak of security holes, when there are normal and documented ways of reading and writing files. That would make any program one installs into a security hole. (Well, maybe in some environments that is not an unreasonable position to take 😉

    • I’m not writing this for programmers and for people who know better. The fact is that Java installs plug-ins in your browsers, whether you ever intend to use the Java through the browser or not. Since the browser is the way most attacks happen these days (aside from email/spam), it seems reasonable to suggest that people either minimize the use of the browser plugin or disable it altogether.

      And yes, Flash, and Silverlight also plug into the browser, and I similarly warn readers when there are updates for both and suggest options for limiting the use of these plugins in the browser.

      • The problem with your article is that it doesn’t distinguish between Java in the browser, and Java on the server-side. While it’s become pretty clear the Java on the client side in the browser isn’t a great choice from a security perspective, Java on the server-side is still a very strong choice for secure web applications and web services. The majority of critical enterprise web applications are written in Java for good reason.

        For the most part, the kinds of attacks that affect Java in the browser aren’t a problem for Java on the server-side. The threat model is quite different. In the browser you’re running code written by some random third-party. But on the server-side you’re running code that your organization presumably trusts. So the whole Java sandbox just doesn’t really apply.

        So please, don’t give companies bad advice. Java on the server-side is a good secure platform for web apps and web services.

        • Every time I write about Java I hear this from people who complain that telling people to remove Java from their computers somehow threatens the viability of the Java platform for businesses or for developers. Again, quite clearly the focus of this story is for end users and consumers, not for businesses. In fact, I state this explicitly in the story:

          “I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java).”

          • Well there are some consumer facing apps that use it (minecraft is perhaps the top one). But if they find they break stuff it’s not hard to re-install.

        • In this case, the update includes fixes for POODLE, which is mostly a server side vulnerability.

          http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

          CVE-2014-3566: Component Java SE, Java SE Embedded, JRockit; Protocol SSL/TLS; Sub-component JSSE; Remote exploit without auth.? Yes; CVSS 2.0 base score 4.3 (Access Vector Network, Access Complexity Medium, Authentication None, Confidentiality Partial, Integrity None, Availability None); Supported versions affected: Java SE 5.0u75, Java SE 6u85, Java SE 7u72, Java SE 8u25, Java SE Embedded 7u71, Java SE Embedded 8u6, JRockit 27.8.4, JRockit 28.3.4; Notes: See Note 4

          https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

          The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.

          Mind you, admins will probably want to consider “what’s the harm in breaking clients that are vulnerable to POODLE”. The answer should be “better broken than compromised”.

          CVE-2014-6593: Component Java SE, Java SE Embedded, JRockit; Protocol SSL/TLS; Sub-component JSSE; Remote exploit without auth.? Yes; CVSS 2.0 base score 4.0 (Access Vector Network, Access Complexity High, Authentication None, Confidentiality Partial, Integrity Partial, Availability None); Supported versions affected: Java SE 5.0u75, Java SE 6u85, Java SE 7u72, Java SE 8u25, Java SE Embedded 7u71, Java SE Embedded 8u6, JRockit 27.8.4, JRockit 28.3.4; Notes: See Note 4

          https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6593
          Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

          Not much detail, but again, based on the rough description, I wouldn’t want to run an affected version of Java server side.

          If your java application doesn’t actually have any network access, then you could consider ignoring these two vulnerabilities.

          It’s possible that the “Libraries” vulnerabilities could be impacted by data processing, but it’s really hard to draw much in the way of conclusions about the underlying vulnerabilities (which is sort of the point, the goal is to encourage you to upgrade, not to help an attacker identify and exploit the flaw).
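The two risk-matrix rows quoted above carry the CVSS v2 components behind their 4.3 and 4.0 scores, and the article notes that 13 of the fixed flaws score 10. This added Python example (not from the post, the commenter or Oracle) recomputes a v2 base score from those components and checks each quoted row for consistency; the rows below are copies of the ones above with the affected-version list shortened.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights, as given in the CVSS v2 specification.
AV = {"Local": 0.395, "Adjacent": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

def cvss2_base(av, ac, au, c, i, a):
    """CVSS v2 base score, rounded half-up to one decimal as the spec requires."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def parse_matrix_row(row):
    """Flattened Oracle risk-matrix row: the seven columns after the Yes/No
    'Remote Exploit without Auth.?' flag are Base Score, Access Vector,
    Access Complexity, Authentication, Confidentiality, Integrity, Availability."""
    tokens = row.split()
    flag = next(k for k, t in enumerate(tokens) if t in ("Yes", "No"))
    score, av, ac, au, c, i, a = tokens[flag + 1:flag + 8]
    return {"cve": tokens[0], "remote_no_auth": tokens[flag] == "Yes",
            "published": float(score),
            "av": av, "ac": ac, "au": au, "c": c, "i": i, "a": a}

def check_row(row):
    """Recompute the score from the published components and flag a mismatch."""
    m = parse_matrix_row(row)
    m["computed"] = cvss2_base(m["av"], m["ac"], m["au"], m["c"], m["i"], m["a"])
    m["consistent"] = m["computed"] == m["published"]
    return m

# The two rows quoted in the comment above, with the version list shortened here.
ROWS = [
    "CVE-2014-3566 Java SE, Java SE Embedded, JRockit SSL/TLS JSSE Yes 4.3 "
    "Network Medium None Partial None None Java SE 7u72, Java SE 8u25 See Note 4",
    "CVE-2014-6593 Java SE, Java SE Embedded, JRockit SSL/TLS JSSE Yes 4.0 "
    "Network High None Partial Partial None Java SE 7u72, Java SE 8u25 See Note 4",
]

if __name__ == "__main__":
    for r in ROWS:
        m = check_row(r)
        print(m["cve"], m["published"], m["computed"], "ok" if m["consistent"] else "MISMATCH")
    print("CVSS 10 check:", cvss2_base("Network", "Low", "None", "Complete", "Complete", "Complete"))
```

The "Partial None None" impact triple on CVE-2014-3566 is what a padding-oracle disclosure looks like in v2 terms: confidentiality only, which is why it scores far below the remote code execution flaws the article describes.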

  11. Perhaps some day their auto updater will actually work correctly, too.

    We are stuck with it on most workstations here for GoToMeeting, and quite disappointingly, the otherwise awesome Unifi 802.11 access points rely on it.

  12. Would be nice for this post to address MacOS users. While still a minority, we have issues with Java too.

    My wife uses Adobe Creative Suite and this insists hourly that she install Java, which she has so far refused to do.

    Apple has removed Java from their default operating system installation, which makes dealing with this software both easier (because it is never installed by default) and more difficult (because updates are via alternative means) to handle.

    • Harder to handle on a Mac? Coincidentally, the Java 8 updater prompt popped up on my Mac while reading this article. One button press and it’s updated.
      (Unfortunately, I need Java….)

      • Yeah, I was impressed (by the OS X prompt sequence), it was painless.

        Whereas, I can never find the update button in the Java control panel on Windows. I suspect that a policy has disabled it (I haven’t spent the time investigating).

  13. Brian, I think you should update your Tools for a Safer PC article to include these two extensions for Chrome, which are far lighter-weight, more efficient, and more granular than other script blockers and ad blockers for Chrome. They are from the same developer (whose first project included the functionality of both these extensions, which he has now separated out).

    https://chrome.google.com/webstore/detail/%C2%B5matrix/ogfcmafjalglgifnmanfmnieipoejdcf?hl=en

    https://chrome.google.com/webstore/detail/%C2%B5block/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en

    With these two plugins, Chrome’s sandbox model, its certificate pinning and its general commitment to a secure architecture, Chrome is the browser people should be using if security is their priority.

    I think you should also add a note on Tools for a Safer PC to the effect that blocking ads is good protection against opportunistic malware infection of the “browse and get owned” variety. To me it is fair to block ads if content providers aren’t taking end user security seriously. Ad channels need to be authenticated and secured, and they should be prevented from pulling third or fourth party resources, full stop.

    BTW Adobe Creative Cloud on OS X in many cases requires users to download Java 6 for Mac, which is entirely unsafe. Adobe needs to be called out for this.

    • I am one of those people that read the ULAs. Using Chrome gives google access to monitor all your browsing for “marketing” purposes. Same as using their IE plug in, along with a lot of similar products.
      As much as I don’t like IE, I don’t allow Chrome on our business PCs.

      • I hear you, but I am increasingly disgusted with the attitude that Mozilla has taken WRT Firefox development.

        And I don’t like IE either.

        Unless you want to build Chrome from source (after having removed the bits where they collect and transmit marketing data), I am not really sure what browser to recommend any more. But now you have me curious enough that I am tempted to pull the sources and see what they have in there, and how hard it would be to rip out.

      • You can actually use the uMatrix extension to block what the developer calls “behind the scenes” traffic to Google.

        Does Chromium (the unbranded open source version) have the same terms?

        • I wouldn’t recommend Chromium.
          http://www.chromium.org/getting-involved/download-chromium
          “Chromium builds do not auto-update”

          That alone is a recipe for disaster.

          If you’re looking for a Chrome alternative, you /might/ consider Iron:
          http://www.srware.net/en/software_srware_iron.php

          Note: I don’t bother. I use Mozilla Nightly, Chrome Canary, and Chrome (and IE11 and Safari).

          If you’re paranoid about where you browse on the Internet, then you’re probably best off not being on the Internet at all.
          You could try: Tor Browser https://www.torproject.org/projects/torbrowser.html.en but you’d have to have faith that the sites you visit aren’t (a) compromised (b) conspiring against you (c) poorly designed

          Personally, I take for granted (c), expect (a) to happen w/ some regularity (don’t you, I mean, we both read krebsonsecurity.com …), and accept (b) as the price of doing business (I’m not particularly excited by a subscription based Internet — I do not miss AOL/Compuserve).

  14. Mac OS users who do PayPal and eBay printed postage labels online will have Java on their systems.

  15. We use Image Now software (no, I don’t recommend it). It requires v6 for 64bit machines and v7 for 32bit. We also use Banner and that requires 7 as well (although they will probably certify 8 soon). So I’m glad that the browser has a selective running option for Java now. I only activate it when I have to.

  16. It should be remembered that end of lifecycle for Java 7 has already been announced (again well in advance), though no doubt some laggards will continue to require it well past its sunset, just as they currently do for Java 6.

  17. Twin Mustang Ranch Dressing

    Google Chrome has also been updated:
    http://googlechromereleases.blogspot.com/2015/01/stable-update.html
    As one of the commenters there notes, the Pepper version of Flash Player in this version of Chrome is version 16.0.0.287 but Adobe’s Flash Player test page still shows 16.0.0.257 as the latest version.

  18. Almighty Krebs, your “Donate Bitcoin” link is broken, it leads to a “checkout not found” page on Coinbase… you may want to look into that.

    I was going to post my quarterly invite link to you-know-where, then bribe donate to you another $5 or $10 to leave it up. But it shall have to wait. :-\

  19. Greetings Kevin Mitnick.

    648%#*;:+$68

  20. Bryan, I just discovered that there’s a Java control panel option to suppress the sponsored installer junk.

    http://www.howtogeek.com/198240/avoid-javas-ask-toolbar-installations-with-this-one-weird-registry-hack/
    … talks about it. Note that the quotes in that article are fancy quotes, and the quotes you want to use in .reg files are normal quotes, but…

  21. In related news, Adobe has released a new Flash Player update (16.0.0.287). Google pushed out the new Chrome update yesterday with the Flash Player update.

  22. Found 6 outdated versions of Java, everything back from 7 update 10.

    I remember we needed it for some ancient company application that we don’t even use anymore.

    Thank you for the link to the JavaRa tool, great help in removing that old crap. I might as well uninstall it completely now…