Biz & IT —

Critical bug in newest Java gives attackers complete control of PCs

Discovery is the latest black eye for the security of the widely used Java.

Dan Goodin - Aug 31, 2012 6:57 pm UTC

Java "applets" run in a secure sandbox that prevents them from interacting with sensitive operating-system functions unless authorized.
Oracle

Researchers said they've uncovered a flaw in the Java 7 update released by Oracle on Thursday that allows attackers to take complete control of end-user computers.

The flaw in Java 7 Update 7, which Oracle released to stop in-the-wild attacks that silently install malware on end-user machines, is the latest black eye for the security of the widely used software framework. It comes after revelations that Oracle learned of the vulnerabilities under attack in April, four months before the exploits were detected. Oracle has yet to explain the delay in fixing the bugs.

The latest bug "facilitates full Java sandbox bypass on latest Java 7 Update 7," Adam Gowdiak, the CEO of Poland-based Security Explorations, wrote in an e-mail to Ars. His team developed proof-of-concept code and delivered it on Friday to Oracle engineers. The discovery of the new critical bug was reported earlier by IDG News. There are no reports that it is being exploited online.

"The total hunt took about 2-3 hours," Gowdiak wrote. "It was done yesterday in the evening. The discovery was made [as] a result of a manual analysis of Java code (its implementation)."

Gowdiak declined to discuss technical details out of concern that they may make it easier for criminals to exploit the flaw in e-mail- or Web-based attacks. He said the discovery came "while trying to fix the proof-of-concept codes that stopped working after applying the recent Java patch."

An Oracle spokeswoman responding to a request for comment referred Ars to this advisory, which was published with Thursday's update. She and other representatives didn't respond to a follow-up e-mail informing her that the advisory was published before the most recent vulnerability was discovered.

This week's attack, and Oracle's lack of public response to them, has renewed calls by many—this reporter included—to remove Java from computers that don't use the cross-platform framework. Many programs that claim Java is required work fine, or almost as well, without the Oracle software, as confirmed by at least two Ars readers on Thursday. Even when it's mandatory for programs such as Adobe Photoshop, as one Mac-using Ars reader reported, users may want to remove Java plugins from their browsers if the websites they regularly visit don't require it. The removal advice has proved controversial to some, so Ars readers are encouraged to decide for themselves. (Oracle's official Twitter account for Java has also disagreed with the advice.)

Two of some 19 bugs that Gowdiak's firm reported in April were among those combined in the latest proof-of-concept attack to completely bypass the security sandbox Java relies on to ensure untrusted code can't access sensitive operating-system functions. Some of the remaining holes still haven't been plugged, and when linked to the latest discovered flaw, attackers could once again have the ability to escape the safety perimeter.

Said Gowdiak: "When combined with some of the April 2012 issues, the new issue allows [one] to achieve a complete [Java virtual machine] sandbox bypass in the environment of latest Java SE 7 Update 7 (version that was released on August 30, 2012)."

Listing image by Oracle

Promoted Comments

DCStone | Smack-Fu Master, in training
jump to post

From the article: "Even when it's mandatory for programs such as Adobe Photoshop, as one Mac-using Ars reader reported..."

Except this Mac user has no problems using Adobe Photoshop and Dreamweaver (CS6) on a Mac (10.6.8) with Java disabled via the Java Preferences.app.

Now, it may be that the installer won't install without Java being at least physically present, and it may be that certain collaborative features don't function as intended without Java enabled, but the Adobe applications I use on a regular basis don't seem to be complaining!

Certain chemistry-related web tools will require me to turn Java back on periodically, but I really don't use them often enough to worry about it; much easier to leave it off until needed.
Last edited by DCStone on Fri Aug 31, 2012 1:35 pm

27 posts | registered Jul 6, 2010
Dan Goodin | Security Editor |
jump to post

Brass2TheMax wrote:
I lost a lot of respect for many Ars readers (and Ars as a whole) here today.

I thought we were supposed to be a technical audience? If so, why is it that so many people posting in here seem to think that because at least one serious exploit exists in the Java framework that the reasonable course of action is to either uninstall it completely from all of their machines, or to disable it and cripple it so as to render it completely unusable until you need it? This is what I would expect a sales associate at Best Buy to recommend to someone because they don't have a great understanding about what Java actually is.

Those of us who know and understand a lot more than that and have some experience under our belts know that this is a commonplace problem for many other software frameworks as well, it's nothing new. Some people are treating it like it's the freaking apocalypse!

Sure, Oracle has gone full retard with this whole situation, and may arguably have even ruined how stable Java used to be, but this is FAR, FAR, FAR, FAR, FAAAAAAAR from a reasonable reason to declare a war on Java by removing it from everything you can.

This is going to blow over. It always does. Welcome to the industry.

I'm not doing anything to my Java installation (I use the SDK frequently, but that's besides the point). Nothing's going to happen, seriously. Only if you go to some shady website, and I thought most of us here were smarter than that.

So are you saying the only people who get exposed to drive-by exploits are those who visit porn or warez sites? If so, that's a breathtaking statement that was proven false years ago. Witness:

http://www.theregister.co.uk/2011/11/02 ... ompromise/

http://www.theregister.co.uk/2011/08/08 ... gle_image/

http://www.theregister.co.uk/2011/08/02 ... oes_viral/

http://www.theregister.co.uk/2009/06/02 ... infection/

The vast majority of paid security experts will tell you to reduce your attack surface by uninstalling unneeded apps. Why is it surprising to find this advice on a tech site?

158 posts | registered Jan 30, 2012
PhilipTheHermit | Smack-Fu Master, in training
jump to post

@Dan Goodin: About "Attack Surface":

Think about your PC for a moment. Strike that, think about a generalized computer. There are only two ways in which a remote site can interact with that computer:

A) If the computer has a service listening on a port (i.e. it's acting as a server);

B) If the computer initiates contact with another computer (i.e. you're browsing the web or checking email).

Now, A pretty much goes away if you're running a firewall, doubly so if you're also running a NAT firewall/router on your home network. If you don't have any services listening on any ports, OR you've got them all firewalled off, it is simply not possible for another computer to initiate any sort of communications with your PC. That leaves B.

With respect to B, you're using your web browser, email software, or usenet client (heh heh -- right?). If you don't have a Java plugin running in your browser, email software, or usenet client, there isn't any Java in your "attack surface". Zip, nada, zilch. Without that plugin, there is absolutely no way on Earth any other computer can do anything to your PC that you could blame Java for.

Simply having Java does NOT mean it's a part of your "attack surface". You have to look at the boundaries, the ways in which your PC initiates communications with the outside world. What comes in, what goes out, and how it's processed.

If your Java isn't doing anything with the network, it's not part of your "attack surface".

NOTE: Someone said yesterday that if they could get access to your PC, they could run some kind of poison Jar file on it and that means Java's still a problem. I replied that if they're already running stuff on your PC, you're already pwned, so why bother messing with Java? They already have you at that point. They could even install Java if they wanted. As I told him, Java on the desktop doesn't have a sandbox anyway -- it runs with your user privileges like any other program. This is all about the browser, and nothing but the browser.

38 posts | registered Aug 28, 2012
Jim Z | Ars Legatus Legionis | et Subscriptor
jump to post

daddysmonsters wrote:
dangoodin wrote:
mdfrncs wrote:
and another java comment thread dragged down by misinformation...

I might as well add some wood to the fire: if you don't uninstall Java your computer might blow up!

mdfrncs, something isn't misinformation simply because you label it as such. If you can document inaccuracies, please do. Otherwise, it's hard for anyone here to take your comment seriously.

It's hard to take an article seriously when the author has more prowess in gardening than he does in security.

Ad hominem.

Quote:
I'm unsure at this point, if you are just on a personal crusade to drag Java as a language through the mud, or if it's just more knee jerk reaction from someone who isn't doing anything but reporting things that have been discovered by others, and throwing a bit of sensationalism to keep Conde Nast happy.

Appeal to motive.

Quote:
At either rate, you aren't defining the attack vector, and you aren't making a clear definition of how modular Java is and instead are giving the kind of advice that I'd expect from an employee at Best Buy.

Ad hominem, abusive.

Quote:
so I'll just tell you how I really feel and you can deal with it because you are a grown ass man making comments that if echoed could harm someones means of making a living due to flat out ignorance.

These people can pressure Oracle to fix their shit if they want to do something useful, instead of throwing logical fallacies around like candy at a Memorial Day parade.

34448 posts | registered Nov 5, 1999
peregin55 | Smack-Fu Master, in training
jump to post

Hi Dan,

I completely agree that if a user isn't using an application, and if the application has become a significant risk to security, then the application should be removed.

The problem here, and why I think some of us are getting hot-under-the-collar, is that the article doesn't make clear what the exact attack-vector is, so the only thing we really know is that the attack-surface is the JVM. But the JVM is *not* an application! It is a platform that can take on a multitude of different forms (server-side, client-side, android, browser-plugin, etc). There are also two supported versions by Oracle, JVM 6 and JVM 7. This situation is similar to Microsoft Windows XP vs Vista. In fact it's worse, since the JVM really tries to act like a cameleon (unsuccessfully)...ideally you shouldn't even know if you're using it or not.

So from a developer's POV, your advice in the article is tantamount to advising users to abandon a platform because there were bugs found in it. And you're getting the same vitriol as if you were to advise people to uninstall Windows because Vista was buggy, or to switch to iOS because a particular version of Android is buggy. Some people shout hallelujah while others gnash their teeth.

Now no one can disagree with you that uninstalling the JVM completely would fix the issue, but it is the most extreme approach. I think equally valid advice would be to treat the JVM like any other platform: stay on the current version until the next one gets figured out. Or if that doesn't happen, find a better platform. Surely you've done this with OS X, Fedora, Debian, Windows, Ubuntu, KDE4, whatever...

I'd love a better/more-open VM, but right now the JVM is really the gold-standard (CLR is a non-starter for me). Folks are using it for high-performance computing (Hadoop, Lucene, etc.) and they're using a form of it on their devices (Dalvik, Android). It would just be a terrible thing to have it fail so completely on the desktop. This isn't like flash, people. Ah, c'est la vie.

By the way, would it be too much to ask to get some Editor's Picks for the pro-JVM side? Surely they weren't all bad?

1 post | registered Feb 29, 2008

Promoted Comments

DCStone | Smack-Fu Master, in training
jump to post

From the article: "Even when it's mandatory for programs such as Adobe Photoshop, as one Mac-using Ars reader reported..."

Except this Mac user has no problems using Adobe Photoshop and Dreamweaver (CS6) on a Mac (10.6.8) with Java disabled via the Java Preferences.app.

Now, it may be that the installer won't install without Java being at least physically present, and it may be that certain collaborative features don't function as intended without Java enabled, but the Adobe applications I use on a regular basis don't seem to be complaining!

Certain chemistry-related web tools will require me to turn Java back on periodically, but I really don't use them often enough to worry about it; much easier to leave it off until needed.
Last edited by DCStone on Fri Aug 31, 2012 1:35 pm

27 posts | registered Jul 6, 2010
Dan Goodin | Security Editor |
jump to post

Brass2TheMax wrote:
I lost a lot of respect for many Ars readers (and Ars as a whole) here today.

I thought we were supposed to be a technical audience? If so, why is it that so many people posting in here seem to think that because at least one serious exploit exists in the Java framework that the reasonable course of action is to either uninstall it completely from all of their machines, or to disable it and cripple it so as to render it completely unusable until you need it? This is what I would expect a sales associate at Best Buy to recommend to someone because they don't have a great understanding about what Java actually is.

Those of us who know and understand a lot more than that and have some experience under our belts know that this is a commonplace problem for many other software frameworks as well, it's nothing new. Some people are treating it like it's the freaking apocalypse!

Sure, Oracle has gone full retard with this whole situation, and may arguably have even ruined how stable Java used to be, but this is FAR, FAR, FAR, FAR, FAAAAAAAR from a reasonable reason to declare a war on Java by removing it from everything you can.

This is going to blow over. It always does. Welcome to the industry.

I'm not doing anything to my Java installation (I use the SDK frequently, but that's besides the point). Nothing's going to happen, seriously. Only if you go to some shady website, and I thought most of us here were smarter than that.

So are you saying the only people who get exposed to drive-by exploits are those who visit porn or warez sites? If so, that's a breathtaking statement that was proven false years ago. Witness:

http://www.theregister.co.uk/2011/11/02 ... ompromise/

http://www.theregister.co.uk/2011/08/08 ... gle_image/

http://www.theregister.co.uk/2011/08/02 ... oes_viral/

http://www.theregister.co.uk/2009/06/02 ... infection/

The vast majority of paid security experts will tell you to reduce your attack surface by uninstalling unneeded apps. Why is it surprising to find this advice on a tech site?

158 posts | registered Jan 30, 2012
PhilipTheHermit | Smack-Fu Master, in training
jump to post

@Dan Goodin: About "Attack Surface":

Think about your PC for a moment. Strike that, think about a generalized computer. There are only two ways in which a remote site can interact with that computer:

A) If the computer has a service listening on a port (i.e. it's acting as a server);

B) If the computer initiates contact with another computer (i.e. you're browsing the web or checking email).

Now, A pretty much goes away if you're running a firewall, doubly so if you're also running a NAT firewall/router on your home network. If you don't have any services listening on any ports, OR you've got them all firewalled off, it is simply not possible for another computer to initiate any sort of communications with your PC. That leaves B.

With respect to B, you're using your web browser, email software, or usenet client (heh heh -- right?). If you don't have a Java plugin running in your browser, email software, or usenet client, there isn't any Java in your "attack surface". Zip, nada, zilch. Without that plugin, there is absolutely no way on Earth any other computer can do anything to your PC that you could blame Java for.

Simply having Java does NOT mean it's a part of your "attack surface". You have to look at the boundaries, the ways in which your PC initiates communications with the outside world. What comes in, what goes out, and how it's processed.

If your Java isn't doing anything with the network, it's not part of your "attack surface".

NOTE: Someone said yesterday that if they could get access to your PC, they could run some kind of poison Jar file on it and that means Java's still a problem. I replied that if they're already running stuff on your PC, you're already pwned, so why bother messing with Java? They already have you at that point. They could even install Java if they wanted. As I told him, Java on the desktop doesn't have a sandbox anyway -- it runs with your user privileges like any other program. This is all about the browser, and nothing but the browser.

38 posts | registered Aug 28, 2012
Jim Z | Ars Legatus Legionis | et Subscriptor
jump to post

daddysmonsters wrote:
dangoodin wrote:
mdfrncs wrote:
and another java comment thread dragged down by misinformation...

I might as well add some wood to the fire: if you don't uninstall Java your computer might blow up!

mdfrncs, something isn't misinformation simply because you label it as such. If you can document inaccuracies, please do. Otherwise, it's hard for anyone here to take your comment seriously.

It's hard to take an article seriously when the author has more prowess in gardening than he does in security.

Ad hominem.

Quote:
I'm unsure at this point, if you are just on a personal crusade to drag Java as a language through the mud, or if it's just more knee jerk reaction from someone who isn't doing anything but reporting things that have been discovered by others, and throwing a bit of sensationalism to keep Conde Nast happy.

Appeal to motive.

Quote:
At either rate, you aren't defining the attack vector, and you aren't making a clear definition of how modular Java is and instead are giving the kind of advice that I'd expect from an employee at Best Buy.

Ad hominem, abusive.

Quote:
so I'll just tell you how I really feel and you can deal with it because you are a grown ass man making comments that if echoed could harm someones means of making a living due to flat out ignorance.

These people can pressure Oracle to fix their shit if they want to do something useful, instead of throwing logical fallacies around like candy at a Memorial Day parade.

34448 posts | registered Nov 5, 1999
peregin55 | Smack-Fu Master, in training
jump to post

Hi Dan,

I completely agree that if a user isn't using an application, and if the application has become a significant risk to security, then the application should be removed.

The problem here, and why I think some of us are getting hot-under-the-collar, is that the article doesn't make clear what the exact attack-vector is, so the only thing we really know is that the attack-surface is the JVM. But the JVM is *not* an application! It is a platform that can take on a multitude of different forms (server-side, client-side, android, browser-plugin, etc). There are also two supported versions by Oracle, JVM 6 and JVM 7. This situation is similar to Microsoft Windows XP vs Vista. In fact it's worse, since the JVM really tries to act like a cameleon (unsuccessfully)...ideally you shouldn't even know if you're using it or not.

So from a developer's POV, your advice in the article is tantamount to advising users to abandon a platform because there were bugs found in it. And you're getting the same vitriol as if you were to advise people to uninstall Windows because Vista was buggy, or to switch to iOS because a particular version of Android is buggy. Some people shout hallelujah while others gnash their teeth.

Now no one can disagree with you that uninstalling the JVM completely would fix the issue, but it is the most extreme approach. I think equally valid advice would be to treat the JVM like any other platform: stay on the current version until the next one gets figured out. Or if that doesn't happen, find a better platform. Surely you've done this with OS X, Fedora, Debian, Windows, Ubuntu, KDE4, whatever...

I'd love a better/more-open VM, but right now the JVM is really the gold-standard (CLR is a non-starter for me). Folks are using it for high-performance computing (Hadoop, Lucene, etc.) and they're using a form of it on their devices (Dalvik, Android). It would just be a terrible thing to have it fail so completely on the desktop. This isn't like flash, people. Ah, c'est la vie.

By the way, would it be too much to ask to get some Editor's Picks for the pro-JVM side? Surely they weren't all bad?

1 post | registered Feb 29, 2008

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica