Archive for Java

Oracle Patches Java Bug That’s Very Bad

Posted in Commentary on April 21, 2022 by itnerd

Oracle has apparently patched a vulnerability in server-side Java that allowed an attacker to forge some kinds of SSL certificates and handshakes, along with several kinds of authentication messages. The vulnerabilities were discovered by ForgeRock security researcher Neil Madden and documented here. But here’s what you need to know:

It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys*) use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs.

If you have deployed Java 15, Java 16, Java 17, or Java 18 in production then you should stop what you are doing and immediately update to install the fixes in the April 2022 Critical Patch Update.

Lovely.

Kevin Bocek, VP, Security Strategy & Threat Intelligence at Venafi had this comment:

“This vulnerability is just one more example of how important machine identities are to global security. It allows an attacker to bypass the TLS session handshake for specific servers so they can install malware and look for ways to pivot across networks. This is a serious vulnerability that needs to be patched quickly.”

Given the severity of this bug, I’d be patching all the things right now, before you get pwned now that this is out there.

Sigh…. Time To Patch Java Due To Remote Exploit Threat

Posted in Commentary on March 24, 2016 by itnerd

There are two pieces of software that are guaranteed to make your system less than secure. One is Adobe Flash. The other is Oracle Java. Given that I talk about Flash insecurity frequently, it’s almost refreshing to talk about Java insecurity instead.

Oracle is urging Java users to upgrade to the latest version, which is available here (or via their software update mechanism), to fix a very nasty bug in the desktop and browser plug-in versions of the software. The bug in question allows attackers to “impact the availability, integrity, and confidentiality of the user’s system.” That means that an attacker can get into your system at will. Worse still, an attacker can do that remotely, without authentication.

Now if you want my advice, I say dump Java. While you’re at it you should dump Flash too. By doing so, you can safely ignore these security alerts and just use your computer in confidence.


Oracle Issues Emergency Java Patch For Windows…. Upgrade NOW!

Posted in Commentary on February 8, 2016 by itnerd

When Oracle issues an emergency patch for Java, it’s in your best interests to download and install it immediately. In this case, it’s for Java for Windows. The issue is documented in CVE-2016-0603, where an attacker would have to trick a user into visiting a compromised website before installing Java 6, 7 or 8. However, a successful attack results in a “complete compromise” of the target.

Not good. The fact that Oracle didn’t wait for its regular patch cycle means attacks are already taking place. Thus downloading the latest Java update should be done ASAP. Or better yet, ditch Java altogether. Trust me, you’re not missing much.

Oracle To Deep Six Java Plug-In

Posted in Commentary on January 29, 2016 by itnerd

Frequent readers of this blog know that I am no fan of Oracle’s Java or Adobe’s Flash, and I have recommended that, to keep your PC or Mac safe, you run neither. Others who have more influence than I do have said the same thing. I guess Oracle must have seen the writing on the wall, because Oracle has explained in a blog post that it will kill off the Java plug-in that works with whatever browser you choose. The Java plug-in will be removed in Java Development Kit 9. But no date has been set for the official decommissioning of the plug-in, and that decision is likely to be based on monitoring future use, which means it could be around for a long time. However, this could be irrelevant, as Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge have already announced time frames for when the Java plug-in will stop working. Thus the clock is already ticking for the Java plug-in. And perhaps for Java itself.

Oracle Settles With FTC Over Failure To Remove Old Java Versions

Posted in Commentary on December 22, 2015 by itnerd

If you still run the Java plug-in for whatever reason, you might have noticed lately that when you install or update Java, it checks for and offers to remove older versions of Java on your system. That’s a great idea, as it ensures that you’re protected from the vulnerabilities those older versions carry.

The problem is, it didn’t really work. Here’s what the FTC says on that front:

In its complaint, the FTC alleges that Oracle promised consumers that by installing its updates to Java SE both the updates and the consumer’s system would be “safe and secure” with the “latest… security updates.” During the update process, however, Oracle failed to inform consumers that the Java SE update automatically removed only the most recent prior version of the software, and did not remove any other earlier versions of Java SE that might be installed on their computer, and did not uninstall any versions released prior to Java SE version 6 update 10. As a result, after updating Java SE, consumers could still have additional older, insecure versions of the software on their computers that were vulnerable to being hacked.

What’s really bad about this is that Oracle knew about this as early as 2011.

#Fail

To make this go away, here’s what Oracle has been ordered to do:

Under the terms of the proposed consent order, Oracle will be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.

The consent order also will prohibit the company from making any further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle provides.

The FTC has published a blog post for consumers with more information about Java SE’s update issues.

My advice for a very long time has been not to run Java at all. Now would be a really good time to get rid of it. If you want to go ahead and make yourself a whole lot safer, visit http://java.com/uninstall where there are instructions on how to uninstall older versions of Java SE. This webpage also provides a link to the Java SE uninstall tool, which you can use to uninstall older versions of Java SE.

Nine Month Old Java Vulnerability Puts Those Who Run Java On Servers At Risk

Posted in Commentary on November 16, 2015 by itnerd

Java is something that I dumped a very long time ago because of how insecure it is. It seems my lack of faith in the security of Java is well placed, as a nine-month-old vulnerability has reared its ugly head:

The flaw is located in Apache Commons, a library that contains a widely used set of Java components maintained by the Apache Software Foundation. The library is used by default in multiple Java application servers and other products including Oracle WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS.

The flaw is specifically in the Collections component of Apache Commons and stems from unsafe deserialization of Java objects. In programming languages, serialization is the process of converting data to a binary format for storing it in a file or memory, or for sending it over the network. Deserialization is the reverse of that process.

And:

The vulnerability received a new wave of exposure Friday after researchers from a company called FoxGlove Security released proof-of-concept exploits based on it for WebLogic, WebSphere, JBoss, Jenkins and OpenNMS.

In response, Oracle issued a security alert Tuesday containing temporary mitigation instructions for the WebLogic Server while the company is working on a permanent patch. The Apache Commons Collections developers have also started working on a fix.

This vulnerability has the potential to affect a lot of companies out there, so this is not trivial by any means. Neither is a fix, which may involve rewriting something in the area of 1300 applications. Sucks to be the people who are responsible for that.

Zero Day Java Exploit Exposed

Posted in Commentary on July 13, 2015 by itnerd

Lately, I’ve been posting about Adobe Flash having multiple exploits out in the wild that threaten users. But an old attack vector for evildoers has returned in the form of an exploit on the Java platform. Here are the details from Trend Micro on the exploit used by the campaign dubbed “Pawn Storm”:

Throughout our on-going investigation and monitoring of a targeted attack campaign, Operation Pawn Storm, we found suspicious URLs that hosted a newly discovered zero-day exploit in Java. This is the first time in nearly two years that a new Java zero-day vulnerability was reported.

And:

The said URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm that targeted North Atlantic Treaty Organization (NATO) members and the White House last April 2015. However, at that time, these URLs were not hosting the said exploit yet. Pawn Storm also targeted other nation-state organizations using political events and meetings such as the Asia-Pacific Economic Cooperation (APEC) Forum and the Middle East Homeland Security Summit 2014 as part of its social engineering tactics. Media and defense industries were other entities targeted by this APT campaign apart from military and government.

Now, Trend Micro products apparently already protect users from this threat. But:

Currently, this vulnerability is still not patched by Oracle. Based on our investigation, the latest Java version 1.8.0.45 is affected. Older versions, Java 1.6 and 1.7 are not affected by this zero-day exploit. We already notified Oracle and we’re collaborating with their security team regarding this threat.

Translation: if you have Java installed, you are at risk until it is patched by Oracle. Thus you should consider yanking it off your system if you don’t need it. And to be frank, most people don’t need Java, so you’re likely better off without it. You’re likely better off without Adobe Flash as well. Without either of them, your system will be far more secure.

Oracle Bundles New Crapware With Java

Posted in Commentary on June 30, 2015 by itnerd

I haven’t run Java on my Macs in some time, as it, like my other least favorite piece of software, Adobe Flash, is a popular attack vector for hackers of all stripes. But now Oracle is looking to make some extra cash by changing the crapware that it bundles with Java. If you’re not familiar with the term, crapware is useless software that comes either with a new computer or with other software that you need to use. Oracle has latched on to the latter by inking a deal with Yahoo to bundle Yahoo Search with Java starting with the next Java update:

Beginning with the next Java update, Yahoo! will replace the current invitation to make Ask your default search engine. Instead, you’ll be asked if you want to make Yahoo! the homepage and default search engine for Chrome and Internet Explorer, and have the firm’s site load every time a new tab is opened in Chrome. (Yahoo! is already the default search engine for Firefox.)

As with the Ask offer, the checkbox to allow these settings changes arrives pre-ticked, so if a careless user simply clicks on “Next,” the changes will be made automatically. Changing the browser settings back is likely to be a pain, based on past experience.

“We have definitely made sure that our onboarding process is one that is highly transparent and gives users choice,” a Yahoo! spokesman told the Wall Street Journal.

No, you haven’t made the onboarding process transparent. It’s an opt-out process, which means that people will inadvertently install Yahoo when they didn’t mean to. But of course, that’s the idea, as Yahoo is going to get a big boost to its share of the search engine market by going this route. And I will get a few phone calls from clients of mine asking me how to reverse this.

A pox on both their houses.

Hey IT Nerd: Should I Remove Old Java Versions?

Posted in Security on June 19, 2013 by itnerd

I got this question from a reader today:

“Hello IT Nerd. I read your blog often and I had a question for you. I just updated my installation of Java and it opened a web page offering to remove older versions of Java. Do I need to do that?”

Thanks for reading my blog!

The page that this reader is referring to is this one. It’s a Java-based uninstall tool that is designed to find older versions of Java and remove them. It appears to have popped up for users when Java released its latest update a day or two ago, though I will admit that it may have been there for much longer and simply wasn’t presented to users when they updated. You should use it, as there are plenty of exploits out there that leverage older versions of Java. In short, if you want to be secure and you have to run Java rather than remove it, you should use this tool.

There is one catch though: this tool is Windows-only. If you’re running anything else, such as a Mac or a Linux box, you’re forced to remove older versions manually. Not the biggest deal in the world for those who are technically skilled, but it would be nice if Oracle brought this same functionality to other platforms.

Oracle Issues Emergency Fix For Java Flaws

Posted in Commentary on March 5, 2013 by itnerd

That didn’t take long.

Oracle, which in my opinion hasn’t taken Java security very seriously, has released an emergency patch to fix the zero-day flaw I told you about. A note on Oracle’s website has the details:

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.

Due to the severity of these vulnerabilities, and the reported exploitation of CVE-2013-1493 “in the wild,” Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

So I would do what the note says and apply these patches to protect yourself, assuming you still run Java of course. Too bad there are likely more flaws out there that hackers are sure to exploit.