JRE / JDK Security Thread

For discussions about security.
Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

JRE / JDK Security Thread

#1 Post by Q5sys »

  • Current Release: Java 7u17
    Exploits publicly available: No
    Temporary work around: N/A
    Download Link: http://java.com/en/download/manual.jsp
    32 Bit Puppy Version: You will need to check with your specific Puppy Version
    64 Bit Puppy Version: Will be released shortly

  • Legacy Release: Java 6u43
    Exploits publicly available: No
    Temporary work around: N/A
    Download link: http://java.com/en/download/manual_v6.jsp
    32 Bit Puppy Version: You will need to check with your specific Puppy Version
    64 Bit Puppy Version: Will be released shortly
Notice from Oracle:
Java SE 6 End of Public Updates
After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download.
EDIT: Despite Oracle's statement that 6u39 was going to be the last v6 release, they have released two more: 6u41 and 6u43.

Instead of just continually putting this in threads for specific puppies, I'm making a single thread I can update with the latest Java information. Packages will be listed here if I have them available (or if others make them available).
Last edited by Q5sys on Thu 07 Mar 2013, 00:57, edited 8 times in total.
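A small check that goes with the first post, added here as an example and not part of the original thread: it parses the `java -version` output of an installed JRE and compares it with the update numbers the post lists as current (7u17 and 6u43). It assumes the `1.<major>.0_<update>` version string format Oracle used for Java 6 and 7; the minimum update numbers are constants taken from the post.

```shell
# Added example (not from the thread): compare an installed JRE's version
# string with the releases listed in the first post of this thread.
# Assumes Oracle's "1.<major>.0_<update>" format for Java 6 and 7.

# Minimum update numbers, copied from the first post (7u17 and 6u43).
JAVA7_MIN_UPDATE=17
JAVA6_MIN_UPDATE=43

# java_version_ok "<java -version output>"
#   returns 0 if the version is at or above the listed release,
#           1 if it is older,
#           2 if the output cannot be parsed or is not Java 6/7.
java_version_ok() {
    # Pull the quoted version string, e.g. 1.7.0_17, from the first line that has one.
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*version "\([0-9][0-9.]*_[0-9]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=$(printf '%s' "$ver" | cut -d. -f2)   # 1.7.0_17 -> 7
    update=$(printf '%s' "$ver" | sed 's/.*_//') # 1.7.0_17 -> 17
    case "$major" in
        7) [ "$update" -ge "$JAVA7_MIN_UPDATE" ] ;;
        6) [ "$update" -ge "$JAVA6_MIN_UPDATE" ] ;;
        *) return 2 ;;
    esac
}

# Usage on a Puppy box (java prints its version banner on stderr):
#   java_version_ok "$(java -version 2>&1)"; echo "status: $?"
```

Constructed sample banners such as `java version "1.7.0_11"` can be passed as the argument to try the function without a JRE installed.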

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

Re: JRE / JDK Security Thread

#2 Post by jpeps »

Q5sys wrote:Current Release: Java 7u11
Exploits publicly available: Yes
Temporary work around: None Currently

Instead of just continually putting this in threads for specific puppies, I'm making a single thread I can update with the latest Java information. Packages will be listed here if I have them available (or if others make them available)
...this is like saying your cell phone is at risk. As noted in other threads, this is strictly related to browser plugins where they are permitted to begin with. Do you have a Linux browser with an at-risk Java plugin? Do you really believe that there are no other web browser vulnerabilities?

What do you get out of fear mongering?

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

Re: JRE / JDK Security Thread

#3 Post by Q5sys »

jpeps wrote:
Q5sys wrote:Current Release: Java 7u11
Exploits publicly available: Yes
Temporary work around: None Currently

Instead of just continually putting this in threads for specific puppies, I'm making a single thread I can update with the latest Java information. Packages will be listed here if I have them available (or if others make them available)
...this is like saying your cell phone is at risk. As noted in other threads, this is strictly related to browser plugins where they are permitted to begin with. Do you have a Linux browser with an at-risk Java plugin? Do you really believe that there are no other web browser vulnerabilities?

What do you get out of fear mongering?
This isn't fear mongering. If you notice, it's a yes/no field for public exploits. I'm not giving all the details, just a simple FYI.

This is nothing more than a consolidated thread for all Java related talk and update status. That way it's not scattered around in different threads. If a person is curious as to the status of the latest Java release, they can take a peek here and go about their way.
BTW... your claim that it is "strictly related to browser plugins" is incorrect. This isn't just related to browser security. In fact one of the 7u7 (I think, it might have been 7u9) bugs had nothing to do with the browser. You could not even have a browser installed and could be exploited. So while certain Java exploits are browser dependent, not all are. Java is its own vector on a system.

I created this thread to have a single spot for people to check on java on the forum. And grab the latest packages when I have them available. That's it. If you don't want to know about if you have a decent version of Java... then don't click the thread.

Some people care about security, some don't. This thread is for those that care; if you don't care, then don't bother opening the thread.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#4 Post by jpeps »

The present security threat is related to enabled browser plugins, mostly with Internet Explorer. Regarding downloading malicious viruses that affect anything else, just how serious do you think that really is on your Puppy Linux computer?

There will never be a completely secure programming language that can't be exploited, so don't surf the web. Also, avoid beautiful women.
Last edited by jpeps on Sat 19 Jan 2013, 21:12, edited 1 time in total.

gcmartin

#5 Post by gcmartin »

Thanks for starting this thread. Let's hope that it doesn't push into the realm of emotionalism and remains in the area of technological understanding.

JAVA is a subsystem that can run in all present Operating Systems; namely Windows, Apple, Unix and Linux. This subsystem is and was designed to provide programmers of the world the ability to write a JAVA program (a JAR) and it will run wherever JAVA resides.

This has provided enormous benefit in and out of the business climate. In fact, it is found on many/most xPhones. And one can expect that an application from the xPhone can run on your PCs as well.

In any event, some apps designed for desktop have little to no internet exposure. Other apps are internet only. And some of the internet apps actually interact with data that they are designed for on your desktops.

The Homeland Security Announcement is an interesting one to say the least. It does NOT say that/where the exploits have occurred or from whence it comes, just that it has been found. I don't remember a government anti-terrorist organization taking a public stance before now. So, this raises some personal questions on what the exploit most affects.

But time marches on.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#6 Post by jpeps »

gcmartin wrote:
The Homeland Security Announcement is an interesting one to say the least. It does NOT say that where the exploits have occurred or from whence it comes, just that it has been found. I don't remember a government anti-terrorist organization taking a public stance before now. So, this raises some personal questions on what the exploit most affects.


Rather, it raises questions regarding the purpose. In the past, exploiting public fear served the purpose of more big government restrictions and access...i.e, loss of personal freedom. Big government is very interested in controlling the internet.

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#7 Post by Semme »

As I doubt many even run a Java plugin (visit JS enabled), this is merely info. No need to panic..
Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
"Java 7 fails to restrict access to privileged code"

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#8 Post by jpeps »

Semme wrote:As I doubt many even run a Java plugin (visit JS enabled), this is merely info. No need to panic..
In fact it's not even available for a linux Firefox browser.

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#9 Post by Q5sys »

jpeps wrote:The present security threat is related to enabled browser plugins, mostly with Internet Explorer. Regarding downloading malicious viruses that affect anything else, just how serious do you think that really is on your Puppy Linux computer?

There will never be a completely secure programming language that can't be exploited, so don't surf the web. Also, avoid beautiful women.
jpeps wrote:
Semme wrote:As I doubt many even run a Java plugin (visit JS enabled), this is merely info. No need to panic..
In fact it's not even available for a Linux Firefox browser.

Where are you getting your 'facts'? Are you just taking your opinions and calling them 'facts'? Because everything I've read online so far says nothing about it being for 'Internet Explorer' only. If you have access to information that the rest of the security community does not, PLEASE pass it along. I'd love to read it, as I'm sure, would many others.

This issue isn't just IE based, it can affect Mozilla browsers as well. If you bothered to even read the page Semme listed, you'd see that the release that Red Hat put out is vulnerable. [sarcasm] And we all know that Red Hat builds Internet Explorer releases. [/sarcasm]
The first example I saw was explained using sun.org.mozilla.javascript.internal.DefiningClassLoader
It still exists even after Oracle patched for CVE-2013-0422. I'm not going to waste time explaining an implementation of how this would work, because A) I don't think anyone cares, and B) if someone does care they can find examples online.

So since this can work in Mozilla based browsers... isn't it relevant to us? After all, most of the browsers that Puppy Linux users use are Mozilla based (Firefox, Opera, SeaMonkey, etc.). Some of those people might want to know.

But even if they didn't... I still don't see how your argument against this thread is valid. Just because the 'latest' threat may be browser based does not invalidate having a single source for Java issues. You have stated that there are browser threads out there. Well why have browser threads? Because when people are wondering about their browser they go there. If your logic were applied to that thread, issues with browsers shouldn't have their own thread and only be in the separate threads for each Puppy version. This is obviously nonsense, as having a single browser thread makes information easier to find.
The same goes for Java... just because this most recent exploit is browser based does not mean that Java shouldn't have its own thread. As I mentioned before, previous Java exploits were not browser based. So they can't be discussed in the 'browser thread' because they have nothing to do with the browser. So should we have a separate thread for Java threats that are not browser based? One thread for Java is simple and consolidated. It'll have Java related information about all the exploits. People in the browser thread can link to this if they want, when something gets posted here. Or not, what people do in that thread is up to them.
jpeps wrote:
gcmartin wrote:
The Homeland Security Announcement is an interesting one to say the least. It does NOT say that where the exploits have occurred or from whence it comes, just that it has been found. I don't remember a government anti-terrorist organization taking a public stance before now. So, this raises some personal questions on what the exploit most affects.

Rather, it raises questions regarding the purpose. In the past, exploiting public fear served the purpose of more big government restrictions and access...i.e, loss of personal freedom. Big government is very interested in controlling the internet.
Well if we are going to put on our tinfoil hats... shouldn't you also consider the possibility of governments using existing known flaws to infiltrate computers and networks? Stuxnet and Flame are examples of state sponsored exploitation (doesn't matter what country you think is responsible). With the speed of the takedown of the 'Red October' network that's made news recently... some think it too was state sponsored.
I don't know if it was or wasn't, and I don't know enough to make a comment on that. But cyber criminals are not the only ones who are utilizing exploits for gain. Google got nailed when they were accessing wifi networks. Do you think Google wasn't putting all that data into their database? And since Google has no problem supplying the gov with information, if you are anti-gov, you wouldn't want anyone to have your data.

To re-iterate. This thread (or at least the first post) was intended to be a single spot where people can quickly check the most recent java release which they may have running on their system. It was not intended to be a thread about the evils of Java or how Java will kill your first born (obvious sarcasm), or how Java is the greatest thing since sliced bread. Although people can use this thread to discuss any aspect of Java Security... the intention of this thread is not to be a Java-fan thread nor a Java-bashing thread. This thread (or at least the first post) was intended to be a Java-security-information thread.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#10 Post by jpeps »

Q5sys wrote:
jpeps wrote: In fact its not even available for a linux Firefox browser.

Where are you getting your 'facts'? Are you just taking your opinions and calling them 'facts' so that you seem knowledgeable?
Why not attempt to install the plugin at the quoted link and find out for yourself? Older plugins don't install either. None of this is recent news, anyway. Mozilla has been blocking access since August of last year. All this has already been hashed out in other threads. How many times do we need to go through the same thing?

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#11 Post by Q5sys »

jpeps wrote:
Q5sys wrote:
jpeps wrote: In fact it's not even available for a Linux Firefox browser.

Where are you getting your 'facts'? Are you just taking your opinions and calling them 'facts' so that you seem knowledgeable?
Why not attempt to install the plugin at the quoted link and find out for yourself? Older plugins don't install either. None of this is recent news, anyway. Mozilla has been blocking access since August of last year. All this has already been hashed out in other threads. How many times do we need to go through the same thing?
So your proof is that a single plugin won't install in Mozilla? That's it? One single case that it doesn't work and you assume it's a fact that every other possibility won't work either? Facts aren't proved by single examples. They must be rigorously tested and verified.

Mozilla blocking whatever since last August hasn't done much for the exploits that were Linux vulnerable in the entire Java 7u series. Mozilla may have put something in place last August, but it didn't help all the exploits that Oracle had to deal with in November and December last year that Firefox didn't stop.

gcmartin

#12 Post by gcmartin »

Question
I think I remember seeing or hearing a Linux discussion that references "safe JAVA releases". If this is true, should this thread make reference to those, as well?

Here to help

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#13 Post by jpeps »

Q5sys wrote: So your proof is that a single plugin won't install in Mozilla? That's it? One single case that it doesn't work and you assume it's a fact that every other possibility won't work either? Facts aren't proved by single examples. They must be rigorously tested and verified.
You have a linux browser with a vulnerable java plugin? I have one on my windows computer with a big "disable" button next to it. But yes...if it's not available, I'm assuming it isn't available.

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#14 Post by Q5sys »

gcmartin wrote:Question
I think I remember seeing or hearing a Linux discussion that references "safe JAVA releases". If this is true, should this thread make reference to those, as well?

Here to help
If you can find the information, I'll gladly add it to the first post. I know there are some who advocate still running Java v6, but that's not necessarily the best choice for people, because since it's an older version, it's limited in some functionality that people (and some programs) expect; and on top of that... it's unknown if some new exploits work against it.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#15 Post by jpeps »

Q5sys wrote:... and on top of that... it's unknown if some new exploits work against it.
No it isn't. There are no computer languages that can't be exploited. Bash can be exploited.
I know there are some who advocate still running java v6, but that's not necessarily the best choice for people...
Java is running on a few billion devices. Now that you've informed us, I'm sure everyone will proceed to delete it. Thanks for sharing.
Last edited by jpeps on Sun 20 Jan 2013, 00:00, edited 2 times in total.

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#16 Post by James C »

http://feedproxy.google.com/~r/cnet/tco ... qiGvBFNTI/
"The default security level for Java applets and web start applications has been increased from 'medium' to 'high'," Oracle said in an advisory today. "This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the 'high' setting the user is always warned before any unsigned application is run to prevent silent exploitation."

The vulnerability was being exploited by a zero-day Trojan horse called Mal/JavaJar-B, which was already identified as attacking Windows, Linux and Unix systems and being distributed in exploit kits "Blackhole" and "NuclearPack," making it far more convenient to attackers.

gcmartin

#17 Post by gcmartin »

... I know there are some who advocate still running java v6 ...
Yeah. Seems I've seen several references that indicate HMS is about V7.

By not including a V6 reference in the OP, one could surmise that the OP is about all JAVA. Or further, by not including it you leave all JAVA open to suspect. I don't think you intended that, though.

You be the judge.

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#18 Post by Q5sys »

gcmartin wrote:
... I know there are some who advocate still running java v6 ...
Yeah. Seems I've seen several references that indicate HMS is about V7.

By not including a V6 reference in the OP, one could surmise that the OP is about all JAVA. Or further, by not including it you leave all JAVA open to suspect. I don't think you intended that, though.

You be the judge.
I'll add something about it. Don't know the best way to frame it though.

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#19 Post by James C »

http://arstechnica.com/security/2013/01 ... t-version/
Java 6, which Oracle is still supporting for the time being, hasn't been vulnerable to most of the recent exploits, although security experts remain mixed on whether it is a more secure alternative to Java 7. Gowdiak said one of the vulnerabilities Security Explorations discovered this week works on both versions while the other works only on Java 7.

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#20 Post by Q5sys »

jpeps wrote:
Q5sys wrote:... and on top of that... it's unknown if some new exploits work against it.
No it isn't. There are no computer languages that can't be exploited. Bash can be exploited.
I know there are some who advocate still running java v6, but that's not necessarily the best choice for people...
Java is running on a few billion devices. Now that you've informed us, I'm sure everyone will proceed to delete it. Thanks for sharing.
You are taking this WAY out of context. I created a simple informative thread that people can use to check whether they are using the most up-to-date Java version and whether there are known exploits that have not been patched.
And you exaggerate to the point of sarcasm, suggesting I'm advocating that Java be deleted.

Can you not have an intelligent discussion about this? You have stated 'facts' which are in fact wrong. Then you take a mindset, which NO ONE HERE has had, and sarcastically comment about deleting Java from a computer.
I have not once advocated that people delete Java. I don't know of anyone else who has either. If you can point to where people have suggested that on this forum, please link to that. Or is this another wild unsubstantiated argument? Or are you simply trolling this thread with wild comments because you have nothing better to do?
