Saturday, April 10, 2010

Cup of Joe: good; Java: not so much

Reader Wolfwalker pointed out the new security bug-from-hell in Java, the ubiquitous programming language that runs just about everywhere. This looks like it wins the trifecta of security FAIL:
  • It runs everywhere (especially in the browser).
  • It allows a web page to silently pwn your computer.
  • The vendor (Oracle, who bought Sun Microsystems) isn't interested in fixing it, at least for a while.
{Sigh}

I give Microsoft credit for having the security religion. Sure, they have a lot of problems, but the days of having to convince someone there that "Security really is important" are long past. Oracle, not so much:

Researchers have discovered a flaw in the latest version of Oracle's Java runtime environment that attackers can exploit to remotely execute malicious code on end user machines.

The bug in the Java Web Start component has been confirmed exploitable on all recent versions of Windows by Tavis Ormandy, a security researcher who prefers his employer not be named. Fellow researcher Ruben Santamarta of Spain-based security firm Wintercore, said a related flaw potentially affects Linux users as well.

I guess us Linux fanbois should stop smirking.
Both researchers stressed the ease in which attackers can exploit the bug using a website that silently passes malicious commands to various Java components that jump-start applications in Internet Explorer, Firefox, and other browsers. Ormandy said he alerted Java handlers in Oracle's recently-acquired Sun division to the threat but "they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle."
Look, there's a good reason to have a patch cycle - I've implemented them in the past when companies haven't had them. By minimizing customer confusion, you actually increase the number of customers to update their security.

But even Microsoft releases patches out of cycle when it's important.

So, you have a nasty bug that gets tickled when you surf the 'net. There's no patch. What do you do?

Turn off Java. In Firefox, go to the "Tools" menu, select "Add-Ons", click "Plugins", and scroll to the one called "Java". Disable it. I've done it, and it doesn't seem to have broken Al Gore's Intarwebz. If there's a particular site that gives you an error about needing Java, you can always enable it for the time you go to that site. Assuming you trust the site. If you're at something like w3pwnUlongt1m3.ru, I'd recommend giving Java a pass, but maybe that's just me.

And as a bootnote, the absolutely worst company I ever had to work with to get a security problem fixed was Sun Microsystems. At Internet Security Startup, the researchers found a bug from hell in Sun's Solaris operating system. They called Sun - nobody called them back. They emailed - nobody returned the emails. In despair, they came to me.

I knew a security person from Sun, via email. He was from the Netherlands, so I had to call Europe to get someone in Mountain View to call me back in Atlanta. Doesn't look like anything's changed since Oracle bought them.

And the punchline? Oracle touts their "Unbreakable" security. Yeah, those are scare quotes.

10 comments:

bluesun said...

Like the Titanic was the "Unsinkable" Ship.

Don't boast, because you will have to eat your words later.

Anonymous said...

they have found a way to exploit something that has gone unnoticed and unexploited for years. Based on this, it was entirely reasonable for Oracle/Sun to say "we'll fix it in the next patch cycle". All would be fine, but as "security researchers", they want their moment of fame, and weren't going to get it. So...

Regarding Linux - they say they can trigger the flaw, but they are "still testing" whether or not they can do anything with it under Linux. In other words, they haven't yet been able to.

wolfwalker said...

Something that has gone unpublicized, you mean. Unnoticed and unexploited? Who knows? There are a number of malwares in the wild that seem to be damn good at getting onto target machines no matter what defenses are running. Some of them may be using this exploit.

Also, it's impossible to keep something like this secret. Nothing is so well hidden that it can't be discovered, and nobody is so uniquely good that they're the only ones who can uncover a hole. Find a hole, patch a hole. The bigger and more dangerous the hole, the faster you patch. That's the way it's gotta work.

And thank you, Borepatch, for such simple directions on how to protect against this. I looked at a couple of the links from the Slashdot post, and couldn't find anything similar. I do have one or two regular sites that require Java, but I can deal with them. Otherwise, I don't think that disabling Java will bother me much. I only wish there was a Firefox add-on that would selectively permit Java apps to run, the way Flashblock will permit an individual Flash item to load, but only after you click it.

Anonymous said...

Java, huh, what is it good for?

Jim

Borepatch said...

Anon, you're probably right on the "not able to figure out how to exploit it on Linux" bit. I'd be surprised if you couldn't, but it seems that they haven't.

However, this seems so trivially easy to exploit on Windows that I'm with Wolfwalker: the more serious the bug, the faster the fix. This may bot the the worst I've seen in 15 years, but it would probably be in the top 10.

Jim, it was a very cool idea in 1993. Like TurboPascal (OK, that was a very cool idea from 1983).

Gordon R. Durand said...

It says the bug is in Java Web Start. That's a different delivery mechanism from the plain old Java applets that might run in your browser. You would have to explicitly request and give permission to a Web Start program; it doesn't automatically run. In a sense it's like downloading and installing any other program except you sort of skip the install phase.

DaddyBear said...

Getting either SUN or Oracle to move outside of their default policy is like pulling teeth. I agree that just because this is just now becoming public knowledge doesn't mean that it's not been known and exploited since Cthulu knows when. There's something to be said for turning off Java and other scripts permanently, even if this gets patched. Firefox has a plugin for that.

Casey said...

Thank Heaven for Borepatch!

I was disabling Java in my Firefox browser before I even finished reading the post :)


Casey

NotClauswitz said...

My experience working with Oracle-droids is about like Googloids. You can't tell them anything, they're locked into a rigid in-box mindset but think they're not, they produce vanilla ice-milk and claim it's strawberry gelato, or will be once they fix it - and fixing it will cost YOU a barrel of money.

NotClauswitz said...

Re the Sun-story: the person you called in Europe who called Mountain View, who called you in Atlanta - the Mountain View guy probably was a friend of mine. He was doing that for them for a while over here - the night-shift for Europe and Britain is awake at that time.
Now since Sun collapsed, he's at Red Hat.
Sun was a bunch of Stanford GSB-types who over-engineered their own company and it sunk under the weight of sloganeering.