Warning: Java still vulnerable after patch
If you follow this blog you know that a critical vulnerability was discovered recently in Oracle's Java Runtime Environment that has been actively exploited in the wild ever since.
The vulnerability affected only Java running in a web browser, and my initial recommendation was to turn off Java in all web browsers, or to uninstall the software completely, to protect the computer system from exploits targeting the vulnerability.
Oracle pushed out a patch a few days ago that resolves the security issue in Java 7 Patch 6 and earlier. The Polish security company Security Explorations, however, discovered a new vulnerability in Oracle's patched version that attackers can exploit to break out of the Java sandbox on vulnerable systems and execute code on the operating system.
The company has informed Oracle about the new vulnerability and won't release public information or proof of concept code until Oracle addresses the issue. What's interesting in this regard is that the company claims to have submitted 29 Java 7 vulnerabilities to Oracle in April, two of which have been actively exploited by attackers in the past few days.
What does this mean for Java users? If you do not need Java and are sure about it, your best bet is to uninstall it from your system. Your second best bet after that is to disable Java in all of your web browsers, or to use a feature like click to play (Chrome click to play, Firefox click to play) or a security add-on like NoScript to block Java content from being executed when you load a web page.
Most computer users do not need Java, especially not in the web browser. While there are great programs available that have been developed in Java, like RSSOwl, JDownloader or the popular game Minecraft, it is a technology that the majority of users do not need installed on their systems because they run no programs or applications that require it. If you are running a Java desktop program and want to keep using it, you may want to check out Java Portable, a portable version of Java that does not register itself with web browsers and runs only when you launch the program.
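The advice above boils down to an inventory question: which Java is installed, is it older than the patched build, and is the browser plugin still active? The following script is an added example, not code from the article or from Oracle, that parses the banner printed by `java -version` and classifies the runtime against the article's advice. It assumes, based on the statement that the patch covers "Java 7 Patch 6 and earlier", that 1.7.0_07 is the first build carrying that patch; the page does not name the number itself. The sample banners are constructed, not captured from a real machine, and the `triage_local_java` helper is the only part that touches the local system.

```python
import re
import subprocess

# Assumption (not stated on the page): Oracle's patch for the issue in
# "Java 7 Update 6 and earlier" ships as Java 7 Update 7, i.e. 1.7.0_07.
FIRST_PATCHED_JAVA7 = (1, 7, 0, 7)

# First line of `java -version` looks like:  java version "1.7.0_06"
# Newer runtimes print `openjdk version "11.0.2"` with no update suffix.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, micro, update) from a java -version banner, or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def detect_vendor(banner):
    """Rough vendor guess from the runtime line; OpenJDK/IcedTea builds say so."""
    if "OpenJDK" in banner or "IcedTea" in banner:
        return "OpenJDK"
    if "Java(TM)" in banner or "HotSpot(TM)" in banner:
        return "Oracle"
    return "unknown"


def triage(banner):
    """Classify one runtime banner against the article's recommendations."""
    version = parse_java_version(banner)
    vendor = detect_vendor(banner)
    if version is None:
        status = "unknown"
        advice = "could not parse the version banner; keep the browser plugin disabled until verified"
    elif version[1] != 7:
        status = "not-java7"
        advice = "not a Java 7 runtime, so outside the issue discussed; still disable the browser plugin or use click to play"
    elif version < FIRST_PATCHED_JAVA7:
        status = "unpatched"
        advice = "Java 7 Update %d predates Oracle's patch; update, or uninstall if Java is not needed" % version[3]
    else:
        status = "patched-but-exposed"
        advice = "Oracle's patch is present, but a further sandbox escape is reported in the patched build; keep the browser plugin disabled"
    return {"version": version, "vendor": vendor, "status": status, "advice": advice}


def triage_local_java():
    """Run the real `java -version` (it prints to stderr) and triage the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return triage("")  # no java on PATH: treated as unknown, not as safe
    return triage(proc.stderr + proc.stdout)


# Constructed sample banners in the real `java -version` layout; build ids are made up.
SAMPLE_BANNERS = {
    "oracle_7u6": 'java version "1.7.0_06"\n'
                  'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
                  'Java HotSpot(TM) Client VM (build 23.2-b09, mixed mode)\n',
    "oracle_7u7": 'java version "1.7.0_07"\n'
                  'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)\n'
                  'Java HotSpot(TM) Client VM (build 23.3-b01, mixed mode)\n',
    "oracle_6u35": 'java version "1.6.0_35"\n'
                   'Java(TM) SE Runtime Environment (build 1.6.0_35-b10)\n'
                   'Java HotSpot(TM) Client VM (build 20.10-b01, mixed mode)\n',
    "openjdk_7u7": 'java version "1.7.0_07"\n'
                   'OpenJDK Runtime Environment (IcedTea7 2.3.2) (7u7-2.3.2-1)\n'
                   'OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)\n',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        r = triage(banner)
        print("%-12s %-8s %-20s %s" % (name, r["vendor"], r["status"], r["advice"]))
    local = triage_local_java()
    print("local:", local["status"], local["advice"])
```

Note that a "patched-but-exposed" result is deliberately not reported as safe: the article's point is that the patched build has a further sandbox escape, so the browser plugin should stay off regardless of the version found. The vendor field only labels OpenJDK builds; the script does not claim they are unaffected, since the page offers no evidence either way.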
Oracle are making a fool of themselves. This is becoming ridiculous, even more so when the company is working on version 8 of Java whilst the 7 series was, is and remains buggy, and the flaws have been known since at least April 2012.
I am more than ever glad of having removed Java from this computer.
Transcontinental, do you have some more infos on how it’s like without Java? Thanks.
Anyone who would like to educate me how important JAVA really is, please feel free to do so.
hurricanetrack.com uses it for their tracking maps that’s important in my book.
Kind of expected this, given Oracle’s silence on the problems with Java 7 Patch 6… indicating low integrity.
Total removal – days ago – has proven to be pretty much OK for me so far. What’s now changed:
– One clever backup freeware (DirDup) needed replacement – with GFI Backup, which is pretty good.
– A drive storage graphing program (JDisk) which I’d run about once every two years wouldn’t run. The substitute: FolderSize. It’s a tad too complex for me, but so what, I rarely will use it.
– FileHippo’s UpdateChecker starts but will not finish. Replacement choice: Software Informer. Again, for me this is a bit of overkill, but it’ll do.
PixelWizard, do you have some more infos on how it’s like without Java? Thanks.
Not yet (other than suggesting alternativeto.net for replacement ideas). As time goes on, if more non-working applications on my system reveal themselves I’ll post more entries in this thread.
That was me, accidentally as ‘Anonymous’ just above.
Since Sept 3 I have noticed Firefox (16b2) being incomplete, on some pages, about auto-filling the fields where a userID and password have long been saved in the browser. I mean it would fill in one field but not the other.
Also, today I went to an infrequent online destination: the user account for my ISP. The page itself was messed up – most graphics missing; the login fields vestigial. As this really is a necessary destination, I decided I had to reinstall Java.
Given what I have read in various columns and blogs, I went with Java 6 Update 35 as the best among the gambles. And I made pretty sure its auto-update option is shut off. I use Avast, and their 30Aug2012 blog states, “avast! detects the latest Java zero day exploit in real time”… I’ll be relying on that too.
At first I downloaded – from Oracle – the *offline* Windows installer. But the file I got was labeled as version 6 update 34. I recall someone writing that it’s just the label that is wrong – but why would one trust that? So I never used that file; instead I went for the *online* installer. It was labeled as, and installed, the desired version.
Now my ISP’s web site looks fine.
Does anyone know of a viable replacement for JDownloader? It’s pretty much the only program I would miss if I were to uninstall Java from my PC.
Never mind, I’ve just found it :)
First, I disable Java from the browser. Because of the persistent issues, I uninstall it from the computer. Now I need to be an advanced user to see what I am missing. Any suggestion? Download something, maybe?
For reader ‘PLI’ and others looking for replacements: check out this site
I use that site often enough. It does, for example, give a number of suggestions for software similar to JDownloader.
I was just listening to this week’s Security Now podcast and Steve Gibson says that Java is not affected in Linux due to the fact that Linux has its own open source Java version and is not related to Oracle. So I guess I’ll just uninstall Java from Windows only and keep on trucking with Linux Mint.
LibreOffice (and presumably OpenOffice) requires Java to operate successfully. More specifically, Base, the database component, relies on Java technologies to run since it utilizes the new embedded Java-based HSQLDB database engine. The other components of the LibreOffice suite such as Writer, Calc and Impress only require Java for some of the accessibility and assistive technologies which provide special functionality. If you need neither the database nor the special functionality then you could do without Java. Unfortunately, it appears that the LibreOffice suite will not start without Java being present even if you do not require the additional functionality.
From what I have read Oracle had stopped providing Java updates through to the various Linux versions (which explains why I was still on version 6). However, an Open Source version of Java can be obtained from
For those of you on Slackware-related Linux distributions the latest updated version of the openjre can be obtained from
I have installed the jre and browser plugin packages from this site and they appear to be working properly. My LibreOffice suite is also working, though I note that it is still referencing the old Java run-time environment, which I had removed, so there is still a bit of fiddling under the bonnet to be done.
Thanks for pointing that out. I knew that Open Office required Java for some functionality but never looked deeper.
I have LibreOffice 3.6.1 installed only with Writer, Calc and Impress components, running perfectly without Java (left aside “some of the accessibility and assistive technologies which provide special functionality”). No problem.
Thank you, Sir. Other than mentioned above, anything else that I should be aware about?
From the LibreOffice FAQ is the following list of components that require Java to operate
It may be possible to start LibreOffice without Java being loaded on your computer by simply clicking through the warning screens the first time and then working as normal, though obviously anything dependent on Java will not work properly. There is reference on the Web to compiling LibreOffice to run without Java, which has worked successfully, though I have not tried this.
Anyway, in LibreOffice as well as in OpenOffice there is the option to use Java or not, which does mean that both may be run basically without Java, provided the special Java-related features are left aside, as I see it.
Boycotting all desktop apps that make use of the Java runtime seems a little extreme. Just make sure the Java plugin is disabled on all browsers (and/or enable click to play or NoScript/ScriptNo), and you are fine. Continue using your favorite Java-based desktop apps. Also, I don’t know what Security Now is smoking; Linux is vulnerable too. I need someone to provide a citation explaining how openjdk7’s IcedTea isn’t also vulnerable. If it implements the same technology as Oracle’s Java, then it’s also vulnerable. Today’s malware is using Java to distribute cross-platform payloads. Linux with Java plugins simply isn’t safe either.
This is the transcript of the latest episode of Security Now. Search for the individual terms OpenJRE, IcedTea, and Linux. Nowhere does anyone claim that these technologies aren’t vulnerable. I don’t know what @Bob heard, but it certainly doesn’t say OpenJRE’s web plugin is safe.
Okay I found it. “STEVE: And it’s not vulnerable. So if you use the Java that’s natively in Ubuntu, for example, you’re okay. And one of the people exploring this had to remove that, then install the latest version of Oracle’s Java, and then was able to make the exploit happen. There were some early reports that Chrome was not vulnerable; but, I mean, this has been moving very fast. I mean, just minute by minute, hour by hour. It’s already in the Metasploit framework. It’s already in the Blackhole rootkit, which is used by bunches of bad guys. So it’s completely available. There’s a full technical explanation that shows the source code, step by step of how this works.”
He does claim OpenJRE is not vulnerable. Except, this is merely stating that the Metasploit module doesn’t work with OpenJRE’s version out of the box. I think this is misleading. What’s to say a few modifications and/or the other exploits reported don’t impact OpenJRE as well?
If Oracle spent less time suing people and more time working on their products then things would be better. This is the way Apple is going too.
You can switch off Java using the Firefox add-on QuickJava 1.8.0 if you don’t actually need it.
It also works on Linux.