This is getting old: New zero-day vulnerabilities found in latest versions of Java, including Java 7 Update 15

February 26, 2013


Still have Java installed on your computer or enabled in your browser? Then you should know new vulnerabilities have been discovered in the latest versions of Java. Again.

The current latest version of Java is Java 7 Update 15, which includes the most recent patch Oracle issued on February 19. According to Security Explorations, a Poland-based security company that has been discovering Java vulnerabilities faster than Oracle can patch them, Java 7 Update 15 has two previously undiscovered vulnerabilities that, once combined and exploited, allow scumbags to bypass Java’s security sandbox and take control of and/or infect computers.

These two vulnerabilities, identified as Issue 54 and Issue 55, affect not only the latest version but all of Java 7. However, it doesn’t appear to affect earlier versions of Java. It is unknown if these vulnerabilities are Windows-only or affect Mac OS X and Linux, too.

The next regular Java update by Oracle that could potentially fix these issues is scheduled for April 16. So unless Oracle issues another irregular patch (which will only happen if these vulnerabilities are discovered in in-the-wild attacks), these vulnerabilities are going to stay unpatched for over a month. This is particularly worrisome when considering that recent hacks of major corporations, e.g. Facebook, Apple, and Microsoft, were conducted by exploiting Java.

If you still have Java installed/enabled, this may be a good time to either uninstall Java completely or at least disable it in your browser.

[via Softpedia, Security Explorations, image via Justin Kraemer]

50 Comments »

  1. J.L. February 27, 2013 at 12:29 AM

    [@santuccie] And I showed you 2 sites that it appeared on.

    That’s because you mentioned rogue pop-ups, and continued talking about it. Now you’re changing the subject to rogue AV.

    No, that’s the case means your click to play statement.

    Really, says the one who made a big deal out of it. Why should I leave when you’re messing with my facts? At least I’m trying to improve myself by learning.

    Lastly, I took 2 hours, because I have a life outside of arguing with a stranger on this site. Not to mention I had to restart to reset Internet Explorer’s settings, install Flash and Java on my XP virtual machine, and download/install Windows 7 on VirtualBox.

  2. J.L. February 27, 2013 at 12:34 AM

    Speaking of “burden of proof”, where’s yours for this statement: Like I said in my first response to you, legitimate pages will trigger the prompt, illegitimate ones will not; cybercriminals don’t follow the rules.

  3. santuccie February 27, 2013 at 12:48 AM

    [@J.L.]
    “And I showed you 2 sites that it appeared on.”
    - Can’t link to a specific page? If you intend to prove a point, you don’t tell the other party to “go fish.” But since you want to try and turn the tables on me, here you go:

    http://s1033.beta.photobucket.com/user/santuccie/media/sshot-2.png.html

    Cakewalk. Now, it’s your turn.

    “That’s because you mentioned rogue pop-ups, and continued talking about it. Now you’re changing the subject to rogue AV.”
    - Clever. I mentioned rogue AV because it’s one of the most prevalent types of rogue software. You also have rogue reg cleaners and, more recently, rogue disk utilities. But I brought up a pandemic I thought you might have heard about, because EVERYONE is hearing about rogue AV.

    “No, that’s the case means your click to play statement.”
    - What are you talking about? When you say, “that’s the case by default as well on Internet Explorer,” you could be meaning that click to play is a default feature in IE, or both in IE and alternative browsers, neither of which is true. Only in IE10, which is used by approximately 1.29% of Web surfers.

    “Why should I leave when you’re messing with my facts? At least I’m trying to improve myself by learning.”
    - First, you’re trying to fake it until you make it. Second, what facts? You’ve already struck out, kiddo.

    “Lastly, I took 2 hours, because I have a life outside of arguing with a stranger on this site. Not to mention I had to restart to reset Internet Explorer’s settings, install Flash and Java on my XP virtual machine, and download/install Windows 7 on VirtualBox.”
    - LOL, nice contradiction there. You’ve spent a lot more time on this than I have, just FYI; it doesn’t take long for me to squash your latest, feeble attempt to save face.

  4. santuccie February 27, 2013 at 12:52 AM

    P.S.: If it hasn’t sunk in yet that you’ve been squashed, then go ahead and keep trying to fight your way out of the corner you now find yourself backed into. I have to get up in the morning.

  5. J.L. February 27, 2013 at 1:04 AM

    [@santuccie] Short term memory loss? Can’t read previous comments? Okay, I’ll spoon feed you the links:
    http://www.java.com/en/download/testjava.jsp
    http://javagameplay.com/offroadrally/rally.html

    Wow, epic fail. There’s not even the slightest bit of java in flash-player-update.com. There’s a JavaScript popup though.

    Sure, but mentioning irrelevant information doesn’t help your case.

    You

  6. J.L. February 27, 2013 at 1:10 AM

    *accidentally pressed post*
    stated: “Thanks to click to play, all my pop-ups display harmless placeholders, just like all other plugin-based content.” I stated Internet Explorer has that as well. ActiveX Filtering is in IE 9 too.

    You’re one of the most ignorant people I’ve ever met. Apparently anything you only consider yourself as the bearer of all facts.

    So what if I spent more time? You should be grateful that someone is trying to research and state the facts.

  7. J.L. February 27, 2013 at 1:56 AM

    Your example is worse than I thought, it doesn’t exploit anything other than user stupidity, you have to download and run it.

    One last note, stop putting words like “default” in my mouth.

  8. AFPhy6 February 27, 2013 at 6:36 AM

    Well, I guess this one means I am happy that I have not gone to Java7… the Java team at Oracle has to be pulling out their hair nowadays…

  9. santuccie February 27, 2013 at 9:16 AM

    [@J.L.]
    I’m surprised you’re still here. Clearly, you don’t know enough about computers to even realize that you were down for the count a few posts back already. So here you are again, flogging a dead horse. Suit yourself…

    “Wow, epic fail. There’s not even the slightest bit of java in flash-player-update.com. There’s a JavaScript popup though.”
    - What are you talking about? This was in response to your remark about the effectiveness of pop-up blockers! Are you still trying to claim that there are no Java-based pop-ups? Okay, you just keep on saying that; it’ll be a short trip back here with a screenshot the very next time I run across a Java pop-up. Then you can tell all your friends how you sure told me (just hope they don’t actually find this thread).

    “I stated Internet Explorer has that as well. ActiveX Filtering is in IE 9 too.”
    - Changing stories, are we? You said it has it BY DEFAULT.

    “You’re one of the most ignorant people I’ve ever met. Apparently anything you only consider yourself as the bearer of all facts.”
    - That’s funny, coming from you. Do you know what “ignorant” means? It doesn’t mean stupid, if you were trying to find a sophisticated way to call me that. And if you actually knew that ignorant means inexperienced – which I doubt – then you would know that describes the person who has been consistently getting schooled… you. Either way, you’re not describing me. Nice try, though.

    “So what if I spent more time? You should be grateful that someone is trying to research and state the facts.”
    - So what? I thought it took you all that time because you “have a life.” How old are you, kid? I should be grateful that some wannabe is trying to pretend that he is some kind of guru, belittling his better, and repeatedly asserting that he is stating “facts” after being struck down again and again for misinformation? So, posting on an assumption, jumping from one foot to the next as you get knocked back, and all the while thumbing up your nose at my experience is charity from you to me? Great, you’re blind as a bat AND audacious. You’ll make some girl a fine partner one day.

  10. santuccie February 27, 2013 at 9:17 AM

    “One last note, stop putting words like “default” in my mouth.”
    - First, you’re not bullying anybody; I don’t take orders from you. Second, you put “default” in your own mouth. Just look back at your previous posts. They’re not going anywhere; they’ll be there for all the world to see after you’ve dug yourself a hole so deep that you can never climb out, and I won’t even have to bother saying I told you so.

    “Your example is worse than I thought, it doesn’t exploit anything other than user stupidity, you have to download and run it.”
    - Oh, really? Going on a hunch again, are we? Just FYI, we’re talking about pop-ups that come not only from dodgy Web sites, but also from legitimate pages that have been compromised by a third party. If they don’t install automatically, as some actually do, then one can only be rid of them by terminating the process or rebooting; not something the average user would know (you didn’t even know until I told you). Furthermore, I’ve already told you flat-out that the Flashback Trojan was a drive-by download; the only difference between providing the admin password and not doing so was whether it installed only to one user account, or system-wide. Strike 4.

    And lastly, are you backing out of your denial that these pop-ups are indeed Java-based? Wise choice, but a little too late to save face here. And trying to dismiss it as a poor example (a drive-by download is a worse example than you thought?) is yet another cop-out for the record books. On the bright side, you can always create a new username, LOL.

  11. Bub February 27, 2013 at 9:46 AM

    [@Ashraf]
    Interestingly, a bit of research has shown the question to be less cut-and-dry than I thought. I found three definitions of “zero day vulnerability,” two of which imply active exploits being in the wild, whereas the third one does not.

    What is clear, though, is that the term “zero-day vulnerability” is far less frequently used (and defined) than the similar term “zero-day attack,” which everyone agrees does imply an active exploit.

    At the end of the day, it doesn’t matter which definition of “zero-day vulnerability” you personally adopt; what matters is what the term means to your readers. Between the fact that – in my admittedly small sample of definitions – the active exploit is implied more often than not, and the similarity to the more commonly used term “zero-day attack”, I strongly suspect that the majority of your readers, if going by the headline alone, would believe the headline to imply an active exploit. You may not intend for them to come away with such a false impression, and you may hope that they read the full article for clarification, but I do believe that hyping the story with this language does the community a disservice.

  12. santuccie February 27, 2013 at 10:05 AM

    [@Bub]
    I’m with Ashraf. If you actually did see two misnomers out of the first three sites you looked at, understand that not all bloggers are created equal.

    Not to be rude, but you appear to be alone in your contention. And you can’t please everybody; just because one reader interprets the word “vulnerability” to mean “exploit” whenever “zero-day” is coupled with it, doesn’t make the author wrong for failing to read minds and word things accordingly.

    “Zero-day” means something that was discovered less than 24 hours ago, “zero-hour” means something that was discovered less than 60 minutes ago, and “vulnerability” means weakness. If exploits are exploits, and vulnerabilities are exploits, then what would be your word choice to describe a vulnerability that was discovered today by the good guys, and not the bad guys?

  13. santuccie February 27, 2013 at 10:27 AM

    [@J.L.]
    While I was reading about the Flashback Trojan, it occurred to me that what may have confused you is that you may have recently read about JavaScript being what causes a pop-up to load. And when you made your rebuttal that the pop-up in my screenshot was a JS pop-up, now I realize that you’re thinking the content in the page itself is JS. Is that it? Because most of the content in the pop-up you see is neither Java nor JS, but HTML (except for Java pop-ups, which would likely include some HTML as well).

    Understand that JS is not what the Flashback Trojan used to infect over 600,000 Macs, although JS is what opened the pop-up; it was a Java exploit. Sorry to confuse you, but I didn’t realize you’d gotten even the JS bit itself from a Google search while you were already trying to engage me in a debate, LOL. Oh, well; live and learn.

  14. santuccie February 27, 2013 at 10:42 AM

    P.S.: Reading back over our previous posts, I can see that my own wording would seem to position a screenshot for a Java pop-up (which I will still provide for you when I have one), since I had addressed your inability to provide concrete evidence in the same paragraph. What I was thinking and what came out were two different things, sorry. I knew what I meant.

  15. J.L. February 27, 2013 at 3:13 PM

    [@santuccie] “I’m surprised you’re still here. Clearly, you don’t know enough about computers to even realize that you were down for the count a few posts back already. So here you are again, flogging a dead horse. Suit yourself…”
    I don’t know what kind of flagrant hubris you have looking down on me, but it’s not going to work.

    “What are you talking about? This was in response to your remark about the effectiveness of pop-up blockers! Are you still trying to claim that there are no Java-based pop-ups? Okay, you just keep on saying that; it’ll be a short trip back here with a screenshot the very next time I run across a Java pop-up. Then you can tell all your friends how you sure told me (just hope they don’t actually find this thread).”
    Can you understand the word most?

    “Changing stories, are we? You said it has it BY DEFAULT.”
    When I said default in my first post there was no mention of ActiveX Filtering. It only meant the Internet Explorer security prompt when you run a Java applet.

    “That’s funny, coming from you. Do you know what “ignorant” means? It doesn’t mean stupid, if you were trying to find a sophisticated way to call me that. And if you actually knew that ignorant means inexperienced – which I doubt – then you would know that describes the person who has been consistently getting schooled… you. Either way, you’re not describing me. Nice try, though.”
    I say ignorant, because you clearly ignore what I actually said and only rely on your own interpretation.

    “So what? I thought it took you all that time because you “have a life.” How old are you, kid? I should be grateful that some wannabe is trying to pretend that he is some kind of guru, belittling his better, and repeatedly asserting that he is stating “facts” after being struck down again and again for misinformation? So, posting on an assumption, jumping from one foot to the next as you get knocked back, and all the while thumbing up your nose at my experience is charity from you to me? Great, you’re blind as a bat AND audacious. You’ll make some girl a fine partner one day.”
    If you cannot see the facts, then there’s no helping it.

    “First, you’re not bullying anybody; I don’t take orders from you. Second, you put “default” in your own mouth. Just look back at your previous posts. They’re not going anywhere; they’ll be there for all the world to see after you’ve dug yourself a hole so deep that you can never climb out, and I won’t even have to bother saying I told you so.”
    Learn Ctrl+F. When was the words “Default” and “ActiveX Filtering” ever in the same place?

    “Oh, really? Going on a hunch again, are we? Just FYI, we’re talking about pop-ups that come not only from dodgy Web sites, but also from legitimate pages that have been compromised by a third party. If they don’t install automatically, as some actually do, then one can only be rid of them by terminating the process or rebooting; not something the average user would know (you didn’t even know until I told you). Furthermore, I’ve already told you flat-out that the Flashback Trojan was a drive-by download; the only difference between providing the admin password and not doing so was whether it installed only to one user account, or system-wide. Strike 4.”
    What does FlashBack Trojan have to do with Internet Explorer on Windows?

    “And lastly, are you backing out of your denial that these pop-ups are indeed Java-based? Wise choice, but a little too late to save face here. And trying to dismiss it as a poor example (a drive-by download is a worse example than you thought?) is yet another cop-out for the record books. On the bright side, you can always create a new username, LOL.”
    What pop-ups? I only said rogue pop-ups are mainly JavaScript.

  16. J.L. February 27, 2013 at 3:28 PM

    [@santuccie] I’ve yet to see a “HTML pop-up” that doesn’t rely on JavaScript.

    The example you gave me was not FlashBack Trojan.

    The fact is, Internet Explorer gives a security prompt whenever a Java applet is run (not to mention the possible UAC prompt). Although there may be bypasses of that, I doubt it’s as widespread as you think. The fact is, Internet Explorer 9+ has ActiveX Filtering, which is basically click to play. I should have mentioned that earlier. The fact is, you have insulted me in every way you can, and I’m sick of it.

  17. santuccie February 27, 2013 at 3:51 PM

    [@J.L.]
    “I say ignorant, because you clearly ignore what I actually said and only rely on your own interpretation.”
    - Ignorant has nothing to do with ignoring. Clearly, you are ignorant to the meaning of the word. Ignorance means lack of knowledge or education. Stupidity means dullness of mind. And ignoring means not paying attention. Ignorant does NOT mean a state of being one who ignores things. Speaking of “ignoring what I actually said and only relying on your own interpretation,” you just made a fool of yourself for the umpteenth time. Thanks for the laugh. This one will follow you until the end of our conversation.

    “Learn Ctrl+F. When was the words “Default” and “ActiveX Filtering” ever in the same place?”
    - When WAS the words in the same place? Learn grammar. That said, you told me that IE blocks plugin-based content by default, but ActiveX filtering is what causes the blocking (ActiveX is IE’s counterpart to plugins). Again, you don’t know enough about computers to know when your foot is in your mouth.

    “What does FlashBack Trojan have to do with Internet Explorer on Windows?”
    - A drive-by download delivered by a Java exploit. The same stuff exists for Windows (e.g. rogue AV), and we’ve been over that. Don’t get me wrong; not all Java pop-ups are drive-by downloads. Some rely on at least one click, others do not. The point is that plugin-based content in pop-ups that circumvent ASLR present a real threat, and one that can be greatly reduced by either enabling click to play, or by enabling ActiveX filtering in the event that IE is your preferred browser.

    “What pop-ups? I only said rogue pop-ups are mainly JavaScript.”
    - You should have read my latest responses through to the end before firing back. They are NOT mainly JavaScript; in fact, the pop-up itself may be completely devoid of JS. NO pop-up is comprised entirely of JavaScript, period. It’s either HTML by itself, or HTML with JS and/or some plugin-based content (such as Java content). JS is not the building block of Web pages; it’s simply a code that can be embedded into HTML to provide enhanced functionality. HTML is not dependent on JS, and JS does not stand on its own. Get it?

    Here’s your problem: you only recently learned that JS is responsible for launching a pop-up, which you probably got in a Google search while trying to cross swords with someone who has decades of experience to prepare him for the likes of you. This is like reading the wikipedia about thrusting and parrying while you’re in the middle of a fencing match with Albert Axelrod (exaggeration, of course; I am by no means a revered authority). This is strike 5, and the most conspicuous of all the blunders you’ve made so far. I told you that the longer you continue for the sake of your pride, the more ammo you give me to blow your cover and stomp that pride flat. You’re a regular glutton for punishment! Want some more?

  18. Ashraf February 27, 2013 at 4:02 PM
    Mr. Boss

    [@santuccie] [@J.L.] LMAO are you two still at it?

    In all seriousness, I love the discussion and the back-and-forth — very informative and educating. However, let’s be adults about it, puhleez. Personal insults/attacks don’t add any weight to a point and only lower the quality of the discussion. Of course that doesn’t mean you can’t be uber defensive but do it respectfully.

    Thanks!

  19. santuccie February 27, 2013 at 4:08 PM

    @Ashraf:

    Thank you, and I apologize. No more posting from me in this thread.

    @J.L.:

    I am sorry for jumping you after your initial post. Take care.

  20. J.L. February 27, 2013 at 4:41 PM

    “Ignorant has nothing to do with ignoring. Clearly, you are ignorant to the meaning of the word. Ignorance means lack of knowledge or education. Stupidity means dullness of mind. And ignoring means not paying attention. Ignorant does NOT mean a state of being one who ignores things. Speaking of “ignoring what I actually said and only relying on your own interpretation,” you just made a fool of yourself for the umpteenth time. Thanks for the laugh. This one will follow you until the end of our conversation.”
    Must have been my dictionary, but it’s just like you to be overblown.

    “When WAS the words in the same place? Learn grammar. That said, you told me that IE blocks plugin-based content by default, but ActiveX filtering is what causes the blocking (ActiveX is IE’s counterpart to plugins). Again, you don’t know enough about computers to know when your foot is in your mouth.”
    I thought it did, but it appeared to be my settings. Java isn’t executed without your permission in virtually all cases though.

    “A drive-by download delivered by a Java exploit. The same stuff exists for Windows (e.g. rogue AV), and we’ve been over that. Don’t get me wrong; not all Java pop-ups are drive-by downloads. Some rely on at least one click, others do not. The point is that plugin-based content in pop-ups that circumvent ASLR present a real threat, and one that can be greatly reduced by either enabling click to play, or by enabling ActiveX filtering in the event that IE is your preferred browser.”
    I’d like to see a true drive-by example, but valid point.

    “You should have read my latest responses through to the end before firing back. They are NOT mainly JavaScript; in fact, the pop-up itself may be completely devoid of JS. NO pop-up is comprised entirely of JavaScript, period. It’s either HTML by itself, or HTML with JS and/or some plugin-based content (such as Java content). JS is not the building block of Web pages; it’s simply a code that can be embedded into HTML to provide enhanced functionality. HTML is not dependent on JS, and JS does not stand on its own. Get it?”
    Obviously you don’t respect me enough to constantly post security 101, web 101, etc. Maybe you should search my name and find out yourself how knowledgeable I am. Please give me an example of a pure HTML popup.

    “Here’s your problem: you only recently learned that JS is responsible for launching a pop-up, which you probably got in a Google search while trying to cross swords with someone who has decades of experience to prepare him for the likes of you. This is like reading the wikipedia about thrusting and parrying while you’re in the middle of a fencing match with Albert Axelrod (exaggeration, of course; I am by no means a revered authority). This is strike 5, and the most conspicuous of all the blunders you’ve made so far. I told you that the longer you continue for the sake of your pride, the more ammo you give me to blow your cover and stomp that pride flat. You’re a regular glutton for punishment! Want some more?”
    Looks like all civility might’ve been lost if Ashraf didn’t step in.

    @santuccie:
    I won’t deny that you know the topic at hand, but nobody is perfect and one is not above others.

  21. Bub February 27, 2013 at 7:47 PM

    [@santuccie]
    Actually, as far as I can tell, your definitions are yours and yours alone. I cannot find any source that defines “zero-day” as “discovered within the last 24 hours”. As generally used, the term refers not to the time since discovery, but the time available to developers to fix the bug between time of discovery and time of working exploit. The only disagreement I found between definitions is whether for a “zero-day vulnerability” the working exploit had to be in the wild, or whether a working proof-of-concept would suffice.

    In fact, your response really proves my point. If the term is so poorly understood that some readers interpret it as inaccurately as you do, then it is not conducive to effective communication.

  22. DoktorThomas February 28, 2013 at 5:23 AM

    Oracle seems to be code content, take-it-or-leave-it. It is another sterling example of behemoth corporate haphazard commitment to individual users.

    Come on, Coders, the arena is devoid of creativity…

    Besides, can the I-world not easily survive without Oracle’s java?

  23. Steve February 28, 2013 at 10:52 AM

    Unfortunately, Java is required to create an mhtml file from Firefox that can later be opened. (If Java is disabled, you can still create an (invalid) mhtml file, but you won’t be able to open it.)

  24. santuccie March 18, 2013 at 11:47 AM

    @J.L.:

    Here’s a Flash pop-up for you:

    http://s1033.photobucket.com/user/santuccie/media/ScreenShot2013-03-18at12201AM.png.html

    A Java pop-up would look much like this, with the same placeholder. BTW, look what it’s for! Had it not been for click-to-play, I might have been infected.

    @Bub:

    Whatever you say. I’m not touching that with a ten-foot pole.

  25. santuccie March 18, 2013 at 5:57 PM

    @Bub:

    Re-reading your last post, you got it part right. The only problem is that you’re counting PoC exploits as statistics. Just for the record, PoCs are used regularly; this is how researchers prove the existence of a vulnerability to the developers (the only time there might not be a PoC exploit is if the developers themselves discovered the flaw, and are publicly announcing and/or patching it). So yes, if you’re trying to argue that “zero-day” almost always indicates the existence of an exploit, then you would be right. However, by your rationale, the very term, “vulnerability” would itself indicate the existence of an exploit; at least a PoC exploit.

    The reason you are having such a hard time finding a definition for “zero-day vulnerability” is because it is so rarely used. The public doesn’t usually read about a vulnerability until after there is either a patch available, or an In-the-Wild exploit; and this is usually more than 24 hours after the vulnerability is discovered. Another term you may not have heard is “zero-day warez”, which refers to software that is cracked the same day it is released. It does not refer to a crack that is less than one day old, nor does it refer to a crack that will execute arbitrary code and compromise your system. This term is also rare, because warez do not usually come out the same day as the licensed releases.

    “Zero-day exploit/attack” refers to an ItW (not PoC) exploit whose outbreak is the same day a vulnerability is discovered or, more frequently, before the developers were ever aware of the vulnerability. The day of the outbreak in either case is day zero, as the vulnerability has been known to the developers for less than 24 hours. PoCs do not count as active exploits, even if they are released to the public. There is no threat to you or me until the bad guys pick up on it and release an exploit designed to do their dirty deeds. Not to be a smart-***, but it was you who proved my point.

    Sorry if I failed to clarify this earlier, but I’m not guessing at this; I’m not “winging it.” ;) No hard feelings, just useful information. Cheers!
