This is getting old: New zero-day vulnerabilities found in latest versions of Java, including Java 7 Update 15
February 26, 2013
Still have Java installed on your computer or enabled in your browser? Then you should know new vulnerabilities have been discovered in the latest versions of Java. Again.
The current latest version of Java is Java 7 Update 15, which includes the most recent patch Oracle issued on February 19. According to Security Explorations, a Poland-based security company that has been discovering Java vulnerabilities faster than Oracle can patch them, Java 7 Update 15 has two previously undiscovered vulnerabilities that, once combined and exploited, allow scumbags to bypass Java’s security sandbox and take control of and/or infect computers.
These two vulnerabilities, identified as Issue 54 and Issue 55, affect not only the latest version but all of Java 7. However, they don’t appear to affect earlier versions of Java. It is unknown if these vulnerabilities are Windows-only or affect Mac OS X and Linux, too.
The next regular Java update by Oracle that could potentially fix these issues is scheduled for April 16. So unless Oracle issues another irregular patch (which will only happen if these vulnerabilities are discovered in in-the-wild attacks), these vulnerabilities are going to stay unpatched for over a month. This is particularly worrisome when considering that recent hacks of major corporations, e.g. Facebook, Apple, and Microsoft, were conducted by exploiting Java.
If you still have Java installed/enabled, this may be a good time to either uninstall Java completely or at least disable it in your browser.
[via Softpedia, Security Explorations, image via Justin Kraemer]








For now, I depend too much on plugins to completely disable them. However, I do use “click to play” functionality, which prevents plugin-based content from downloading and running unless I specifically click on a placeholder to run it.
To my knowledge, this functionality is available natively in Firefox and Chrome. It is supposed to be natively available in Opera as well, though it is my understanding that the feature is crippled. For Safari, there is an add-in called ClickToPlugin to provide this functionality.
Because of click to play, my pageloads are faster, I don’t have to deal with annoying ads with audio interrupting me, and I don’t have to go back and forth to enable/disable plugins as I need them. For more information:
http://www.howtogeek.com/123986/how-to-enable-click-to-play-plugins-in-firefox/
http://www.howtogeek.com/126284/how-to-enable-click-to-play-plugins-in-google-chrome/
http://hoyois.github.com/safariextensions/clicktoplugin/
Hope this helps!
Thank you. I did not know this was an option.
[@BamBam]
My pleasure! A safer Internet for you is a safer Internet for me.
So with all these exploits why is Oracle still allowed to conduct business? If a bank were to be found leaking money out of every hole you’d think people would stop using them…. Oh wait totally forgot about the way economics work these days.
Carry on Oracle.
[@Coyote]
Practically all software has vulnerabilities in some form or another. Before Vista SP1 introduced Address Space Layout Randomization, most attacks didn’t depend on Java or Adobe Flash; they targeted browsers’ rendering engines and other facilities, especially Microsoft’s ActiveX. The biggest problem with Java and Flash is that these plugins are not subject to ASLR, so their vulnerabilities can provide a point of entry past its protection.
I understand your frustration, but prefer to focus on the good news, rather than the bad news. And the good news is that we Windows users have more control than ever before over whether we get infected. Although there are far more attacks now than in the past, this is because of the increasing numbers of both Internet users and cybercriminals, not decreasing security.
In other words, there are more bad guys, and they are trying harder. But security experts and authorities are trying harder as well, and making progress. I suspect that, one day, it will become so difficult to infect a computer that only the most elite of cybercrooks will be able to do so. And those who do will face greatly increased odds of being caught, as well as hefty penalties when they are.
[@santuccie]
Wow! Thanks for your posts, santuccie. This is most valuable info, and I appreciate it!
[@hypnostar]
My pleasure!
Please don’t overhype. This is an unpatched vulnerability. It’s not a zero-day vulnerability. Zero-day implies that it is being exploited in the wild. The name refers to the length of time developers have between discovering the vulnerability and the exploitations.
The fact that Security Explorations appears to be discovering such vulnerabilities before the bad guys do ultimately makes Java more secure, not less.
Of course, Java has had its share of zero-day vulnerabilities in recent times, as we all know. Its security as a browser plug-in certainly isn’t what we would want it to be, and I myself keep it disabled. But don’t overhype the situation with misleading headlines.
[@Bub] Firstly, let’s agree that, when it comes to digital security, definition of terms is fungible.
That said, you are wrong. A zero-day vulnerability is a previously unknown vulnerability regardless of if it is being exploited or not. A zero-day attack is an attack exploiting that zero-day vulnerability. There is no hyping here nor is the headline misleading.
And I agree, a security firm regularly finding and reporting vulnerabilities is making Java more secure. However, that doesn’t mean Java is secure.
[@santuccie] Indeed, and that’s the case by default as well on Internet Explorer. There’s a prompt whenever a site needs Java, not to mention a possible UAC alert after running the Java applet.
[@J.L.]
Ever watch a YouTube video? It plays automatically, doesn’t it? Now, try right-clicking on the video, and see that it uses Adobe Flash Player. Some may use HTML5, but that’s not the standard yet. It may be in IE10, but that’s because IE10 doesn’t support plugins at all.
Legitimate sites show alerts for Java applets, but you’re assuming that the bad guys follow the rules, which they don’t. And furthermore, most rogue pop-ups will make changes only at user level, rather than system-wide. This does not trigger a UAC alert; if it did, then scareware wouldn’t be such a pandemic.
A lot of Mac users think the way you do; that their administrator password is required for any badware to be installed. So, how did the Flashback Trojan install on over 600,000 Macs? That was a drive-by download.
I would like to believe the world to be as harmless as you do, but I outgrew that naivety the first time I saw a limited user account pwned by SQL Slammer. Before you venture to try and correct someone who is trying to help, I suggest you make sure you know what you’re talking about.
[@santuccie] That’s because YouTube is whitelisted by Microsoft. Try some other sites before insulting me.
You’re the one assuming that. I’m talking about how Internet Explorer asks you to run the plugin for a website, not how Java handles things. Of course many things are user level, I never said anything against that.
Once again, making false assumptions. You think you know so much about others, computers, and everything that’s ever touched your cocky ass.
LOL, and let’s just leave it at that. You get the picture. And FYI, I wasn’t correcting you, it was a simple agreement with additional info until you blew it out of proportions.
[@J.L.]
Once again? Have we met? If not, then you’re quick as a whip with the cursing.
As far as how Java handles things, you ought to realize that many rogue pop-ups are Java-based, and they don’t give you an alert; just the pop-up. And when that happens, you only have a few choices: terminate it via Ctrl + F4 or Task Manager, restart your system, or get infected. Because even if you click the red “X” button, you’re infected. If Java “handled” things so well, then nothing would escape the sandbox in the first place, and we wouldn’t be having this conversation.
And as far as “leaving it at that,” you can leave any time you like. I’m here primarily to provide information, but I’m also a stickler for correctness of information. Forgive me if I misunderstood your intent but, apart from being inaccurate, your original post did sound rather challenging. And now you’re cursing, and talking like you have known me for awhile. Are you here for a personal vendetta, or for education?
Correction: I meant Alt + F4, not Ctrl + F4.
[@santuccie] Once again means your false assumptions of course.
I’m not talking about how Java handles things, I’m talking about how Internet Explorer handles plugins in websites. Why do I have to state that again, can’t you read what others write?
Instead of focusing on how correct you are and how challenging I am, how about taking a look at the technical contents of my post? Sorry if my expression of anger at your incompetent assessment of my thoughts offends you, but please learn from your inaccuracies.
[@J.L.]
Once again, in reply to the first post you’ve seen from me, insinuates either that we’ve met before, or that you say it because you think it sounds good.
Sounds like you’re in over your head. What technical contents are you referring to? Because examples hold a lot more weight than empty assertions. And speaking thus, here’s another…
Since when does Microsoft whitelist Web sites for us? Because Microsoft doesn’t provide DNS services. And you’ve evaded the question as to why rogue pop-ups appear without a prompt.
If there is one inaccuracy I’ve made, then it may be that of your original intent, which is debatable. Otherwise, we can talk about those that you would like for us to forget, such as prompts “whenever” a site needs Java, or Microsoft whitelisting YouTube.
Keep it up. The longer you continue for the sake of your pride, the more ammo you give me to blow your cover.
[@santuccie] It insinuates nothing of the sort, that’s all in your head.
You skipped all the major details: 1) I specifically stated IE asks your permission when running plugins, I wasn’t talking about how Java does it. 2) If you want an example, try any website not trusted by Microsoft like killsometime.com and javagameplay.com. 3) You never noticed how cocky you appear thinking you know the whole topic and what’s in the mind of others.
Since Internet Explorer 10’s Flash whitelist. Rogue pop-ups are mainly JavaScript, which isn’t a plugin. If you mean what you mentioned about user level vs system-wide, please read the third sentence of my second paragraph of my second post.
That is far from the only inaccuracy. Funny you mentioned forgetting, because that would only benefit you.
Blow what? Just continue your nonsense, it’ll be my pleasure.
[@J.L.]
I visited the two sites you linked me to, with IE8 on default settings. I didn’t receive any prompts for Java. Of course, I didn’t go very far; I just played a video (which uses Flash, not Java).
I mentioned IE10 earlier, and also that this is not yet the standard. And you didn’t say IE10; you said Internet Explorer. By the way, where did you read that rogue pop-ups are JS, rather than Java? I suggest you try again. Thanks to click to play, all my pop-ups display harmless placeholders, just like all other plugin-based content. That’s strike 3. You wanna keep going?
As far as cockiness goes, this isn’t a discussion about personalities, or else we can get back to why you find it necessary to use profanity. This is about Web security. Let’s stay on-topic, at the very least.
Correction: I didn’t realize you were talking specifically about IE10, which is used by 1.29% of users. Certainly not the standard, but that takes you down to 2 strikes.
[@santuccie] After some extensive testing, I’ve found out that the prompt does not appear for Flash by default. As for Java, there is a “This website wants to run the following add-on:” and a Security Warning pop-up. That is the case for Internet Explorer 8 and 10 on both XP and 7. Just go to: http://www.java.com/en/download/testjava.jsp
I did mean just IE, because I remember it working in 8 and 9. Most of the time rogue popups means JavaScript (at least to me), because they always appear in websites full of ads. Sure I’ll keep going, thanks to ActiveX Filtering that’s the case for Internet Explorer as well.
[@J.L.]
What happened to the other two sites? And I know about the security warning pop-up. Like I said in my first response to you, legitimate pages will trigger the prompt, but illegitimate ones will not; cybercriminals don’t follow the rules.
At least to you? This and Oracle’s own Java test page are the comebacks that took you two hours to hit me with? Sorry, but show me a pop-up ad that triggers a prompt. And then, show me some JS pop-up ads.
As far as ActiveX goes, that is IE only; other browsers don’t have it. And more importantly, ActiveX is subject to ASLR. Java and Flash are not, which is why more exploits are being written for them these days. That, and the fact that they are cross-platform.
Thinking about it now, I probably shouldn’t say Java and Flash are not subject to ASLR. They use JIT, which makes it easier to defeat ASLR.
[@santuccie] One is Flash, which there’s no alert. You never visited the Java games site, so I provided an easier example. Prove to me that illegitimate one will not trigger those prompts.
I never said anything about pop-up ads showing prompts, but all browsers block most pop-ups by default so there’s a notification. Now I have to show you something that’s obvious? I thought you knew enough to not need such examples, so stop wasting my time.
ActiveX Filtering blocks all plugins, research more.
Correction, you never played a game in that site, which triggers the Java security warning.
[@J.L.]
Oh, don’t cop out on me now. Haven’t you heard the term, “burden of proof?” These are your words: “There’s a prompt whenever a site needs Java.” You made the claim, not I.
Now, you’re changing the subject to pop-up blocking. Problem with that theory is, all browsers have that enabled by default. Why then do you think people are getting infected with rogue antivirus products right and left? And besides, you can turn pop-up blocking in IE all the way up, and you’ll still have problems.
Is ActiveX filtering enabled by default? Because you said, “that’s the case by default as well on Internet Explorer.” Strike 3.
Who’s wasting whose time? You came after me, remember? And I told you that you could leave at any time. But you still seem to think you can win this debate by learning on the fly.