Ghosts of Java Haunt Users
Sun Microsystems has issued updates for its ubiquitous Java software to plug multiple security holes. Of particular interest in this bundle is a fix that prevents attackers from exploiting vulnerabilities in older versions of the software.
Why is this a big deal, you ask? Aren't patches designed to fix vulnerabilities in older versions of the software? Well, yes, but as Security Fix has lamented time and again, Sun's updates are notorious for leaving older versions of the software lying all over the user's machine.
If this conundrum sounds familiar, you're not crazy (although you might be a geek). Roughly two years ago, Sun quietly acknowledged in a security update that it had fixed a very similar flaw -- which allowed attackers to invoke older, insecure versions even if the latest, patched version was installed and set as the authoritative version to be used by both the operating system and the user's default Web browser.
A PR firm, hired by Sun, gave me a heads-up about this patch (JDK and JRE 6 Update 7) by pointing me to this post on Sun's security blog, which - as you can see - isn't terribly informative.
So for true transparency, I turned to John Heasman, vice president of research for NGSSoftware. Heasman, a Brit based in Seattle, is something of a Java freak, having reported close to 15 Java vulnerabilities to Sun so far (not all of which are patched yet). Heasman said he reported the flaw to Sun back in November, after poking and prodding Sun's previous fix for preventing attackers from invoking older versions of Java.
That fix, bundled with JRE 5.0 Update 8, implemented an approach Sun called "secure static versioning." If you check out the "add-ons" installed in Internet Explorer, for example, (in IE7, click Tools, Internet Options, Programs, then Manage Add-Ons) you should see the filename of the plug-in that undertakes this task, called "ssv.dll".
"I was thinking that there was probably a way to break the static versioning plug-in," Heasman said. "That was the rationale for my playing around with it."
Heasman said he ran the plug-in through a series of tests and eventually found a way to bypass its security checks and present the user with something of a Catch-22: Namely, a pop-up dialog box that says basically, "Hey, this Web site wants to run a Java program using an older version of Java than what's installed, is that okay?" What Heasman found was that even if the user clicks no to this prompt, he still could force the browser or operating system to revert to an older, vulnerable version of Java still installed on the system.
And, of course, if the user approves the use of an older, vulnerable version of Java, Heasman's proof-of-concept exploit pops open a new browser window that runs the Web site's program using... wait for it... the older, vulnerable version.
Either way, by virtue of not removing older versions of Java, Sun's updater has once again kept users exposed to older security vulnerabilities.
Now, I understand why Sun does not automatically remove older versions: many businesses build custom applications based on a particular version of Java, so migrating to a new version and nuking the old one often renders that custom-built application worthless or buggy at best.
But perhaps there's a two-tiered solution that Sun could adopt here, with one version of Sun's software designed exclusively for consumers, and another meant for business use and developers. I realize this would add a layer of complexity for Sun, but in my opinion there's no good reason for consumers to have six to eight different versions of Java on their systems when vulnerabilities like this keep popping up.
As it stands, Sun puts the onus of uninstalling these older versions on the user. While uninstalling those versions isn't a terrible trial for users, it's also not something most users are likely to know that they should do.
If it seems like I'm making a big deal of this, it's because Java is probably one of the most -- if not THE most -- widely deployed software titles on the planet today. By Sun's own estimates, something like 90 percent of the world's desktops, regardless of operating system, run Java.
The beauty of developing exploits from an attacker's standpoint is that the same exploits can work seamlessly regardless of which operating system or browser the target is using, Heasman said.
Heasman said he's holding off on releasing a proof-of-concept exploit for this flaw until next month's annual Black Hat hacker conference in Las Vegas. For now, he said he wants to wait until he's had a chance to fully delve into Sun's fix to make sure it isn't just a surface patch.
"I want to learn how they addressed the problem before I put something out there that someone can just tweak slightly and cause problems for everyone all over again," Heasman said.
I don't know about you, but I'm not interested in waiting around to find out who's right. Unless you have some need for those older versions of Java hanging around your system, I'd advise you to nix them after installing this latest update. Windows users can grab the latest version by opening Control Panel, double-clicking the Java icon, then the Update tab, and then Update Now. Windows users should be able to banish older versions using the Add/Remove Programs menu in the Control Panel.
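Before heading into Add/Remove Programs, it helps to know exactly which Java runtimes are still on the box. The following PowerShell script is an added example, not code from the original post or from Sun: it reads the standard Windows Uninstall registry keys, picks out the Java entries, and lists every runtime older than the newest one installed. It is read-only and removes nothing; the assumption it makes is that the installers register a DisplayName starting with "Java" or "J2SE" (as Sun's did) and a parseable DisplayVersion.

```powershell
# Added example (not part of the original post): inventory installed Java
# runtimes from the Windows Uninstall registry keys and report every version
# older than the newest one found. Read-only; nothing is uninstalled.
# Assumption: Java installers register under the standard Uninstall keys with a
# DisplayName beginning "Java" or "J2SE" and a DisplayVersion such as "1.6.0.70".

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$java = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and $_.DisplayVersion } |
        ForEach-Object {
            # Cast the version string to [Version] so "1.6.0.70" sorts after "1.5.0.80"
            $v = $null
            if ([Version]::TryParse($_.DisplayVersion, [ref]$v)) {
                [PSCustomObject]@{
                    Name            = $_.DisplayName
                    Version         = $v
                    UninstallString = $_.UninstallString
                }
            }
        } | Sort-Object Version -Descending
)

if ($java.Count -eq 0) {
    Write-Host 'No Java runtime found in the Uninstall registry keys.'
    return
}

$newest = $java[0]
Write-Host ("Newest installed: {0} ({1})" -f $newest.Name, $newest.Version)

# Everything below the newest version is an extra attack surface the updater left behind
$stale = $java | Where-Object { $_.Version -lt $newest.Version }
if ($stale) {
    Write-Host 'Older runtimes still present (remove via Add/Remove Programs unless an application needs them):'
    $stale | Format-Table Name, Version, UninstallString -AutoSize
} else {
    Write-Host 'No older Java runtimes found.'
}
```

Run it from an elevated PowerShell prompt after applying the update; the UninstallString column shows the same uninstaller that Add/Remove Programs invokes, so you can confirm each old entry is gone by running the script again afterwards.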
July 10, 2008; 11:28 AM ET
Categories: From the Bunker , Latest Warnings , New Patches , Safety Tips