Network News

X My Profile
View More Activity

Ghosts of Java Haunt Users

Sun Microsystems has issued updates for its ubiquitous Java software to plug multiple security holes. Of particular interest in this bundle is a fix that prevents attackers from exploiting vulnerabilities in older versions of the software.

Why is this a big deal, you ask? Aren't patches designed to fix vulnerabilities in older versions of the software? Well, yes, but as Security Fix has lamented time and again, Sun's updates are notorious for leaving older versions of the software lying all over the user's machine.

java67.jpg

If this conundrum sounds familiar, you're not crazy (although you might be a geek). Roughly two years ago, Sun quietly acknowledged in a security update that it had fixed a very similar flaw -- which allowed attackers to invoke older, insecure versions even if the latest, patched version was installed and set as the authoritative version to be used by both the operating system and the user's default Web browser.

A PR firm, hired by Sun, gave me a head's up about this patch (JDK and JRE 6 Update 7) by pointing me to this post on Sun's security blog, which - as you can see - isn't terribly informative.

So for true transparency, I turned to John Heasman, vice president of research for NGSSoftware. Heasman, a Brit based in Seattle, is something of a Java freak, having reported close to 15 Java vulnerabilities to Sun so far (not all of which are patched yet). Heasman said he reported the flaw to Sun back in November, after poking and prodding Sun's previous fix for preventing attackers from invoking older versions of Java.

That fix, bundled with JRE 5.0 Update 8, implemented an approach Sun called "secure static versioning." If you check out the "add-ons" installed in Internet Explorer, for example, (in IE7, click Tools, Internet Options, Programs, then Manage Add-Ons) you should see the filename of the plug-in that undertakes this task, called "ssv.dll".

"I was thinking that there was probably a way to break the static versioning plug-in," Heasman said. "That was the rationale for my playing around with it."

Heasman said he ran the plug-in through a series of tests and eventually found a way to bypass its security checks and present the user with something of a Catch-22: Namely, a pop-up dialog box that says basically, "Hey, this Web site wants to run a Java program using an older version of Java than what's installed, is that okay?" What Heasman found was that even if the user clicks no to this prompt, he still could force the browser or operating system to revert to an older, vulnerable version of Java still installed on the system.

And, of course, if the user approves the use of an older, vulnerable version of Java, Heasman's proof-of-concept exploit pops open a new browser Window that runs the Web site's program using....wait for it....the older, vulnerable version.

Either way, by virtue of not removing older versions of Java, Sun's updater has once again kept users exposed to older security vulnerabilities.

Now, I understand why Sun does not automatically remove older versions: many businesses build custom applications based on a particular version of Java, so migrating to a new version and nuking the old one often renders that custom-built application worthless or buggy at best.

But perhaps there's a two-tiered solution that Sun could adopt here, with one version of Sun's software designed exclusively for consumers, and another meant for business use and developers. I realize this would add a layer of complexity for Sun, but in my opinion there's no good reason for consumers to have six to eight different versions of Java on their systems when vulnerabilities like this keep popping up.

As it stands, Sun puts the onus of uninstalling these older versions on the user. While uninstalling those versions isn't a terrible trial for users, it's also not something most users are likely to know that they should do.

If it seems like I'm making a big deal of this it's because Java is probably one of the most -- if not THE most - widely deployed software title on the planet today. By Sun's own estimates, something like 90 percent of the world's desktops, regardless of operating system, run Java.

The beauty of developing exploits from an attacker's standpoint is that the same exploits can work seamlessly regardless of which operating system or browser the target is using, Heasman said.

Heasman said he's holding off on releasing a proof-of-concept exploit for this flaw until next month's annual Black Hat hacker conference in Las Vegas. For now, he said he wants to wait until he's had a chance to fully delve into Sun's fix to make sure it isn't just a surface patch.

"I want to learn how they addressed the problem before I put something out there that someone can just tweak slightly and cause problems for everyone all over again," Heasman said.

I don't know about you, but I'm not interested in waiting around to find out who's right. Unless you have some need for those older versions of Java hanging around your system, I'd advise you to 'nix them after installing this latest update. Windows users can grab the latest version by opening Control Panel, double clicking the Java icon, then the Update tab, and then Update Now. Windows users should be able to banish older versions using the Add/Remove Programs menu in the Control Panel.loo

By Brian Krebs  |  July 10, 2008; 11:28 AM ET
Categories:  From the Bunker , Latest Warnings , New Patches , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: U.S. Supreme Court Judge Data Exposed Via P2P
Next: Speeding In Maryland Could Be Hazardous to Your Identity

Comments

This article was extremely useful and I found several old versions of Java on my machine, which I removed. I also found J2SE Runtime Environment Update 5.0 Updates. Are these just other versions with a slightly different name or is it a different program?

Posted by: I Hartfield | July 10, 2008 12:21 PM | Report abuse

Brian, why couldn't Sun provide *all* users - both ordinary consumers and businesses or developers - with a clickable option which, in conjunction with the installation of a new Java version, informed them of which earlier versions were still installed on their computer and allowed them to choose which, if any were to be automatically removed ? That, perhaps together with some advice on when it is appropriate to remove older versions, should do the trick....

Henri

Posted by: M Henri Day | July 10, 2008 12:37 PM | Report abuse

@Hartfield -- Java Update 5 is very old, and should be removed if you're a home user. Sun's naming convention for Java is a whole separate nightmare, and probably fodder for another column.

Posted by: Bk | July 10, 2008 12:38 PM | Report abuse

@Henri -- They could do that, certainly, but they wouldn't. To put it very simply: A large number of businesses create custom applications -- some for in-house use, others for Web use -- that depend on some specific feature or code function that -- if changed, say in an update or patch -- could cause that custom application to stop working, and cost the affected company lots of money, make them mad at Sun, etc. So Sun leaves the old versions there unless the user explicitly uninstalls them.

Posted by: Bk | July 10, 2008 12:42 PM | Report abuse

Love how you shine the light into the dark corners. Keep the transparency coming!

Cheers,

Jay Liew

Posted by: Jay Liew | July 10, 2008 1:15 PM | Report abuse

For the past 2 Java updates, whenever I would check for updates from the control panel, I would always get a message that says I already have the latest version. So I'd have to know (thanks to this blog) that there actually was a newer one and go download it manually.

Posted by: ugh | July 10, 2008 2:06 PM | Report abuse

nEBhbE fasdfsdaf safasf saf safsa fsafasfsa

Posted by: 1800 | July 10, 2008 2:51 PM | Report abuse

Best solution if you can:

Install a clean version of your OS and NEVER install Java! I've done so for years and never looked back. If a website requires it, their loss, I move on and find another that doesn't. Some software just isn't worth the hassle and security risks, Java being one of many.

Posted by: TJ | July 10, 2008 3:08 PM | Report abuse

I've got a really basic question I'm almost ashamed to ask:
I've got Java (TM) 6 Update 7 and I've got Java (TM) SE Runtime Environment 6 installed on my pc. Is the latter the original version of Java that we're updating or is it something separate?
Thanks all.

Posted by: D | July 10, 2008 4:12 PM | Report abuse

All previous versions of Java are archived and available for download from the Sun website. If an IT guy or sophisticated user needed a previous version, they can just go there. No need to keep them all archived on end user machines.

Posted by: anon12 | July 10, 2008 7:12 PM | Report abuse

Hi Brian, we have been complaining about Java leaving old versions behind for, literally, years. I have posts on my blog highlighting this very problem going back to early 2005. Your suggestion that there be two versions, business and consumer, has merit. The option to prompt to remove old versions when updating also has merit. But, the latter will present problems for business who will have to trust their users to NOT remove older versions if they are needed. To be frank, though, if a particular version of java is critical to the business, then there should be protocols in place to prevent users from updating in the first place. It is of grave concern that Secure Static Versioning can be bypassed :o(

Posted by: Sandi Hardmeier | July 10, 2008 9:30 PM | Report abuse

"there should be protocols in place to prevent users from updating in the first place"

In a well-managed environment, that would be the use of non-admin accounts which would prevent users from installing anything or making system wide changes. Network admins should be updating systems, not end users.

It's also wise to implement a policy where Java is only installed on systems that have a justifiable business need for it. I'd say the same thing for consumers (home users). My last job had such a policy for all types of software. It sure made patching the systems much easier. No Java junk to deal with.

Posted by: TJ | July 10, 2008 9:56 PM | Report abuse

Buy yourself a mac and NEVER install Flash Player! I've dump my PC for good and never bought a new one. Youtube requires Flash and your money, so move on and buy a mac. PCs aren't worth the money and they're considered security hazards. Microsoft is the father of all lies.

Posted by: Josh | July 11, 2008 2:40 AM | Report abuse

This article is a stark reminder that companies need to be aware of what their employees are doing with company computers.

Many businesses do not have a full understanding of the software being used in their organization and have inadequate controls to ensure lawful software use. To avoid exposure to cyber security and legal risks, businesses must create, communicate, and enforce an effective software asset management (SAM) program. Businesses can download a variety of free basic SAM tools from the Business Software Alliance website at www.bsaaudit.com .

Meanwhile, Congress has been discussing for years and should adopt pending legislation that protects consumers' data while providing a workable, technology-neutral framework to businesses that handle such data.

Robert Holleyman
President and CEO
Business Software Alliance

Posted by: Robert Holleyman, BSA | July 11, 2008 10:52 AM | Report abuse

Thanks Robert for the off topic and blatant plug for BSA :) Nobody mentioned "lawful software use". Can BSA tools help me find vulnerable Java?

Posted by: CT | July 11, 2008 12:49 PM | Report abuse

There is a free program out there called JavaRa which will remove old versions of Java. I use it and it works without probs.

Get it free at:
http://prm753.bchea.org/software.html

Posted by: BobfromLI | July 11, 2008 2:30 PM | Report abuse

It's sad that this problem didn't die when Sun assured us it did, what with their weaseling "static version" stuff.

I suspect it's developer-friendly collusion at the end user's expense, because if devs had to re-do everything every time there was a new JRE, then maybe they'd move off the platform?

From 2006, here's a case in point...

http://cquirke.blogspot.com/2006/09/banking-on-java.html

...where banking software "worked" by dropping the old JRE that it preferred to use. Since then I've seen really old JREs (e.g. 1.3.x) popping up in Downloaded Program Files - I dunno if this is a complete JRE, or if it works as such.

Posted by: Anonymous | July 11, 2008 5:47 PM | Report abuse

@D: Java (TM) SE Runtime Environment 6 is probably the first version of version 6, which is now on its seventh iteration. I'd thus remove it.

As for not using Java at all, it is required for one of my favorite online utilities, the Secunia software inspector. If for no other reason than to use the Secunia service, I suggest having Java installed.

You can see what version of Java your web browser is using at www.javatester.org. If you use multiple browsers, you need to check each one.

Posted by: Michael Horowitz | July 13, 2008 7:41 PM | Report abuse

"As for not using Java at all, it is required for one of my favorite online utilities, the Secunia software inspector."

The fact it requires Java is a liability.

"If for no other reason than to use the Secunia service, I suggest having Java installed."

At what cost to your system security?

Installing Java just to run the Software Inspector will actually increase a system's attack surface not to mention add another piece of software to patch. IMO, the trade off just isn't worth it.

Posted by: TJ | July 13, 2008 9:32 PM | Report abuse

By removing older versions of Java(JRE) and updating to the newest version on my Windows Server 2003, it caused havic for the latest version of my Symantec Endpoint virus software upgrade. After much frustration only to find out the programs management consule only runs on version JRE 1.4! I think that's 2 versions ago?! So I had to DOWNGRADE the JRE version in order to make my NEWEST SEP work!

Posted by: MikeyHi | July 15, 2008 4:16 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company