Sun Acknowledges Security Hole in Patch Process

I have always dreaded security updates from Sun Microsystems to fix problems in their Java software. For one thing, the updates typically are huge and time consuming, the instructions for downloading and installing the fixes labyrinthine, and when all is said and done you may still have older, vulnerable versions of the software scattered around the insides of your computer.

Last week, Sun issued another update to its J2SE Runtime Environment (JRE), but the advisory came with a caveat: Even if you apply the latest patch, your machine may still be vulnerable to attacks if you never bother to uninstall or remove older versions of the software.

J2SE is a program bundle installed on millions of computers (most Windows PCs probably harbor some version of this software). It's designed to help Web sites better display interactive content in a visitor's browser. The problem, according to Sun's security advisory, is that a Web site set up by a bad guy could be made to pick and choose which version of Java should be used to render the content on his site. So, in theory, a malicious site could simply render Java content under older, vulnerable versions of Sun's software if the user has not removed them.

Sun says this issue can occur with the following Java versions:

  • Java Plug-In included with J2SE 5.0 Update 5 and earlier, 1.4.x, 1.3.1, and 1.3.0_02 and later
  • Java Web Start included with J2SE 5.0 Update 5 and earlier, and 1.4.2
  • Java Web Start 1.2, 1.0.2, 1.0.1, and 1.0

    You can check to see if Java is installed on your machine by visiting this link (if you use the Firefox "NoScript" extension you'll need to allow Java.com). Windows users should also check in the "Add/Remove Programs" to find any installed versions of Java. If you find any versions of Java in that list, you'll need to remove them before installing the latest patch, available here. Most Windows users will want to select the download next to "Java Runtime Environment (JRE) 5.0 Update 8," accept the license agreement on the next page that comes up, click the "continue" button to the right, and then select the "Windows Online Installation" option.
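The checklist above amounts to an inventory job: list every Java entry on the machine, work out which Sun version it really is, and compare it against the advisory's affected list and the 5.0 Update 8 release. The script below is an added example, not Sun's tool or anything from this column; it assumes the entries look like Windows "Add or Remove Programs" display names (both the "5.0 Update N" marketing form and Sun's internal "1.x.y_NN" form), and the inventory list in it is constructed. It covers stand-alone JRE entries only, not the per-browser plug-in check.

```python
"""Classify installed JRE entries against Sun's August 2006 advisory.

Added example (not Sun's code). Display names are assumed to resemble
those shown in Windows "Add or Remove Programs"; the sample list below
is constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]   # (major, minor, micro, update)

# The release the column says to install: JRE 5.0 Update 8 == 1.5.0_08.
FIXED_VERSION: Version = (1, 5, 0, 8)

# Sun's internal form, e.g. "1.4.2_03", "1.3.1", "v1.5.0_06".
# The lookbehind/lookahead stop "1.5.0.7"-style four-part versions of
# unrelated products from being read as a three-part Java version.
_INTERNAL = re.compile(r"(?<![\d.])1\.(\d)\.(\d+)(?:_(\d+))?(?![\d.])")
# Marketing form used for J2SE 5.0, e.g. "5.0 Update 6" (== 1.5.0_06).
_MARKETING = re.compile(r"(?<!\d)5\.0\s+Update\s+(\d+)", re.IGNORECASE)


def parse_version(display_name: str) -> Optional[Version]:
    """Return the JRE version embedded in a product name, or None.

    Only entries that mention Java/J2SE are considered, so version-like
    strings in other products' names are ignored.
    """
    if not re.search(r"java|j2se", display_name, re.IGNORECASE):
        return None
    m = _INTERNAL.search(display_name)
    if m:
        minor, micro, update = m.groups()
        return (1, int(minor), int(micro), int(update or 0))
    m = _MARKETING.search(display_name)
    if m:
        return (1, 5, 0, int(m.group(1)))
    return None


def is_affected(v: Version) -> bool:
    """True if the advisory's affected list covers this version.

    Per the advisory: 5.0 Update 5 and earlier, any 1.4.x, 1.3.1,
    and 1.3.0_02 and later (Web Start's 1.4.2 falls inside 1.4.x).
    """
    major, minor, micro, update = v
    if (major, minor) == (1, 5):
        return update <= 5
    if (major, minor) == (1, 4):
        return True
    if (major, minor, micro) == (1, 3, 1):
        return True
    if (major, minor, micro) == (1, 3, 0):
        return update >= 2
    return False


def audit(display_names: List[str]) -> List[Tuple[str, str]]:
    """Label each Java entry 'affected', 'superseded' or 'current'.

    'superseded' marks a version the advisory does not list but which is
    still older than the fixed release; the column's advice is to remove
    those too, since the patch will not do it for you.
    """
    results = []
    for name in display_names:
        v = parse_version(name)
        if v is None:
            continue                     # not a Java entry
        if is_affected(v):
            status = "affected"
        elif v < FIXED_VERSION:          # tuple comparison, field by field
            status = "superseded"
        else:
            status = "current"
        results.append((name, status))
    return results


# Constructed sample inventory, in the style of Add/Remove Programs names.
SAMPLE_INVENTORY = [
    "J2SE Runtime Environment 5.0 Update 8",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java 2 Runtime Environment Standard Edition v1.3.1_02",
    "Mozilla Firefox (1.5.0.7)",          # must not be mistaken for Java
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY):
        print(f"{status:10s} {name}")
```

Feed `audit()` the display names exported from the machine you are checking; anything labelled `affected` or `superseded` is a candidate for the uninstall step before the Update 8 installer runs.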

    What's perhaps most upsetting to me about this latest update is that it does not remove older versions of Java automatically. Given the thrust of its advisory, it seems Sun might want to include a feature in this latest patch that rips out previous versions of the software. But alas, that is not the case here. I updated an older machine of mine with this latest patch and it happily left the previous version of Java on the system after installing the update.

    Anyone having trouble banishing older versions of Java should consult Sun's uninstall instructions. When I last wrote about Java updates back in May, I found an old laptop of mine that had no fewer than four versions of Java still installed on it. Since then, I've uninstalled Java on most of the machines I use and have had no regrets.

  • By Brian Krebs  |  August 29, 2006; 10:44 AM ET
    Categories:  New Patches  

    Comments

    Hi Brian, Glad to see you're alive and kicking. Before you write your next piece regarding anything apple, you might want to check out Chip Bok's editorial cartoon...LOL
    http://www.creators.com/0827/CB/CB0828g.gif

    Posted by: OhioMC | August 29, 2006 12:12 PM | Report abuse

    Brian:

    Sun decided not to remove previous versions of the Java VM because Java applications (and the Java code) are not forward compatible. In other words, if you installed a Java application that was designed to run on a previous version of the VM, it will probably not run on a newer version. And yes, I am talking about browser based applications.

    Posted by: Carlos R. Rodriguez | August 29, 2006 12:44 PM | Report abuse

    This article doesn't clearly distinguish between the JRE that runs in your browser (Java Plug-in) and the stand-alone JRE that runs as an application on your computer. The article provides a list of Java versions that are vulnerable to the problem discussed in the article, and this list includes only Java plug-ins. This makes sense, because the Java plug-in is the JRE that will be invoked when you visit a web site that uses Java.

    The article instructs users to check for all installed versions of Java using the "Windows Add or Remove Programs" Control Panel. This will only find the stand-alone JREs. To protect your computer from the vulnerability discussed in this article, you need to check the installed versions of your Java plug-ins for each browser you use.

    It's a good idea to eliminate older versions of stand-alone JREs as well, to protect against malicious java code that someone might install on your system or send to you. But java code executed merely by visiting a web page will run in the browser plug-in JRE.

    To check for Java plug-ins with IE 6.0, select Tools --> Internet Options. Select the "Programs" tab. Click "Manage Add-ons".

    Posted by: Mark Leone | August 29, 2006 12:49 PM | Report abuse

    With respect to the comment about Java versions not being forward compatible, that's true with respect to major versions of the JRE. So if you install JRE 1.5, I agree it would be bad behavior for JRE 1.4, for example, to be automatically removed.

    But I think that what Brian is referring to are the "Updates" within a major JRE version, which are generally forward compatible. So if I have JRE 1.5 Update 5, and I install JRE 1.5 Update 6, I see no reason why JRE 1.5 Update 5 should not be removed automatically. Code that runs on Update 5 should run on Update 6, and Update 5 probably has a vulnerability that has been fixed in Update 6.

    It's always possible that a later update could have a bug, but that's an issue faced with all software patching, and the usual behavior is to remove the vulnerable version. Keep in mind that there are generally no API changes between updates. Updates within a JRE version are intended to be compatible, whereas behavior is intentionally changed from one JRE version to the next.

    Posted by: Mark Leone | August 29, 2006 1:00 PM | Report abuse

    Mark:

    I have read your comments with interest.

    I have IE 6.0.2800.1106.

    When I proceed "To check for Java plug-ins with IE 6.0, select Tools --> Internet Options. Select the "Programs" tab. Click "Manage Add-ons" ", there is no "Manage Add-ons" to Click.

    Am I missing something here?

    Posted by: ken | August 29, 2006 1:10 PM | Report abuse

    Not to be all technical, but this has "tremendous pain in the a**" written all over it. It would be nice if they could make their update process as easy as, say, Microsoft, rather than worse than, say, Acrobat Reader.

    Or, and THIS is a BIG or, maybe as easy as Firefox...though that may be aiming a little high, I guess, you know, with the user-friendly and such.....hate to make something easy for folks.

    Posted by: Bob | August 29, 2006 1:38 PM | Report abuse

    Good article Brian!

    The Sun Java client is such a pain to maintain that all the companies I work with have completely eliminated Java from their environments (desktops/browsers) and have moved on to other technologies (some with potentially greater security risks, but since they are easier to maintain, a better business/cost tradeoff).

    Sun successfully killed off Java when they made Microsoft take the Java client out of the browser.

    Posted by: JavaIsDead | August 29, 2006 2:00 PM | Report abuse

    I still think that Java does NOT belong on the client. There are more holes than Swiss cheese. Sun continues to get it wrong. Web Ajax apps are the way to go, secure centralized access with minimal code passed to the client.

    My solution: uninstall all JRE's off your client and find some other solution!

    Posted by: Jim Manico | August 29, 2006 2:53 PM | Report abuse

    I echo the last few posters. I avoid installing java at all on any system. It is bug ridden and a huge security risk. If a website requires its use, I refuse to use that site (their loss). General rule to lower your security risk, install less software! Only run what you absolutely need.

    Posted by: TJ | August 29, 2006 5:10 PM | Report abuse

    Okay... okay! Ajax-based interfaces are "secure" when frozen pigs fly out of hell at superlight speed. Any client-side executed code is troublesome. If you are running your browser with admin privileges - and I would say many many users still surf typhoid mary-style sites with those privileges - you are in potential trouble.

    Now, one should at least give Sun an accolade for acknowledging the problem and setting up the Java Sandbox Security Model. It came out when other vendors allowed full scriptable access to your machine just to gain some marketshare. Actually they more or less still do: http://www.securityfocus.com/news/11403

    That said, what is the security problem here? The reference given by Brian just says that an application may be able to choose an unpatched Java runtime. But what are the consequences of that?

    > JavaIsDead writes: The Sun Java client is such a pain to maintain that all the companies I work with have completely eliminated Java from their environments (desktops/browsers) and have moved on to other technologies (some with potentially greater security risks, but since they are easier to maintain, a better business/cost tradeoff).

    These companies are *dumb*. The cost/security tradeoff reverses itself at the *first* security incident.

    Posted by: El Tonno | August 29, 2006 5:28 PM | Report abuse

    This is an old, known issue:

    http://www.securityfocus.com/bid/11757

    Nice that Sun finally got around to fixing it.

    Posted by: anonymous | August 29, 2006 5:47 PM | Report abuse

    Brian,
    Thanks. Your "Security Fix" column is the only place I have found mention of Java's JRE security updates. When they released update 7 you recommended checking for old versions and I had 5 on one machine and 3 on the other one. Needless to say they've all been uninstalled. I just installed update 8 after uninstalling update 7. Your column is priceless! Keep up the good work.
    RB

    Posted by: dbm1rxb | August 29, 2006 7:29 PM | Report abuse

    How does this apply to Apple? I am running OS 10.4.7 on my iMac G5.

    Posted by: Stanley | August 29, 2006 8:55 PM | Report abuse

    How does this apply to Apple? I am running OS 10.4.7 on my iMac G5.

    Posted by: Stanley C. Simon | August 29, 2006 8:55 PM | Report abuse

    Here's another face of the confusion for consumers on Java versions:

    If I go to:
    http://www.java.com/en/download/manual.jsp

    I'm told that the version available is JRE 5 update 6.

    When I used the version checker Brian mentioned in the article, it told me that I was running JRE 5 update 7, adding "CONGRATULATIONS, you have the Latest version of Java!"

    But the article pointed out that the latest version is JRE 5 update 8.

    What's up with three reports on "official" websites, each with a different message about the current version? Am I missing something?

    Posted by: Kevin | August 30, 2006 12:16 AM | Report abuse

    Kevin -- I'm guessing that Sun hasn't yet updated those pages to reflect the newest versions. But you're right....that kind of confusion is among the reasons Sun end-user updates can be such a confusing mess.

    Posted by: Bk | August 30, 2006 12:47 AM | Report abuse

    Ken,

    I don't know why you don't see the "Manage Add-Ons" button. I do have a later version of IE than you do, so maybe they changed it since your version.

    I'm running 6.0.2900.2180. I also have SP2 applied (to IE, not just to Windows).

    I suspect the capability is there in your version of IE, just located somewhere else. Look around for anything that mentions add-ons or plug-ins.

    Posted by: Mark Leone | August 30, 2006 1:38 AM | Report abuse

    Regarding comments about upward compatibility: it's a little bit of a misnomer to say that Java code is not upwardly compatible. We have 500,000 lines of Java code all of which worked without change or recompiling the class files from 1.3 to 1.4 to 1.5 and now to 1.6 Beta.

    Does anyone have any examples of code which was NOT upwardly compatible?

    Posted by: Dave Armstrong | August 30, 2006 2:01 AM | Report abuse

    Ken,

    Manage Add-ons functionality was added via XP SP2. Looks like you are running XP SP1 version of IE. For more info see these Microsoft articles:

    How to manage Internet Explorer add-ons in Windows XP Service Pack 2
    http://support.microsoft.com/kb/883256/en-us
    How to determine which version of Internet Explorer is installed
    http://support.microsoft.com/kb/164539/en-us

    Posted by: TJ | August 30, 2006 12:40 PM | Report abuse

    Ken -- If you are running SP1 with IE, you should also make sure you have the latest (re)patch from Microsoft for IE:

    See:

    http://blog.washingtonpost.com/securityfix/2006/08/microsoft_rereleases_internet.html

    Posted by: Bk | August 30, 2006 1:05 PM | Report abuse

    Dave Armstrong: You ask for code examples that were not upward compatible. I can give you a generic description of compatibility problems that much code written for JRE 1.4 and below will have with JRE 1.5.

    1. In JRE 1.5, the word "enum" became a reserved word. Any code that uses enum as a variable name will not compile.

    2. I don't remember the particular class and methods, but JRE 1.5 added some methods to an Interface that is used in XML parsing. When I tried to compile code written for JRE 1.4 in a 1.5 compiler, the code would not compile because my code was missing implementations for the methods that were added for the Interface.

    Having given these examples, I agree with the general gist of your comment, which is that upward compatibility issues are not as big a deal in Java as one might think.
    The sort of things outlined above are easy enough to fix, and as far as I can tell, JRE 1.5 was a bit unusual in how much it broke previous code.

    For the most part, new JRE versions are compatible with existing Java code; but the examples above show that you can't rely on that to always be the case.

    Posted by: Mark Leone | August 30, 2006 6:13 PM | Report abuse

    I'm confused as when I go to www.java.com/en/download/manual.jsp, it shows that the Java RE version available for download is version 5 update 6, which is what I already have. Shouldn't the download on this site mirror that of the other location mentioned?

    Posted by: TonyW | August 31, 2006 12:48 PM | Report abuse

    TonyW -- Yes, it most definitely should, and you're not the first person to point that out. Initially, I thought perhaps Sun just hadn't gotten around to updating that, but we're now more than a week after they released this update, so unless I'm missing something Sun has sort of dropped the ball here.

    Posted by: Bk | August 31, 2006 12:55 PM | Report abuse

    Java tells me I have the latest version, but thanks to you I know I don't.

    Posted by: Thanks! | August 31, 2006 5:37 PM | Report abuse

    Do I really need to install this latest version of JRE? I just spent 15 minutes uninstalling all the myriad versions that were on my computer. Now I'm clicking on my favorite websites and I don't see any difference without it.

    Why should I use Java at all if it's going to cause these issues? Can I get by without it?

    Posted by: Ms. Clear | September 1, 2006 3:25 PM | Report abuse

    Ms Clear,

    Probably the update fixes some vulnerability in the previous version. How serious, we don't know, until Sun posts info about it, and currently they don't even have a consistent statement of what the latest version is. Historically, Java is fairly safe so long as you don't mess with the Java security policy on your computer, which it seems doubtful you would be doing. It's a good idea to use the latest version, but I don't think it's anywhere near as risky as running Windows unpatched.

    As far as why you need java, certain web sites have functionality that requires it. It's one of the ways that a web site gives you interactive behavior without having to load web pages for each interaction. It will look to you like an application that is running in your browser window.

    Java code is portable, meaning that someone can write it once and no matter what type of computer you're using, you can execute the code. There was a time when Java was about the only platform-independent language out there; but nowadays there are others. I think you will every now and then run into a web page that requires Java, but probably not too often.

    BTW, Java is also used to run applications on your computer if you choose to. If someone has an app written in Java, and you want to run it, then you will need Java on your computer.

    I know it's a bit confusing because of Sun's current mess-up on the version issue, but it's really not too complicated to keep Java on your system, and you never know when you might need it. I would download JRE 1.5 Update 8 and de-install any earlier versions. You should do that through the Windows Add-Remove Programs Control Panel, and by looking at your IE plug-ins, as described above.

    Posted by: Mark Leone | September 1, 2006 5:17 PM | Report abuse

    In general, I don't think it is a good idea to have Java enabled all the time. Firefox makes it very clear when it is on or off. I leave it off until I need it. The power of Java is just too much greater compared to JavaScript for devious types to take advantage of. It isn't just holes in this or that particular version of Java. So much for rentable Java apps. Regarding the apps that depend on particular versions of Java I can only say that if you have internal apps in companies they should be updated to use the latest version of Java with all haste. Do not allow just anyone to execute Java apps on your system. Enable it when needed, disable it, then close the browser. This needs to be as clearly demarcated in IE and other browsers as it is in Firefox when Java is turned on or off.

    Posted by: hhhobbit | September 3, 2006 11:07 AM | Report abuse

    Dear Brian,

    Thanks a lot! I've been busy lately and unable to check your column as often as I should, but on reading through earlier columns today I found the answer to a query which has been bothering me - having downloaded JRE 5.0 Update 8, should I or should I not delete Update 7, which, to my surprise, still remained on my computer? Sun provides no hints about whether this should be done (but unless I am mistaken, Update 6 was removed automatically when I downloaded Update 7 - at least I have no memory of doing so manually), thus leaving users to their own devices. I tried to remove Update 7 using Remove in the Control Panel, but in the end I always chickened out - what if Update 7 was necessary for running Java on my computer? Now, you have given me the courage required to remove this large (120MB), unnecessary, and vulnerable programme from my computer! But why, o why couldn't Sun provide users with a little hint that it should be removed at the same time that Update 8 is downloaded - if they didn't wish to include a script for automatic removal in the download itself? And to take this matter further - the Program Files folder on my C disk is full of various types of Microsoft security patches; when the company issues a new patch, for say, Windows XP, why doesn't it bundle all the earlier patches for the same OS into the new one, and see to it that earlier patches are deleted, either automatically or manually, to eliminate this clutter? Am I being naive in thinking that this shouldn't be too difficult to do, and that it is highly desirable, so that users can remove at least some of the alphabet soup that occupies their Program Files folder today?...

    Posted by: M Henri Day | September 5, 2006 2:25 PM | Report abuse

    I maintain a web site http://www.javatester.org that reports on the version of Java used by your web browser(s). I created the site a few years ago when learning to program Java and found this simple, trivial task was much harder than necessary. On the "Other Testers" page you'll see that Sun has two web pages that report the Java version installed and, at times, both have lied about what the latest version is.

    Javatester.org is a hobby web site, this is not a commercial plug. There aren't even any ads.

    Posted by: Michael Horowitz | September 6, 2006 1:55 PM | Report abuse

    A question to Michael Horowitz: Have you been able to get somebody's internal IP address with JavaScript? I and others can't do it with JavaScript, but we can do that and a lot of other stuff with Java that we cannot do with JavaScript. Ullrich at SANS got into a lot of hot water for doing just that. Lots of supposedly erudite computer and network security experts got burned with his test (no, I was not one of them). Thanks for the web page. I think it will help a lot of users out there. I encourage everybody to go to it. His page will answer a lot of your questions.

    Ms. Clear: You will notice that very few web sites use Java. The reason I know this is that I am an independent computer and network security researcher and I frequently work almost wide open with Java enabled, pop-ups allowed, no cookies blocked, etc. I am NOT so stupid as to do this research on MS Windows using Internet Explorer. I work strictly from Linux using either Firefox or Opera, and even there things can get hairy (especially with badly behaved porn sites - see it IS a security issue). I have a shell script that I run that can INSTANTLY detect whether or not somebody ran a Java applet (and some other methods as well). The files for Michael Horowitz's site (site and files) are:

    http://www.javatester.org

    # /root/cleanjava/filesjava.sh
    FOUND:
    JavaVersionDisplayApplet.class-5a720efd-52f16108.class
    JavaVersionDisplayApplet.class-5a720efd-52f16108.idx

    I also have a shell script called cleanjava.sh that will remove all Java app files. It removes all the users Java files.

    I can tell you that I sometimes work for days and never run a single Java app going to hundreds of sites. I am just showing you the applets that Michael has as proof that I can instantly detect whether a site is using Java or not (his site was very polite and he didn't even set a cookie). Generally speaking you can go sometimes for weeks without ever needing Java. Most of my advice on Java updates was directed towards companies. Many are doing all kinds of internal programs in Java to access their databases and a lot of other stuff. In that case they usually leave it enabled all the time. The only reason you may not be attacked is because the Internet presence of Java is very low. On the other hand, almost everybody uses JavaScript.

    Regarding the removal of Java from Windows, I just removed 1.5.0_06 on Windows. I did what I always do which is remove it using the Add / Remove and noticed it did leave a zipped file in the:

    C:\Program_Files\Java\jre1.5.0_06\lib
    (I can't remember the actual release name - this is close enough.)

    folder so I did what I always do next - I removed the whole Java program folder and went into IE and saw that all the Java stuff was gone. Even though I didn't need to do it, I also went into the registry and cleaned out all references to the previous version of Java. Then I installed 1.5.0_08. All of the old stuff is gone.
    I still say that Java or anything like it is too powerful to remain enabled all the time. But then I AM a security researcher. Would you expect me to say anything different?

    Posted by: hhhobbit | September 7, 2006 7:29 AM | Report abuse

    Frankly, I've never had a problem installing the latest Java update from Sun - unless one considers clicking through an EULA a "labyrinthine" experience.

    hhhobbit's remarks above tend to confirm my suspicion that just running IE as your browser is a much greater security issue than having any version of Java installed.

    Posted by: SkepticalA | September 7, 2006 1:58 PM | Report abuse

    This is an interesting subject and the issues raised are valid. It would be naive to see this as the whole picture. Java "on the client" and Java "on web sites" are two very different things. Client side Java can be an amazingly powerful, fast, productive and stable platform. There isn't another client technology that offers this combination.

    Yes, AJAX websites are easier to deploy, and if implemented in Rails, PHP or similar can be faster to implement. But they also expose us to browser incompatibilities and they do not have the manageability or high performance that Java can offer. Ajax is still a polling technology and, whilst suitable for say 80% of apps, it doesn't cut it for the harder 20%.

    Posted by: Peter Booth | September 13, 2006 10:11 PM | Report abuse

    @Mark Leone:

    > 1. In JRE 1.5, the word "enum" became a reserved word. Any code that uses enum as a variable name will not compile.

    > 2. I don't remember the particular class and methods, but JRE 1.5 added some methods to an Interface that is used in XML parsing. When I tried to compile code written for JRE 1.4 in a 1.5 compiler, the code would not compile because my code was missing implementations for the methods that were added for the Interface.

    Nobody promised you could do that. Java is changed here and there, so that you have to make slight adjustments here and there after a major version change (renaming your variables called "enum", or implementing the additional interface methods). But your compiled files will just keep working. We are talking about client experience here, and as all a client will ever get is the compiled program anyway, I don't see the problem here.

    Posted by: Frog | October 2, 2006 6:11 AM | Report abuse


    © 2010 The Washington Post Company