Facebook computers compromised by zero-day Java exploit - sk2code
http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/

======
jff
Aaaand that's why I don't have the Java plugin installed. Anywhere.

I'd like to think that we're almost to the point of viewing Java in the same
light as Bonzi Buddy or Comet Cursor; IT discovers you got Java on your
computer again, they just sigh and re-image it, with some stern warnings to
please not download such sketchy software.

~~~
jlgaddis
I wish that were the case.

Large companies tend to have important enterprise applications that require
Java to run and, even worse, in some cases _upgrading_ the version of Java on
the user's desktop will break the application. You then end up with hundreds
or thousands of users with vulnerable versions of Java on the PC that you
_can't_ upgrade until the software vendor fixes whatever is wrong with their
application.

I've seen it countless times at my previous job (.edu with 1000s of staff and
faculty) where we were basically helpless to do anything because absolutely
critical applications would break if we upgraded Java on the desktop.

Solution: closely monitor traffic to/from users' PCs, hope for the best, and
re-image when they inevitably got pwned.

Before someone chimes in with the obvious "switch to a different application",
it's not that easy when you have millions invested and training the user base
sometimes takes _months_.

Yeah, I hate Java.

~~~
pjmlp
> Yeah, I hate Java.

What about C and C++ induced security holes?

~~~
canttestthis
Indeed. Compare the number of Java vulnerabilities (plugin vulnerabilities
included) with the number caused by buffer overflows and such in C/C++.

------
nikcub
If your default browser still has the plugins enabled for Java, Acrobat and
Flash you are asking for it.

In Chrome: go to chrome://plugins and disable all

Safari: Preferences, Security uncheck 'Enable Plugins'

Firefox: Tools > Addons > Plugins Tab > disable all

Don't use Flashblock or Javablock or similar extensions, they hide the applet,
they don't stop execution.

You should _always_ use a browser with all plugins disabled as your default
browser. Run a second browser for trusted sites where you enter the URL in
yourself.

~~~
anonymouz
True. But once those plugins go away, something else will become the new low
hanging fruit. Personally, I wonder how well WebGL will hold up, given that 3d
graphics drivers are absolutely not written with security in mind, and were
never really intended to be hooked up to the web...

~~~
svachalek
Microsoft is refusing to support WebGL for security reasons. I can't make up
my mind about whether to be annoyed or impressed.

~~~
hosay123
As with many (but not all) things Microsoft do, when the thick layers of
gelatinous hivemind diatribe are peeled away what's left are sound,
conscientious engineering decisions made by an organization with a near
pristine history of supporting end users and going to extraordinary lengths to
preserve backwards compatibility.

As for instances where they have not preserved support and compatibility,
Silverlight comes to mind, and they dumped that largely in favour of
frameworks targeting HTML+JS.

(I'm not a Microsoft employee, just a user who appreciates the APIs I cut my
teeth on 20 years ago remain applicable today)

~~~
pyre

> when the thick layers of gelatinous hivemind diatribe
> are peeled away what's left are sound, conscientious
> engineering decisions

Like waiting years to take security seriously? :P

~~~
jrockway
That's covered by the "backwards compatibility" item.

~~~
pyre
It took them a while to even take patching security vulnerabilities in a
timely manner seriously. I can understand that secure design (e.g. not running
everything as admin) could fall under "backwards compatibility."

------
jakub_g
> Rather than using typical targeted approaches like "spear phishing" with
> e-mails to individuals, the attackers used a "watering hole"
> attack—compromising the server of a popular mobile developer Web forum and
> using it to spring the zero-day Java exploit on site visitors.

> "The attack was injected into the site's HTML, so any engineer who visited
> the site and had Java enabled in their browser would have been affected,"
> Sullivan told Ars, "regardless of how patched their machine was."

It seems it's high time now to start working with two separate profiles in a
browser if you're forced to use Java - one internal-only with Java enabled,
and the second for browsing the internet, with Java disabled (of course this
works as long as your internal apps do not get hacked...).

Rather easy to achieve with Firefox (probably there are command line switches
for Chrome as well):

1. Create two profiles, `external` and `internal`, using `firefox -p`

2. Open external profile and disable Java (will be kept in profile settings)

Then, run first `firefox -p external`, then `firefox -no-remote -p internal`,
that way links opened e.g. from email clients will go to the external
instance.

To differentiate the two instances, you can install some theme:
<http://www.getpersonas.com/en-US/>

Total paranoiacs could try to find/write some extension that will block all
the pages other than approved internal ones in the internal profile (perhaps
AdBlock Plus will do?).
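
The two-profile setup described in this comment, written up as a script. This is an added example, not the commenter's own; it assumes the Linux profile location (`~/.mozilla/firefox`), Firefox's `-CreateProfile`, `-P` and `-no-remote` switches, and two preference names that should be verified in `about:config` before relying on them: `plugins.click_to_play` (Firefox 14 and later) and `plugin.state.java` with `0` meaning "never activate" (Firefox 20 and later). The `profile_dir` helper resolves a profile name to its directory by parsing `profiles.ini`, so the hardening prefs land in the right profile instead of the default one.

```shell
#!/bin/sh
# Split-profile Firefox setup: an "external" profile for the open Internet
# with plugins off, and an "internal" profile that keeps Java for in-house
# apps. "./ffprofiles.sh setup" creates and hardens the profiles,
# "./ffprofiles.sh run" starts both instances in the right order.
set -u

# Profile root on Linux (assumption; other platforms differ).
FF_ROOT="${FF_ROOT:-$HOME/.mozilla/firefox}"

# Map a profile name to its directory by parsing profiles.ini.
#   $1 = path to profiles.ini, $2 = profile name
# Prints the directory; exits 1 if no such profile is registered.
profile_dir() {
    dir=$(awk -v want="$2" -v root="$(dirname "$1")" '
        /^\[/ {                                  # new section: flush previous
            if (n == want && p != "") print (rel ? (root "/" p) : p)
            n = ""; p = ""; rel = 1              # IsRelative defaults to 1
        }
        /^Name=/       { n = substr($0, 6) }
        /^Path=/       { p = substr($0, 6) }
        /^IsRelative=/ { rel = substr($0, 12) + 0 }
        END { if (n == want && p != "") print (rel ? (root "/" p) : p) }
    ' "$1" 2>/dev/null)
    [ -n "$dir" ] && printf '%s\n' "$dir"
}

# Write prefs into a profile's user.js so the external profile never runs
# plugins silently. Pref names are assumptions (see lead-in); Firefox reads
# user.js on every start, so they survive accidental changes in the UI.
harden_profile() {
    mkdir -p "$1"
    cat >> "$1/user.js" <<'EOF'
// external profile: plugins require a click, the Java plugin never activates
user_pref("plugins.click_to_play", true);
user_pref("plugin.state.java", 0);
EOF
}

# Command line for each role. The external instance is started first and
# owns the remoting socket, so links handed over by mail clients land there;
# the internal one runs with -no-remote so it never receives them.
launch_cmd() {
    case "$1" in
        external) echo "firefox -P external" ;;
        internal) echo "firefox -no-remote -P internal" ;;
        *) return 1 ;;
    esac
}

case "${1:-}" in
    setup)
        firefox -CreateProfile external
        firefox -CreateProfile internal
        harden_profile "$(profile_dir "$FF_ROOT/profiles.ini" external)"
        ;;
    run)
        $(launch_cmd external) &
        sleep 2   # let the external instance register as the default
        $(launch_cmd internal) &
        ;;
esac
```

The internal profile is deliberately left untouched: it keeps whatever plugin state the in-house apps need, and the only thing protecting it is that nothing outside the intranet is ever opened there, which is exactly the residual risk the comment points out.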

~~~
dfc
I think the separate profiles is the better looking tinfoil hat. For everyday
browsing Adblock is nice, but I think it falls short. Throw NoScript and
RequestPolicy into the mix and it gets a lot better. My friends always laugh
when they watch me browse the web because I have to enable javascript for any
new site and then use RP to allow that site to make requests to other domains.

~~~
anonymouz
I also use that approach, and while it sometimes gets annoying I am really
glad for choosing it when I, once again, stumble upon some page that would
like to load crap from 20 other domains.

------
jtheory
This happened last month, so it was 0-day THEN, not NOW.

The hole in question was patched in the February 1st Java release.

This is news because it shows how Facebook was affected by the many
unaddressed security holes that were present in Java (and how it could be run
-- last month -- silently), but this is NOT news of new holes in Java.

So far the latest (quite significant) fixes seem to have been effective.

------
error54
_"The attack was injected into the site's HTML, so any engineer who visited
the site and had Java enabled in their browser would have been affected,"
Sullivan told Ars, "regardless of how patched their machine was."_

It's criminal how Oracle can release production code with so many security
holes. It seems like every week there is a new Java-based exploit.

~~~
yuhong
Some of these vulns are extremely old. I read the Oracle security bulletin
which says some of them date back to _1.4.2_. (Oracle is still willing to
support such old versions if you pay for it)

------
0x0
Any ideas on which "waterhole" website was compromised?

~~~
ianhawes
I would suspect that it would be related to Android development given that (1)
Android SDK requires Java, (2) Facebook develops a native Android app, (3)
Facebook does NOT develop a native Blackberry app (other mobile SDK using
Java), and (4) the identified engineer(s) were on the mobile team.

~~~
dsl
Having the Java plugin installed does not mean they were doing Java
development. It could have been iOS engineers and they had the plugin enabled
so they could access some internal application.

------
pjmlp
Browser plugins are bad and should be eradicated.

But that is only half of the way, because thanks to C and C++ runtimes, they
are still open to security exploits triggered by buffer overflows, strings
misuse, use after free, double deallocation, array access out of bounds, stack
overflow, pointer misuse...

The only safe way is to use a separate VM for browsing, or failing that, run
the browser under a different user account with limited user rights.

------
uptown
The only reason I still have Java installed on my OSX machine is to use a SQL
Server management tool. If I were to run that in a virtualized environment by
installing Parallels and running a separate instance of OSX in that virtual
environment, would that completely isolate Java to that one "box" and protect
the rest of my environment?

~~~
dbloom
Does the management tool run as Java web page plugin, or as a standalone Java
application? If it's the latter, just disable the Java plugin in all of your
browsers and you should be safe.

~~~
uptown
It's a Java application (www.dbvis.com) so I guess if I disable the plugins I
should be good. Open to any alternative suggestions.

------
blazingfrog2
_"The attack was injected into the site's HTML, so any engineer who visited
the site and had Java enabled in their browser would have been affected,"
Sullivan told Ars, "regardless of how patched their machine was."_

How can one find out if one has been infected?

------
ihsw
How long will we wait and shrug our shoulders until we start blaming Oracle
and looking for assurances this doesn't happen again? 'Free' services
continuously disappoint me, notwithstanding FLOSSware.

Perhaps there is a mole at Oracle leaking security holes elsewhere.

------
lucian1900
It is an excellent idea to always use click to play for all plugins.

------
gdeglin
I wonder what the most practical but effective defense against these kinds of
exploits would be?

Company-wide install of NoScript? But that wouldn't save you if a trusted site
got compromised.

Maybe they should prohibit use of all commonly targeted software? (Flash,
Acrobat Reader, Java..)

This seems really serious. Surely someone must be working on a better way to
protect against this kind of thing?

~~~
jakub_g
Regarding the corporate users, I think actually most of them should not need
any of those 3 plugins enabled:

1. Acrobat Reader plugin: use some less popular PDF reader which is not that
commonly attacked

2. Flash: you shouldn't play Flash games in the office ;) For Youtube, you
can enable HTML5 version in modern browsers

3. Java: IMO it's mostly needed in IE6-dating web apps but I might be very
naive here...

Regarding Acrobat: there's a built-in PDF reader coming in Firefox soon
(pdfjs). Currently I do not use any plugin, just make the browser download a
PDF and render it in SumatraPDF or PDF Xchange Viewer.

~~~
ams6110
Sometimes you really need Acrobat though. For fill-in PDF forms none of the
other "readers" really do an adequate job.

~~~
drucken
_For fill-in PDF forms none of the other "readers" really do an adequate job._

That is not really relevant to a browser plugin. You can download and fill in
PDFs with whatever application you like without browser plugins.

~~~
jakub_g
Exactly. BTW are the fill-in PDF forms that prevalent? I've only been using
them once a year to fill my tax declaration which sadly requires installation
of Adobe Reader plugin in Poland. I feel the corpo world prefers Excel for
that kind of things :)

------
mtgx
Isn't the Skype plugin for Facebook video-chats made in Java, too? Sounds to
me like Facebook should be one of the very first companies to want to adopt
WebRTC. Not only will they become independent of Skype for video-calls, but
they can offer it for everyone inside the browser, too, instead of getting
them to install plugins. Hopefully they intend to make it federated though,
rather than keeping it Facebook-only.

~~~
rmc
That's presuming Web browsers won't have any bugs in how they do webrtc that
could allow someone to take over the browser.

Web browsers sometimes have bugs like this. I believe iPhone 1.1 had a bug in
TIFF images that people used to jailbreak the phone.

~~~
ubercow13
Presumably it could be sandboxed for security, being a feature of the browser
itself, which Java can't be.

~~~
rmc
Sure, but what if there's a bug with your sandboxing and code can escape the
sandbox? There is no magic bullet.

------
logn
Are there any good malware scans for Mac? Obviously it's not going to prevent
a novel attack, but I'd like to see if I'm infected with this or other known
attacks.

------
klausjensen
I have two banks that require me to use Java. Please, banks, stop using java,
so we can finally get rid of that POS.

~~~
drucken
Agreed. But for anything that needs a browser plugin, you can run it in a VM,
if it is your own hardware.

VM software is often free and extremely useful anyway for developers or
security.

------
speeder
Is Java that prevalent to make it a good target, or is it full of holes making
it an easy target?

Also this must be (more) very negative PR for Oracle.

~~~
martinced
It's complicated.

First, yes, Java is _that_ prevalent. There's not a single corporate company
out there where there aren't Java devs. As simple as that. Then Java is also on
so many systems even outside the corporate world: both Windows and OS X. It's
typically not there by default but on Windows it depends on who ships the
machine. On OS X now at least they don't ship it by default but it's trivial
to install.

But really the problem ain't Java but Java applets.

Java as in "The JVM" is actually not bad at all on the server side: on the
contrary, it's very robust. There have been two very lame exploits in 2011
allowing denial of service on Java webservers, but no remote exploit working
on Java _servers_.

The problem is Java on the client-side: i.e. on people's computers. In other
words: the issue is pathetically lame Java applets.

Java applets have to be the most stupid, silly and insecure lame technology
ever invented by Sun.

You should have been there in comp.lang.java.programmer back in the nineties
when people were saying how stupid, silly and insecure a lame tech Java
applets were... Only to be laughed at by the likes of Jon Skeet (the most
upvoted user today on StackOverflow). To most Java early adopters Java applets
were "the nuts". Supposedly _the_ one tech going to solve all our problems.

It "only" took close to 15 years to prove wrong all the retards who thought
Java applets were a good thing.

And now we're in this big mess.

For end-users it's easy: remove Java or disable Java applets.

But for the corporate world it's not so simple: many devs are, well, Java
devs. Because Java is pretty much what powers the corporate world (hint: no,
it's not Excel).

Then even if most apps tend to be webapps now, there are still a lot of
in-house apps which are Java apps and corporate drones do _need_ to use these
apps.

Then there are all the Android / dalvik devs: world is moving to mobile and
Android is _huge_. Hence Java is huge.

Hence you can count on many, many, many more Java exploits being used to
infiltrate companies.

Companies whose users / devs are using very poor security practices anyway.

~~~
pconf
_But really the problem ain't Java but Java applets._

Don't know about you but I find it fascinating how many comments fail to make
a distinction between the vulnerable 'javaws' (i.e., applets) and the far more
common 'java' vm. This 'mistake' illustrates both java competitor astroturfing
and simple ignorance on the part of those commenting. Are there other
potential reasons so many don't know or intentionally obfuscate the difference
between java and javaws?

~~~
pjmlp
Plain ignorance.

Many don't even make a difference between Java the language and Java the VM
with all its multiple implementations from vendors all around the world.

These security exploits most of the time are only relevant to Oracle's VM.

------
martinced
Defense in depth.

People should _really_ all consider doing what I do: install a throwaway VM on
your system from which you surf the Web. For all the sites that I don't trust
I do surf from a VM which can be erased / re-installed at will.

For sites I trust, like my GMail / Google Docs, I surf from a _separate user
account_. I'm using a firewall that can do "per user" rules and I'm only using
whitelists. By default no packets can be emitted. Then the user account used
to access GMail / Google Docs is configured so that it can emit HTTP/HTTPS
traffic.

No Java in the user accounts / VM that do surf the Web: and I'm a "Java" dev
(Java + Clojure). Java can be installed only for one user account on Linux,
without needing to be root.

Wanna do online banking / MoneyBookers / etc.: boot a read-only Linux CD /
DVD.

Yes, it is slightly more inconvenient than using your main user account to
surf the Web. But so far security and convenience haven't exactly been good
matches yet.

The state of security today is really terribly bad. It is so bad that I'm
going back to a "stupid" Nokia S40 phone until things settle down.
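
The "per user" egress whitelist this comment describes, expressed as Linux iptables rules. This is an added example, not the commenter's own configuration: the account names (`webmail`, `banking`) and their port lists are constructed, and the `-m owner --uid-owner` match is the standard way to key OUTPUT rules on the local account that generated a packet. The script only emits the rules by default so they can be reviewed; `apply` runs them as root.

```shell
#!/bin/sh
# Default-deny egress with per-account exceptions (Linux iptables).
# Every local account gets no network at all unless it appears in WHITELIST;
# a whitelisted account may do DNS plus TCP to the listed ports only.
set -u

# Whitelist: one entry per line, "account tcp_ports" (comma-separated).
# Constructed sample accounts; substitute the real browsing accounts.
WHITELIST="${WHITELIST:-webmail 80,443
banking 443}"

# Emit the iptables commands for the policy without running them, so the
# rule set can be read (or diffed against the live one) before it goes in.
egress_rules() {
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    # Loopback stays open (local resolvers, X11 sockets, etc.).
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    printf '%s\n' "$WHITELIST" | while read -r acct ports; do
        [ -n "$acct" ] || continue
        # Name resolution must work before the browser can open anything.
        echo "iptables -A OUTPUT -m owner --uid-owner $acct -p udp --dport 53 -j ACCEPT"
        # Only the listed TCP ports, only from this account's processes.
        echo "iptables -A OUTPUT -m owner --uid-owner $acct -p tcp -m multiport --dports $ports -j ACCEPT"
    done
    # Everything else is logged with the offending uid (rate-limited so a
    # chatty process cannot flood the log) and then dropped by the policy.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"egress-denied: \" --log-uid"
}

# Number of -A rules the policy installs; a quick sanity check for reviews.
rule_count() {
    egress_rules | grep -c '^iptables -A '
}

# ./egress.sh        -> print the rules
# ./egress.sh apply  -> install them (needs root)
case "${1:-}" in
    apply) egress_rules | sh -e ;;
    show)  egress_rules ;;
esac
```

Note that root and every other unlisted account lose outbound access too, which is the "by default no packets can be emitted" behaviour the comment wants; package updates then have to run from a whitelisted account or through a temporary rule. If the INPUT chain is also default-deny, add the usual `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` there so replies can come back. The `egress-denied:` log lines are worth watching: a plugin or browser process that suddenly starts hitting unexpected ports shows up there before it manages to talk to anything.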

~~~
Osmium
> Yes, it is slightly more inconvenient

That's not just inconvenient, it's verging on paranoia. Most people haven't
got the time or the processor cycles to spare to run a separate VM. What's
wrong with just disabling plugins for all but trusted sites?

~~~
xyzzy123
There are lots of browser bugs which aren't plugin related at all. Lots of
DOM/parser/JS stuff; the most popular bug class at the moment is
use-after-free.

------
recoiledsnake
Wonder if those laptops were running Windows, OS X or Linux.

Hard to find details on that, anyone know?

~~~
drucken
Why would it matter? The initial attack vector is the same no matter the OS:
Java in the web browser.

