
Java 6 exploit found in the wild - Codeson
http://www.theinquirer.net/inquirer/news/2291040/java-6-exploit-found-in-the-wild?
======
pilif
My cynical self would say that this is the perfect training for when XP runs
out of support next April. Just because their vendor dropped support doesn't
mean that usage will suddenly stop nor does it mean that no exploits are going
to be found and used.

Right now it's "just" Java 6 which isn't installed on every machine out there
(but still on a huge part of all Java capable machines). Next year it will be
Windows XP which still has between 40% and 80% usage.

Personally, I'm really interested in how this is going to turn out. Will we
see unofficial patches? Will we see anti-virus vendors step up and provide
semi-official patches? Will vendors have to cave and continue issuing patches?
Will the malware issue just be ignored? What kind of damage needs to
happen before something changes?

~~~
commandar
I'm in healthcare. We have a number of clinical applications that are only
officially supported on J6 (and sometimes they even go so far as specifying
specific _updates_ that are supported). They actually work just fine on J7, it
just requires tweaking a couple of security settings. But getting that across
to non-technical managers that have had "You _must_ be running J6u17" beat
into their heads by idiot vendors is a bit of a nightmare.

~~~
bilbo0s
Guy...

the non-technical managers understand that the FDA only approved the J6
version of the app. If you want to use J7, you have to resubmit to the
approval process.

The law is there for a reason.

SOME apps it won't matter... like maybe some billing or hospital
transportation apps or something... but certainly anything diagnostic in
nature cannot be run in a manner in which it was not approved.

~~~
commandar
> but certainly anything diagnostic in nature cannot be run in a manner in
> which it was not approved.

Which is why biomedical engineering and IT are different departments. IT
doesn't touch anything that directly touches a patient.

------
jsight
It's worth noting that OpenJDK has had this fixed for a couple of months now:
[https://access.redhat.com/security/cve/CVE-2013-2463](https://access.redhat.com/security/cve/CVE-2013-2463)

AFAIK, Oracle Java 1.6.0 is EOL, and thus does not receive patches in a timely
manner (if at all).

~~~
benjarrell
The freely available updates have ceased; you have to buy Java for business[1]
to continue to receive updates.

1:
[http://www.oracle.com/technetwork/java/javase/training/index...](http://www.oracle.com/technetwork/java/javase/training/index-jsp-138092.html)

~~~
yuhong
Yeah, until recently they even continued to provide updates for 1.4.2 if you
paid.

------
Pxtl
How is it that the service with the noisiest, most obnoxious updater on my
machine still manages to suck at staying up-to-date?

~~~
awda
If you're talking about the Java Windows updater, IME it gives up really
easily and then doesn't remember to update until the next patch goes out.
Also, it aborts if any other installer is running.

OTOH, the Linux openjdk package stays pretty up to date and doesn't install
the Ask toolbar ;-).

~~~
Pxtl
I've seen some machines where it tries to update with every release, and every
release it fails with some cryptic error message, leaving the user on the old
version. That can't be good for security.

~~~
jebblue
Perhaps there's a reported bug for this; you could add a comment describing
what you saw. If we report bugs in software, then we're contributing to better
software.

~~~
Lambdanaut
Ironically, the people reporting the bugs won't be able to automatically
update to the new versions with the bug fix.

------
lucian1900
Just kill the fucking applet already, no one uses it. All it does now is give
the JVM an undeserved bad name.

~~~
shawnz
Do you mean the Java browser plugin? If so, I agree with you, but this is
still a serious issue even if you just have Java installed for desktop
applications.

EDIT: To elaborate on jokc's reply (who appears to be shadowbanned), it seems
that this exploit is only a problem for applications that use Java's
sandboxing features, and the browser plugin is the best example of this -- but
desktop applications can use these features too.

~~~
lucian1900
No other desktop apps are commonly sandboxed, so that's a minor issue, if an
issue at all.

~~~
justincormack
If they aren't sandboxed you don't need the vulnerability. Then the only
question is whether you can run untrusted code, which is going to depend on the
application.

~~~
jtheory
If you're downloading an application and running it, it's pretty much
immaterial whether it's Java-based or not; there's no vulnerability required
to trash your computer at that point.

Sandboxes only apply in the browser, as far as I can think of -- Java code all
executes in the context of a security manager, but does anyone actually set a
custom security manager for running untrusted Java applications? (Maybe I'm
just missing an example you know of...)

------
awda
To get the best of both worlds (in Firefox, but I know Chrome has something
similar):

* Go to: about:config

* Search "plugins.click_to_play"

* Enable.

~~~
FreeFull
You'll also have to go to the Add-ons page, then the Plugins tab, and then select
which plugins you want to be click-to-play.

~~~
awda
Ah, very true. Why they make it harder than necessary, I don't know.

------
lelf
_Unspecified_ vulnerability in the Java Runtime Environment (JRE). Fucking
great.

[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463)

[https://access.redhat.com/security/cve/CVE-2013-2463](https://access.redhat.com/security/cve/CVE-2013-2463)

[http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b79d56eee...](http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b79d56eee18e)
-- 4-month-old fix

------
diminoten
Can someone explain to me the current title? From the CVE:

> Unspecified vulnerability in the Java Runtime Environment (JRE) component in
> Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0
> Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect
> confidentiality, integrity, and availability via unknown vectors related to
> 2D.

Doesn't that say Java SE 7 Update 21, as well as OpenJDK 7? Or is that new
info since the title was written? HN should update accordingly?
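
An inventory check built from the version ranges in that quoted CVE text (added here as an example; it is not from the thread or from any of the linked sources): it parses `java -version` output and flags runtimes that fall inside the stated ranges. The hostnames and the sample outputs are constructed.

```python
import re

# Last affected update per major family, taken from the CVE-2013-2463
# text quoted above: 7u21, 6u45 and 5.0u45 "and earlier" are in range.
LAST_AFFECTED_UPDATE = {7: 21, 6: 45, 5: 45}

# Matches the old-style version string printed by `java -version`, e.g.
# 'java version "1.7.0_21"'; the update number after "_" is optional.
_VERSION_RE = re.compile(r'\b1\.(\d)\.0(?:_(\d+))?\b')


def parse_java_version(text):
    """Return (family, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_affected(text):
    """True if the runtime falls inside the ranges the CVE text lists.

    Caveat: this only compares version numbers. A distro that backports
    the OpenJDK fix without bumping the update number is still flagged,
    so treat a hit as "check this host", not as proof of exposure.
    """
    parsed = parse_java_version(text)
    if parsed is None:
        raise ValueError("no Java version string found in %r" % text)
    family, update = parsed
    last = LAST_AFFECTED_UPDATE.get(family)
    return last is not None and update <= last


def affected_hosts(outputs):
    """Map {host: java -version output} to the sorted list of hits."""
    return sorted(host for host, out in outputs.items() if is_affected(out))


# Constructed sample outputs for made-up hosts (not real inventory data).
SAMPLE_HOSTS = {
    "ws-01": 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "ws-02": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)',
    "ws-03": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)',
    "ws-04": 'java version "1.7.0_40"\nOpenJDK Runtime Environment (build 1.7.0_40-b43)',
    "ws-05": 'java version "1.5.0_22"\nJava(TM) 2 Runtime Environment (build 1.5.0_22-b03)',
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_HOSTS):
        print(host, "runs an affected Java:", parse_java_version(SAMPLE_HOSTS[host]))
```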

~~~
m_ram
Yes, it affects all versions, but the article is emphasizing Java 6 because it
is no longer being updated.

------
JimmaDaRustla
The best part is my Java Update Checker says I have the most recent version...
_sigh_

Edit: I'm on 1.6

~~~
pilif
Java 6 (1.6) is EOL. You won't get an update unless you update to 7.

------
pachydermic
Question:

Why does Java have so many security holes? Is it really worse than any other
language, or is it just so ubiquitous that it presents itself as a good
target?

~~~
jsight
I don't think the Java sandbox has had significantly more security holes than
other similar sandboxes (e.g., Flash).

Most of these vulnerabilities are only applicable to environments which are
required to run untrusted code.

------
mooreds
From
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-246...](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2463)

"Applies to client deployment of Java only. This vulnerability can be
exploited only through sandboxed Java Web Start applications and sandboxed
Java applets."

------
comex
To nit-pick, calling a bug that has been patched in a different version of
Java for two months and exploited in this version at least a week ago a "zero-
day" is quite a stretch of the term!

------
dfrey
It would have been nice if they had mentioned specifically what the problem
was. To the layman, this article makes it seem like just having Java 6
installed on your computer puts you at risk.

------
hexagonc
Despite its origin as a "web language", it looks like just about the last
place you want to use Java is in the browser.

