Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Java update plugs 27 critical security holes

By Ryan Naraine | April 2, 2010, 9:06am PDT

Summary: The update, available for Windows, Solaris and Linux, addresses issues that could be remotely exploitable without authentication.

Oracle has shipped a Critical Patch Update for Java SE and Java for Business to fix 27 security flaws that could expose users to malicious hacker attacks.

The update, available for Windows, Solaris and Linux, addresses issues that could be remotely exploitable without authentication.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company said in an advisory.

Affected products include:

  • Java SE: JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux;  JDK 5.0 Update 23 and earlier for Solaris; and SDK 1.4.2_25 and earlier for Solaris
  • Java for Business: JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux, JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux; and SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux

Vulnerabilities in Java also affect Apple’s Mac OS X but Apple’s patches are usually delayed for a very long time.
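The affected-products list above is the thing an administrator actually has to check against, and `java -version` output is not always read correctly by eye (Update 18 is "1.6.0_18"). The following is an added example, not code from the article or from Oracle: it parses a `java -version` banner and compares it with the last affected version of each family named above. The thresholds are taken from the article's list; the sample banners are constructed; `is_behind` is a general "at or below the last affected version" comparison that works for any component whose last affected version is known.

```python
import re
import subprocess

# Last affected version per Java family, taken from the affected-products list
# in the article (JDK/JRE 6 Update 18, JDK 5.0 Update 23, SDK 1.4.2_25).
# Keyed by (major, minor) of the legacy "1.x" version scheme.
LAST_AFFECTED = {
    (1, 6): (1, 6, 0, 18),
    (1, 5): (1, 5, 0, 23),
    (1, 4): (1, 4, 2, 25),
}

# `java -version` prints a banner such as:  java version "1.6.0_18"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, minor, micro, update) parsed from `java -version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no java version string in output")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_behind(installed, last_affected):
    """True when `installed` is at or below `last_affected`.

    Tuple comparison is lexicographic, so (1, 4, 1, 7) < (1, 4, 2, 25) and
    counts as affected, matching the advisory's "and earlier" wording.
    """
    return tuple(installed) <= tuple(last_affected)


def is_affected(version):
    """True/False for a family the advisory lists, None for an unlisted family."""
    family = version[:2]
    if family not in LAST_AFFECTED:
        return None
    return is_behind(version, LAST_AFFECTED[family])


def installed_java_version():
    """Run the local `java -version`; returns None when no java binary exists."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    # java prints its version banner on stderr, so look at both streams
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample banners for the demonstration (not captured from real hosts)
SAMPLE_BANNERS = {
    "jre6u18": 'java version "1.6.0_18"\nJava(TM) SE Runtime Environment (build 1.6.0_18-b07)\n',
    "jre6u19": 'java version "1.6.0_19"\nJava(TM) SE Runtime Environment (build 1.6.0_19-b04)\n',
    "jdk5u24": 'java version "1.5.0_24"\n',
    "sdk142": 'java version "1.4.2_25"\n',
}


def classify_banners(banners):
    """Map each sample name to True (affected), False (fixed) or None (unlisted)."""
    return {name: is_affected(parse_java_version(text)) for name, text in banners.items()}


if __name__ == "__main__":
    for name, verdict in classify_banners(SAMPLE_BANNERS).items():
        print(f"{name}: {'AFFECTED' if verdict else 'not affected'}")
    local = installed_java_version()
    if local:
        print("local java", local, "affected:", is_affected(local))
```

Run it on a host and the last line reports the locally installed runtime; a `None` verdict means the installed family is not one the article lists, not that it is safe.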


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

RE: Java update plugs 27 critical security holes
efsane Updated - 9th Apr 2011
Well done! Thank you very much for professional templates and community edition
sesli sohbet sesli chat
0 Votes
+ -
Update 18 was downloaded and installed on my computer on 3/12/10, this is not new news.
0 Votes
+ -
Contributr
Update 19
Ryan Naraine 2nd Apr 2010
This is Update 19 and it's new. The story says that the flaws affect
Update 18 (yours). Go patch.

_r
0 Votes
+ -
SO this guy is behind the times.
So, once again, vulnerability information is in the
wild and Apple's customers are left hanging there.

Would-be attackers can now run with the vulnerability
information which accompanies these patches. They can
even diff the source before and after to pinpoint
exactly where the vulnerabilities are.

The infinite loop control freaks insist on rolling
their own Java derivative (partly because of the
hardware abstraction). But they will - as usual - take
their time and leave their customers at risk.
0 Votes
+ -
So why should you get the patch from Apple?

Unless they did something completely retarded like made it impossible
to use the updates to Java provided by the people who own Java, which
would make no sense whatsoever, what does Apple have to do with this?
0 Votes
+ -
Apple controls Java updates for OS X.
rtk Updated - 2nd Apr 2010
http://java.com/en/download/manual.jsp

"Apple Computer supplies their own version of Java. Use the Software Update feature (available on the Apple menu) to check that you have the most up-to-date version of Java for your Mac."
0 Votes
+ -
???
AzuMao 2nd Apr 2010
What is the point of them doing this? I don't understand.
0 Votes
+ -
Agreed 100%
rtk 2nd Apr 2010
There's no point other than control.
0 Votes
+ -
Apple wants to ensure
honeymonster Updated - 3rd Apr 2010
that even Java apps have that Apple "look and
feel" using e.g. native widgets (or something
which looks like them).

Hence, they cannot do with Sun's built-in
generic platform abstraction.

It's a control issue, basically. Somewhat
legitimate when you consider that Apple's
profile *is* attention to details.

But the fact that they are consistently late
every time Java is patched means that Apple
customers live through a period with increased
risk because the vulnerabilities have been
disclosed.
0 Votes
+ -
I have to agree
Third of Five 3rd Apr 2010
If they would control the user's experience to the extent to which they do so now, they have to take a corresponding level of responsibility--the whole idea of "one throat to choke" is that the person attached to the throat is supposed to be willing to own up to the responsibility that goes along with it.

If Apple cannot keep their Java in step with the main iteration, they are potentially endangering their user base.
..and in doing so delay critical patches?
0 Votes
+ -
Yes, Java is skinnable
honeymonster 4th Apr 2010
But I suspect that there's more to it than just
Java L&F - like how Java apps integrate with
the Dock or Exposé. That integration is
something Sun would not agree to do - as Sun
always believed that the built-in hw
abstraction should be enough for everybody.

Apple hasn't made any official statements as to
why they distribute their own Java.

But this problem is really just one example of
a systemic problem in OSX.

Big parts of OSX are built on open source and
other 3rd party software licensed by Apple.
Often these products are available independent
of OSX (especially the open source products).
And they often follow their own release
schedule.

A year or so ago I did a small test. I just
compared versions of libxml in OSX with
versions available elsewhere. And lo and behold,
OSX was behind. A quick check on what was fixed
in the later versions revealed a number of
vulnerability fixes.

Vulnerabilities which were sitting in
current versions of OSX. Actually, very
much like the c library vuln sitting there for
10 months.

At any one time a would-be attacker can find a
number of OSX vulnerabilities which make good
exploit candidates simply by comparing versions
using publicly available information.

This is a systemic problem because of the way
Apple assembles their stack: They cannot
control the release of information regarding
vulnerabilities in the stack because they do
not control that stack nor the information.

Until the software community comes together and
are willing to wait for the slowest
distributors to ready a patch, this is going to
be a liability with OSX. Apple will always be
late patching. Information will be freely
available about candidate exploits.
0 Votes
+ -
Control ?
Jkirk3279 6th Apr 2010
"But the fact that they are consistently late
every time Java is patched means that Apple
customers live through a period with increased
risk because the vulnerabilities have been
disclosed"

Then again, Apple knows JAVA is a major attack vector.

If Mac users were encouraged to go fetch JAVA updates from
"the wild", there's the strong possibility a hacker could code a
Trojan, pose it as a JAVA update, and voilà!

Or, rather, OOPS.

By handling JAVA in-house Apple prevents that. And that
allows them to do sufficient testing to make sure the update is
compatible before releasing it.

It may be six of one and half a dozen of another, but I'd rather
get my updates from a trusted source.

Should it be faster? Maybe.

What's your take on M$ and their recent track record on
vulnerabilities? Ten months on that IE6 exploit, wasn't it?

Sauce for the Goose, and all that.
..of course.. but come on. It should only take like half an hour for them
to apply their little GUI patch and compile it. Or less since they are a
big company which can afford some serious hardware. So why isn't it
released yet? I think they must be having some kind of political problems..
like Sun refuses to give them access to the updated version or something.
0 Votes
+ -
Add It To The List ...
PMC-CON 5th Apr 2010
of things you don't understand.

How do you keep track of THAT list, when you're typing ceaselessly?
0 Votes
+ -
again, it will affect only windoze
Linux Geek 2nd Apr 2010
There is no code windoze that can run on Linux.
0 Votes
+ -
Wrong
pjotr123 2nd Apr 2010
Java is platform independent. Better fix your Linux box as well: http://sites.google.com/site/easylinuxtipsproject/java

Or better even: switch to OpenJDK + the IcedTea plugin.
0 Votes
+ -
.... you're a moron....
Ceridan 2nd Apr 2010
Java runs inside its own virtual machine, thus making it so every exploit is capable of targeting any OS with the Oracle Virtual Machine....


As long as there is a check to see if it's linux, you can actually make something that attacks Macs, Linux and windows at the same time, by exploiting more specific security flaws in the case of so and so OS...

A flaw cannot work on its own now... you need to use a collection of flaws to penetrate a target system...


PS: I am aware that I just destroyed your faith... once more
0 Votes
+ -
your own words bonehead!
Linux Geek Updated - 2nd Apr 2010
A flaw cannot work on its own now... you need to use a collection of flaws to penetrate a target system...
...and those extra flaws are only available on windoze!
0 Votes
+ -
So...
Ceridan 4th Apr 2010
You're inferring that Linux has no security flaws?

only idiots and Cultist of Jobs would think that an OS has no security flaw...



Remember, if it was built by man... it will be destroyed by man...
0 Votes
+ -
No geek.
tealcat Updated - 5th Apr 2010
You're no geek. You're a spammer.
The low-level implementations of it, however, likely differ.
Meaning that attacks aimed at the Windows version will likely not work right on the OSX or Linux version, since attacks generally aren't based on the agreed-upon specifications.
0 Votes
+ -
Actually...
Ceridan 4th Apr 2010
You're right... but as I said:

You can actually have a check in the code to see what OS is running and launch a more specific exploit that uses one of the JVM's security holes.


PS: I would be worried if you're using Apple's Implementation however, since apple is usually quite slow to fix security flaws for their implementations of third party technology... However, if you're using IcedTea or similar on Linux, they should come with a fix soon... if it's not already out.
0 Votes
+ -
Java: "Write Once, Run Anywhere"
PMC-CON 5th Apr 2010
It wasn't true. But: "install once, vulnerabilities forever" just didn't fly.

BTW, you are not a geek, just a nerd.
0 Votes
+ -
Wrong, @Linux Geek
rustek Updated - 5th Apr 2010
We run Visual Basic programs via CGI with Apache on Ubuntu, you say the same thing over and over, and you're told that you're wrong over and over.

When are you going to figure out that you don't know what you're talking about.
0 Votes
+ -
this was stated in article;
Affected products include:

* Java SE: JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux; JDK 5.0 Update 23 and earlier for Solaris; and SDK 1.4.2_25 and earlier for Solaris
* Java for Business: JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux, JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux; and SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux

Vulnerabilities in Java also affect Apple's Mac OS X but Apple's patches are usually delayed for a very long time.

I do not see anywhere in the article where it states that there ARE flaws to be fixed in Apple version. Only indicates, Windows, Linux and Solaris. Admittedly I don't currently own or use a Mac so I cannot determine if there is a patch or not. Nor do I understand the underlying technology behind Java.
Time to read up

I only see a link, to another story Aug 23 2007, that Apple is always slow in releasing fixes
0 Votes
+ -
@Ryan: Safe alternatives
Dietrich T. Schmitz, Linux Advocate Updated - 5th Apr 2010
Ryan,

As you know, I am a proponent of safe alternatives with a focus of advocating Linux solutions.

I don't mind (I have a 'thick skin') when the Moderators delete my comments when they are 'off-topic' but you need to incorporate into your agenda the premise that 'safety' is a maximum predicate, even if it means recommending solutions found on alternative operating systems.

Safety should be your credo.

Where possible, when I see an opportunity to do so, I provide an awareness for these 'safe alternatives' and insert my comments accordingly.

Today, for a second time (my comments were deleted), I am raising awareness for the added security benefits of using Ubuntu Linux.

Users with Ubuntu Linux 9.10 have AppArmor LSM installed by default, with profiles for Firefox, its Java plugins (openJDK IcedTea implementation) and Evince PDF document viewer.

These safety features ensure a maximum of safety when accessing the Internet.

Users who are not satisfied with the ongoing Zero-Day issues with Microsoft Windows products should be aware that AppArmor puts your 'App' (e.g., Firefox) into a secure 'sandbox' and GUARANTEES that even an unpatched Firefox or other 'App' will not be exploited. AppArmor stops ALL exploits cold in their tracks.

Having AppArmor will be a big help to Administrators faced with 'putting out Zero-Day fires' because it simply makes the need for taking corrective action less urgent and more 'manageable'.

So, please, show that you are truly interested in safety and let users read about such alternatives. Even better, write an occasional article including coverage of such alternative features, yes?

Thank you Ryan.

Dietrich T. Schmitz
Linux Advocate
0 Votes
+ -
AppArmor = UAC
PMC-CON 5th Apr 2010
"AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.
AppArmor is different from some other MAC systems on Linux in that it is path-based, allows for mixing of enforcement and complain mode profiles, uses include files to ease development and has a far lower barrier to entry than other popular MAC systems.
AppArmor is an established technology first seen in Immunix, and later integrated into Ubuntu, Novell/SUSE, and Mandriva. Work is ongoing by AppArmor, Ubuntu and other developers to merge AppArmor into the official Linux kernel. "
0 Votes
+ -
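The quoted description covers the mechanics the thread keeps returning to: path-based rules, include files, and the enforce/complain split. The profile below is an added example, not from the page or from Ubuntu's shipped profiles; it confines a hypothetical program `/usr/local/bin/example-viewer` (an assumed path standing in for a plugin or document viewer) and would live at `/etc/apparmor.d/usr.local.bin.example-viewer`. It starts in complain mode so that violations are only logged while the rule set is being worked out.

```apparmor
# Added example profile for a hypothetical /usr/local/bin/example-viewer.
# File: /etc/apparmor.d/usr.local.bin.example-viewer (assumed path)
#include <tunables/global>

# flags=(complain): violations are reported (syslog/auditd) but not blocked.
# Drop the flags, or run `aa-enforce` on the file, to switch to enforcement.
/usr/local/bin/example-viewer flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>

  # The program itself, its static data, and the documents it is meant to open
  /usr/local/bin/example-viewer mr,
  /usr/share/example-viewer/** r,
  owner @{HOME}/Documents/** r,

  # Scratch space the viewer may write; the `owner` qualifier restricts
  # access to files owned by the user running the program
  owner @{HOME}/.cache/example-viewer/** rwk,
  owner /tmp/example-viewer-*/** rw,

  # Anything not listed is already denied; these explicit, audited denials
  # additionally log the attempt, so a hijacked viewer reaching for
  # credentials shows up immediately in the audit log
  audit deny @{HOME}/.ssh/** rw,
  audit deny @{HOME}/.gnupg/** rw,
  audit deny /etc/shadow r,
}
```

Load and switch modes with the apparmor-utils tools: `sudo aa-complain /etc/apparmor.d/usr.local.bin.example-viewer` while tuning, `sudo aa-enforce` on the same file when the log is quiet, and `sudo aa-status` to list which profiles are currently in each mode. Note what the profile does and does not do: in enforce mode a compromised viewer is limited to the paths and permissions listed, which is why the credential directories are called out, but the vulnerability in the viewer itself is still there and still needs the vendor's patch.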
Actually, I take that back.
AzuMao 5th Apr 2010
Programs in Linux can't sudo themselves without permission.

Starting with Windows 7, however, programs can automatically elevate themselves without any user interaction, by default.


Back in Windows Vista, however, my point (that gksudo = UAC) stands.
0 Votes
+ -
"Maximum of safety"?
AzuMao 5th Apr 2010
Just because it's more secure than Windows doesn't mean there's no room for improvement.

OpenBSD is more secure. Ubuntu's selling points are ease-of-use and compatibility.
0 Votes
+ -
OpenBSD and Java
RobertFolkerts 6th Apr 2010
Please look at the OpenBSD FAQ @
http://www.openbsd.org/faq/faq8.html#Programming

Until Java 1.7 is mainstream, OpenBSD is
relatively painful as a Java platform. So a
Linux or Solaris has better support. FreeBSD
is also better for Java than OpenBSD (in my
opinion).

So I would argue that OpenBSD could be very
useful for running Pound & pf in front of a
Java App server, but it isn't the best choice
for Jetty or Tomcat. A BSD is also viable for
running a database in a Java shop, so there are
uses, but is it not the best choice for running
Java
0 Votes
+ -
Secunia PSI (nt)
waldenasta 5th Apr 2010
nt
0 Votes
+ -
"Vulnerabilities in Java also affect Apple's Mac OS X but
Apple's patches are usually delayed for a very long time."

Yes, it's nice not to have an Apple and not have to worry
about stuff like that... no rush on the updates... 'has not
been one problem this century.
0 Votes
+ -
Other way around.
AzuMao 5th Apr 2010
Apple aren't rushing this update. They are taking longer.
0 Votes
+ -
You read it too fast.
rustek 5th Apr 2010
He didn't say it backwards, you read it backwards.
0 Votes
+ -
????
AzuMao 5th Apr 2010
Yes, it's nice not to have an Apple and not have to worry
about stuff like that... no rush on the updates...



Isn't he saying that since he doesn't have an Apple, he doesn't have to worry about stuff like rushed updates? :s
0 Votes
+ -
"no rush on the updates..."
rustek 6th Apr 2010
Isn't written in his voice, but meant to reflect Apple's attitude.

"'has not
been one problem this century."
Is him suggesting that Apple doesn't acknowledge problems.
0 Votes
+ -
Ah, my bad, sorry.
AzuMao 6th Apr 2010
0 Votes
+ -
Just Another Virus Application
Reality Bites 6th Apr 2010
java and a virus.... the line between is always very blurry.

Hopefully oracle will kill the bug.
0 Votes
+ -
Yeah .. uh, 19. Awhile ago.
Mordecai Irony Updated - 14th Apr 2010
This is the Funny Guy pages .. official kindergarten genius. Does he get a medal of honor, or does this author really exist?
I can only be impressed that too many things here look like a the typical govt operation. Like anything 'backed' by the rockefeller cadre; lacking in brains. Medical, publishing, religion, chinese ... ad nauseum

Yeah .. uh, 19. Awhile ago.
Definition: real swift
stfu

Any chance we can get some real people here that don't live the corporatist lie? Probably not, we're all trying to survive paying bills and eating.
Sure the AC will take care of all your problems, for a price.
0 Votes
+ -