Java does a “Jack and Jill”

CC attribution: illustration "Jack and Jill" by "perpetualplum" on flickr.

So here is the way I saw the Java drama roll downhill like Jack and Jill over the last two weeks from security standpoint.

So we started out safely headed up the hill to fetch our water shod with Oracle’s Java 1.7 update 6.

08/27/2012 - Starting up the hill…

• Quick Bits about Today's Java 0-Day - ISC Diary
• Research & Analysis of Zero-Day & Advanced Targeted Threats:Zero-Day Season is Not Over Yet - Malware Intelligence Lab from FireEye
• Java 7 0-Day vulnerability information and mitigation - DeepEnd Research
• Attackers Pounce on Zero-Day Java Exploit - Krebs on Security
• Researchers: Java Zero-Day Leveraged Two Flaws - Krebs on Security

Oh noes! Jack has stumbled!

(It wasn’t really clear at first, but Java 1.6.34 was also vulnerable.)

08/30/2012 - Java Jack Recovers

Fortunately Java Jack just had a stumble, the pail and his crown are still safe after catching himself.

• Oracle Releases Java Security Updates - ISC Diary
• Vulnerability Note VU#636312 - Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code - US-CERT
• Alert for CVE-2012-4681 - Oracle
• Java SE 7u7 AND SE 6u35 Released - F-Secure Weblog : News from the Lab
• Oracle patches critical Java bugs used to commandeer computers -  Ars Technica

So we all rush out and download Java 1.7.7 and/or Java 1.6.35.

Whew! That was close.

08/31/2012 - Java Jack Takes a Dive bringing Jill with him

Jack…Stop looking at that frisky rabbit and getting ideas and pay attention dude! You’re about to step into some of its…

Oh snap! You did and you slipped in it.

• Not so fast: Java 7 Update 7 critical vulnerability discovered in less than 24 hours - ISC Diary
• Critical bug in newest Java gives attackers complete control of PCs - Ars Technica
• Latest Java sandbox is still vulnerable - The H Security: News and Features
• Blackhole targeting Java vulnerability via fake Microsoft Services Agreement email phish - ISC Diary

Seriously Jack. Really?

You should have been paying better attention to your hill-climbing technique; or at the very least dear Jill and not the rabbit.

Now you’ve taken Jill out in your folly and broken your crown; again.

Still Want That Water?

So where does that leave us now that we are holding the pail to safely quench our thirst?

Here is some sound advice.

• 6 ways to protect against the new actively exploited Java vulnerability - Security - InfoWorld
• You don't need Java - BetaNews
• Tips For Java Junkies - F-Secure Weblog : News from the Lab

Me? I just disabled my Java browser plugins for IE/Chrome/Firefox and run NoScript in Firefox. However I didn’t uninstall my Java applications (1.6.35/1.7.6) as I do use a handful of true Java applications on my system.

I figure that will have to do for now until the next round of updates rolls.

No word when Jack will be out of the ER yet. Jill remains pouty.

Other Java-related tools you might be interested in while you wait…

• JavaRa - SingularLabs - great third-party freeware utility to manage your Java RE build installations. More here at ghacks.net.
• Jarfix - Johann N. Löfflmann’s tiny app to fix Java “JAR” file associations on Windows after a Java update borks them.
• Java SE Downloads - Oracle - Java SE (Standard Edition) 7u7 JRE (Java Runtime Environment) and Java SE 6 update 35 JRE download links available from this link. When new updates are available you should be able to get them here.

Oh, did I mention that we just completed a massive rollout of Java 1.6.31 a few weeks ago across our enterprise to bring us to a new operational standard?

I lovingly refer to it as Project Maginot Line.

à revoir! from the bunker,

--Claus V.