howardfine

join:2002-08-09
Saint Louis, MO

reply to InTheKnow

Re: Java 7 0-day

Well I know what you're getting at, and I agree with your points, but yes I am glossing over things.


InTheKnow

@pnap.net

No worries, this is the real deal. Linux may not be a highly targeted demographic but indeed, we are vulnerable here if using the unpatched Oracle/Sun Java 1.7.x branch and it's able to be instanced, either from a browser, or other methods. Does this mean GNU/Linux itself is on the same security plane as Windows? Hell no, it just means we've got another permutation of typical asshattery from Oracle on par with Adobe; sometimes I think they're in competition to see who can produce the most security lax, shitty, exploitable code that causes tangible dollar loss in financial fraud thanks to Blackhole/Phoenix/Redkit Exploit Kit deployments of ZeuS, Carberp, Bugats, Gozi, SpyEye, etc.

Is the sky falling? No, we're GNU/Linux folks, we're a little more aware and technical than the Win32 sheeple who still believe signature-based anti-virus is something more than security placebo. "Protection from yesterday by tomorrow".

We just need to paint a picture of accuracy here. Not targeted by 1st stage downloaders/successful exploitation payload doesn't mean we're not vulnerable and *can't* be targeted. Trivial changes to the exploitation code seen in the wild can target all three demographics AND there is a real risk of compromise even if the process is constrained to the local logged-on user.

Let's just relish the fact that we can constrain processes using AppArmor, chrooting, etc., and not have to rely on profiteering security vendors to convince us that by running their product it's "All the protection we'll ever need!"



JohnInSJ
Premium
join:2003-09-22
San Jose, CA
Reviews:
·PHONE POWER
·Comcast

reply to InTheKnow

said by InTheKnow:

1) People shouldn't run Java

In a browser that blindly executes any jar file it finds. NoScript would stop this. So would not having Java installed in the browser you use when browsing porn sites, er, sites that may be exploited.
--
My place : »www.schettino.us


Ian
Premium
join:2002-06-18
ON
kudos:1
Reviews:
·Rogers Hi-Speed

said by JohnInSJ:

said by InTheKnow:

1) People shouldn't run Java

In a browser that blindly executes any jar file it finds. NoScript would stop this. So would not having Java installed in the browser you use when browsing porn sites, er, sites that may be exploited.

I think with Firefox, NoScript or not, all you have to do is set plugins.click_to_play = true in about:config. Then you can decide which plugins (if any) to activate.

Is it normal that it would take this long to issue a patch?
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

reply to Snakeoil

said by Snakeoil:

How does it work with Minecraft?

I'm running both the Minecraft server and client with OpenJDK 7 to great avail.


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

1 edit

reply to JohnInSJ
I had a post typed and lost it.

Anyway, I was just going to reiterate what InTheKnow is saying. You don't need root to do some malicious things on a *nix box. The infamous malware for OSX that made headlines a couple months ago didn't get root on Macs either. It was almost identical to this -- it used a Java exploit in the browser and took over userspace.

Fortunately we already have tools in Linux to make such attacks much more difficult. MAC systems (AppArmor, SELinux, Grsec) for instance. Linux, just like OSX, Solaris, and BSD, uses the traditional Unix DAC model. DAC is fine for separating userspace and root, but it does nothing to control processes *within* user space. This is where MACs come in -- they can confine user space processes from each other and can even confine the root account (so even if an attacker successfully exploits a root owned process, he can't own the whole box).

I think MAC systems will become more necessary in the future, especially for servers. Actually, it is wise to use them now for servers. Even for desktops, it is smart to use them, at least for the browser. I find AppArmor the simplest to use, so it is my choice. Grsecurity is probably the best, but it is an animal to set up and get tweaked properly.
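The point above is that confinement only helps if the browser (and the plugin host it spawns for Java) is actually running under a profile in enforce mode. The following is an added example, not code posted in this thread: a small Python check that reads the AppArmor label of running processes from /proc/<pid>/attr/current (the interface AppArmor exposes on Linux; the label reads "unconfined" or "<profile> (enforce|complain)") and reports anything that is not enforced. The process names in the target set are assumptions for illustration; adjust them to whatever your browser and plugin host are called.

```python
"""Report AppArmor confinement of running processes by name.

Added example (not from the forum thread).  Reads /proc/<pid>/comm and
/proc/<pid>/attr/current, the interfaces AppArmor exposes on Linux.  The
label written there is "unconfined" or "<profile> (enforce|complain)".
The process names in TARGETS below are assumptions for illustration.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Label syntax written by AppArmor to /proc/<pid>/attr/current.
_LABEL_RE = re.compile(
    r"^(?P<profile>\S+)(?: \((?P<mode>enforce|complain|kill|unconfined)\))?$"
)


@dataclass
class Confinement:
    pid: int
    comm: str
    profile: str          # "unconfined" or the profile name/path
    mode: Optional[str]   # "enforce", "complain", ... or None when unconfined

    @property
    def is_enforced(self) -> bool:
        return self.mode == "enforce"


def parse_label(raw: str) -> Tuple[str, Optional[str]]:
    """Parse one /proc/<pid>/attr/current line into (profile, mode)."""
    text = raw.strip()
    if text == "" or text == "unconfined":
        return ("unconfined", None)
    m = _LABEL_RE.match(text)
    if not m:
        return (text, None)   # unknown syntax: report it, do not treat as enforced
    return (m.group("profile"), m.group("mode"))


def classify(pid: int, comm: str, raw_label: str) -> Confinement:
    profile, mode = parse_label(raw_label)
    return Confinement(pid, comm, profile, mode)


def scan_proc(wanted: set, proc_root: str = "/proc") -> List[Confinement]:
    """Walk /proc and collect confinement for processes whose comm is in `wanted`."""
    results: List[Confinement] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                comm = f.read().strip()
            if comm not in wanted:
                continue
            with open(f"{proc_root}/{pid}/attr/current") as f:
                raw = f.read()
        except OSError:
            continue  # process exited, or no AppArmor attr interface on this kernel
        results.append(classify(pid, comm, raw))
    return results


def unconfined(results: List[Confinement]) -> List[Confinement]:
    """Everything that is not in enforce mode: unconfined, complain, or unknown."""
    return [r for r in results if not r.is_enforced]


# Assumed process names: the browser and the out-of-process plugin host.
TARGETS = {"firefox", "plugin-container", "java"}

if __name__ == "__main__":
    found = scan_proc(TARGETS)
    for r in found:
        flag = "OK " if r.is_enforced else "!! "
        print(f"{flag}{r.pid:>7} {r.comm:<18} {r.profile} ({r.mode or 'none'})")
    if not found:
        print("none of the target processes are running")
```

A process showing "unconfined" here means the profile was never loaded for that binary (or it was launched through a path the profile does not cover), and a "(complain)" entry means violations are only logged, not blocked; both are worth fixing before trusting the MAC to contain a plugin compromise.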



howardfine

join:2002-08-09
Saint Louis, MO
Reviews:
·AT&T Southwest

said by KodiacZiller:

You don't need root to do some malicious things on a *nix box. The infamous malware for OSX that made headlines a couple months ago didn't get root on Macs either. It was almost identical to this -- it used a Java exploit in the browser and took over userspace.

I'm not sure it's the same as this but I think I recall that being more malarkey and sky is falling than anything real.

I don't know. I get back from working on the Olympics stuff and now I've got a big project kicking off Monday. I don't remember anything anymore.


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
Reviews:
·PHONE POWER
·Comcast

reply to KodiacZiller

said by KodiacZiller:

Anyway, I was just going to reiterate what InTheKnow is saying. You don't need root to do some malicious things on a *nix box.

Userspace problems are easier to clean up. Far, far easier.
--
My place : »www.schettino.us


InTheKnow

@pnap.net

reply to howardfine

said by howardfine:

said by KodiacZiller:

You don't need root to do some malicious things on a *nix box. The infamous malware for OSX that made headlines a couple months ago didn't get root on Macs either. It was almost identical to this -- it used a Java exploit in the browser and took over userspace.

I'm not sure it's the same as this but I think I recall that being more malarkey and sky is falling than anything real.

This was dubbed Flashback, and I assure you it was both real and absolutely affected OS X. Were there alarmist news reports on it? No. Was there tangible, measurable, observed infection on a large volume of OS X computers that were seen across multiple industries with specific markers? Absolutely, and I'm speaking authoritatively (PCAPs) here, not regurgitating news articles.

said by JohnInSJ:

Userspace problems are easier to clean up. Far, far easier.

If you're aware of them. Gone are the days of severity of threat from 13-year-old Filipinos releasing ILoveYou.vbs; sure there are some very clear differences between the Win32 and GNU/Linux security models, but please don't be so dismissive of the ease of dropping MiTB fun when I'm looking at ~/.mozilla/.

IF (big IF here, I know your views on Java) you are using a vulnerable version of Java instanced, and it dropped a connect-back shell or egress script, how would you know it? How would you know you're doing RFC-violating DNS C2? What about egress C&C check-in over TCP 80/443? You using an explicit proxy, not transparent, with forced auth? You running DNS C2 monitoring code? Tell me about your IDS/NIDS/HIDS setup; OSSEC-HIDS using inotify() watching your filesystem? Where's your egress network tap/span port? Where are you terminating your SSL connections so you can inspect them in the clear? What alerts do you have on self-signed certs? It's easy to say "Userspace is easy cleanup" when you're aware. Tell me about your strict egress firewall; are you using IPv6? If not, are you sure you're not using a fe80 link-local address? 99% of the time the victims of financial fraud aren't aware.

I'm not trying to dismiss your response; as a matter of fact, if anything it highlights that GNU/Linux users are far more aware of defense-in-depth and intelligent mitigation techniques than our Win32 counterparts, but, as evidenced by others in this thread (whose thoughts I also appreciate), reality isn't as cut and dried as SOHO or home setups.

KodiacZiller, thanks for backing me up sir.
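One of the questions in the post above is whether you would notice RFC-violating DNS C2 at all. As an added example (not code from this thread), here is a Python script that runs a few defender-side checks over DNS query logs: it flags names that break the RFC 1035 label rules (non letter/digit/hyphen characters, labels over 63 octets, names over 253 characters), long high-entropy leftmost labels of the kind tunnelling tools produce, and bursts of TXT/NULL queries from one client. The log line format ("<epoch> <client_ip> <qtype> <qname>"), the sample lines and every threshold are constructed assumptions, not anything from a real resolver; tune the thresholds against your own baseline before alerting on them.

```python
"""Flag DNS queries that violate RFC 1035 naming rules or look like tunnelled C2.

Added example, not from the forum thread.  Input is a constructed log format:
"<epoch> <client_ip> <qtype> <qname>".  All thresholds are assumptions that
should be tuned against a real baseline.
"""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# RFC 1035 preferred name syntax: labels are letters, digits and hyphens with
# no leading or trailing hyphen.  Length limits are checked separately so each
# violation gets its own reason.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_LABEL = 63            # octets per label
MAX_NAME = 253            # characters in the textual form of a name
ENTROPY_THRESHOLD = 3.5   # assumption: bits/char; hex or base32 payloads run high
LONG_LABEL = 40           # assumption: legitimate hostnames rarely get this long
TXT_BURST = 5             # assumption: TXT/NULL queries per client in one batch


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def check_name(qname: str) -> List[str]:
    """Return the reasons a single query name looks wrong (empty list = clean)."""
    reasons: List[str] = []
    name = qname.rstrip(".")
    if len(name) > MAX_NAME:
        reasons.append("name exceeds 253 chars")
    labels = name.split(".")
    for label in labels:
        if len(label) > MAX_LABEL:
            reasons.append("label exceeds 63 octets")
        if not _LDH_LABEL.match(label):
            reasons.append(f"non-LDH label {label!r}")
    # Tunnelling heuristic on the leftmost label, which carries the data.
    left = labels[0] if labels else ""
    if len(left) >= LONG_LABEL and shannon_entropy(left) >= ENTROPY_THRESHOLD:
        reasons.append("long high-entropy subdomain")
    return reasons


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line; None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    ts, client, qtype, qname = parts
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(), "qname": qname}


def analyse(lines: List[str]) -> Dict[str, List[str]]:
    """Map each client IP to the list of findings raised against it."""
    findings: Dict[str, List[str]] = defaultdict(list)
    txt_per_client: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in check_name(rec["qname"]):
            findings[rec["client"]].append(f"{rec['qname']}: {reason}")
        if rec["qtype"] in ("TXT", "NULL"):
            txt_per_client[rec["client"]] += 1
    for client, n in txt_per_client.items():
        if n >= TXT_BURST:
            findings[client].append(f"{n} TXT/NULL queries in batch")
    return dict(findings)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1346000001 10.0.0.5 A www.example.com.",
    "1346000002 10.0.0.5 AAAA mail.example.com.",
    "1346000003 10.0.0.9 TXT 3d9f1ab7c0e44e2f9a1b6c7d8e9f0a1b2c3d4e5f6a7b8c9d.tun.example.net.",
    "1346000004 10.0.0.9 TXT 4a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071.tun.example.net.",
    "1346000005 10.0.0.9 TXT 5b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f607182.tun.example.net.",
    "1346000006 10.0.0.9 TXT 6c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293.tun.example.net.",
    "1346000007 10.0.0.9 TXT 7d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071829304.tun.example.net.",
    "1346000008 10.0.0.7 A bad_host.example.org.",
]

if __name__ == "__main__":
    for client, items in analyse(SAMPLE_LOG).items():
        print(client)
        for item in items:
            print("   ", item)
```

The syntax checks are cheap and nearly free of false positives; the entropy and burst heuristics are the ones that need a baseline, since CDN hostnames and some anti-spam lookups legitimately produce long encoded labels and TXT traffic.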


Snakeoil
Ignore Button. The coward's feature.
Premium
join:2000-08-05
Mentor, OH
kudos:1
Reviews:
·RoadRunner Cable
·magicjack.com

reply to Maxo
Thank you. For whatever reason, we keep getting Java errors on our server [I'm running the server on a Windows box, I play on a linux box. The other 3 people that play on the server play on windows boxes].

I guess I'll have to wait for Technic to update their server package. Though I'll tell the kids to grab the new java update as well.
--
Is a person a failure for doing nothing? Or is he a failure for trying, and not succeeding at what he is attempting to do? What did you fail at today?



Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

I used »github.com/marcuswhybrow/minecra···-manager on my server. After running the script I had to run this for it to work right.
sudo chown -R minecraft /dev/shm/msm
If you have any further questions start a new thread and I'll see if I can be of help.



Snakeoil
Ignore Button. The coward's feature.
Premium
join:2000-08-05
Mentor, OH
kudos:1

k.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA
Reviews:
·PHONE POWER
·Comcast

reply to InTheKnow

said by InTheKnow:

IF (big IF here, I know your views on Java) you are using a vulnerable version of Java instanced, and it dropped a connect-back shell or egress script, how would you know it?

Yep. You would not, unless you noticed your machine doing unusual things. Or your firewall logging unusual behavior. I forget that my home network isn't run by an average user, and isn't set up like an average home network.

But then, if I'm an average home user I should not need to access enterprise Java apps in my browser. So I should have long ago killed off Java in my browsers.
--
My place : »www.schettino.us


EUS
Kill cancer
Premium
join:2002-09-10
canada
Reviews:
·voip.ms

said by JohnInSJ:

But then, if I'm an average home user I should not need to access enterprise Java apps in my browser. So I should have long ago killed off Java in my browsers.

Unfortunately where I live, we regular tax-paying users require Java to interact with our gov's website, so disabling it is a no-go.
--
~ Project Hope ~


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
Reviews:
·PHONE POWER
·Comcast

said by EUS:

said by JohnInSJ:

But then, if I'm an average home user I should not need to access enterprise Java apps in my browser. So I should have long ago killed off Java in my browsers.

Unfortunately where I live, we regular tax-paying users require Java to interact with our gov's website, so disabling it is a no-go.

Java or Javascript?
--
My place : »www.schettino.us


EUS
Kill cancer
Premium
join:2002-09-10
canada

Java.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA

Well that's silly. What .gov sites need Java?
--
My place : »www.schettino.us



EUS
Kill cancer
Premium
join:2002-09-10
canada

A section of our provincial gov't tax reporting website.



InTheKnow

@pnap.net

Oracle has released another update to address this (hooray, or something):

»blogs.oracle.com/security/entry/···ve_20121

For those who like being exploited, don't fret, in a few weeks I'm sure we'll be back to the same level of vulnerability.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA
Reviews:
·PHONE POWER
·Comcast

reply to EUS

said by EUS:

A section of our provincial gov't tax reporting website.

Oh Canada! Well, I would wall that sucker off for sure.
--
My place : »www.schettino.us

© 1999-2013 dslreports.com.