Java zero-day exploit - how to install in Ubuntu?

[Mark_in_Hollywood]

If you have been keeping up with "tech" a Java zero day exploit (0 day) has been "in the wild" and only reported about 7 days ago.

Oracle/Java has release a patch for it at:

http://www.oracle.com/technetwork/to...1-1835715.html

but gives NO instructions for Linux and/or Ubuntu installation.

Windows has an "update" feature that would do the patch. Does Ubuntu? I am completely unskilled in Java.

Any suggestions appreciated.

[Bobhuber]

If you have been keeping up with "tech" a Java zero day exploit (0 day) has been "in the wild" and only reported about 7 days ago.

Oracle/Java has release a patch for it at:

http://www.oracle.com/technetwork/to...1-1835715.html

but gives NO instructions for Linux and/or Ubuntu installation.

Windows has an "update" feature that would do the patch. Does Ubuntu? I am completely unskilled in Java.

Any suggestions appreciated.

Sun Java JRE (Easy Linux tips project)

[QIII]

The easy linux tips method will work. However, it will require you to be aware of when updates come out and reinstall each time.

Please see the Java wiki in my signature. In the "Oracle Java 7" section, under "Command line methods", see the link "Using webupd8.org's strikingly simple method".

This will automatically update Oracle Java 7 as Oracle makes updates available.

[bcschmerker]

Oracle® having to scramble a patch for JRE 7 didn't particularly surprise me; I've yanked Java® Runtime Environment 7 from my Asus® CM1630-06 and can wait, I estimate, until JRE 8 is released. BIG question: Does a similar vulnerability affect OpenJDK™ or IcedTea™? I'd rather not end up double-pwned, especially since I already have a potentially exploitable issue with Kernel 3.2 and its hypersensitivity to inter-package conflicts (see "12.04 shutdown bug").

[QIII]

Red Hat has confirmed that the vulnerability was present in OpenJDK. So, yes. OpenJDK was affected. Oracle Java 7, OpenJDK 7 and IBM Java 7 were all vulnerable.

[Mark_in_Hollywood]

Thanks, everyone. I looked at the "strikingly simple method" and wish Linux had the ease of Windows for once. In my Win7 calling Java and then clicking update was all that was needed.

MEANWHILE: I found that OpenDNS blocks that exploit. OpenDNS uses their own DNS router numbers and I've changed my router to use theirs.

You can inform yourself about that here:

http://blog.opendns.com/2012/08/31/java-0-day-details/

what follows this line is some of the text of that blog:


Java 0-Day Details

by Dan Hubbard, CTO on Aug 31st, 2012

Earlier this week, the security community learned that CVE-2012-4681, a recent Java-based zero-day vulnerability, is being leveraged to attack client machines, and fear it will cause large-scale infections soon. The vulnerability was reportedly discovered about four months ago, but iust became public knowledge last Sunday.

What does OpenDNS know about this exploit?

So far we have collected over 200 different domains.
These domains are hosted on 26 different server IP addresses.
These servers are located in 7 different countries: Russia (6 locations), US (11 locations), UK (1 location), Germany (3 locations), Luxembourg (2 locations), Hong Kong, and Romania. One server IP in Romania hosts over 80 domains involved with this exploit.

These domain names all seem to be registered via changeip.com and are likely dynamic DNS domains.

At the time of writing of this blog, the OpenDNS research team has observed DNS queries to only 23 domains from the 200+ domains identified in the wild. You may observe the traffic spiking in the last few days in the figure below. The remaining domains are not showing any traffic yet, but this may rapidly change as users unknowingly visit these infected domains and their machines will in turn get compromised.

. . .

Are you protected against this exploit?
YES, if you’re currently using OpenDNS to resolve your DNS requests.

Not using OpenDNS yet? Simply create a free account, choose your router or computer and follow the step-by-step instructions.
We are collaborating with other security vendors, which are tracking the domains and IPs of malicious servers hosting these exploits.
Domains and IPs associated with this threat are included in our malware category and are being updated as new sites come online.

For me, this is the easier way. Again, thank you, Linux Community.

[QIII]

The webupd8 method has the ease of Windows. Once installed (you have to install Java on Windows, too) webupd8's script will automatically update Java as new versions come out when you do your normal Ubuntu updates.

The OpenDNS statement is terribly misleading and perhaps dangerously irresponsible. The exploit still exists. All OpenDNS might do is stop the particular payload from source IPs in this case. Another payload, delivered via the same vulnerability from other IPs, might do something completely different.

The vulnerability is in the Java platform itself. This incident is one attack against that vulnerability. OpenDNS has done nothing to address the actual vulnerability.

[Paqman]

I looked at the "strikingly simple method" and wish Linux had the ease of Windows for once.

Unless you need to get patched RFN, we have a better method. A Windows system can't actually upgrade third-party software like Java, it relies on the software either having its own updater (running all the time, consuming resources) or the user updating manually.

We have a package manager that's an integrated part of the system. When a security update is released for a package such as Java your distro will update the repositories and the update will get automatically pushed out to all users. Linux distros can update any package for the vast majority of users within days (a huge percentage will be within 24 hours). Windows just can't match that.

So if you're willing to wait a little bit for your distro to push out the update, you don't have to lift a finger. Doing the upgrade manually is only necessary if your machine is some critical piece of infrastructure IMO.