Results 1 to 8 of 8

Thread: Java zero-day exploit - how to install in Ubuntu?

  1. #1
    Join Date
    Mar 2006
    Location
    Rumplestiltskin, Cal.
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Java zero-day exploit - how to install in Ubuntu?

    If you have been keeping up with "tech" a Java zero day exploit (0 day) has been "in the wild" and only reported about 7 days ago.

    Oracle/Java has release a patch for it at:

    http://www.oracle.com/technetwork/to...1-1835715.html

    but gives NO instructions for Linux and/or Ubuntu installation.

    Windows has an "update" feature that would do the patch. Does Ubuntu? I am completely unskilled in Java.

    Any suggestions appreciated.
    AMD Athlon II X4 620, 4gig ddr2-800, m/b MSI K9N6PGM2, 1T SATA, EVGA 9500GT, Canon MB2320 all-in-one, LG DVD-rom GSA-H55N

  2. #2
    Join Date
    Nov 2009
    Location
    Lake Wales Florida
    Beans
    607
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Java zero-day exploit - how to install in Ubuntu?

    Quote Originally Posted by Mark_in_Hollywood View Post
    If you have been keeping up with "tech" a Java zero day exploit (0 day) has been "in the wild" and only reported about 7 days ago.

    Oracle/Java has release a patch for it at:

    http://www.oracle.com/technetwork/to...1-1835715.html

    but gives NO instructions for Linux and/or Ubuntu installation.

    Windows has an "update" feature that would do the patch. Does Ubuntu? I am completely unskilled in Java.

    Any suggestions appreciated.
    Sun Java JRE (Easy Linux tips project)
    AMD FX-6200 - MSI 4.1Ghz- Nvidia GTX550Ti -12/GIG - 60GB-SSD/500 Sata - 12.04 - Gnome 3

  3. #3
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Java zero-day exploit - how to install in Ubuntu?

    The easy linux tips method will work. However, it will require you to be aware of when updates come out and reinstall each time.

    Please see the Java wiki in my signature. In the "Oracle Java 7" section, under "Command line methods", see the link "Using webupd8.org's strikingly simple method".

    This will automatically update Oracle Java 7 as Oracle makes updates available.
    The Left Coast Geek * The Community ATI Driver Wiki * Find what you need in the Ubuntu Community wikis

    Don't let the truth get in the way of a good story!
    This universe is crazy. I'm going back to my own.


  4. #4
    Join Date
    Jun 2008
    Location
    Byron, CA, USA
    Beans
    437
    Distro
    Ubuntu 16.04 Xenial Xerus

    Question Re: Java zero-day exploit - how to install in Ubuntu?

    Oracle® having to scramble a patch for JRE 7 didn't particularly surprise me; I've yanked Java® Runtime Environment 7 from my Asus® CM1630-06 and can wait, I estimate, until JRE 8 is released. BIG question: Does a similar vulnerability affect OpenJDK™ or IcedTea™? I'd rather not end up double-pwned, especially since I already have a potentially exploitable issue with Kernel 3.2 and its hypersensitivity to inter-package conflicts (see "12.04 shutdown bug").
    Gigabyte® GA-MA78GM-S2HP (AMD® Athlon 64® X2 5600+ MPU, RS780G NB, SB710 SB)
    Audio: ASUS® XONARESSENCESTX/A (PCIe, C-Media® CMI-8788 via PCIe-PCI bridge)

  5. #5
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Java zero-day exploit - how to install in Ubuntu?

    Red Hat has confirmed that the vulnerability was present in OpenJDK. So, yes. OpenJDK was affected. Oracle Java 7, OpenJDK 7 and IBM Java 7 were all vulnerable.
    The Left Coast Geek * The Community ATI Driver Wiki * Find what you need in the Ubuntu Community wikis

    Don't let the truth get in the way of a good story!
    This universe is crazy. I'm going back to my own.


  6. #6
    Join Date
    Mar 2006
    Location
    Rumplestiltskin, Cal.
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Java zero-day exploit - how to install in Ubuntu?

    Thanks, everyone. I looked at the "strikingly simple method" and wish Linux had the ease of Windows for once. In my Win7 calling Java and then clicking update was all that was needed.

    MEANWHILE: I found that OpenDNS blocks that exploit. OpenDNS uses their own DNS router numbers and I've changed my router to use theirs.

    You can inform yourself about that here:

    http://blog.opendns.com/2012/08/31/java-0-day-details/

    what follows this line is some of the text of that blog:


    Java 0-Day Details

    by Dan Hubbard, CTO on Aug 31st, 2012

    Earlier this week, the security community learned that CVE-2012-4681, a recent Java-based zero-day vulnerability, is being leveraged to attack client machines, and fear it will cause large-scale infections soon. The vulnerability was reportedly discovered about four months ago, but iust became public knowledge last Sunday.

    What does OpenDNS know about this exploit?

    So far we have collected over 200 different domains.
    These domains are hosted on 26 different server IP addresses.
    These servers are located in 7 different countries: Russia (6 locations), US (11 locations), UK (1 location), Germany (3 locations), Luxembourg (2 locations), Hong Kong, and Romania. One server IP in Romania hosts over 80 domains involved with this exploit.

    These domain names all seem to be registered via changeip.com and are likely dynamic DNS domains.

    At the time of writing of this blog, the OpenDNS research team has observed DNS queries to only 23 domains from the 200+ domains identified in the wild. You may observe the traffic spiking in the last few days in the figure below. The remaining domains are not showing any traffic yet, but this may rapidly change as users unknowingly visit these infected domains and their machines will in turn get compromised.

    . . .

    Are you protected against this exploit?
    YES, if you’re currently using OpenDNS to resolve your DNS requests.


    Not using OpenDNS yet? Simply create a free account, choose your router or computer and follow the step-by-step instructions.
    We are collaborating with other security vendors, which are tracking the domains and IPs of malicious servers hosting these exploits.
    Domains and IPs associated with this threat are included in our malware category and are being updated as new sites come online.

    For me, this is the easier way. Again, thank you, Linux Community.
    AMD Athlon II X4 620, 4gig ddr2-800, m/b MSI K9N6PGM2, 1T SATA, EVGA 9500GT, Canon MB2320 all-in-one, LG DVD-rom GSA-H55N

  7. #7
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Java zero-day exploit - how to install in Ubuntu?

    The webupd8 method has the ease of Windows. Once installed (you have to install Java on Windows, too) webupd8's script will automatically update Java as new versions come out when you do your normal Ubuntu updates.

    The OpenDNS statement is terribly misleading and perhaps dangerously irresponsible. The exploit still exists. All OpenDNS might do is stop the particular payload from source IPs in this case. Another payload, delivered via the same vulnerability from other IPs, might do something completely different.

    The vulnerability is in the Java platform itself. This incident is one attack against that vulnerability. OpenDNS has done nothing to address the actual vulnerability.
    Last edited by QIII; September 3rd, 2012 at 05:47 AM.
    The Left Coast Geek * The Community ATI Driver Wiki * Find what you need in the Ubuntu Community wikis

    Don't let the truth get in the way of a good story!
    This universe is crazy. I'm going back to my own.


  8. #8
    Join Date
    Jan 2007
    Beans
    6,542
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Java zero-day exploit - how to install in Ubuntu?

    Quote Originally Posted by Mark_in_Hollywood View Post
    I looked at the "strikingly simple method" and wish Linux had the ease of Windows for once.
    Unless you need to get patched RFN, we have a better method. A Windows system can't actually upgrade third-party software like Java, it relies on the software either having its own updater (running all the time, consuming resources) or the user updating manually.

    We have a package manager that's an integrated part of the system. When a security update is released for a package such as Java your distro will update the repositories and the update will get automatically pushed out to all users. Linux distros can update any package for the vast majority of users within days (a huge percentage will be within 24 hours). Windows just can't match that.

    So if you're willing to wait a little bit for your distro to push out the update, you don't have to lift a finger. Doing the upgrade manually is only necessary if your machine is some critical piece of infrastructure IMO.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •