Closed
Bug 780717
Opened 12 years ago
Closed 12 years ago
Blocklist Java versions affected by CVE-2012-1723
Categories
(Toolkit :: Blocklist Policy Requests, defect)
RESOLVED
FIXED
People
(Reporter: dveditz, Assigned: jorgev)
Details
(Keywords: qawanted, sec-critical, sec-vector)
In June Oracle released Java updates (Java 7 update 5, Java 6 update 33, etc) and announced flaw CVE-2012-1723. An exploit for this bug was added to the BlackHole exploit kit in July and has also been added to Metasploit for others to use. Encounters with this new exploit have already surpassed those written against the previous version we blocklisted. http://blogs.technet.com/b/mmpc/archive/2012/08/01/the-rise-of-a-new-java-vulnerability-cve-2012-1723.aspx Blocklisting this version is a no-brainer in terms of user safety, though I do recognize that deciding the trade-off in user angst is not quite as simple as I'd like. The graph in the Microsoft article linked above is alarming though.
Updated•12 years ago
QA Contact: jbecerra
Comment 1•12 years ago

The block is now staged for Windows and Linux: https://addons-dev.allizom.org/en-US/firefox/blocked/p115

I need QA to confirm that this softblocks the plugin for versions 1.6.0_32 and lower, and versions between 1.7.0 and 1.7.0_4. I also need someone to look up which version of the Mac OS X plugin corresponds to 1.6.0_33 (should be the latest one).
Assignee: nobody → jorge
Comment 2•12 years ago

The blocklist.xml files get updated with the p115 entry, but I haven't been able to trigger the softblock dialog. The version designations are a little confusing. When I install version 1.7.0_4, for example, I see this version listed in about:plugins:

File: npjp2.dll
Version: 10.4.0.20
Next Generation Java Plug-in 10.4.0 for Mozilla browsers

That doesn't trigger a softblock dialog. I tried installing older versions like 6.0.300.12 but that also did not trigger a softblock dialog.

The latest version of the Java Applet Plugin for Mac OS X is 14.3.0 (1.6.0_33).
Comment 3•12 years ago

We need the correlations between JRE version and plugin version for Windows and Linux, for JRE versions 1.6.0_33 and 1.7.0_5. I also need the following information from about:plugins: Name, File, Version and Description (don't need anything from the MIME type table). I asked Kev to ask Oracle for this info, but I don't expect a quick response. Juan, can you help me with this?
Comment 4•12 years ago

Linux:

Java(TM) Plug-in 1.6.0_33
File: libnpjp2.so
Version:
The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.7.0_05
File: libnpjp2.so
Version:
Java plug-in for NPAPI-based browsers.

Using Ubuntu 12.04's Software Centre there are three versions of the Java Runtime available:

* OpenJDK Java 7 Runtime -> results in no registered Firefox plugin
* OpenJDK Java 6 Runtime -> results in no registered Firefox plugin
* Icedtea Java Plugin -> results in "IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.1))"

I'm not sure about trying to manually force the use of a binary downloaded from Oracle. I suspect most Ubuntu users are using one of the Software Centre provided versions.
Comment 6•12 years ago
We're not trying to force the use of plugins manually downloaded from Oracle, we're trying to block them. I'm not entirely sure why we're not blocking OpenJDK, other than it's known to cause headaches.
Okay, so it sounds like the ask here is to get the about:plugin registrations for manually installed Oracle JRE binaries?
Comment 8•12 years ago
We're missing the info for Windows at the moment. For Linux the situation is more complicated because of the different Java distributions, and last time it was a big headache because the JRE number didn't necessarily match the plugin number or security patches. Having the info for the Oracle plugin is good enough.
Comment 9•12 years ago
Not necessarily manually installed. Enterprisy systems tend to use the Sun JRE. SuSE does, and RHEL almost certainly does as well.
Comment 10•12 years ago

(In reply to Kris Maglione [:kmag] from comment #9)
> Not necessarily manually installed. Enterprisy systems tend to use the Sun
> JRE. SuSE does, and RHEL almost certainly does as well.

Yes, but Ubuntu doesn't and that's what I have readily available. It's probably a quicker turnaround if I can figure out how to manually install those binaries in Ubuntu than acquiring and installing SUSE or RHEL and trying to get older plugin versions installed via their package managers.
Comment 11•12 years ago

If you need to install them, download the non-RPM sfx from here:
http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html
and the tarball from here:
http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
then symlink lib/amd64/libnpjp2.so from each of them in turn to ~/.mozilla/plugins/
Comment 12•12 years ago

Thanks Kris, here are my results:

* Java 7u5 -> Java(TM) Plug-in 1.7.0_05
* Java 7u4 -> Java(TM) Plug-in 1.7.0_04
* Java 7u3 -> Java(TM) Plug-in 1.7.0_03
* Java 6u33 -> Java(TM) Plug-in 1.6.0_33
* Java 6u32 -> Java(TM) Plug-in 1.6.0_32
* Java 6u31 -> Java(TM) Plug-in 1.6.0_31

It looks like the naming convention is pretty standard across Oracle Java versions... Java(TM) Plug-in %majorversion%_%minorversion%
Comment 13•12 years ago

(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #12)
> It looks like the naming convention is pretty standard across Oracle Java
> versions...
> Java(TM) Plug-in %majorversion%_%minorversion%

Is this the name (top line in about:plugins) or the description? How does this relate to comment #2?
Comment 14•12 years ago

It's the top-line item. Here are the more detailed results (excluding the table of mime-type bindings):

Java(TM) Plug-in 1.7.0_05
File: libnpjp2.so
Version:
Java plug-in for NPAPI-based browsers.

Java(TM) Plug-in 1.7.0_04
File: libnpjp2.so
Version:
Java plug-in for NPAPI-based browsers.

Java(TM) Plug-in 1.7.0_03
File: libnpjp2.so
Version:
The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.6.0_33
File: libnpjp2.so
Version:
The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.6.0_32
File: libnpjp2.so
Version:
The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.6.0_31
File: libnpjp2.so
Version:
The next generation Java plug-in for Mozilla browsers.
Comment 15•12 years ago

...and just in case it's useful, here is the same for Icedtea:

IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.1))
File: IcedTeaPlugin.so
Version:
The IcedTea-Web Plugin executes Java applets.
Comment 16•12 years ago

OK, thank you all. I have updated the block on staging, so now I need some QA as explained in comment #1.

The Windows and Linux block is: https://addons-dev.allizom.org/en-US/firefox/blocked/p115
And the Mac OS X block is: https://addons-dev.allizom.org/en-US/firefox/blocked/p119
Keywords: qawanted
Comment 17•12 years ago

These are the version numbers that appear in Firefox about:plugins on Windows XP:

Java(TM) Platform SE 6 U27
File: npjp2.dll
Version: 6.0.270.7
Next Generation Java Plug-in 1.6.0_27 for Mozilla browsers

Java(TM) Platform SE 6 U29
File: npjp2.dll
Version: 6.0.290.11
Next Generation Java Plug-in 1.6.0_29 for Mozilla browsers

Java(TM) Platform SE 6 U30
File: npjp2.dll
Version: 6.0.300.12
Next Generation Java Plug-in 1.6.0_30 for Mozilla browsers

Java(TM) Platform SE 6 U31
File: npjp2.dll
Version: 6.0.310.5
Next Generation Java Plug-in 1.6.0_31 for Mozilla browsers

Java(TM) Platform SE 6 U32
File: npjp2.dll
Version: 6.0.320.5
Next Generation Java Plug-in 1.6.0_32 for Mozilla browsers

Java(TM) Platform SE 6 U33
File: npjp2.dll
Version: 6.0.330.5
Next Generation Java Plug-in 1.6.0_33 for Mozilla browsers

Java(TM) Platform SE 7
File: npjp2.dll
Version: 10.0.0.147
Next Generation Java Plug-in 10.0.0 for Mozilla browsers

Java(TM) Platform SE 7 U1
File: npjp2.dll
Version: 10.1.0.8
Next Generation Java Plug-in 10.1.0 for Mozilla browsers

Java(TM) Platform SE 7 U2
File: npjp2.dll
Version: 10.2.0.13
Next Generation Java Plug-in 10.2.0 for Mozilla browsers

Java(TM) Platform SE 7 U3
File: npjp2.dll
Version: 10.3.1.255
Next Generation Java Plug-in 10.3.1 for Mozilla browsers

Java(TM) Platform SE 7 U4
File: npjp2.dll
Version: 10.4.1.255
Next Generation Java Plug-in 10.4.1 for Mozilla browsers

Java(TM) Platform SE 7 U5
File: npjp2.dll
Version: 10.5.1.255
Next Generation Java Plug-in 10.5.1 for Mozilla browsers
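The about:plugins strings quoted in comments 14 (Linux) and 17 (Windows) are what a version-range block has to match, and the Windows strings carry the JRE version in a different field than the Linux ones. Comment 22 later shows how easy the boundary is to get wrong (6u33 was soft-blocked when it should have been allowed). As an added example, not code from this bug or from Mozilla's blocklist implementation, the Python below applies the rule from comment 1 (Java 6 up to 6u32 and Java 7 GA through 7u4 are blocked, Oracle plugin only) to constructed entries copied from those comments. The name regexes, the inferred mapping of the Windows Version field (6.0.330.5 is 6u33, 10.4.1.255 is 7u4), and all function names are assumptions of this example; the real block is expressed as XML entries on addons.mozilla.org.

```python
import re
from typing import Dict, List, Optional, Tuple

# Block rule stated in comment 1 of this bug: Oracle Java 6 update 32 and
# lower, and Java 7 GA through update 4, are soft-blocked; 6u33 and 7u5 stay.
MAX_BLOCKED_JAVA6_UPDATE = 32
MAX_BLOCKED_JAVA7_UPDATE = 4

# about:plugins name patterns for the Oracle plugin, as reported in
# comment 14 (Linux) and comment 17 (Windows) of this bug. (Assumed regexes.)
LINUX_NAME = re.compile(r"^Java\(TM\) Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)$")
WINDOWS_NAME = re.compile(r"^Java\(TM\) Platform SE (\d+)(?: U(\d+))?$")

# Windows "Version:" field, e.g. 6.0.330.5 or 10.4.1.255 (comment 17).
WINDOWS_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def jre_version(entry: Dict[str, str]) -> Optional[Tuple[int, int]]:
    """Return (family, update), e.g. (6, 33) or (7, 4), from the plugin name.

    Returns None for anything that is not the Oracle plugin (IcedTea-Web,
    OpenJDK builds), which the bug explicitly leaves unblocked."""
    name = entry["name"]
    m = LINUX_NAME.match(name)
    if m:
        major, minor, _micro, update = (int(x) for x in m.groups())
        # Linux names carry the JRE version string itself: 1.6.0_33 -> (6, 33)
        return (minor, update) if major == 1 else None
    m = WINDOWS_NAME.match(name)
    if m:
        family = int(m.group(1))
        # "Java(TM) Platform SE 7" with no "U" suffix is the GA release (update 0)
        update = int(m.group(2) or 0)
        return family, update
    return None


def version_field_to_jre(version: str) -> Optional[Tuple[int, int]]:
    """Cross-check: derive (family, update) from the Windows Version field.

    Observed in comment 17: Java 6 reports 6.0.<update*10>.<build>
    (6.0.330.5 is 6u33) and Java 7 reports 10.<update>.<micro>.<build>
    (10.4.1.255 is 7u4). The 10.x -> 7ux mapping is inferred from that
    table; it is an assumption of this example, not documented on the page."""
    m = WINDOWS_VERSION.match(version)
    if not m:
        return None
    major, minor, micro, _build = (int(x) for x in m.groups())
    if major == 6:
        return 6, micro // 10
    if major == 10:
        return 7, minor
    return None


def is_blocked(entry: Dict[str, str]) -> bool:
    """Apply the soft-block rule to one about:plugins entry.

    The comparisons are inclusive on the blocked side only, which is exactly
    the boundary that went wrong for 6u33 in comment 22."""
    v = jre_version(entry)
    if v is None:
        return False
    family, update = v
    if family == 6:
        return update <= MAX_BLOCKED_JAVA6_UPDATE
    if family == 7:
        return update <= MAX_BLOCKED_JAVA7_UPDATE
    return False


def classify(entries: List[Dict[str, str]]) -> Dict[str, bool]:
    """Map each plugin name to whether the block applies."""
    return {e["name"]: is_blocked(e) for e in entries}


# Constructed sample entries, copied from the about:plugins output quoted in
# comments 14, 15 and 17 of this bug.
SAMPLE_PLUGINS: List[Dict[str, str]] = [
    {"name": "Java(TM) Plug-in 1.7.0_05", "file": "libnpjp2.so", "version": ""},
    {"name": "Java(TM) Plug-in 1.6.0_32", "file": "libnpjp2.so", "version": ""},
    {"name": "Java(TM) Platform SE 6 U33", "file": "npjp2.dll", "version": "6.0.330.5"},
    {"name": "Java(TM) Platform SE 7 U4", "file": "npjp2.dll", "version": "10.4.1.255"},
    {"name": "Java(TM) Platform SE 7", "file": "npjp2.dll", "version": "10.0.0.147"},
    {"name": "IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.1))",
     "file": "IcedTeaPlugin.so", "version": ""},
]


if __name__ == "__main__":
    for name, blocked in classify(SAMPLE_PLUGINS).items():
        print(f"{'BLOCK' if blocked else 'allow'}  {name}")
```

Running it prints one line per constructed entry: the two Linux entries split (1.6.0_32 blocked, 1.7.0_05 allowed), 6u33 and 7u5-class entries are allowed, 7 GA and 7u4 are blocked, and the IcedTea-Web entry is never matched because it is not the Oracle plugin. The `version_field_to_jre` helper exists so the Windows decision can be checked against a second field, which is the kind of cross-check that would have caught the 6u33 mistake before the block reached QA.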
Comment 18•12 years ago
I'm not sure why but I can't get any Java plug-ins to register in Firefox on Ubuntu anymore using the steps in comment 11. The staged block also does not appear to be working either. I'm not getting a p115 entry in my blocklist.xml file.
Comment 19•12 years ago
Are you pointing the blocklist pref to the staging server? (See https://wiki.mozilla.org/Blocklisting/Testing) Also, the blocks won't work with the plugin descriptions in comment #17, only the ones in comment #14. Sigh...
Comment 20•12 years ago

(In reply to Jorge Villalobos [:jorgev] from comment #19)
> Are you pointing the blocklist pref to the staging server? (See
> https://wiki.mozilla.org/Blocklisting/Testing)

Yes. It worked the first time I tried it, but subsequent tests on new profiles are not working. I have no idea why. It's probably something with my system and not your block but I have no way to confirm.

> Also, the blocks won't work with the plugin descriptions in comment #17,
> only the ones in comment #14. Sigh...

Okay, so I would not expect this block to work for anyone on Linux. Do we need a follow-up bug / block for comment 17 strings?
Comment 21•12 years ago

I just updated the blocks.

Linux: https://addons-dev.allizom.org/en-US/firefox/blocked/p115
Mac OS: https://addons-dev.allizom.org/en-US/firefox/blocked/p119
Windows: https://addons-dev.allizom.org/en-US/firefox/blocked/p121

I just split the Windows and Linux blocks since they require different strings. Before testing, make sure you have block p121 in your blocklist.xml, to make sure you have the latest version. Also, make sure it is a softblock and you can opt-out or enable the plugin after the block is applied.
Comment 22•12 years ago
The blocklist is being updated with p121, however in the case of Windows, version 6.0.330.5 (u33) is being softblocked, when I believe it shouldn't.
Comment 23•12 years ago
You're right. I've made a small correction in the Windows block that should fix the problem. You'll have to give it 15 mins or more to update.
Comment 24•12 years ago

This is now working on Windows. I tried with an older version of Java 6 and it was soft blocked. Then I tried the latest version of Java 7 and it was allowed. A similar thing happened with Java 7. We need to at least spot check Mac and Linux before we sign this off.
Comment 25•12 years ago
I tested this on a Mac machine with an older version of Java (..._31) which is blocklisted in stage, and on a machine which is up-to-date which has the latest version of Java (..._33).
Comment 26•12 years ago
Confirming the staged block works as a soft block on Mac 10.5 using Java 1.5.0.30. I was able to enable the plugin fine after the block. Other lab machines all have the most up to date version of Java for their respective operating systems.
Comment 27•12 years ago
I was able to install Java 1.7.0_4 on Ubuntu 64bit, and it showed in the list of plugins in Firefox but no softblock happened. I doubt I installed it correctly, however, as when I went to test it with a sample clock applet, the application crashed. If anyone could give it a try, please let me know.
Comment 28•12 years ago
Is it Java distributed by Oracle, or the one you get from the package manager? We're only blocking the former.
Comment 29•12 years ago

(In reply to Jorge Villalobos [:jorgev] from comment #28)
> Is it Java distributed by Oracle, or the one you get from the package
> manager? We're only blocking the former.

I used the one distributed by Oracle. I'll give it another try this morning.
Comment 30•12 years ago
I've been trying to enable Java on a couple of Ubuntu machines using documentation in the Oracle site, but I haven't had any luck getting the plugin to work, so I haven't been able to see the blocklist in action in Linux.
Comment 31•12 years ago

Kris tested on Linux and the results were as expected. The block is now in place:

https://addons.mozilla.org/en-US/firefox/blocked/p119 (Linux; only Oracle plugin)
https://addons.mozilla.org/en-US/firefox/blocked/p123 (Mac OS)
https://addons.mozilla.org/en-US/firefox/blocked/p125 (Windows)

Questions and comments should go in the blog post: https://blog.mozilla.org/addons/2012/08/14/new-java-blocklist/
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 32•12 years ago
I've tested this in production and the block list has been updated, and it worked on XP with a spot check of Java 1.7.0_4 (softblocked) and 1.7.0_6 (allowed).
Updated•8 years ago
Product: addons.mozilla.org → Toolkit