Closed Bug 780717 Opened 12 years ago Closed 12 years ago

Blocklist Java versions affected by CVE-2012-1723

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dveditz, Assigned: jorgev)

Details

(Keywords: qawanted, sec-critical, sec-vector) 

In June Oracle released Java updates (Java 7 update 5, Java 6 update 33, etc) and announced flaw CVE-2012-1723. An exploit for this bug was added to the BlackHole exploit kit in July and has also been added to Metasploit for others to use.

Encounters with this new exploit have already surpassed those written against the previous version we blocklisted.

http://blogs.technet.com/b/mmpc/archive/2012/08/01/the-rise-of-a-new-java-vulnerability-cve-2012-1723.aspx

Blocklisting this version is a no-brainer in terms of user safety, though I do recognize that deciding the trade-off in user angst is not quite as simple as I'd like. The graph in the Microsoft article linked above is alarming though.
QA Contact: jbecerra
The block is now staged for Windows and Linux:
https://addons-dev.allizom.org/en-US/firefox/blocked/p115

I need QA to confirm that this softblocks the plugin for versions 1.6.0_32 and lower, and versions between 1.7.0 and 1.7.0_4.

I also need someone to look up with version of the Mac OS X plugin corresponds to 1.6.0_33 (should be the latest one).
Assignee: nobody → jorge
The blocklist.xml files get updated with the p115 entry, but I haven't been able to trigger the softblock dialog.

The version designations are a little confusing. When I install version 1.7.0_4, for example, I see this version listed in about:plugins

    File: npjp2.dll
    Version: 10.4.0.20
    Next Generation Java Plug-in 10.4.0 for Mozilla browsers

That doesn't trigger a softblock dialog.

I tried installing older versions like 6.0.300.12 but that also did not trigger a softblock dialog.

The latest version of the Java Applet Plugin for Mac OS X is 14.3.0 (1.6.0_33).
We need the correlations between JRE version and plugin version for Windows and Linux, for JRE version 1.6.0_33 and 1.7.0_5. I also need the following information from about:plugins : Name, File, Version and Description (don't need anything from the MIME type table).

I asked Kev to ask this info from Oracle, but I don't expect a quick response. Juan, can you help me with this?
Linux:

Java(TM) Plug-in 1.6.0_33

    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.7.0_05

    File: libnpjp2.so
    Version: 
    Java plug-in for NPAPI-based browsers.
Using Ubuntu 12.04's Software Centre there are three versions of the Java Runtime available:
 * OpenJDK Java 7 Runtime -> results in no registered Firefox plugin
 * OpenJDK Java 6 Runtime -> results in no registered Firefox plugin
 * Icedtea Java Plugin -> results in "IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.1))"

I'm not sure about trying to manually force the use of a binary downloaded from Oracle. I suspect most Ubuntu users are using one of the Software Centre provided versions.
We're not trying to force the use of plugins manually downloaded from Oracle, we're trying to block them. I'm not entirely sure why we're not blocking OpenJDK, other than it's known to cause headaches.
Okay, so it sounds like the ask here is to get the about:plugin registrations for manually installed Oracle JRE binaries?
We're missing the info for Windows at the moment. For Linux the situation is more complicated because of the different Java distributions, and last time it was a big headache because the JRE number didn't necessarily match the plugin number or security patches. Having the info for the Oracle plugin is good enough.
Not necessarily manually installed. Enterprisy systems tend to use the Sun JRE. SuSE does, and RHEL almost certainly does as well.
(In reply to Kris Maglione [:kmag] from comment #9)
> Not necessarily manually installed. Enterprisy systems tend to use the Sun
> JRE. SuSE does, and RHEL almost certainly does as well.

Yes, but Ubuntu doesn't and that's what I have readily available. It's probably a quicker turnaround if I can figure out how to manually install those binaries in Ubuntu than acquiring and installing SUSE or RHEL and trying to get older plugin versions installed via their package managers.
If you need to install them, download the non-RPM sfx from here:

http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html

and the tarball from here:

http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

then symlink lib/amd64/libnpjp2.so from each of them in turn to ~/.mozilla/plugins/
Thanks Kris, here are my results:
 * Java 7u5 -> Java(TM) Plug-in 1.7.0_05
 * Java 7u4 -> Java(TM) Plug-in 1.7.0_04
 * Java 7u3 -> Java(TM) Plug-in 1.7.0_03
 * Java 6u33 -> Java(TM) Plug-in 1.6.0_33
 * Java 6u32 -> Java(TM) Plug-in 1.6.0_32
 * Java 6u31 -> Java(TM) Plug-in 1.6.0_31

It looks like the naming convention is pretty standard across Oracle Java versions...
Java(TM) Plug-in %majorversion%_%minorversion%
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #12)
> It looks like the naming convention is pretty standard across Oracle Java
> versions...
> Java(TM) Plug-in %majorversion%_%minorversion%

Is this the name (top line in about:plugins) or the description? How does this relate to comment #2?
It's the top-line item. Here is the more detailed results (excluding table of mime-type bindings):

Java(TM) Plug-in 1.7.0_05
    File: libnpjp2.so
    Version: 
    Java plug-in for NPAPI-based browsers.

Java(TM) Plug-in 1.7.0_04
    File: libnpjp2.so
    Version: 
    Java plug-in for NPAPI-based browsers.

Java(TM) Plug-in 1.7.0_03
    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.6.0_33
    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.6.0_32
    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.6.0_31
    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.
...and just in case it's useful, here is the same for Icedtea:

IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.1))
    File: IcedTeaPlugin.so
    Version: 
    The IcedTea-Web Plugin executes Java applets.
OK, thank you all.

I have updated the block on staging, so now I need some QA as explained in comment #1.

The Windows and Linux block is:
https://addons-dev.allizom.org/en-US/firefox/blocked/p115

And the Mac OS X block is:
https://addons-dev.allizom.org/en-US/firefox/blocked/p119
Keywords: qawanted
These are the version numbers that appear in Firefox about:plugins on Windows XP:

Java(TM) Platform SE 6 U27

    File: npjp2.dll
    Version: 6.0.270.7
    Next Generation Java Plug-in 1.6.0_27 for Mozilla browsers

Java(TM) Platform SE 6 U29

    File: npjp2.dll
    Version: 6.0.290.11
    Next Generation Java Plug-in 1.6.0_29 for Mozilla browsers

Java(TM) Platform SE 6 U30

    File: npjp2.dll
    Version: 6.0.300.12
    Next Generation Java Plug-in 1.6.0_30 for Mozilla browsers

Java(TM) Platform SE 6 U31

    File: npjp2.dll
    Version: 6.0.310.5
    Next Generation Java Plug-in 1.6.0_31 for Mozilla browsers

Java(TM) Platform SE 6 U32

    File: npjp2.dll
    Version: 6.0.320.5
    Next Generation Java Plug-in 1.6.0_32 for Mozilla browsers

Java(TM) Platform SE 6 U33

    File: npjp2.dll
    Version: 6.0.330.5
    Next Generation Java Plug-in 1.6.0_33 for Mozilla browsers


Java(TM) Platform SE 7

    File: npjp2.dll
    Version: 10.0.0.147
    Next Generation Java Plug-in 10.0.0 for Mozilla browsers

Java(TM) Platform SE 7 U1

    File: npjp2.dll
    Version: 10.1.0.8
    Next Generation Java Plug-in 10.1.0 for Mozilla browsers

Java(TM) Platform SE 7 U2

    File: npjp2.dll
    Version: 10.2.0.13
    Next Generation Java Plug-in 10.2.0 for Mozilla browsers

Java(TM) Platform SE 7 U3

    File: npjp2.dll
    Version: 10.3.1.255
    Next Generation Java Plug-in 10.3.1 for Mozilla browsers

Java(TM) Platform SE 7 U4

    File: npjp2.dll
    Version: 10.4.1.255
    Next Generation Java Plug-in 10.4.1 for Mozilla browsers

Java(TM) Platform SE 7 U5

    File: npjp2.dll
    Version: 10.5.1.255
    Next Generation Java Plug-in 10.5.1 for Mozilla browsers
I'm not sure why but I can't get any Java plug-ins to register in Firefox on Ubuntu anymore using the steps in comment 11. The staged block also does not appear to be working either. I'm not getting a p115 entry in my blocklist.xml file.
Are you pointing the blocklist pref to the staging server? (See https://wiki.mozilla.org/Blocklisting/Testing)

Also, the blocks won't work with the plugin descriptions in comment #17, only the ones in comment #14. Sigh...
(In reply to Jorge Villalobos [:jorgev] from comment #19)
> Are you pointing the blocklist pref to the staging server? (See
> https://wiki.mozilla.org/Blocklisting/Testing)
> 

Yes. It worked the first time I tried it, but subsequent tests on new profiles are not working. I have no idea why. It's probably something with my system and not your block but I have no way to confirm.

> Also, the blocks won't work with the plugin descriptions in comment #17,
> only the ones in comment #14. Sigh...

Okay, so I would not expect this block to work for anyone on Linux. Do we need a follow up bug / block for comment 17 strings?
I just updated the blocks.

Linux:
https://addons-dev.allizom.org/en-US/firefox/blocked/p115

Mac OS:
https://addons-dev.allizom.org/en-US/firefox/blocked/p119

Windows:
https://addons-dev.allizom.org/en-US/firefox/blocked/p121

I just split the Windows and Linux blocks since they require different strings. Before testing, make sure you have block p121 in your blocklist.xml, to make sure you have the latest version.

Also, make sure it is a softblock and you can opt-out or enable the plugin after the block is applied.
The blocklist is being updated with p121, however in the case of Windows, version 6.0.330.5 (u33) is being softblocked, when I believe it shouldn't.
You're right. I've made a small correction in the Windows block that should fix the problem. You'll have to give it 15 mins or more to update.
This is now working on Windows. I tried with an older version of Java 6 and it was soft blocked. Then I tried the latest version of Java 7 and it was allowed. A similar thing happened with Java 7.

We need to at least spot check Mac and Linux before we're sign this off.
I tested this on a Mac machine with an older version of Java (..._31) which is blocklisted in stage, and on a machine which is up-to-date which has the latest version of Java (..._33).
Confirming the staged block works as a soft block on Mac 10.5 using Java 1.5.0.30. I was able to enable the plugin fine after the block.

Other lab machines all have the most up to date version of Java for their respective operating systems.
I was able to install Java 1.7.0_4 on Ubuntu 64bit, and it showed in the list of plugins in Firefox but no softblock happened. I doubt I installed it correctly, however, as when I went to test it with a sample clock applet, the application crashed. If anyone could give it a try, please let me know.
Is it Java distributed by Oracle, or the one you get from the package manager? We're only blocking the former.
(In reply to Jorge Villalobos [:jorgev] from comment #28)
> Is it Java distributed by Oracle, or the one you get from the package
> manager? We're only blocking the former.

I used the one distributed by Oracle. I'll give it another try this morning.
I've been trying to enable Java on a couple of Ubuntu machines using documentation in the Oracle site, but I haven't had any luck getting the plugin to work, so I haven't been able to see the blocklist in action in Linux.
Kris tested on Linux and the results were as expected.

The block is now in place:

https://addons.mozilla.org/en-US/firefox/blocked/p119 (Linux; only Oracle plugin)
https://addons.mozilla.org/en-US/firefox/blocked/p123 (Mac OS)
https://addons.mozilla.org/en-US/firefox/blocked/p125 (Windows)

Questions and comments should go in the blog post:

https://blog.mozilla.org/addons/2012/08/14/new-java-blocklist/
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
I've tested this in production and the block list has been updated, and it worked on XP with a spot check of Java 1.7.0_4 (softblocked) and 1.7.0_6 (allowed).
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.