Last Comment Bug 780717 - Blocklist Java versions affected by CVE-2012-1723
: Blocklist Java versions affected by CVE-2012-1723
Status: RESOLVED FIXED
: qawanted, sec-critical, sec-vector
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
: unspecified
: x86 All
: -- normal with 1 vote (vote)
: ---
Assigned To: Jorge Villalobos [:jorgev]
: juan becerra [:juanb]
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-06 14:08 PDT by Daniel Veditz [:dveditz]
Modified: 2016-07-01 04:36 PDT (History)
24 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Daniel Veditz [:dveditz] 2012-08-06 14:08:42 PDT
In June Oracle released Java updates (Java 7 update 5, Java 6 update 33, etc) and announced flaw CVE-2012-1723. An exploit for this bug was added to the BlackHole exploit kit in July and has also been added to Metasploit for others to use.

Encounters with this new exploit have already surpassed those written against the previous version we blocklisted.

http://blogs.technet.com/b/mmpc/archive/2012/08/01/the-rise-of-a-new-java-vulnerability-cve-2012-1723.aspx

Blocklisting this version is a no-brainer in terms of user safety, though I do recognize that deciding the trade-off in user angst is not quite as simple as I'd like. The graph in the Microsoft article linked above is alarming though.
Comment 1 Jorge Villalobos [:jorgev] 2012-08-06 16:31:18 PDT
The block is now staged for Windows and Linux:
https://addons-dev.allizom.org/en-US/firefox/blocked/p115

I need QA to confirm that this softblocks the plugin for versions 1.6.0_32 and lower, and versions between 1.7.0 and 1.7.0_4.

I also need someone to look up with version of the Mac OS X plugin corresponds to 1.6.0_33 (should be the latest one).
Comment 2 juan becerra [:juanb] 2012-08-06 18:00:40 PDT
The blocklist.xml files get updated with the p115 entry, but I haven't been able to trigger the softblock dialog.

The version designations are a little confusing. When I install version 1.7.0_4, for example, I see this version listed in about:plugins

    File: npjp2.dll
    Version: 10.4.0.20
    Next Generation Java Plug-in 10.4.0 for Mozilla browsers

That doesn't trigger a softblock dialog.

I tried installing older versions like 6.0.300.12 but that also did not trigger a softblock dialog.

The latest version of the Java Applet Plugin for Mac OS X is 14.3.0 (1.6.0_33).
Comment 3 Jorge Villalobos [:jorgev] 2012-08-08 14:41:48 PDT
We need the correlations between JRE version and plugin version for Windows and Linux, for JRE version 1.6.0_33 and 1.7.0_5. I also need the following information from about:plugins : Name, File, Version and Description (don't need anything from the MIME type table).

I asked Kev to ask this info from Oracle, but I don't expect a quick response. Juan, can you help me with this?
Comment 4 Kris Maglione [:kmag] 2012-08-09 11:59:06 PDT
Linux:

Java(TM) Plug-in 1.6.0_33

    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.7.0_05

    File: libnpjp2.so
    Version: 
    Java plug-in for NPAPI-based browsers.
Comment 5 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-09 12:48:29 PDT
Using Ubuntu 12.04's Software Centre there are three versions of the Java Runtime available:
 * OpenJDK Java 7 Runtime -> results in no registered Firefox plugin
 * OpenJDK Java 6 Runtime -> results in no registered Firefox plugin
 * Icedtea Java Plugin -> results in "IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.1))"

I'm not sure about trying to manually force the use of a binary downloaded from Oracle. I suspect most Ubuntu users are using one of the Software Centre provided versions.
Comment 6 Kris Maglione [:kmag] 2012-08-09 12:56:46 PDT
We're not trying to force the use of plugins manually downloaded from Oracle, we're trying to block them. I'm not entirely sure why we're not blocking OpenJDK, other than it's known to cause headaches.
Comment 7 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-09 13:05:31 PDT
Okay, so it sounds like the ask here is to get the about:plugin registrations for manually installed Oracle JRE binaries?
Comment 8 Jorge Villalobos [:jorgev] 2012-08-09 13:09:22 PDT
We're missing the info for Windows at the moment. For Linux the situation is more complicated because of the different Java distributions, and last time it was a big headache because the JRE number didn't necessarily match the plugin number or security patches. Having the info for the Oracle plugin is good enough.
Comment 9 Kris Maglione [:kmag] 2012-08-09 13:12:06 PDT
Not necessarily manually installed. Enterprisy systems tend to use the Sun JRE. SuSE does, and RHEL almost certainly does as well.
Comment 10 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-09 13:16:28 PDT
(In reply to Kris Maglione [:kmag] from comment #9)
> Not necessarily manually installed. Enterprisy systems tend to use the Sun
> JRE. SuSE does, and RHEL almost certainly does as well.

Yes, but Ubuntu doesn't and that's what I have readily available. It's probably a quicker turnaround if I can figure out how to manually install those binaries in Ubuntu than acquiring and installing SUSE or RHEL and trying to get older plugin versions installed via their package managers.
Comment 11 Kris Maglione [:kmag] 2012-08-09 13:19:24 PDT
If you need to install them, download the non-RPM sfx from here:

http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html

and the tarball from here:

http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

then symlink lib/amd64/libnpjp2.so from each of them in turn to ~/.mozilla/plugins/
Comment 12 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-09 13:53:13 PDT
Thanks Kris, here are my results:
 * Java 7u5 -> Java(TM) Plug-in 1.7.0_05
 * Java 7u4 -> Java(TM) Plug-in 1.7.0_04
 * Java 7u3 -> Java(TM) Plug-in 1.7.0_03
 * Java 6u33 -> Java(TM) Plug-in 1.6.0_33
 * Java 6u32 -> Java(TM) Plug-in 1.6.0_32
 * Java 6u31 -> Java(TM) Plug-in 1.6.0_31

It looks like the naming convention is pretty standard across Oracle Java versions...
Java(TM) Plug-in %majorversion%_%minorversion%
Comment 13 Jorge Villalobos [:jorgev] 2012-08-09 15:08:51 PDT
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #12)
> It looks like the naming convention is pretty standard across Oracle Java
> versions...
> Java(TM) Plug-in %majorversion%_%minorversion%

Is this the name (top line in about:plugins) or the description? How does this relate to comment #2?
Comment 14 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-09 15:19:20 PDT
It's the top-line item. Here is the more detailed results (excluding table of mime-type bindings):

Java(TM) Plug-in 1.7.0_05
    File: libnpjp2.so
    Version: 
    Java plug-in for NPAPI-based browsers.

Java(TM) Plug-in 1.7.0_04
    File: libnpjp2.so
    Version: 
    Java plug-in for NPAPI-based browsers.

Java(TM) Plug-in 1.7.0_03
    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.6.0_33
    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.6.0_32
    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.

Java(TM) Plug-in 1.6.0_31
    File: libnpjp2.so
    Version: 
    The next generation Java plug-in for Mozilla browsers.
Comment 15 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-09 15:20:07 PDT
...and just in case it's useful, here is the same for Icedtea:

IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.1))
    File: IcedTeaPlugin.so
    Version: 
    The IcedTea-Web Plugin executes Java applets.
Comment 16 Jorge Villalobos [:jorgev] 2012-08-09 15:28:37 PDT
OK, thank you all.

I have updated the block on staging, so now I need some QA as explained in comment #1.

The Windows and Linux block is:
https://addons-dev.allizom.org/en-US/firefox/blocked/p115

And the Mac OS X block is:
https://addons-dev.allizom.org/en-US/firefox/blocked/p119
Comment 17 juan becerra [:juanb] 2012-08-09 16:40:46 PDT
These are the version numbers that appear in Firefox about:plugins on Windows XP:

Java(TM) Platform SE 6 U27

    File: npjp2.dll
    Version: 6.0.270.7
    Next Generation Java Plug-in 1.6.0_27 for Mozilla browsers

Java(TM) Platform SE 6 U29

    File: npjp2.dll
    Version: 6.0.290.11
    Next Generation Java Plug-in 1.6.0_29 for Mozilla browsers

Java(TM) Platform SE 6 U30

    File: npjp2.dll
    Version: 6.0.300.12
    Next Generation Java Plug-in 1.6.0_30 for Mozilla browsers

Java(TM) Platform SE 6 U31

    File: npjp2.dll
    Version: 6.0.310.5
    Next Generation Java Plug-in 1.6.0_31 for Mozilla browsers

Java(TM) Platform SE 6 U32

    File: npjp2.dll
    Version: 6.0.320.5
    Next Generation Java Plug-in 1.6.0_32 for Mozilla browsers

Java(TM) Platform SE 6 U33

    File: npjp2.dll
    Version: 6.0.330.5
    Next Generation Java Plug-in 1.6.0_33 for Mozilla browsers


Java(TM) Platform SE 7

    File: npjp2.dll
    Version: 10.0.0.147
    Next Generation Java Plug-in 10.0.0 for Mozilla browsers

Java(TM) Platform SE 7 U1

    File: npjp2.dll
    Version: 10.1.0.8
    Next Generation Java Plug-in 10.1.0 for Mozilla browsers

Java(TM) Platform SE 7 U2

    File: npjp2.dll
    Version: 10.2.0.13
    Next Generation Java Plug-in 10.2.0 for Mozilla browsers

Java(TM) Platform SE 7 U3

    File: npjp2.dll
    Version: 10.3.1.255
    Next Generation Java Plug-in 10.3.1 for Mozilla browsers

Java(TM) Platform SE 7 U4

    File: npjp2.dll
    Version: 10.4.1.255
    Next Generation Java Plug-in 10.4.1 for Mozilla browsers

Java(TM) Platform SE 7 U5

    File: npjp2.dll
    Version: 10.5.1.255
    Next Generation Java Plug-in 10.5.1 for Mozilla browsers
Comment 18 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-09 17:15:35 PDT
I'm not sure why but I can't get any Java plug-ins to register in Firefox on Ubuntu anymore using the steps in comment 11. The staged block also does not appear to be working either. I'm not getting a p115 entry in my blocklist.xml file.
Comment 19 Jorge Villalobos [:jorgev] 2012-08-09 17:20:51 PDT
Are you pointing the blocklist pref to the staging server? (See https://wiki.mozilla.org/Blocklisting/Testing)

Also, the blocks won't work with the plugin descriptions in comment #17, only the ones in comment #14. Sigh...
Comment 20 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-09 17:24:55 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #19)
> Are you pointing the blocklist pref to the staging server? (See
> https://wiki.mozilla.org/Blocklisting/Testing)
> 

Yes. It worked the first time I tried it, but subsequent tests on new profiles are not working. I have no idea why. It's probably something with my system and not your block but I have no way to confirm.

> Also, the blocks won't work with the plugin descriptions in comment #17,
> only the ones in comment #14. Sigh...

Okay, so I would not expect this block to work for anyone on Linux. Do we need a follow up bug / block for comment 17 strings?
Comment 21 Jorge Villalobos [:jorgev] 2012-08-09 17:38:46 PDT
I just updated the blocks.

Linux:
https://addons-dev.allizom.org/en-US/firefox/blocked/p115

Mac OS:
https://addons-dev.allizom.org/en-US/firefox/blocked/p119

Windows:
https://addons-dev.allizom.org/en-US/firefox/blocked/p121

I just split the Windows and Linux blocks since they require different strings. Before testing, make sure you have block p121 in your blocklist.xml, to make sure you have the latest version.

Also, make sure it is a softblock and you can opt-out or enable the plugin after the block is applied.
Comment 22 juan becerra [:juanb] 2012-08-10 14:31:27 PDT
The blocklist is being updated with p121, however in the case of Windows, version 6.0.330.5 (u33) is being softblocked, when I believe it shouldn't.
Comment 23 Jorge Villalobos [:jorgev] 2012-08-10 14:43:04 PDT
You're right. I've made a small correction in the Windows block that should fix the problem. You'll have to give it 15 mins or more to update.
Comment 24 juan becerra [:juanb] 2012-08-10 16:11:33 PDT
This is now working on Windows. I tried with an older version of Java 6 and it was soft blocked. Then I tried the latest version of Java 7 and it was allowed. A similar thing happened with Java 7.

We need to at least spot check Mac and Linux before we're sign this off.
Comment 25 juan becerra [:juanb] 2012-08-10 16:52:25 PDT
I tested this on a Mac machine with an older version of Java (..._31) which is blocklisted in stage, and on a machine which is up-to-date which has the latest version of Java (..._33).
Comment 26 Marcia Knous [:marcia - use ni] 2012-08-10 17:29:33 PDT
Confirming the staged block works as a soft block on Mac 10.5 using Java 1.5.0.30. I was able to enable the plugin fine after the block.

Other lab machines all have the most up to date version of Java for their respective operating systems.
Comment 27 juan becerra [:juanb] 2012-08-10 18:08:56 PDT
I was able to install Java 1.7.0_4 on Ubuntu 64bit, and it showed in the list of plugins in Firefox but no softblock happened. I doubt I installed it correctly, however, as when I went to test it with a sample clock applet, the application crashed. If anyone could give it a try, please let me know.
Comment 28 Jorge Villalobos [:jorgev] 2012-08-10 22:34:06 PDT
Is it Java distributed by Oracle, or the one you get from the package manager? We're only blocking the former.
Comment 29 juan becerra [:juanb] 2012-08-13 09:27:36 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #28)
> Is it Java distributed by Oracle, or the one you get from the package
> manager? We're only blocking the former.

I used the one distributed by Oracle. I'll give it another try this morning.
Comment 30 juan becerra [:juanb] 2012-08-13 16:07:37 PDT
I've been trying to enable Java on a couple of Ubuntu machines using documentation in the Oracle site, but I haven't had any luck getting the plugin to work, so I haven't been able to see the blocklist in action in Linux.
Comment 31 Jorge Villalobos [:jorgev] 2012-08-14 09:36:37 PDT
Kris tested on Linux and the results were as expected.

The block is now in place:

https://addons.mozilla.org/en-US/firefox/blocked/p119 (Linux; only Oracle plugin)
https://addons.mozilla.org/en-US/firefox/blocked/p123 (Mac OS)
https://addons.mozilla.org/en-US/firefox/blocked/p125 (Windows)

Questions and comments should go in the blog post:

https://blog.mozilla.org/addons/2012/08/14/new-java-blocklist/
Comment 32 juan becerra [:juanb] 2012-08-14 13:38:01 PDT
I've tested this in production and the block list has been updated, and it worked on XP with a spot check of Java 1.7.0_4 (softblocked) and 1.7.0_6 (allowed).

Note You need to log in before you can comment on or make changes to this bug.