• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Critical Oracle (Sun) Java Update Closes 21 Holes

February 16, 2011 By Corey Nachreiner

Severity: High

16 February, 2011

Summary:

  • These vulnerabilities affect: All versions of Sun Java Runtime Environment (JRE) and Java Development Kit (JDK) released before 14 February, running on Windows, Solaris, and Linux platforms
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate JRE (or JDK) update as soon as possible

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Most operating systems today implement a Java interpreter to recognize and process Java code from websites and other sources. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

Yesterday, Oracle released a security alert warning of 21 vulnerabilities that affect all previous versions of Sun JRE (as well as Sun Java SDK) running on Windows, Solaris and Linux platforms. While the vulnerabilities differ quite a bit technically, an attacker can exploit many of them in a similar manner – by enticing your users to a malicious web page containing specially crafted Java. In the worst case, if your users visit such a site, an attacker could leverage some of these Java flaws to execute attack code on your user’s computer. If your user has local administrative privileges, the attacker could potentially leverage these flaws to gain complete control of that user’s machine. Some of the other vulnerabilities allow an attacker to launch Denial of Service attacks or to expose sensitive information on your users’ computer.

Recently, attackers have increasingly targeted new Java vulnerabilities to leverage in their drive-by download attacks. For that reason, we consider this Java update fairly critical. If you have installed Java, which most users have, we recommend you download and install Oracle’s updates as soon as you can.

Solution Path:

Sun has released various JRE and SDK updates to correct these issues. If you use Sun JRE in your network, download and deploy the appropriate updates as soon as possible:

  • JRE and JDK 6.0: Download Update 24

Previous releases of Java have reached end of service life (EOSL) or end of life. For more information about these releases, see this page.

Note: Your Sun JRE client may also automatically inform you of an update. If it does, be sure to let it install this update for you.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading Java applets from websites. However, doing so also cripples legitimate websites using Java applets. If you do not want to block Java applets, download the appropriate Sun JRE updates as soon as possible. Furthermore, blocking Java applets may mitigate the risk of some of these vulnerabilities, but not all of them. Sun’s update is the best solution.

To learn how to use your Firebox’s HTTP proxy to block Java applets, see the “Deny Java Applets” section of the HTTP Proxy Advanced FAQ.

Status:

Sun has issued updates to correct these issues.

References:

  • Oracle’s February 2011 Java Security Advisory
  • Secunia’s Consolidated Java Advisory

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at [email protected].

Need help with the jargon? Try the LiveSecurity Online Glossary.

Share This:

Related

Filed Under: Security Bytes Tagged With: drive-by download, Oracle, sun, Updates and patches

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • US National Cybersecurity Strategy
  • Cybersecurity’s Toll on Mental Health
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Cybersecurity’s Toll on Mental Health
  • Successfully Prosecuting a Russian Hacker
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use