Oracle's Out-of-Cycle Java Update Closes Two Serious Zero Day Holes

Severity: High

Summary:

• These vulnerabilities affect: Current versions of Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) running on all platforms
• How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
• Impact: In the worst case, an attacker can gain complete control of your computer
• What to do: Install the appropriate  Java update as soon as possible

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Most operating systems today implement a Java interpreter to recognize and process Java code from websites and other sources. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

If you followed my twitter posts this week, you’ve surely heard of the serious new zero day Java exploit, which researchers found in the wild last weekend. First discovered by FireEye, and analysed by Deep End Research, the exploit leverages a previously unknown code execution flaw in Java 1.7 to launch drive-by download attacks. Worse yet, some underground criminal exploit kits, like Blackhole, have already added the zero day flaw to their arsenal. Even Metasploit, the popular penetration testing tool, has a working version of the exploit. Later in the week, researchers also pointed out a second vulnerability.

Typically, Oracle follows a quarterly patch cycle, which would have placed their next update two month from now. However, in an unprecedented move, Oracle has released an out-of-cycle update to fix this extremely dangerous zero day flaw, as well as two others.

According to Oracle’s alert and blog post, all three of the corrected vulnerabilities received a base CVSS score of 10.0, the most severe rating. They all allow attackers to execute code, are easily exploitable, very reliable, and often give attackers full control of victim machines. Furthermore, many attackers are already exploiting them in the wild. If you use Java, I highly recommend you apply Oracle’s emergency update immediately. In fact, if you don’t need Java, I suggest you remove it from your computer.

Solution Path:

Oracle has released JRE and JDK updates to correct these issues. If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the  updates in the Patch Table section of Oracle’s alert.

Furthermore, attackers have heavily targeted Java lately in their exploit frameworks. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading Java applets from websites. However, doing so also cripples legitimate websites using Java applets. If you do not want to block Java applets, download the appropriate Java updates as soon as possible. Furthermore, blocking Java applets may mitigate the risk of some of these attacks, but not all of them. Oracle’s update is the best solution.

To learn how to use your Firebox’s HTTP proxy to block Java applets, see the “Deny Java Applets” section of the HTTP Proxy Advanced FAQ.

Also, WatchGuard is working to provide IPS signatures for all these Java exploits. Our IPS system already blocks the Metasploit variant of this attack with one of our generic Metasploit Java shellcode signatures. If you have our security services, be sure to enable IPS.

Finally, Gateway antivirus can also help you prevent these sorts of Java attacks. WatchGuard leverages two Best-in-Class AV providers in our security appliances–Kaspersky and AVG. According to a recent test by AV-Comparitives, only nine out of 22 AV providers actually detect the public versions of these exploits. Both AVG and Kaspersky are on the lists of engines that do catch them.

Status:

Oracle has issued updates to correct these issues.

References:

• Oracle’s Out-of-Cycle Java Security Advisory

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

What did you think of this alert? Let us know at [email protected].

Need help with the jargon? Try the LiveSecurity Online Glossary.

Share This: