Secplicity - Security Simplified

Powered by WatchGuard Technologies

Oracle's Out-of-Cycle Java Update Closes Two Serious Zero Day Holes

August 31, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: Current versions of Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) running on all platforms
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Java update as soon as possible

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Most operating systems today implement a Java interpreter to recognize and process Java code from websites and other sources. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

If you followed my Twitter posts this week, you’ve surely heard of the serious new zero day Java exploit, which researchers found in the wild last weekend. First discovered by FireEye, and analysed by Deep End Research, the exploit leverages a previously unknown code execution flaw in Java 1.7 to launch drive-by download attacks. Worse yet, some underground criminal exploit kits, like Blackhole, have already added the zero day flaw to their arsenal. Even Metasploit, the popular penetration testing tool, has a working version of the exploit. Later in the week, researchers also pointed out a second vulnerability.

Typically, Oracle follows a quarterly patch cycle, which would have placed their next update two months from now. However, in an unprecedented move, Oracle has released an out-of-cycle update to fix this extremely dangerous zero day flaw, as well as two others.

According to Oracle’s alert and blog post, all three of the corrected vulnerabilities received a base CVSS score of 10.0, the most severe rating. They all allow attackers to execute code, are easily exploitable, very reliable, and often give attackers full control of victim machines. Furthermore, many attackers are already exploiting them in the wild. If you use Java, I highly recommend you apply Oracle’s emergency update immediately. In fact, if you don’t need Java, I suggest you remove it from your computer.

Solution Path:

Oracle has released JRE and JDK updates to correct these issues. If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Furthermore, attackers have heavily targeted Java lately in their exploit frameworks. If you do not need Java in your organization, I suggest you remove it.
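To confirm the update actually reached every machine, the following added example (not part of the original alert and not Oracle or WatchGuard code) sorts hosts by the version banner that `java -version` prints. The hostnames, sample banners and minimum update numbers are constructed placeholders; take the real minimums from the Patch Table in Oracle’s alert.

```python
import re

# Legacy banner format: java version "1.<major>.<minor>_<update>", e.g. "1.7.0_06".
# Note that `java -version` writes this banner to stderr, so capture 2>&1.
BANNER_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

# PLACEHOLDER minimums (major -> first patched update number); NOT real values.
# Replace them with the releases listed in the Patch Table of Oracle's alert.
PLACEHOLDER_MINIMUMS = {7: 10, 6: 40}


def parse_banner(banner):
    """Return (major, update) from `java -version` output, or None if absent."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)  # no "_NN" suffix means update 0


def audit(inventory, minimums):
    """Sort hosts into outdated / current / unknown by their Java banner."""
    report = {"outdated": [], "current": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        parsed = parse_banner(banner)
        if parsed is None or parsed[0] not in minimums:
            # Java not found (possibly removed) or a release line with no listed minimum.
            report["unknown"].append(host)
        elif parsed[1] < minimums[parsed[0]]:
            report["outdated"].append(host)
        else:
            report["current"].append(host)
    return report


# Constructed sample inventory: hostname -> captured `java -version` output.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "ws-02": 'java version "1.7.0_12"',
    "ws-03": 'java version "1.6.0_33"',
    "ws-04": 'java version "1.7.0"',
    "ws-05": "-bash: java: command not found",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY, PLACEHOLDER_MINIMUMS).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual look: they may have had Java removed, or may run a build that does not use the legacy banner format.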

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading Java applets from websites. However, doing so also cripples legitimate websites using Java applets. If you do not want to block Java applets, download the appropriate Java updates as soon as possible. Furthermore, blocking Java applets may mitigate the risk of some of these attacks, but not all of them. Oracle’s update is the best solution.

To learn how to use your Firebox’s HTTP proxy to block Java applets, see the “Deny Java Applets” section of the HTTP Proxy Advanced FAQ.

Also, WatchGuard is working to provide IPS signatures for all these Java exploits. Our IPS system already blocks the Metasploit variant of this attack with one of our generic Metasploit Java shellcode signatures. If you have our security services, be sure to enable IPS.

Finally, Gateway antivirus can also help you prevent these sorts of Java attacks. WatchGuard leverages two Best-in-Class AV providers in our security appliances: Kaspersky and AVG. According to a recent test by AV-Comparatives, only nine out of 22 AV providers actually detect the public versions of these exploits. Both AVG and Kaspersky are on the list of engines that do catch them.

Status:

Oracle has issued updates to correct these issues.

References:

  • Oracle’s Out-of-Cycle Java Security Advisory

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

