Last week, I posted an alert about some highly critical flaws in Oracle Java; especially one in particular (CVE-2012-4681), which attackers have aggressively exploited in the wild. If an attacker can lure you to a web page or link containing malicious Java content, he can exploit these flaws to execute code on your computer, potentially gaining complete control of it. Oracle released an out-of-cycle update last week to fix this vulnerability, and two others.
This week brings two new updates to this critical Java vulnerability story.
First, and most importantly, Apple has released Java updates for OS X, which fix these vulnerabilities. Technically, OS X is not vulnerable to the primary exploit (CVE-2012-4681) that made all the headlines last week. That particular flaw only affects Java 1.7, and OS X ships with Java 1.6. However, OS X machines do suffer from the two other serious flaws Oracle corrected. This OS X update fixes those two flaws. If you manage OS X Snow Leopard, Lion, or Mountain Lion computers, download and install Apple’s Java updates, or let the Automatic Updater do it for you.
Second, the Polish researchers who originally warned Oracle of some of these Java flaws have claimed that Oracle’s newly released update introduces even more vulnerabilities. In a Bugtraq post, a researcher from Security Explorations warns that the latest Java update introduces a new Java sandbox bypass vulnerability. This sandbox bypass flaw makes other, less exploitable Java flaws much more exploitable. The good news is that Security Explorations has withheld the details of these new issues until Oracle patches them. So unlike the zero-day vulnerability from last week, attackers are not exploiting this new issue yet. Nonetheless, using Java is risky. If you have no business purpose for Java, I recommend disabling it if you can.
Finally, a quick update for WatchGuard XTM appliance users. In my original advisory, I mentioned that we had both IPS and GAV signatures that will block many of these exploits. I just wanted to add that our latest IPS update (signature set v4.232) has added six more signatures that protect against CVE-2012-4681 exploits. If you have a WatchGuard XTM appliance with the UTM bundle, you are fairly well protected against this flaw (but you should still patch). — Corey Nachreiner, CISSP (@SecAdept)