Severity: High
Summary:
- These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 11 and earlier, on all platforms
- How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
- Impact: In the worst case, an attacker can gain complete control of your computer
- What to do: Install JRE and JDK 7 Update 13
Exposure:
Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Today, many operating systems (OS) implement a Java interpreter to recognize and process Java code from websites and other sources, although some operating systems are beginning to depreciate their Java support for security reasons. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.
This week, Oracle released an out-of-cycle security update that fixes 50 different security vulnerabilities in Java. Though the flaws differ technically, many of them share the same scope and impact. If an attacker can entice you into running specially crafted Java code, either directly or from a booby-trapped web site, he can leverage many of these flaws to execute code on your computer, with your privileges. For Windows users, this typically means the attacker gains full control of your machine.
Oracle rates 26 these Java vulnerabilities with a base CVSS score of 10.0; the most severe rating. Furthermore, attackers are currently leveraging some of these vulnerabilities in the wild. In short, this is an extremely important update for Java users. We highly recommend you apply Oracle’s emergency update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.
In related news, Apple has also released a Java update for OS X. However, Apple’s update also disables or blocks older versions of Java (6) in your browser. OS X users should also update Java, but be aware the update may prevent you from using some Java content.
Solution Path:
Oracle has released JRE and JDK Update 13 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.
Furthermore, attackers have heavily targeted Java lately in their exploit frameworks. If you do not need Java in your organization, I suggest you remove it.
For All WatchGuard Users:
WatchGuard XTM appliances can help protect you from this Java vulnerability in a number of ways:
- If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
- WatchGuard’s AV partner, AVG, has developed signatures to catch some Java exploits. If you use our Gateway AntiViris (GAV) service, it will protect you from some of these attacks.
- WatchGuard’s signature writers have developed a generic Java signature, which should block some variants of this attack.
- WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.
Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.
Status:
Oracle has issued updates to correct these issues.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)
What did you think of this alert? Let us know at lsseditor@watchguard.com.
Need help with the jargon? Try the LiveSecurity Online Glossary.