
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Another Emergency Java Update Fixes Two New Flaws

March 5, 2013 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 15 and earlier, on all platforms
  • How an attacker exploits them: Typically by luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 17 (or Apple’s OS X update)

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

I’ll keep this short since Oracle has been releasing many Java updates lately. Yesterday, Oracle released yet another emergency Java update to fix two critical vulnerabilities in the popular web plugin. By enticing you to a web site with malicious content, attackers can leverage these flaws to execute code on your computer, with your privileges. If you are an administrator, it’s game over.

Java is very dangerous right now. Attackers are currently leveraging these vulnerabilities in the wild. Other research organizations have also found additional Java vulnerabilities. Cyber criminals are even selling a Java exploit kit on the underground market. In short, this is an extremely important update for Java users. We highly recommend you apply Oracle’s emergency update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. Mac users should update Java as well.

Solution Path:

Oracle has released JRE and JDK Update 17 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Remember, attackers have heavily targeted Java lately. If you do not need Java in your organization, I suggest you remove it.
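Before deploying the update across an organization, it helps to inventory which machines are still on an affected build. The script below is an added example (not Oracle's or WatchGuard's code) that parses the banner printed by `java -version` and classifies it using only what this alert states: JRE/JDK 7 Update 15 and earlier are affected, 7 Update 17 is the fix. It assumes the standard banner format (`java version "1.7.0_15"` on the first line, written to stderr); builds of other Java families are reported as outside the advisory's scope rather than guessed at. The sample banners in `__main__` are constructed.

```python
"""Classify `java -version` output against the Java 7 Update 17 advisory.

Added example; the version thresholds are taken from the alert text and the
sample banners are constructed for illustration.
"""
import re
import subprocess

FIXED_UPDATE = 17          # JRE/JDK 7 Update 17 is the fixed release
AFFECTED_MAX_UPDATE = 15   # 7 Update 15 and earlier are affected

# Matches e.g. java version "1.7.0_15", "1.7.0_17-b02", "1.6.0_41", openjdk version "11.0.2"
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str):
    """Return (family, update) from a `java -version` banner, or None.

    family is the Java platform number (7 for "1.7.0_xx", 11 for "11.0.2");
    update is the numeric update level (0 when the banner has no _NN suffix).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    family = int(minor) if major == "1" else int(major)
    return family, int(update or 0)


def assess(banner: str) -> str:
    """Map a banner to an advisory status string."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown: could not parse version banner"
    family, update = parsed
    if family != 7:
        return f"java {family}: not covered by this advisory; check Oracle's Patch Table"
    if update <= AFFECTED_MAX_UPDATE:
        return f"affected: 7u{update} <= 7u{AFFECTED_MAX_UPDATE}; install 7u{FIXED_UPDATE}"
    if update >= FIXED_UPDATE:
        return f"patched: 7u{update}"
    return f"indeterminate: 7u{update}; compare against Oracle's Patch Table"


def local_java_banner() -> str:
    """Run `java -version` (it prints to stderr) and return its text, or '' if absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banners, plus the local install if one is present.
    samples = [
        'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
        'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
        'java version "1.6.0_41"',
        'openjdk version "11.0.2"',
    ]
    local = local_java_banner()
    if local:
        samples.append(local)
    for s in samples:
        print(assess(s))
```

Run it on each host (or feed it captured banners from a software inventory) and act on anything reported as "affected"; the "indeterminate" branch exists so an unexpected update number is surfaced for a manual check rather than silently treated as patched.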

For All WatchGuard Users:

WatchGuard XTM appliances can often help protect you from these sorts of Java vulnerabilities in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
  • WatchGuard constantly develops AV signatures to catch wild Java exploits. If you use our Gateway AntiVirus (GAV) service, it can protect you from some of these attacks.
  • WatchGuard’s IPS signature writers also develop generic Java signatures, which can block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.
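To make the first bullet concrete, here is an added example (not WatchGuard's proxy code) of the content inspection an "allow no Java applets" rule amounts to: it flags the HTML constructs that instantiate the Java plug-in (`<applet>`, `<object>` with the Java Plug-in CLSID, `<object>`/`<embed>` with `type="application/x-java-applet"`) and HTTP bodies whose Content-Type delivers applet code or JNLP launch files. Because the check keys on the loader, not on what the applet does, it blocks legitimate applets exactly as the bullet warns. The sample page is constructed.

```python
"""Flag HTML and HTTP content that would load a Java applet.

Added example illustrating a block-all-applets proxy rule; the tag
patterns and MIME types are the standard applet-loading constructs and
the sample page below is constructed.
"""
import re

# MIME types that deliver applet code (.jar), an applet body, or a JNLP launch file
JAVA_CONTENT_TYPES = {
    "application/x-java-applet",
    "application/java-archive",
    "application/x-java-jnlp-file",
}

# CLSID of the Java Plug-in ActiveX control used in <object classid="clsid:...">
JAVA_PLUGIN_CLSID = "8AD9C840-044E-11D1-B3E9-00805F499D93"

_TAG_RE = re.compile(r"<(applet|object|embed)\b([^>]*)>", re.IGNORECASE | re.DOTALL)


def find_applet_loaders(html: str) -> list:
    """Return a description of each tag that would instantiate the Java plug-in."""
    findings = []
    for m in _TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2).lower()
        if tag == "applet":
            findings.append("<applet> tag")
        elif JAVA_PLUGIN_CLSID.lower() in attrs:
            findings.append(f"<{tag}> with Java Plug-in classid")
        elif "application/x-java-applet" in attrs:
            findings.append(f"<{tag}> with type application/x-java-applet")
    return findings


def is_java_content_type(content_type_header: str) -> bool:
    """True if an HTTP Content-Type header names a Java applet/JAR/JNLP body."""
    media_type = content_type_header.split(";", 1)[0].strip().lower()
    return media_type in JAVA_CONTENT_TYPES


def proxy_decision(html: str, content_type: str = "text/html") -> str:
    """Mimic a block-all-applets rule: any loader tag or Java body means block."""
    if is_java_content_type(content_type):
        return "block: Java content body"
    hits = find_applet_loaders(html)
    return ("block: " + "; ".join(hits)) if hits else "allow"


if __name__ == "__main__":
    # Constructed sample: an ordinary page that embeds an applet two ways.
    page = """
    <html><body>
    <object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
      <param name="code" value="Main.class">
    </object>
    <embed type="application/x-java-applet" code="Main.class">
    </body></html>
    """
    print(proxy_decision(page))
    print(proxy_decision("<p>plain page</p>"))
    print(proxy_decision("", "application/java-archive"))
```

A real proxy applies the same two checks to the HTML response and to every follow-on request for the applet's .jar/.class resources, so blocking either stage is enough to keep the plug-in from ever receiving the hostile bytecode; the cost is that any business application delivered as an applet is blocked as well, which is why the bullet presents this as an optional policy.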

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

  • Oracle’s Out-of-Cycle March Java Security Advisory

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes Tagged With: Apple, drive-by download, Oracle, sun, Updates and patches, Zero day exploit

Comments

  1. stevebrazill says

    March 5, 2013 at 12:06 pm

    Java again.

    Steve Brazill [email address redacted]

    ____________________________

    Sent from my iPhone (thus the brevity & typos)

    Reply
    • Corey Nachreiner says

      March 5, 2013 at 12:13 pm

      Yeah, tell me about it. I just read this article suggesting that researchers and attackers are finding the flaws at a rate of one per day:

      http://www.infoworld.com/t/java-programming/java-zero-day-holes-appearing-the-rate-of-one-day-213898?,

      As much as I wish we could all strip Java from our systems, it is sometimes a necessary evil though. There are many legitimate programs that need it. Some of our products even use Java. I think you will find many vendors will move off of Java as they can. But for now, it looks like we might have to install a Java update at least a few times a month.

      Cheers

      Reply
  2. Alexander Kushnarev (Rainbow Security) says

    March 5, 2013 at 8:10 pm

    Here is a little IT-verse for Java 🙂

    Patch your Java twice a day
    be secure and don’t obey
    to the hackers, who bring up
    with the Java – 0-day

    Reply
    • Corey Nachreiner says

      March 25, 2013 at 10:37 am

      heh! Classic!

      Reply
