
Latest Java Update Fixes 40 Vulnerabilities (For Apple Too)

Severity: High

Summary:

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Oracle’s Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

Today, Oracle released a Java update to fix 40 vulnerabilities in the popular web plugin. Oracle doesn’t describe these flaws in much technical detail, but they do share a Risk Matrix, which describes the severity and impact of each flaw. In a nutshell, most of the flaws are remote code execution issues. Furthermore, Oracle assigns a dozen of them the maximum CVSS score of ten. By enticing you to a web site with malicious content, attackers can leverage many of these flaws to execute code on your computer, with your privileges. If you are an administrator, it’s game over.

Java is very dangerous right now. Attackers are currently leveraging many Java vulnerabilities in the wild. Cyber criminals are even selling Java exploit kits on the underground market. In short, we highly recommend you apply Oracle’s Java update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. Mac users should update Java as well.

Solution Path:

Oracle has released JRE and JDK Update 25 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.
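If you manage more than a handful of machines, it helps to check which ones still run a pre-Update 25 JRE before and after rolling out the patch. The script below is an added example, not part of this alert or WatchGuard’s tooling: it parses the first line of `java -version` output (the `1.<major>.0_<update>` scheme Java 5 through 8 use) and flags a Java 7 install as vulnerable when its update level is below 25, the number this alert gives. It only knows Java 7; the legacy-version update numbers are not stated here, so the table is left for you to fill from Oracle’s Patch Table rather than guessed. The sample outputs are constructed, not captured from real hosts.

```python
import re
import subprocess

# Minimum patched update level per Java major version. Only 7 -> 25 comes from
# this alert; add Java 5/6 entries from Oracle's Patch Table (not guessed here).
PATCHED_UPDATE = {7: 25}

# First line of `java -version`, e.g. 'java version "1.7.0_21"'. A version with
# no _<update> suffix (e.g. "1.7.0") is treated as update 0.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` text, or None if unparseable."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def assess(output, patched=PATCHED_UPDATE):
    """Classify a JRE as 'patched', 'vulnerable', 'unknown-major' or 'unparseable'."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unparseable"
    major, update = parsed
    if major not in patched:
        # A major version we have no patch level for: consult the Patch Table.
        return "unknown-major"
    return "patched" if update >= patched[major] else "vulnerable"


def installed_java_version():
    """Run the local `java -version`; note it prints to stderr. Returns text, or None if absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr + proc.stdout


# Constructed sample outputs (hypothetical hosts) so the check runs offline.
SAMPLES = {
    "host-a": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "host-b": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)\n',
    "host-c": 'java version "1.6.0_45"\n',
    "host-d": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(f"{host}: {assess(text)}")
    local = installed_java_version()
    print("this machine:", "no java found" if local is None else assess(local))
```

On a real fleet you would feed `assess()` the output collected by your inventory or configuration-management tool; a machine reporting `unknown-major` is not safe, it simply needs its own patch level added to the table. A host with no `java` on the path at all is the outcome this alert recommends where you can live without it.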

Remember, attackers have heavily targeted Java lately. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

WatchGuard XTM appliances can often help protect you from these sorts of Java vulnerabilities in a number of ways:

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at lsseditor@watchguard.com.

