Attacks/Breaches
9/6/2012
11:07 AM
50%
50%

Java Still Not Safe, Security Experts Say

Oracle needs to fix holes faster, say some security experts. Leave Java disabled for now, because Oracle's emergency patch is insufficient.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Is Java 7 currently safe to use?

Last week, Oracle released emergency updates to fix zero-day vulnerabilities in Java 7 and Java 6. But in the case of the Java 7 fix, the new version allows an existing flaw--spotted by security researchers and disclosed to Oracle earlier this year--to be exploited to bypass the Java sandbox. In other words, while fixing some flaws, Oracle opened the door to another one.

In light of that situation, multiple security experts said that businesses should continue to temporarily disable all Java use, whenever possible. "There are still not-yet-addressed, serious security issues that affect the most recent version of Java 7," said Adam Gowdiak, CEO and founder of Poland-based Security Explorations, which initially disclosed the exploited vulnerabilities to Oracle in April. "In that context, disabling Java until proper patches are available seems to be an adequate solution," he said via email.

For businesses that absolutely must use Java, he recommended that users "do not access untrusted Web content with Java enabled," and also that they use Web browser extensions such as NoScript for Firefox, which can "implement whitelisting of websites that can run scripts and access Java," meaning that only sites explicitly granted the use of Java will be allowed to run it. Finally, he said, "think of Java 6 as an alternative."

But is Java 6 safe to use? In fact, as noted above, Oracle's emergency patch release also included Java 6 update 35. But unlike the Java 7 update, it doesn't include any known vulnerabilities.

[ Read Java Zero-Day Malware Attack: 6 Facts. ]

Might Windows User Access Control (UAC) settings protect users from Java 7 attacks--for example, if they're logged onto Windows via an account that doesn't enjoy administrator-level rights? Gowdiak said the answer to that question isn't clear, and pointed to a recent Twitter post from a Microsoft employee, which said that "we are working on a Fix It tool now to completely disable java in the browser."

"This might indicate that UAC is not sufficient to block the most serious vulnerabilities that allow for the complete escape of a Java security sandbox," Gowdiak said. "In such a case, attackers might be able to execute code with the permissions of a user that started a Web browser process--[or] the container for a Java plug-in." In other words, with Microsoft working to make it easier to remove Java from Internet Explorer, don't trust UAC to block Java exploits.

But for any Windows users who must employ Java 7, do install the latest update, said Sean Sullivan, security advisor at F-Secure Labs. The update addresses the three vulnerabilities--labeled CVE-2012-4681--which Oracle has rated as being a "10" on its common vulnerability scoring system, meaning that the bugs can be exploited to remotely execute code on a compromised system.

"Even though the latest Java update might have a new vulnerability, it is still always worth running the latest release, as it takes commoditized exploits off the table," said Sullivan via email. "As it stands now, the CVE-2012-4681 vulnerability is being exploited by Blackhole," he said, referring to the popular Blackhole crimeware toolkit.

Apple, meanwhile, Wednesday released an updated version of Java for OS X that addresses at least one critical vulnerability in the software. As spotted by security reporter Brian Krebs, the update fails to fix the CVE-2012-4681 vulnerability used in attacks against Windows machines. However, it's still important for all Java-using Mac users to update their software, because attackers were able to construct the Flashback malware that successfully infected an estimated 600,000 OS X devices earlier this year. That malware reverse-engineered a flaw that was disclosed by Oracle in a Java security bulletin for Windows, before Apple fixed the flaw in Java for OS X.

Including the most recent in-the-wild attacks targeting zero-day Java vulnerabilities, Gowdiak at Security Explorations said that of 29 issues reported this year to Oracle, and two reported to Apple, there are still 25 issues remaining to be addressed by Oracle.

Given that time delay, is Oracle patching Java flaws quickly enough? "We expected that the company would address the most serious issues in its Jun [2012] Java CPU cycle," said Gowdiak. "We, however, take the release of a recent out-of-band patch as a good sign for the future."

F-Secure's Sullivan, however, said Oracle simply hasn't been patching quickly enough. "Adobe used to be the weakest [link] that was being targeted on PCs," he said. But then, "Adobe started making patch cycles more regular, predictable, and really shifted/focused its efforts into automatic updates. It knew that it was the weakest link--and that was fixed."

The lesson for Oracle, accordingly, is that it needs to learn from Adobe. "[I'm] not sure if Oracle can do exactly the same thing for its Java Runtime Environment, but it really needs to do something different," said Sullivan.

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mark patterson
50%
50%
mark patterson,
User Rank: Apprentice
1/14/2013 | 9:29:21 AM
re: Java Still Not Safe, Security Experts Say
ONE COULD SAY THAT,UNLESS THEIR COMPUTER CRASHES,AND IT COSTS THEM HUNDREDS OF DOLLARS.i sure don't know what happened,never before in fifteen years,""Microsoft updating itself?",oh well, 14 updates,and I didn't stop it,WHEN IT WAS DONE,NO ICONS,NO NOTHING!,IT'S FIXED,I GUESS,BUT here is the damn problem,THE WORLD TOOK ON ALL THIS,COMPUTERAMA,and without checking the ""fine print",HERE IS A PERFECT EXAMPLE,go to "internet explorer 10" site,READ WHAT THEY SAY,"""IT'S NOT COMPLETE,DAAHH,THAT MEANS IT'S STILL SWISS CHEESE WITH HOLES!!,and they then say,""weeehhhlll,it's good for some,not for others,but """AND GET THIS!!!,THE BASTARDS ACTUALLY SAY,""""our new 10 users will be on the front line helping us make it a better internet explorer,(TRANSLATION,THEY PUT THAT CRAP OUT,KNOWING IT WAS NOT FINISHED,AND TRIED OUT,BUT THE ""USERS"",WILL BE GIVING FEEDBACK,LIKE ""COMPUTER CRASHES,IDENTITY THEFT,OVER AND OVER,AND MORE'",it's outrageous,now google tries to think for you,after being fined millions,try going to a foreign language site,WITHOUT THE DAMN THING TRANSLATING,WHEN YOU DON'T WANT IT TOO
ozzy64
50%
50%
ozzy64,
User Rank: Apprentice
10/8/2012 | 8:04:22 AM
re: Java Still Not Safe, Security Experts Say
People act like java is now a doomsday product. But boasting so much default libraries in jse and running crossplatform is a feat of itself. I am suprised there hasnt been made complete swiss cheese of java. Either way. I am still going to use it. Java is without doubt the best language created.
Wonderer
50%
50%
Wonderer,
User Rank: Apprentice
9/24/2012 | 6:09:32 PM
re: Java Still Not Safe, Security Experts Say
Wow, time has gone by without a fix. Surprising! What is the current recommendation? Back out to Java 6? Is that easy to do after one has installed 7 ?
jharby
50%
50%
jharby,
User Rank: Apprentice
9/8/2012 | 3:23:44 PM
re: Java Still Not Safe, Security Experts Say
I would point out that these security risks are coming from a very small, unused aspect of Java. Most Java is running server-side and the exploit is not applicable.
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
9/6/2012 | 4:46:40 PM
re: Java Still Not Safe, Security Experts Say
Oracle boasts 3 billion plus installs of Java. One would think that they would take security a bit more seriously than they apparently do. Shame on them.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.