Risk
1/14/2013 10:17 AM

Oracle Fixes Zero Day Java Flaws: Patch Now

Java 7 update, released Sunday, fixes bugs widely targeted by crimeware toolkits. Other critical bug updates coming later this week from Oracle and Microsoft.

Oracle released an out-of-band patch Sunday to fix two zero-day vulnerabilities in Java that are being actively exploited by attackers.

A security alert from Oracle said that the patched vulnerabilities include CVE-2013-0422 (Oracle Java 7 Security Manager Bypass Vulnerability) as well as "another vulnerability affecting Java running in Web browsers." The Java update also changes the default security level for browser-based Java applets and applications from "medium" to "high," which means that unsigned Java Web applications will no longer run until the user explicitly approves them. Oracle said the change is meant "to prevent silent exploitation."

All Java users should apply the update as soon as possible, according to the Oracle security advisory, "due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 'in the wild.'" Indeed, in recent days Symantec has reported seeing about 300,000 related attacks per day launched by exploit kits. The attacks predominantly target PC users based in the United States.

The patched Java vulnerabilities were first spotted last week by security researchers, who warned that they were being actively exploited by attackers. By Friday, related exploit capabilities had been added to the Blackhole, Cool Exploit Kit, Impact and Redkit crimeware toolkits, and also incorporated into Metasploit, a free, open source penetration testing framework.


Which versions of Java are at risk? Oracle said Sunday that the two zero-day vulnerabilities affect only Java 7 running in Web browsers. "These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications," according to the security advisory. "They also do not affect Oracle server-based software." Specifically, Oracle said the vulnerabilities are present in Java Development Kit (JDK) and Java Runtime Environment (JRE) version 7, update 10 and earlier -- but not in Java 6, 5.0 or 1.4.2. In addition, "Java SE Embedded JRE releases are not affected," said Oracle.
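The version boundary above (JDK/JRE 7 update 10 and earlier affected, 7u11 fixed, Java 6 and older not affected) is the kind of thing an administrator ends up checking across a fleet. The following is an added example, not code from Oracle or from this article: it parses the version string that Oracle's `java -version` launcher prints (for example `java version "1.7.0_10"`) and classifies the runtime against the 7u11 fix. The sample outputs are constructed for illustration, and the local check assumes a `java` launcher on PATH.

```python
"""Classify `java -version` output against the Java 7u11 fix for CVE-2013-0422.

Added example; not Oracle's or InformationWeek's code. Assumes the
version-string format printed by Oracle's launcher, e.g.
'java version "1.7.0_10"'. Per Oracle's alert, JDK/JRE 7 update 10 and
earlier are affected; Java 6, 5.0 and 1.4.2 are not.
"""
import re
import subprocess

# First fixed release named in Oracle's alert: Java 7 update 11.
FIXED_FAMILY, FIXED_UPDATE = 7, 11

# Matches 'version "1.7.0_10"' and the update-less form 'version "1.7.0"'.
# Also matches OpenJDK builds, which print 'openjdk version "1.7.0_xx"'.
VERSION_RE = re.compile(r'version "1\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_version(output):
    """Return (family, update) from `java -version` text, e.g. (7, 10)."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % output)
    family = int(m.group(1))
    update = int(m.group(3) or 0)   # '1.7.0' with no '_NN' is update 0
    return family, update


def is_affected(output):
    """True if the runtime is one Oracle's alert lists as vulnerable.

    Only the Java 7 family is in scope; 7u10 and earlier are affected,
    7u11 and later carry the fix. Other families return False because
    the alert does not list them (Java 6/5.0/1.4.2 are explicitly unaffected).
    """
    family, update = parse_version(output)
    if family != FIXED_FAMILY:
        return False
    return update < FIXED_UPDATE


def installed_java_version():
    """Run the local launcher. Note `java -version` prints to stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


# Constructed sample outputs (not captured from real systems).
SAMPLE_OUTPUTS = {
    "7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    "6u38": 'java version "1.6.0_38"',
    "7u0":  'java version "1.7.0"',
}

if __name__ == "__main__":
    for label, out in SAMPLE_OUTPUTS.items():
        print(label, "AFFECTED" if is_affected(out) else "not affected")
    try:
        local = installed_java_version()
        print("local:", "AFFECTED" if is_affected(local) else "not affected")
    except FileNotFoundError:
        print("local: no java launcher on PATH")
```

One caveat worth keeping in mind: this checks whatever `java` is first on PATH, while the vulnerabilities Oracle describes are reached through the browser plug-in, and a machine can carry several JREs. The plug-in the browser actually loads (and whether it is enabled at all) has to be checked separately in each browser's plug-in settings.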

Veteran Java bug hunter Adam Gowdiak, who heads Security Explorations, confirmed via email Monday that Oracle's fix is sound. "The version released [Sunday] blocks the recent Java 0-day exploit code," he said.

Interestingly, at least one of the flaws patched by Oracle resulted from the company failing to fully fix a previous flaw -- disclosed to the company last year by Gowdiak -- that it supposedly patched in October. The episode recalls a Java 7 fix from Oracle released last year that patched one flaw, but introduced another.

The zero-day bugs in Java that were publicly disclosed last week are the latest in a long line of zero-day vulnerabilities that have been discovered in the software. Since Java is widely installed and runs on multiple platforms, it appears to have become a favorite target of attackers, who can potentially exploit new vulnerabilities not only on Windows systems, but also Mac OS X and Linux systems.

After last week's discovery of the latest zero-day vulnerabilities, the Department of Homeland Security (DHS) Thursday recommended temporarily disabling Java until an effective mitigation technique or patch was released. The DHS recommendation appears to be its standard advice for any critical flaw in widely used software that's being actively exploited by attackers, for which no mitigation techniques or patches are immediately available.

Apple, meanwhile, Friday took the unusual step of updating its OS X malware definitions list to block not a virus but all versions of the Java browser plug-in prior to 1.7.10.19. "This updated definition temporarily disabled the Java Web Start browser plug-in that enables Java applications to run inside of Safari/Firefox/Chrome," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. Similarly, Mozilla added Java to its click-to-play list, meaning that any attempt to launch Java in Firefox -- malicious or not -- will require that the user authorize the request.

It will be a big month for Oracle patches, as the company's next critical patch update release is scheduled for Tuesday. According to Oracle's pre-release announcement, "this Critical Patch Update contains 86 new security vulnerability fixes across hundreds of Oracle products." Oracle said one of the patches is for a flaw in Oracle Database Mobile Server -- as well as Database Lite Server -- which may allow attackers to remotely execute arbitrary code with no user input.

Oracle isn't the only technology giant set to issue emergency patches for zero-day flaws this month. Microsoft announced Sunday that it plans to release a fix Monday for a zero-day vulnerability in Internet Explorer. While Microsoft hasn't detailed which bug it's fixing, the company noted that the critical vulnerability could be automatically exploited to run arbitrary code without any user interaction, meaning that it could be used to exploit PCs via self-propagating worms, drive-by attacks from malicious Web pages or when a user opens an email.

According to Paul Ducklin, head of technology for Sophos in the Asia Pacific region, the patch is most likely for a zero-day flaw in IE that was confirmed on Dec. 29 by Microsoft. The company had already published a FixIt tool to mitigate the vulnerability, and recommended that businesses harden their Windows installation by using its Enhanced Mitigation Experience Toolkit (EMET).

Even so, "there are reports that variants of this exploit exist that work even if you are using EMET, and even after you have run Microsoft's abovementioned FixIt," said Ducklin in a blog post. But luckily, the bug that Microsoft is most likely patching isn't present in the latest versions of IE. "The 2794220 vulnerability affects neither IE 9 nor IE 10. If you're already using one of those versions, you're sitting pretty," he said.

Comments
majenkins (User Rank: Apprentice), 1/14/2013 9:19:53 PM
re: Oracle Fixes Zero Day Java Flaws: Patch Now

"The Java update also changes the default security level for browser-based Java applets and applications from "medium" to "high,""

Actually the change in the security level is all the fix does, that is why many folks are still advising to uninstall JAVA completely.
Mathew (User Rank: Apprentice), 1/15/2013 2:25:56 PM
re: Oracle Fixes Zero Day Java Flaws: Patch Now

Thanks for your comment. Good point -- one of the flaws was "addressed" (as in, not really solved) by changing the default security levels. The other flaw was fixed outright. We'll be addressing this in a forthcoming story.
Andrew Hornback (User Rank: Apprentice), 1/15/2013 9:34:57 PM
re: Oracle Fixes Zero Day Java Flaws: Patch Now

Any explanation yet as to why Apple did what they did? From what I've seen/heard, if you drop back to an older version of Java that isn't prone to this exploit, you should be fine - as long as you don't allow it to auto-update. But, Apple now has them marked as "bad actors" as well.

Microsoft putting out a patch that fixes something under very specific circumstances isn't new.

I have to wonder if Oracle should look into a third party validating their patches prior to release - especially since the entire world runs on Java these days.

Andrew Hornback
InformationWeek Contributor

Mathew (User Rank: Apprentice), 1/16/2013 10:27:52 AM
re: Oracle Fixes Zero Day Java Flaws: Patch Now

Andrew, Apple Friday blocked all then-current/former versions of the Java browser plug-in. That meant that anyone who wanted to use the Java browser plug-in needed to wait until Java issued its fix (which it did Sunday), then download and install it. So it was a proactive security move on Apple's part, which isn't surprising given how many people the Flashback malware infected.
DavidGP (User Rank: Apprentice), 1/18/2013 4:49:36 PM
re: Oracle Fixes Zero Day Java Flaws: Patch Now

I see 7u11 but no new 6 yet, 6u38 is older.