Vulnerabilities / Threats
7/18/2013
01:02 PM
50%
50%

Java Dregs Create Unappetizing Enterprise Security Problem

Why is Java still such a security weakspot? Java updates don't nuke all older versions, leaving plenty of well-known vulnerabilities for online attackers to exploit.

Why is it so hard for businesses to secure themselves against Java exploits? In part, the difficulty can be traced to accurately identifying and eliminating older versions of Java that sport dozens or hundreds of known and easily exploitable vulnerabilities.

In fact, according to a new study, 42% of all enterprise endpoints sport more than one version of Java and 20% have more than two versions installed, while 82% had a version of Java 6 and only 1% ran Java 7 update 21 -- which at the time of the study was the latest and most secure version of the software.

Those findings come from information security monitoring vendor Bit9, which Thursday released a report based on data gathered from about 1 million Microsoft Windows endpoints, comprising hundreds of the company's customers.

[ Why aren't software vendors more proactive about patching? Read Overcome The Microsoft Mindset: Patch Faster. ]

Bit9 found that Java versions proliferate. "The average organization has more than 50 versions of Java, and five of the ones we surveyed had over 100 versions of Java -- and we're just talking about the ones we could verify came from Oracle or Sun," said Harry Sverdlove, CTO of Bit9, speaking by phone. As a result, the study's findings are conservative since they don't include the plethora of alternate versions of Java that have been distributed over the years from the likes of SAP, IBM and others. Even so, more than one-third of the Java versions counted by Bit9 were more than 10 years old, meaning they date from the Windows 95 era. "So we're dealing with a lot of historical cruft," said Sverdlove.

Having anything but the latest version of Java 7 installed exposes users to an increased risk of being exploited. Despite those risks, however, newer versions of Java haven't historically been good at excising older versions. "With Java, updating is not upgrading," said Sverdlove. As a result, when users run a Java update, they're often leaving outdated versions of Java on their system, meaning they're still at risk. Anyone with Java 6 version 20 on their system, for example, could be exploited using any one of the 93 known flaws that Bit9 counted in the software. "It only takes one vulnerability -- it only takes one unlocked window for a criminal to break in," said Sverdlove. "But when you have 93 unlocked windows, certainly your risk isn't any better."

Furthermore, attackers can designate precisely which installed Java clients they'd like to target. "What most people don't realize is, when you're accessing a Java vulnerability, in many cases you can specify an older version of Java to target, and in many cases do so without the user even knowing," said Sverdlove.

That's one reason online attackers and automated crimeware toolkit developers love exploiting Java. In addition, the "write once, run anywhere" software works cross-platform, meaning that one attack can be used to compromise not just Windows machines, but also computers running Apple OS X and Linux. "Our joke is, write once, pwn anywhere," said Sverdlove.

What can businesses do to better secure themselves against Java exploits? For starters, ask if the business really requires the Java runtime environment on PCs or the Java browser plug-in. If not, create related security policies that use tools to block one or both of those forms of Java. Also consider using software to catalog what's running on endpoints -- Bit9, perhaps not surprisingly, sells such software -- as well as Web application firewalls to restrict which websites Java browser plug-ins can access. Another option is to use a software distribution or patch management system to nuke all versions of Java, and either keep a lockdown on Java or ensure that only the most recent version is installed.

Even so, businesses can still be at risk, thanks to the furious pace with which new vulnerabilities are discovered in the Java browser plug-in. Notably, Bit9's report was released the same day as a new vulnerability was reported in Java 7 by veteran Java bug hunter Adam Gowdiak, CEO of Polish research firm Security Explorations. The reflection flaw, dubbed "issue 69," affects the Java virtual machine (VM), and could be exploited by an attacker to escape the sandbox. Gowdiak said he reported details of the flaw, together with a working exploit, to Oracle on Thursday.

The same day, in a post to the Full Disclosure mailing list, Gowdiak said the flaw -- when a security system can be tricked into revealing secret credentials -- was found in the reflection API introduced with Java 7 and described the bug as involving a "classic attack" against a VM. "What's ... interesting is that the attack itself has been in the public knowledge for at least 10+ years," he said. "It's one of those risks one should protect against in the first place when new features are added to Java at the core VM level."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-1793
Published: 2014-12-25
rendering/svg/RenderSVGResourceFilter.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted SVG document that leads to a "stale pointer."

CVE-2011-1794
Published: 2014-12-25
Integer overflow in the FilterEffect::copyImageBytes function in platform/graphics/filters/FilterEffect.cpp in the SVG filter implementation in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified ...

CVE-2011-1795
Published: 2014-12-25
Integer underflow in the HTMLFormElement::removeFormElement function in html/HTMLFormElement.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted HTML document con...

CVE-2011-1796
Published: 2014-12-25
Use-after-free vulnerability in the FrameView::calculateScrollbarModesForLayout function in page/FrameView.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaS...

CVE-2011-1798
Published: 2014-12-25
rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 does not properly perform a cast of an unspecified variable during an attempt to handle a block child, which allows remote attackers to cause a denial of service (application crash) or possibly have unknown othe...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.