Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Java Security Work Remains, Bug Hunter Says

Proof-of-concept attack can be used to run arbitrary Java apps, despite Oracle's recent security fix.

The current version of Java 7 includes a bug that can be used to bypass all security defenses in the Java browser plug-in, allowing an attacker to execute arbitrary code using the Java runtime environment installed on a PC.

That warning was sounded Sunday by veteran Java bug hunter Adam Gowdiak, CEO and founder of Poland-based Security Explorations in a post to the Bugtraq mailing list, subject-lined "an issue with new Java SE 7 security features."

His warning comes despite Oracle changing the Java 7 security controls -- with the release of update 10 in Oct. 2012 -- to allow users to select low (run most unsigned apps without warning), medium (only run unsigned apps if Java looks secure), high (require user authorization before executing unsigned apps) and very high (unsigned apps not allowed to run) security settings. With the release of Java 7 update 11 this month, furthermore, Oracle set Java 7 to the "high" level by default, which it said would block the in-the-wild attacks seen earlier this month.

[ What do you need to know about the recent Java security breaches? See Java Security Warnings: Cut Through The Confusion. ]

But according to Gowdiak, he's discovered a new vulnerability in Java 7 that can be used to bypass those security settings and silently execute attack code. "What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above," he said. "Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with "Very High" Java Control Panel security settings."

As a result, he said, the vulnerability could be used by an attacker "to execute an unsigned (and malicious!) Java code" without the user seeing any warnings before the app is allowed to run. But Gowdiak noted that "click to play" technology built into some browsers -- Chrome, Firefox and Opera -- would mitigate the vulnerability and prevent silent exploits. The feature, however, is not necessarily enabled by default.

Oracle has been moving to address growing security concerns over Java, including the efficacy of its Java 7 update 11. That update reportedly fixed one of two zero-day flaws being actively exploited by attackers but failed to fully mitigate the other vulnerability. "As you know, the vulnerability pertains to Java on the browser, not server-side Java, desktop Java or embedded Java," said Oracle's "Java EE/GlassFish evangelist" Reza Rahman Friday in a blog post. "You may also have been frustrated with Oracle's relative silence on the issue."

To address that, Oracle on Friday released an audio recording of a call between Oracle security lead Martin Smith and Doland Smith from the OpenJDK team, with worldwide leaders of the Java user group. Rahman billed it as "a frank two-way discussion with Java community leaders about Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage in some venues."

"The plan for Java security is really simple," said Smith on the call. "It's to get Java fixed up, number one, and then number two, to communicate our efforts widely. We really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy. We have to fix Java."

In the past year, Security Explorations has spotted 53 flaws in Java 7, all of which it has disclosed to Oracle. According to the Security Explorations website, the latest vulnerability notice (for bug 53) -- and proof-of-concept exploitation code -- were sent to Oracle Sunday. By Monday, Oracle had confirmed receipt of the vulnerability report and promised to investigate the bug.

Interestingly, on Friday Oracle told Security Explorations that three of the four still-outstanding flaws (vulnerabilities 29, 50 and 52) that Gowdiak found -- including one of two disclosed to Oracle on Jan. 18 -- have been remediated in the Java code base and are scheduled to be released in a forthcoming critical patch update for Java. (Oracle said it's still investigating the fourth bug, which is number 51 in the Security Explorations count.)

The next regularly scheduled update from Oracle would be April 16, although the company has previously released "out of band" patches to correct serious vulnerabilities.

In the interim, how can users mitigate the zero-day flaw spotted by Gowdiak -- which, to be clear, hasn't been seen in any known attacks to date? Of course, users can take their chances and wait for Oracle's fix. Alternately, they can disable in-browser Java altogether, which is the current recommendation from the Department of Homeland Security, provided Java isn't required. If it is, security experts have recommended maintaining one Java-free browser and another browser with the Java plug-in enabled, and using the latter only to visit trusted websites that require in-browser Java.

Utilities such as the Firefox extension NoScript can also help secure users against attacks launched via untrusted sites. "NoScript does block any Java attack from sites which have not been explicitly whitelisted by the user," said developer Giorgio Maone, co-founder of Italian software development firm InformAction, via email. "Therefore, even if Java may be required by an application of your company or your online banking site, you can use it while being protected from third-party attacks."

To date, however, NoScript is available only for Firefox. "Even though I'd like to port it to Chrome due to its popularity, no browser besides Firefox yet has the level of extensibility needed to make a reliable and complete clone," said Maone.

Offensive cybersecurity is a tempting prospect. It's also way too early to go there. Here's what to do instead. Also in the new, all-digital Nuclear Option issue of InformationWeek: Military agencies worldwide are figuring out the tactics and capabilities that will be critical in any future cyber war. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Deirdre Blake
50%
50%
Deirdre Blake,
User Rank: Apprentice
1/29/2013 | 4:32:12 PM
re: Java Security Work Remains, Bug Hunter Says
Glad to see the Smiths at Oracle stepping up to address this issue. In addition to identifying and patching security holes (which invariably pop up at some juncture for any evolving Web-based application), any and all efforts to fix security problems are moot if people assume Java is broken and stop using anything Java-related. Communication. Communication. Communication.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2002-0390
PUBLISHED: 2019-07-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-0639. Reason: This candidate is a reservation duplicate of CVE-2002-0639. Notes: All CVE users should reference CVE-2002-0639 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.