Oracle releases emergency Java patch; experts warn flaws may take 2 years to fix

Oracle released an emergency patch for Java, but security experts warn the patch doesn't fix all critical vulnerabilities. Not counting future Java exploits, the current Java bugs may take '2 years' to fully fix. In fact, vulnerability experts at the CMU SEI CERT Program advise, "Unless it is absolutely necessary to run Java in web browsers, disable it, even after updating to 7u11."

After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday.

Last week, Carnegie Mellon University (CMU) Software Engineering Institute (SEI) CERT Program warned that the newest Java "vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected."

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.

Oracle said to update immediately since the vulnerabilities were being exploited in the wild. According to Oracle's security blog:

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to "high" by default. The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed. As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.

But vulnerability experts at the CMU SEI CERT Program advised, "Unless it is absolutely necessary to run Java in web browsers, disable it, even after updating to 7u11." The agency also thanked security researcher Kafeine for reporting the latest Java vulnerability.

HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. "The safest thing to do at this point is just assume that Java is always going to be vulnerable," Moore said. "Folks don't really need Java on their desktop."

Polish security firm Security Explorations has discovered numerous critical Java zero-days, about 50 so far, including the one in Sept 2012 that placed 1 billion Java users at risk. Regarding Java holes, Security Explorations researcher Adam Gowdiak previously explained that if you surf onto a maliciously crafted webpage that has a tainted Java applet or application exploiting Java, then "an attacker could then install programs, view, change, or delete data with the privileges of a logged-on user."

Despite the fact that Oracle has changed the default to high, so users will be prompted "to authorize the execution of applets which are either unsigned or are self-signed," Gowdiak said, "We don't dare to tell users that it's safe to enable Java again." He took a look at the newest Java patch and told Reuters that Oracle's update still leaves "several critical security flaws" unfixed.  

Some experts advise using a separate browser just for sites that require Java, such as for web meetings, or Oracle's plethora of other "Java in action" reasons. Learn about Java states, "From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!" Kaspersky said that in 2012, Java was responsible for 50% of all cyberattacks where hackers broke into computers by exploiting software bugs.

Apply Oracle's patch immediately, but if you choose to leave Java enabled, keep in mind that the current known security vulnerabilities may be around for a couple years, the latest patch doesn't fix all critical flaws, and attackers will continue to exploit the low hanging Java fruit in the future.

Update: The vulnerability note was published on the website of the CERT Program of the Carnegie Mellon University (CMU) Software Engineering Institute (SEI) but was attributed to US-CERT. "It is the position of vulnerability experts at the CMU SEI CERT Program that Java be disabled unless it is absolutely necessary." The Carnegie Mellon CERT Program advisory site states that is sponsored by the DHS Office of Cybersecurity and Communications.

Like this? Here's more posts:
  • Critical Infrastructure Malware Infections: From ICS-CERT report to SCADA Strangelove
  • Police State starts in tiny Arkansas town
  • IE fix easily broken; Espionage hacker gang has endless supply of zero-days
  • Chrome, Firefox, IE to block fraudulent digital certificate
  • Don't faint: Microsoft applauds hacker for Windows RT jailbreaking attempt
  • Microsoft issues quick fix for critical zero-day hole in IE
  • Valve's Steam Box controllers may use biometrics and gaze tracking
  • 20 Seconds to jailbreak Windows RT
  • Intelligence report predicts IT in 2030, a world of cyborgs with Asia as top power
  • Unpatched TRENDnet IP cameras still provide a real-time Peeping Tom paradise

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)