Oracle pushed out patches for 40 security vulnerabilities in Java SE today.
Virtually all of the vulnerabilities can be exploited over a network without authentication, and four of the bugs are applicable to server deployments of Java, according to the company.
Several of the vulnerabilities in the Java Runtime Environment have a ranking of 10.0, the highest CVSS severity ranking available. According to Oracle, the list of affected products includes numerous versions of the Java Development Kit (JDK), the Java Runtime Environment (JRE) and the JavaFX development platform.
“The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system,” noted Ross Barrett, senior manager of security engineering at Rapid7. “The latest versions of Java 7, 6 and 5 are all vulnerable to most of these conditions. It’s highly likely that earlier versions are also vulnerable.”
“The recommendation here, as always, is for all users to patch as quickly as possible,” he said. “There are a good number of researchers that have been credited for these fixes and it’s likely that Proof of Concept code will be released now that that patches are available.”
Several high-risk vulnerabilities fixed by the update were discovered by researchers working with HP’s Zero Day Initiative [ZDI].
“These vulnerabilities cover a wide spectrum of software weaknesses including sandbox bypasses, heap-based buffer overflows, and out-of-bounds writes,” said Brian Gorenc, manager of ZDI. “As we saw earlier this year at Pwn2Own, these specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code. With most of these issues originally reported by ZDI in early April, Oracle seems to be reacting quickly to high severity vulnerabilities. We look forward to seeing this trend continue.”
Java security has been under heavy scrutiny due to the attention Java vulnerabilities continue to garner from attackers. This year, the company promised to improve security and work with Java’s user community to improve awareness.
“All of these changes are for the better – Oracle is acknowledging that there have been challenges when it comes to Java security in the past, and they’re working hard to improve it moving forward,” blogged Pawan Kinger, vulnerability research manager at Trend Micro. “We appreciate these efforts and hope that they succeed in reducing the threat from Java exploits, which is completely in line with Trend Micro’s goal of creating a world safe for exchanging digital information.”
Given the wide spread use of Java, there is unlikely to be a slowdown in exploits and patches anytime soon, said Lamar Bailey, director of security research and development at Tripwire.
“Java is squarely in the crosshairs of many hackers and security researchers and that’s not going to change in the short term,” he said. “Many companies and vendors are moving away from or disabling Java for their end users. Apple turned Java off in their browser by default and Microsoft released a fix-it last week to allows IE users to disable Java in IE.”
“Since Java is used so widely Oracle really needs to abandon the quarterly release cycle and get Java updates out to users at least monthly until the rising tide of vulnerabilities starts to recede,” he said.
Oracle strongly recommends customers apply the patches as soon as possible.
*This story was updated with additional commentary.
