
Oracle Patches Java Zero-Day

Last week, researchers discovered a Java vulnerability being widely exploited online, as it was included in several crime kits, including Blackhole and Cool Exploit. On Sunday, Oracle released a patch in order to address the issue, but some experts doubt it will help.

SecurityWeek reported on the issue last Thursday. Jaime Blasco, the labs manager at AlienVault, wrote that they were able to confirm details sent to them by a researcher in France, and that the newly discovered flaw in Java was similar to one uncovered last year. Their announcement was followed by others, including one from DHS, which urged users to disable the third-party software.

“By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability,” an advisory from US-CERT explains. 

This latest threat, as is the case with most Java vulnerabilities, opens the floodgates for attackers because Java itself is cross-platform. In principle, with a little work, the same vulnerability can be used to target Windows, Mac OS X and Linux systems at the same time, though in practice this rarely happens.

Oracle, in its patch announcement on Sunday, urged all users to update as soon as possible. However, Adam Gowdiak, a researcher in Poland with Security Explorations, says his firm will hold off from telling its customers that Java is safe to use again. The decision is due to the sheer volume of issues his firm discovered over the last year.

If Java isn’t needed, the recommendation is that it be uninstalled from a given system. If it needs to stay installed, Oracle has offered guidance for disabling it in the browser, the details of which are here.

“This fix is available now as Java 7u11 and anyone who uses Java in their browser should update immediately,” Ross Barrett, Senior Manager of Security Engineering at Rapid7 said in an emailed statement. “This fix also changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed. This indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the *next* time a Java vulnerability is exploited in the wild.” 
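As an added example (it is not part of the SecurityWeek article, Rapid7's statement or Oracle's guidance): a small Python check that parses `java -version` output and reports whether a host is at or above 7u11, the fix level Barrett names above. The live check assumes `java` is on PATH; the sample outputs embedded below are constructed, not captured from real hosts, and the parser also accepts the newer `major.minor.patch` version-string format that the article does not cover.

```python
import re
import subprocess

# Matches both the legacy format the article's era used ("1.7.0_11") and the
# post-Java-9 format ("11.0.2"); OpenJDK builds print "openjdk version".
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?"'
)

# Java 7 Update 11: the first release carrying the fix discussed in the article.
FIX_LEVEL = (7, 11)


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` output, or None.

    Legacy strings "1.X.0_U" map to (X, U); newer "X.Y.Z" strings map to (X, Z).
    """
    m = VERSION_RE.search(output)
    if not m:
        return None
    first = int(m.group(1))
    if first == 1:  # legacy "1.7.0_11" style: major is the second field
        major = int(m.group(2) or 0)
        update = int(m.group(4) or 0)
    else:  # "11.0.2" style: major is the first field, patch is the third
        major = first
        update = int(m.group(3) or 0)
    return (major, update)


def at_or_above_fix(output):
    """True only if the parsed version is at least FIX_LEVEL.

    Unparseable output is reported as False: a host we cannot verify is
    treated as needing review, not as patched.
    """
    version = parse_java_version(output)
    return version is not None and version >= FIX_LEVEL


def audit(samples):
    """Map each host name to 'ok', 'needs-update' or 'unknown'."""
    result = {}
    for host, output in samples.items():
        version = parse_java_version(output)
        if version is None:
            result[host] = "unknown"
        elif version >= FIX_LEVEL:
            result[host] = "ok"
        else:
            result[host] = "needs-update"
    return result


def installed_java_version():
    """Query the local host; returns None if java is missing or hangs.

    Assumption: the `java` binary is on PATH. It prints its version on
    stderr, so both streams are scanned.
    """
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample outputs standing in for a fleet inventory.
SAMPLE_OUTPUTS = {
    "ws-01": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "ws-02": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    "ws-03": 'openjdk version "1.8.0_292"\nOpenJDK Runtime Environment',
    "ws-04": 'java version "11.0.2" 2019-01-15 LTS',
    "ws-05": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
    print("local host:", installed_java_version())
```

Hosts reporting `unknown` deserve the same attention as `needs-update`: a missing `java` on PATH does not prove the browser plugin is gone, which is why the article's first recommendation is to uninstall Java outright where it is not needed.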
