Security Experts: Oracle Was Warned About Java Flaws Months Ago; CERT Issues Guidance

According to IDG News, who spoke to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, Oracle was told about the issues currently leaving Java users exposed to attack back in April. In response, US-CERT has come forward in order to urge users and IT teams to disable Java.

It may seem that we’re beating a dead horse here at SecurityWeek, but the risk that the latest Java vulnerability poses to corporate and home users cannot be overstated, and it’s worth repeating. The vulnerability works on Mac OS X, Windows, and Linux; it isn’t a memory-corruption bug, so attackers need not bother with DEP or ASLR bypasses; and the exploit itself is already part of the Blackhole Exploit Kit and is in the latest update to Metasploit.

“This vulnerability is bad news, at least for those of us trying to avoid phishing and drive-by browsing attacks. The vulnerability is caused by a logic bug that allows an applet to grant itself full privileges. Unfortunately, this type of vulnerability isn't new,” wrote Art Manion on the US-CERT blog.

“Vulnerabilities exploited with Java applets are a great way to bypass browser and OS security restrictions. Attackers know this, as shown by the prevalence of Java exploits in attacker toolkits. If you're running Java 7, it's very important to disable the Java plug-in. Now...”

As mentioned, there is no patch for the issue from Oracle. At the earliest, Oracle may release one as a bug fix, but that is two months away (October 16). The software giant is already taking heat for the flaw as it is, but the flames were turned up a notch when it was revealed that two of the 19 vulnerabilities Security Explorations reported in April are the same ones being attacked today. SecurityWeek has contacted Oracle, but other than a "we will let you know" email from an Oracle spokesperson on Monday, the company has made no comment on any out-of-cycle patches, or on why the issues were not addressed earlier this year.

For now, US-CERT has issued guidance for IT teams who need help disabling Java, and ESET has instructions for home users. 
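Before an IT team can disable the plug-in everywhere, it has to know which machines are still running Java 7 in the browser. The script below is an added example (not from US-CERT, ESET or the article) of one way to build that inventory from a web proxy log: the Java runtime fetches applet JARs with a User-Agent of the form "Java/<version>", so requests carrying a "Java/1.7.x" agent identify hosts whose Java 7 plug-in is still active. The log format and the sample lines are constructed for the example; adapt the parsing regex to your proxy's actual format.

```python
"""Audit a proxy log for hosts whose Java 7 browser plug-in is still fetching applets."""
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic). Assumed format, one request per line:
#   <epoch> <client_ip> <method> <url> <status> "<user_agent>"
SAMPLE_LOG = """\
1345500001 10.0.0.5 GET http://cdn.example.com/app/main.jar 200 "Java/1.7.0_06"
1345500002 10.0.0.5 GET http://cdn.example.com/app/index.html 200 "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Firefox/14.0"
1345500003 10.0.0.9 GET http://intranet.example.com/tools/viewer.jar 200 "Java/1.6.0_33"
1345500004 10.0.0.12 GET http://ads.example.net/x/loader.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05"
1345500005 10.0.0.7 GET http://www.example.org/page.html 200 "Mozilla/5.0 (Macintosh) Safari/536.25"
this line is malformed and must be skipped
"""

# Assumed log layout; change this regex to match your proxy's real format.
LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# The Java runtime identifies itself as "Java/<version>" when it downloads applet JARs.
JAVA_UA_RE = re.compile(r'\bJava/(?P<ver>\d+\.\d+\.\d+(?:_\d+)?)')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def java_version(user_agent):
    """Extract the JRE version from a User-Agent header, or None if the agent is not Java."""
    m = JAVA_UA_RE.search(user_agent)
    return m.group("ver") if m else None


def is_java7(version):
    """Java 7 reports itself as 1.7.x; that is the branch US-CERT advises disabling."""
    return version.startswith("1.7.")


def audit(log_text):
    """Map each client seen with a Java 7 user agent to its JRE versions and the JARs it fetched."""
    findings = defaultdict(lambda: {"versions": set(), "jars": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected layout
        ver = java_version(rec["ua"])
        if ver is None or not is_java7(ver):
            continue  # not Java, or an older branch the advisory does not single out
        findings[rec["client"]]["versions"].add(ver)
        if rec["url"].lower().endswith(".jar"):
            findings[rec["client"]]["jars"].append(rec["url"])
    return dict(findings)


if __name__ == "__main__":
    for client, info in sorted(audit(SAMPLE_LOG).items()):
        print(f"{client}: Java {', '.join(sorted(info['versions']))}; "
              f"{len(info['jars'])} JAR fetch(es)")
```

Run against a day of proxy logs, the output is a list of hosts to visit first when disabling the plug-in; hosts that legitimately need Java for an internal applet (the "separate browser" case in Manion's advice) show up with intranet JAR URLs and can be handled separately.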

“If you must use Java applets in a browser, consider installing a browser with the Java plug-in enabled and only using that browser to visit sites that specifically require Java. And watch for an update from Oracle,” Manion added.

"This certainly aligns with our experiences reporting issues to Oracle," Alex Rothacker, Director of Security Research for Application Security's TeamSHATTER, told SecurityWeek. "They tend to release fixes at their pace, based on many factors. Officially, they claim to prioritize fixes based on severity. However, the past has shown that other factors come into play as well, such as side effects of the patch on customers, how hard it potentially is to patch for a customer, and the testing required after applying the patch."

"While the next official CPU for Java is not due for a while, there have been two occurrences for the database lately, one after the April CPU and one after the July CPU, where Oracle has released out-of-band patches as a reaction to vulnerability disclosures by security researchers," Rothacker continued. "So, there is some silver lining on the horizon and chances are, with this vulnerability being actively exploited in the wild, that they will release an out-of-band patch."

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.