
Oracle Was Warned About Java Flaws Months Ago; CERT Issues Guidance

According to IDG News, who spoke to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, Oracle was told about the issues currently leaving Java users exposed to attack back in April. In response, US-CERT has come forward in order to urge users and IT teams to disable Java.

It may seem that we’re beating a dead horse here at SecurityWeek, but the risk that the latest Java vulnerability poses to corporate and home users cannot be overstated, and it’s worth repeating. The vulnerability works on Mac OS X, Windows, and Linux; it isn’t a memory-corruption bug, so the attackers need not bother with DEP or ASLR bypasses; and the exploit itself is already part of the Blackhole Exploit Kit and is included in the latest update to Metasploit.

“This vulnerability is bad news, at least for those of us trying to avoid phishing and drive-by browsing attacks. The vulnerability is caused by a logic bug that allows an applet to grant itself full privileges. Unfortunately, this type of vulnerability isn’t new,” wrote Art Manion on the US-CERT blog.

“Vulnerabilities exploited with Java applets are a great way to bypass browser and OS security restrictions. Attackers know this, as shown by the prevalence of Java exploits in attacker toolkits. If you’re running Java 7, it’s very important to disable the Java plug-in. Now…”

As mentioned, there is no patch for the issue from Oracle. At the earliest, Oracle may release one as a bug fix, but that is two months away (October 16). The software giant is already taking heat for the flaw as it is, but the flames were turned up a notch when it was revealed that two of the 19 vulnerabilities Security Explorations reported in April are the same ones being attacked today. SecurityWeek has contacted Oracle, but other than a “we will let you know” email from an Oracle spokesperson on Monday, the company has made no comment on any out-of-cycle patches, or on why the issues were not addressed earlier this year.

For now, US-CERT has issued guidance for IT teams who need help disabling Java, and ESET has instructions for home users. 

“If you must use Java applets in a browser, consider installing a browser with the Java plug-in enabled and only using that browser to visit sites that specifically require Java. And watch for an update from Oracle,” Manion added.
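The guidance above boils down to one question for an IT team: which hosts are still running Java 7 with the browser plug-in present? The script below is an added example, not code from SecurityWeek, US-CERT, or Oracle. It reads the version token from `java -version` and looks for the Java NPAPI plug-in library; the plug-in file name (`libnpjp2.so`) and the Mozilla plug-in directories it searches are assumptions about a Linux deployment and would differ on Windows or Mac OS X.

```sh
#!/bin/sh
# Added inventory check (not from the article or US-CERT): flag hosts that run
# Java 7 and still have the browser plug-in installed, the configuration
# US-CERT advised disabling. The plug-in file name and the plug-in directories
# below are assumptions about a Linux NPAPI deployment.

# is_java7 VERSION -> exit 0 when the version string is a Java 7 (1.7.x) release
is_java7() {
    case "$1" in
        1.7.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# parse_java_version RAW -> the quoted version token from `java -version` output,
# whose first line looks like: java version "1.7.0_06"
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# installed_java_version -> version of the java binary on PATH ("" if none);
# `java -version` writes to stderr, hence the 2>&1
installed_java_version() {
    parse_java_version "$(java -version 2>&1)"
}

# plugin_present DIR... -> exit 0 if any directory contains the Java plug-in
plugin_present() {
    for d in "$@"; do
        if [ -e "$d/libnpjp2.so" ]; then
            return 0
        fi
    done
    return 1
}

# audit -> exit 2 when Java 7 and the plug-in are both present, 0 otherwise
audit() {
    v=$(installed_java_version)
    if [ -z "$v" ]; then
        echo "java: not found on PATH"
        return 0
    fi
    echo "java: $v"
    # assumed plug-in locations for Mozilla-based browsers on Linux
    if plugin_present /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins "$HOME/.mozilla/plugins"; then
        echo "browser plug-in (libnpjp2.so) present"
        if is_java7 "$v"; then
            echo "ACTION: disable or remove the Java browser plug-in on this host"
            return 2
        fi
    fi
    return 0
}

# Run the audit only when invoked as: sh java_plugin_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

The exit status is what makes this usable at scale: run it from configuration management or a login script and collect the hosts that return 2. Removing `libnpjp2.so` from the plug-in directory disables the plug-in for every Mozilla-based browser on the host, which is the minimal change Manion's advice calls for while leaving the Java runtime available to non-browser applications.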

“This certainly aligns with our experiences reporting issues to Oracle,” Alex Rothacker, Director of Security Research for Application Security’s TeamSHATTER told SecurityWeek. “They tend to release fixes at their pace, based on many factors. Officially, they claim to prioritize fixes based on severity. However, the past has shown that other factors come into play as well, such as side effects of the patch on customers, how hard it potentially is to patch for a customer, and the testing required after applying the patch.”

“While the next official CPU for Java is not due for a while, there have been two occurrences for the database lately, one after the April CPU and one after the July CPU, where Oracle has released out of band patches as a reaction to vulnerability disclosures by security researchers,” Rothacker continued. “So, there is some silver lining on the horizon and chances are, with this vulnerability being actively exploited in the wild, that they will release an out of band patch.” 
