
Oracle Was Warned About Java Flaws Months Ago; CERT Issues Guidance

According to IDG News, who spoke to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, Oracle was told about the issues currently leaving Java users exposed to attack back in April. In response, US-CERT has come forward in order to urge users and IT teams to disable Java.

It may seem that we’re beating a dead horse here at SecurityWeek, but the risk that the latest Java vulnerability poses to corporate and home users cannot be overstated, and it’s worth repeating. The exploit works on Mac OS X, Windows, and Linux; because the flaw is a logic bug that lets an applet escape the sandbox rather than a memory-corruption flaw, attackers need not bother with DEP or ASLR bypasses; and a working exploit is already part of the Blackhole Exploit Kit and of the latest update to Metasploit.

“This vulnerability is bad news, at least for those of us trying to avoid phishing and drive-by browsing attacks. The vulnerability is caused by a logic bug that allows an applet to grant itself full privileges. Unfortunately, this type of vulnerability isn’t new,” wrote Art Manion on the US-CERT blog.

“Vulnerabilities exploited with Java applets are a great way to bypass browser and OS security restrictions. Attackers know this, as shown by the prevalence of Java exploits in attacker toolkits. If you’re running Java 7, it’s very important to disable the Java plug-in. Now…”

As mentioned, Oracle has not released a patch for the issue. The next scheduled Java Critical Patch Update is two months away (October 16), so unless Oracle ships an out-of-cycle fix, that is the earliest a patch would arrive. The software giant is already taking heat for the flaw as it is, but the flames were turned up a notch when it was revealed that two of the 19 vulnerabilities Security Explorations reported in April are the same ones being attacked today. SecurityWeek has contacted Oracle, but other than a “we will let you know” email from an Oracle spokesperson on Monday, the company has made no comment on whether it will issue an out-of-cycle patch or on why the issues were not addressed earlier this year.

For now, US-CERT has issued guidance for IT teams who need help disabling Java, and ESET has instructions for home users. 

“If you must use Java applets in a browser, consider installing a browser with the Java plug-in enabled and only using that browser to visit sites that specifically require Java. And watch for an update from Oracle,” Manion added.
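The guidance above points to external instructions for disabling the plug-in. As an added example that is not part of the article, of US-CERT’s guidance, or of ESET’s instructions, the POSIX shell script below audits a Unix-like host for the two facts an IT team needs before acting on that advice: whether the installed runtime is the Java 7 branch Manion refers to (parsed from the output of `java -version`), and whether the Java browser plug-in is present in a browser plug-in directory. The plug-in file name `libnpjp2.so` is the one the Oracle JRE ships on Linux; the directory paths, the helper names and the sample `java -version` text are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article or US-CERT). Audits a Unix-like host for
# a Java 7 runtime and for an exposed Java browser plug-in.

# java_major_version OUTPUT: print the Java major release parsed from the text
# of "java -version" (the tool writes it to stderr). Handles the legacy
# 1.x.y_z numbering ("1.7.0_06" -> 7) and the later x.y.z numbering
# ("11.0.2" -> 11). Prints nothing if no version line is found.
java_major_version() {
    printf '%s\n' "$1" | awk '
        /version "/ {
            v = $0
            sub(/^.*version "/, "", v)   # drop everything up to the opening quote
            sub(/".*$/, "", v)           # drop the closing quote and what follows
            n = split(v, p, ".")
            # Legacy numbering puts the release in the second field, Java 9+ in the first.
            if (p[1] == "1" && n > 1) print p[2]; else print p[1]
            exit
        }'
}

# java7_affected OUTPUT: succeed (return 0) when OUTPUT describes a Java 7
# runtime, the branch US-CERT singled out in its guidance; fail otherwise.
java7_affected() {
    [ "$(java_major_version "$1")" = "7" ]
}

# find_java_plugins DIR...: print any Java NPAPI plug-in files found directly in
# the given directories and succeed if at least one exists. libnpjp2.so is the
# file name the Oracle JRE ships for its plug-in on Linux; libjavaplugin*.so
# covers older Sun JRE builds. Directories that do not exist are skipped.
find_java_plugins() {
    found=1
    for d in "$@"; do
        for f in "$d"/libnpjp2.so "$d"/libjavaplugin*.so; do
            if [ -e "$f" ]; then
                printf '%s\n' "$f"
                found=0
            fi
        done
    done
    return $found
}

# audit_host: run both checks on the current machine and print a verdict.
# The plug-in directories below are the conventional Firefox locations on
# Linux (an assumption; adjust for the browsers actually deployed).
audit_host() {
    ver_out=$(java -version 2>&1 || true)
    major=$(java_major_version "$ver_out")
    if [ -z "$major" ]; then
        echo "java: no runtime found on PATH"
    elif java7_affected "$ver_out"; then
        echo "java: Java $major runtime installed (affected branch)"
    else
        echo "java: Java $major runtime installed"
    fi
    if plugins=$(find_java_plugins /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins "$HOME/.mozilla/plugins"); then
        echo "plug-in: Java browser plug-in exposed at:"
        printf '  %s\n' $plugins
    else
        echo "plug-in: no Java browser plug-in found in the checked directories"
    fi
}

# Run the audit only when invoked with --audit, so the functions can also be
# sourced into other scripts without side effects.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh audit-java.sh --audit` on each host; a "Java 7 runtime installed (affected branch)" line together with a plug-in path is the combination the US-CERT guidance says to act on. A Java 7 runtime with no plug-in file still leaves stand-alone Java applications, but not drive-by applet attacks, on the table.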

“This certainly aligns with our experiences reporting issues to Oracle,” Alex Rothacker, Director of Security Research for Application Security’s TeamSHATTER told SecurityWeek. “They tend to release fixes at their pace, based on many factors. Officially, they claim to prioritize fixes based on severity. However, the past has shown that other factors come into play as well, such as side effects of the patch on customers, how hard it potentially is to patch for a customer, and the testing required after applying the patch.”

“While the next official CPU for Java is not due for a while, there have been two occurrences for the database lately, one after the April CPU and one after the July CPU, where Oracle has released out of band patches as a reaction to vulnerability disclosures by security researchers,” Rothacker continued. “So, there is some silver lining on the horizon and chances are, with this vulnerability being actively exploited in the wild, that they will release an out of band patch.” 
