Wake Up and Smell the Coffee – Key Lessons From Java Vulnerabilities

Lately, there has been a lot of commotion around Java vulnerabilities. Late last month, security researchers discovered zero-day Java vulnerabilities being actively exploited in the wild. Shortly after, a group of researchers reported that they had informed the vendor (Oracle) of the existence of these vulnerabilities in Java back in April. As a result, Oracle was essentially forced to release an out-of-cycle emergency patch, something the database giant rarely does. I would like to discuss some key lessons learned from this most recent Java incident.

Protect data and not end points

The exploits of the recently discovered Java vulnerabilities put the compromised insider threat in the spotlight again. While this threat was initially demonstrated in the narrow context of APT attacks (Stuxnet, Flame, Duqu and Gauss) as a targeted effort launched by state-sponsored actors, it raised awareness of this type of threat on a much wider scale. Our experience shows that many commercial malware operations share the same type of infrastructure complexity that Stuxnet was based on. We recently tracked down a single malware instance that was tied to 40 different command and control servers. The list was initially small but was updated on a daily basis. These attacks taught us about the potential damage that can result from an infected machine operating within our “secure perimeter”, but many organizations have been responding to the threat the wrong way. Trying to close the perimeter even tighter, or to regain control of end-user devices (while BYOD is clearly winning the day), is the wrong way to respond.

The lesson that I have seen too few organizations learn from such attacks is that protection should be built around data rather than around devices. Closely monitoring and controlling data at the source is one part of the solution. Looking for abusive access patterns to data, or for patterns that reflect the behavior of an outsider within our perimeter, is the answer.

Patching right away might be dangerous

As I discussed in my previous column, patching a vulnerability right away with a vendor-supplied “hot-fix” may not be the best security policy. Java users learned that lesson again when the security update provided by Oracle covered some known issues but opened new opportunities for attackers.

We can only imagine the reaction of system administrators who went through all the trouble of installing the patch across many devices, only to find out that the updated devices are now even more exposed to attacks, as the new vulnerability is not yet recognized by antivirus solutions. And the really sad part is that they will probably need to go through the same agonizing and possibly futile update process again, with a new patch to address the new vulnerabilities.

Beware of low genetic diversity

In nature, genetic diversity is key to the survival of a species. When it does not exist, the species is exposed to extinction by a single disease. A prominent example is Ireland’s 19th century “Great Famine”, caused by the potato blight. The famine had grave consequences for Ireland’s population: during the famine approximately 1 million people died and a million more emigrated from Ireland, causing the island’s population to fall by more than 20%.

In software, there are several areas suffering from a “shallow gene pool”. Attackers actively target these areas, as a successful attack on them can lead to massive exploitation. Microsoft’s Internet Explorer used to be one such area when it ruled the Web browser world, but now that new players have emerged (Google’s Chrome and Firefox) and the browser market is shared between a handful of browsers, the damage to Internet users from a single browser exploit has largely subsided.

As a result, hackers have shown a greater interest in more ubiquitous browsing-related components, such as Adobe’s Flash and Oracle’s Java. The Java case is even more serious than Flash, as Java serves as a critical component in many business-related software products and thus cannot be disabled without damaging business continuity.
