Wake Up and Smell the Coffee – Key Lessons From Java Vulnerabilities

Lately, there has been a lot of commotion around Java vulnerabilities. Late last month, security researchers discovered zero-day Java vulnerabilities being actively exploited in the wild. Shortly after, a group of researchers reported that they had informed the vendor (Oracle) of the existence of these vulnerabilities in Java back in April. As a result, Oracle was essentially forced to release an out-of-cycle emergency patch, something the database giant rarely does. I would like to discuss some key lessons learned from this most recent Java incident.

Protect data and not end points

The exploits of the recently discovered Java vulnerabilities put the compromised insider threat in the spotlight again. While this threat was initially demonstrated in the narrow context of APT attacks (Stuxnet, Flame, Duqu and Gauss) as a targeted effort launched by state-sponsored actors, it raised awareness of this type of threat on a wider scope. Our experience shows that many commercial malware operations share the same type of infrastructure complexity that Stuxnet was based on. We recently tracked down a single malware instance that was tied to 40 different command and control servers. The list was initially small but was updated on a daily basis. These attacks taught us about the potential damage that can result from an infected machine operating within our “secure perimeter”, but many organizations have been responding to the threat the wrong way. Trying to close the perimeter even tighter or to regain control of end-user devices (while BYOD is clearly winning the stage) is the wrong way to respond.

The lesson that I have seen too few organizations learn from such attacks is that protection should be built around data rather than around devices. Closely monitoring and controlling data at the source is one part of the solution. Looking for abusive access patterns to data, or patterns that reflect the behavior of an outsider within our perimeter, is the answer.

Patching right away might be dangerous

As I discussed in my previous column, patching the vulnerability right away with a vendor-supplied “hot-fix” may not be the best security policy. Java users learned that lesson again when the security update provided by Oracle covered some known issues but opened some new opportunities for the attackers.

We can only imagine the reaction of system administrators who went through all the trouble of installing the patch across many devices, just to find out that the updated devices are now even more exposed to attacks, as the new vulnerability is not yet recognized by antivirus solutions. And the really sad part is that they will probably need to go through the same agonizing and possibly futile update process again, with a new patch to address the new vulnerabilities.

Beware of low genetic diversity

In nature, genetic diversity is key to the survival of a species. When it is absent, the species is exposed to extinction by a single disease. A prominent example is Ireland’s 19th century “Great Famine” caused by the potato blight. The famine had grave consequences for Ireland’s population: during the famine approximately 1 million people died and a million more emigrated from Ireland, causing the island’s population to fall by more than 20%.

In software, there are several areas suffering from a “shallow gene pool”. Attackers are actively targeting these areas, as a successful attack on them can lead to massive exploitation. Microsoft’s Internet Explorer was one such area when it ruled the Web browser world, but now that new players have emerged (Google’s Chrome and Firefox) and the browser market is mostly shared between a handful of browsers, the damage to Internet users from a single browser exploit has largely subsided.

As a result, hackers have shown a greater interest in some more ubiquitous browsing-related components, such as Adobe’s Flash and Oracle’s Java. The Java case is even more serious than Flash, as Java serves as a critical component in many business-related software products and thus cannot be disabled without damaging business continuity.
