Category Archives: Java

No surprise: latest Java still not secure

It looks like Java is currently the target of choice for malware authors, which must be a relief for Microsoft, since Windows held that title for years. That means Oracle (Java’s developer since it acquired Sun) is in for a rough ride: the rate at which new Java vulnerabilities are found, and exploits written for them, is going to increase. The only thing that will reverse the trend is a serious effort by Oracle to harden the core of Java itself, rather than patching individual holes as they are reported. Until that happens, you’re going to keep hearing the same advice: don’t enable Java in your web browser unless you need it, limit browser Java to the sites and applications that require it, and remove Java completely if you don’t need it at all.

Relevant links:

Java Update (hopefully) fixes recent 0-day vulnerability

A new update for Java (Version 7, Update 11) was released today. This update is supposed to fix the serious 0-day vulnerability discovered last week. Anyone using Java 7 in a web browser should install this update immediately. Given the recent track record of Oracle/Sun (Java’s developer), it remains to be seen whether this update actually fixes the vulnerability. I will wait for Adam Gowdiak to weigh in before I’m certain one way or the other.

Technical details:

Update 2013Jan17: An interesting post over at NetworkWorld reviews what’s being said about the state of Java security.

Latest Java still vulnerable, new exploits in the wild

A new vulnerability in all the most recent versions of Java is already being exploited in the wild. It’s being called a critical zero-day bug: zero-day because it is being exploited before the developers have a fix available, and critical because it lets a malicious web page escape the Java sandbox and run code on the victim’s computer.

The Ars Technica article linked above points out that several hacking toolkits have already been updated to include exploits specific to this vulnerability.

Our advice on using Java remains the same: if you require Java to be enabled in your web browser, use the available security features (click-to-play in Firefox and Chrome, or the Java Control Panel option introduced in Java 7 Update 10 that disables Java content in all browsers) to prevent Java from running in any context where it’s not actually necessary. If you only require Java outside of a web browser, disable Java in your web browser. If you don’t need Java at all, disable or remove it completely.

For additional details, see the CERT post. Mozilla has a helpful post about protecting users from this vulnerability.

Update 2013Jan12: Adam Gowdiak has weighed in on this issue. According to Mr. Gowdiak, this new vulnerability is the result of a previous vulnerability being improperly fixed by an earlier patch.

And now, an apology: somehow I missed the release of Java Version 7 Update 10, which apparently became available on December 12, 2012. That version addressed a variety of vulnerabilities and other bugs, and enhanced security in general with new features like the ability to prevent any Java application from running in a web browser.
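As an added example (not code from this blog or from Oracle), here is a small Python script that performs the two checks the posts above keep recommending: whether the installed JRE reports a version at or past Java 7 Update 11, and whether the Java 7 Update 10 option that keeps Java out of the browser is actually switched on. It reads the output of `java -version` and the per-user deployment.properties file. The property name `deployment.webjava.enabled` is the one Oracle’s deployment configuration documents for the “Enable Java content in the browser” checkbox and is not mentioned in the posts; the sample inputs at the bottom are constructed, not captured from a real machine.

```python
"""Audit a desktop Java installation the way the posts above recommend:
is the JRE at least 7 Update 11, and is the browser plugin switched off?
Added example; not code from the blog or from Oracle."""
import re

# Java 7 Update 11 is the release the posts say fixes the January 2013 zero-day.
REQUIRED_UPDATE = {7: 11}

# Per-user deployment.properties key behind the Java Control Panel checkbox
# "Enable Java content in the browser" (added in 7u10). The key name comes from
# Oracle's deployment documentation, not from the blog posts.
WEBJAVA_KEY = "deployment.webjava.enabled"

# Matches the Java 5-8 style version string, e.g. java version "1.7.0_11"
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(output):
    """Return (major, update) from `java -version` output: "1.7.0_11" -> (7, 11).
    Returns None if the output is not in the "1.x.0_NN" format."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(output):
    """True if the runtime is at or past the fixed update for its major version,
    False if it is behind, None if the posts give no minimum for that major."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update = parsed
    if major not in REQUIRED_UPDATE:
        return None
    return update >= REQUIRED_UPDATE[major]


def parse_properties(text):
    """Minimal parser for Java .properties files: '#' or '!' comment lines,
    key=value or key:value, surrounding whitespace ignored. Line continuations
    are not handled; deployment.properties does not normally use them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def browser_java_disabled(props):
    """The plugin is off only when the key is present and explicitly false;
    a missing key means Oracle's default, which is enabled."""
    return props.get(WEBJAVA_KEY, "true").strip().lower() == "false"


def harden(text):
    """Return the properties text with browser Java disabled, replacing an
    existing setting or appending one, leaving every other key untouched."""
    out, replaced = [], False
    key_re = re.compile(re.escape(WEBJAVA_KEY) + r"\s*[=:]")
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and stripped[0] not in "#!" and key_re.match(stripped):
            out.append(WEBJAVA_KEY + "=false")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(WEBJAVA_KEY + "=false")
    return "\n".join(out) + "\n"


# Constructed sample inputs (not captured from a real machine).
SAMPLE_VERSION_OLD = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
SAMPLE_VERSION_NEW = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n'
SAMPLE_PROPERTIES = "#deployment.properties\ndeployment.version=7.10\ndeployment.webjava.enabled=true\n"

if __name__ == "__main__":
    for out in (SAMPLE_VERSION_OLD, SAMPLE_VERSION_NEW):
        print(parse_java_version(out), "patched:", is_patched(out))
    props = parse_properties(SAMPLE_PROPERTIES)
    print("browser Java disabled as installed:", browser_java_disabled(props))
    print("hardened file:\n" + harden(SAMPLE_PROPERTIES))
```

To use it on a real machine, feed the output of `java -version 2>&1` to `is_patched`, and read the user’s deployment.properties (on Windows, under `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\`, a path taken from Oracle’s documentation rather than from the posts) into `parse_properties`. `harden` writes out the same file with the browser setting forced off, so the default and the corrected configuration can be compared side by side; note that a file with no `deployment.webjava.enabled` line at all is reported as enabled, because that is Oracle’s default.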

Java still vulnerable even with recent batch of security fixes

We were wondering whether the recent Java updates addressed the security holes reported by Adam Gowdiak of Security Explorations. Well, Mr. Gowdiak tested the most recent Java in various browsers, and the answer is no, they do not.

Gowdiak went even further, developing a simple fix for the vulnerability. Oracle is unimpressed, saying that a proper fix will involve a lot more testing than the 30 minutes Gowdiak spent on it. They are sticking to their original estimate, that an official fix will not be available until the February 2013 Critical Patch Update.

So Java, despite the recent patches, is still vulnerable to exploits using the hole reported by Gowdiak. We continue to recommend disabling Java in web browsers.

Java on the desktop: safe or not?

Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.

Ars Technica recently asked their readers to talk about Java and how they use it. The resulting article outlines the results of this informal survey and makes some recommendations to users.

On typical Windows computers, installing Java also installs a browser plugin, which lets Java applets embedded in web pages run inside the browser without any prompt. This should not be confused with JavaScript, which also runs in web browsers but, despite its name, is a completely separate language with no relation to Java.

The same package provides the Java Runtime Environment (JRE) itself, which runs standalone Java applications with no web browser involved. Many system administration tools are written in Java, since the same code runs on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs directly in the JRE.

The plugin and standalone applications share the same runtime, so a vulnerability in the JRE affects both. The difference is in how code reaches that runtime. A standalone Java application must be explicitly downloaded and installed by the user: to play the full version of Minecraft, the user goes to the Minecraft web site, buys the game, downloads the installer, installs the game, then runs it. That code already runs with the user’s full privileges, because the user chose to trust it; it does not need a vulnerability to do harm. Java code on a malicious or hacked web site, on the other hand, runs automatically and invisibly the moment a user visits that site, if the browser has a functioning Java plugin, and a vulnerability lets it escape the sandbox that is supposed to confine applets.

Clearly, the Java browser plugin presents a much greater security risk than standalone Java. Our recommendations, echoed by the Ars Technica article, remain the same: you should seriously consider disabling the Java plugin in your web browser, but it’s okay to leave the JRE installed on your computer.

Critical Patch Update fixes 30 Java security issues

Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.

You can download the Java Runtime Environment (JRE) or Java Development Kit (JDK) appropriate for your computing environment from the Java downloads page.

Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).

It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.

Another Java vulnerability revealed

As if things weren’t bad enough for Java on the web, security researcher Adam Gowdiak of Security Explorations yesterday announced yet another critical security flaw.

The new flaw apparently affects all versions of Java, including the most recent updates of Java 5, 6 and 7.

How does this affect users? Nothing has really changed: users are strongly urged to disable Java in their web browsers, since web sites are the most likely vector for attacks based on Java vulnerabilities. If that isn’t possible or practical for you, then your best course of action is to be extremely cautious when deciding whether to click any kind of link, in email or anywhere else. Simply visiting a web site can be enough to infect your computer.

Oracle has not responded to this latest report, and they have yet to respond to the previous Java vulnerability reports.

That was fast… vulnerability found in latest Java

Researchers have already found a vulnerability in Java 7 Update 7, which was only released yesterday. So far all we know is that a report, along with code demonstrating the security hole, has been submitted to Oracle, Java’s developer.

Details on the new Java hole show that it could be used to take over a vulnerable computer. So, once again, users are being urged to disable Java, especially in web browser software.

Your move, Oracle.

UPDATE 2012Sep01: SANS reports that a new email phishing attack exploiting this new Java hole is showing up in the wild. The email appears to be from Microsoft, and is patterned on a recent, legitimate Microsoft email message. The mail contains a URL that, once clicked, sends the web browser to a site hosting the published Java exploit code. Advice to users is the same as usual: be very careful about clicking on any link you don’t know for sure is safe, and consider disabling Java in your web browser.

New patch for Java plugs recently-discovered security hole

Much to their credit, Oracle has released a patch for Java that fixes the recently-discovered security hole.

CERT confirms that the new patch does indeed resolve the problem. All Java users – and that’s you, unless you’re absolutely certain Java is disabled – should apply this update as soon as possible. This affects Windows, Linux and MacOS users.

This is a welcome reaction from Oracle. Until this patch was released, it was assumed that the hole would not be fixed until the next regular patch cycle in October 2012.