We were wondering whether the recent Java updates addressed the security holes reported by Adam Gowdiak of Security Explorations. Well, Mr. Gowdiak tested the most recent Java in various browsers, and the answer is no, they do not.
Gowdiak went even further, developing a simple fix for the vulnerability. Oracle is unimpressed, saying that a proper fix will involve a lot more testing than the 30 minutes Gowdiak spent on it. They are sticking to their original estimate, that an official fix will not be available until the February 2013 Critical Patch Update.
So Java, despite the recent patches, is still vulnerable to exploits using the hole reported by Gowdiak. We continue to recommend disabling Java in web browsers.
Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.
Many Windows computers also contain the Java Runtime Environment (JRE), which allows standalone Java applications to run without a web browser. Many system administration tools are developed in Java, since this allows the same code to run on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs in the JRE.
Java vulnerabilities exist both in Java browser plugins and in the JRE. However, Java code that runs in the JRE must be explicitly downloaded and installed by the user. For example, to play the full version of Minecraft, the user must go to the Minecraft web site, buy the game, download the installer, install the game on their computer, then run the game. On the other hand, Java code on a malicious or hacked web site can run automatically and invisibly the moment a user visits that web site – if their browser has a functioning Java plugin.
Clearly, Java web browser plugins present a much greater security risk than standalone Java. Our recommendations – echoed by the ARS Technica article – remain the same: you should seriously consider disabling Java plugins in your web browser, but it’s okay to leave the JRE installed on your computer.
Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.
You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.
Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).
Update 2012Oct12: Version 16.0.1 of Firefox has just been released. The new version fixes the vulnerability that caused version 16.0 to be pulled from the Firefox download site yesterday. All users are encouraged to upgrade to 16.0.1 as soon as possible.
Firefox 16.0 has been removed from the Mozilla web site due to a new vulnerability. Users who have already upgraded to the new version should either downgrade to version 15.0.1 or exercise extreme caution before visiting any unfamiliar or suspicious web site. The new vulnerability makes it possible for web sites to access information that is normally protected by the browser.
Google encourages security researchers to discover security vulnerabilities in its web browser, Chrome. The recently-concluded Pwnium 2 contest revealed one new vulnerability. A $60,000 prize was awarded to its discoverer, and within hours, a new version of Chrome (22.0.1229.94) that addresses the vulnerability was released.
It’s Patch Tuesday and Microsoft has released seven security bulletins, affecting Windows, Word, Internet Explorer and other Microsoft software. A total of 20 vulnerabilities are addressed by the updates. We covered the details in a previous post. As always, we encourage everyone running affected software to apply the updates as soon as possible.
Released yesterday, version 11.4.402.287 addresses security, performance and stability issues in the previous versions of Flash. Users are encouraged to install the new Flash as soon as possible.
Note that at the time of this post, the Flash Player Update Announcement on Adobe’s site shows the wrong version in the first paragraph. It should show the new version as 11.4.402.287 but instead shows it as 11.4.402.278.
Another month, another batch of updates from Microsoft. On October 9, starting at about 10 am PDT, Microsoft will release patches that address a total of twenty vulnerabilities in Windows and Office. Seven security bulletins will cover the defects being patched, one of which is a critical vulnerability in Word.
Also included in the upcoming updates will be Microsoft Security Advisory (2661254): Update For Minimum Certificate Key Length. This update is the final step in a series of actions taken by Microsoft to improve Internet-based security for its products. This update will force RSA-encrypted communications in Internet Explorer and Outlook to use keys that are 1024 bits in length or greater. If you access secure web sites with Internet Explorer or use encrypted email with Outlook, this update may cause those services to stop working. For further details, see: