Oracle Rushes Out Java Security Patch


Oracle has issued an emergency Java security update, following calls to disable the software running in Web browsers to avoid attacks targeting the coding errors.

Java SE 7 update 11 was issued Sunday, repairing a Security Manager bypass vulnerability and a remote code execution flaw in Java running in Web browsers.

"Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited 'in the wild' and some exploits are available in various hacking tools," the company said in its security advisory.

[Related: Attackers Targeting New Java Zero-Day Flaw]

The update changes the default Java Security Level setting from Medium to High, enabling a security feature that prompts the user before Java runs in the browser. Reports of attackers targeting a new Java zero-day vulnerability began surfacing last week. Security experts, including the U.S. Computer Emergency Readiness Team (US-CERT), said the only way to provide protection against the attack is to disable Java running in the browser.

US-CERT called the vulnerabilities patched by Oracle "equally severe." Exploit code was made publicly available and an exploit targeting one of the coding errors was incorporated into the Black Hole exploit kit, the Cool attack toolkit and several others, making attacks more widespread, according to US-CERT.

Oracle said Java needs to be re-enabled in order to apply the latest security update. Users running Java in the browser can get the latest update at Java.com. Windows users can get automatic updates, repairing the flaws.

Java is essentially running within a sandbox in the browser, but attackers have figured out a way to get around permissions and bypass security restrictions with the exploit code. Security researchers are tracking 15 to 20 different exploit kits, said Tim van der Horst, a senior malware researcher at Sunnyvale, Calif.-based Blue Coat Systems. Many attack toolkits have the same features, but most of them are a way to get people running attacks quickly and easily, he said.

"Java has a massive install base," van der Horst said. "Java is a large space for them to attack, and you attack where you know there will be a reasonable percentage of people who would be vulnerable because that's where the money is."

Disabling Java in the enterprise is difficult because many enterprise applications use the code, explained Gunter Ollmann, CTO of IOActive. Disabling Java also could cause the browser to crash in certain situations, he said.

"Over the years companies have been using the programming language in a variety of applications, so disabling it is sometimes easier said than done," Ollmann said in a recent interview with CRN.

PUBLISHED JAN. 14, 2013