Oracle's emergency Java patch blocks zero-day exploits, researchers confirm


Firefox
Oracle's emergency Java patch blocks zero-day exploits, researchers confirm

Fixes flaws that hackers have been using in an ever-increasing number of attacks

By Gregg Keizer

August 30, 2012 03:14 PM ET

Computerworld - Oracle today issued an emergency update to patch the critical vulnerabilities hackers have been using in increasing numbers to hijack Windows PCs.

According to Rapid7, the security firm that maintains the Metasploit open-source penetration framework, the so-called "out-of-band" update will stymie the current attack campaigns.

"It appears that it's effective in blocking the exploit," Tod Beardsley, the engineering manager for Metasploit, said early Thursday. "We just finished testing it 10 minutes ago."

Oracle posted the update -- designated "1.7.0_07-b10" -- published a bare-bones release note on its website, and followed that with an alert shortly after 1 p.m. ET listing the three security vulnerabilities addressed and a single defense-in-depth change it included.

The company also posted a short blog entry on the update.

Hackers had been exploiting two of the bugs for some time in targeted attacks, but in the last several days the scale of those campaigns had dramatically increased.

Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, who in early April reported the vulnerabilities, also confirmed that Thursday's Java update shuts down the in-use exploits.

"None of the original code that we sent to Oracle in April 2012 can be used to achieve a complete Java security sandbox bypass [after the update is applied]," said Gowdiak in an email reply to questions.

Yesterday, the IDG News Service, which like Computerworld is operated by IDG, reported that Gowdiak had told Oracle of the exploited flaws four months ago, on April 2.

Oracle did not give Gowdiak a heads-up that it would be shipping an out-of-band update today. "[But] we expected that they would do this, taking into account the recent events surrounding the 0-day attack code and the widespread surprise that the serious security flaws we reported to the company in April 2012 had not been addressed earlier," said Gowdiak.

Gowdiak, Beardsley and others also commented on the unusual nature of an emergency update from Oracle.

"If we assume that they heard about [the vulnerabilities] the same time they went public, then getting a patch out in four days was lightning quick," said Beardsley. "And if the rumor is true that they've had it for several months, it's still pretty quick for them ... they usually take six months or more."

Andrew Storms, director of security operations at nCircle Security, also applauded Oracle's speed. "Let's give them a little credit and say they delivered the patch in about a week of it going public," said Storms. "I'd say not bad on the turn-around, [so] hat tip to the dev team."

Gowdiak agreed. "We are glad that Oracle didn't wait with the update till October," he said, referring to the next regularly-scheduled Oracle patch date of Oct. 16. "We hope that out-of-band patches will become more common and will be used whenever a need arises to protect users of Oracle software."

But Storms blasted Oracle's communication skills. "Talk to the hand for the [security] PR team," he said. "Oracle is so horrible at security PR, unless they want to let you know that their products are supposedly unbreakable."

Until today, Oracle had refused to comment on the bugs or the in-the-wild exploits.

Users can obtain the emergency update from Oracle's website.


Reposted to prevent confusion about Java 7u7 and 6u35 - They contain critical vulnerabilities...


Researchers find critical vulnerability in Java 7 patch hours after release

The new vulnerability allows a complete Java Virtual Machine sandbox escape in Java 7 Update 7, researchers from Security Explorations say

By Lucian Constantin

August 31, 2012 12:08 PM ET

IDG News Service - Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.

Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO said Friday via email.

The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.

Oracle broke out of its regular four-month patching cycle on Thursday to release Java 7 Update 7, an emergency security update that addressed three vulnerabilities, including two that were being exploited by attackers to infect computers with malware since last week.

Java 7 Update 7 also patched a "security-in-depth issue" which, according to Oracle, was not directly exploitable, but could have been used to aggravate the impact of other vulnerabilities.

The patching of that "security-in-depth issue," which Gowdiak calls an "exploitation vector," rendered ineffective all of the proof-of-concept (PoC) Java Virtual Machine (JVM) security bypass exploits that the Polish security firm had previously submitted to Oracle.

According to Gowdiak, Security Explorations privately reported 29 vulnerabilities in Java 7 to Oracle back in April, including the two that are now actively exploited by attackers.

The reports were accompanied by a total of 16 proof-of-concept exploits that combined those vulnerabilities to fully bypass the Java sandbox and execute arbitrary code on the underlying system.

The removal of the getField and getMethod methods from the implementation of the sun.awt.SunToolkit class in Java 7 Update 7 disabled all of Security Explorations' PoC exploits, Gowdiak said.

However, this only happened because the "exploitation vector" was removed, not because all vulnerabilities targeted by the exploits were patched, Gowdiak said.

The new vulnerability discovered by Security Explorations in Java 7 Update 7 can be combined with some of the vulnerabilities left unpatched by Oracle to achieve a full JVM sandbox bypass again.

"Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again," Gowdiak said. "A new idea came, it was verified and it turned out that this was it."

Gowdiak doesn't know when Oracle plans to address the remaining vulnerabilities reported by Security Explorations in April or the new one submitted by the security company on Friday.

It's not clear if Oracle will release a new Java security update in October as it previously planned. Oracle declined to comment.

Security researchers have always warned that if vendors take too much time to address a reported vulnerability it might be discovered by the bad guys in the meantime, if they don't already know about it.

On multiple occasions, different bug hunters have independently discovered the same vulnerability in the same product, and this may also have happened with the two actively exploited Java vulnerabilities that Java 7 Update 7 addressed.

"Independent discoveries can never be excluded," Gowdiak said. "This specific issue [the new vulnerability] might be however a little bit more difficult to find."

Based on the experience of Security Explorations researchers with hunting for Java vulnerabilities so far, Java 6 has better security than Java 7. "Java 7 was surprisingly much easier for us to break," Gowdiak said. "For Java 6, we didn't manage to achieve a full sandbox compromise, except for the issue discovered in Apple Quicktime for Java software."

Gowdiak has echoed what many security researchers have said before: If you don't need Java, uninstall it from your system.
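Both articles turn on one operational question for an administrator: is the installed runtime at or above the emergency builds, Java 7 Update 7 (1.7.0_07) and Java 6 Update 35? The checker below is an added example, not code from Computerworld, IDG, Oracle or Security Explorations. It parses the quoted version string that `java -version` prints and compares the update number against those two builds; the sample outputs inside it are constructed, and the only build identifier taken from the page is 1.7.0_07-b10. Note the caveat the second article supplies: a result of "patched" means the runtime is not exposed to the exploits these updates addressed, not that it is free of known sandbox escapes, since Security Explorations reported a new one in 7u7 the day after release.

```python
"""Check whether a Java runtime is at or above the out-of-band fixed builds.

Added example (not from the articles or from Oracle). It parses the first
line of `java -version` output, e.g. java version "1.7.0_07", and compares
the update number against the fixed builds the articles name:
Java 7 Update 7 (1.7.0_07) and Java 6 Update 35 (1.6.0_35).
'patched' here means "not below the emergency build", nothing more: the
second article reports a further sandbox escape in 7u7 itself.
"""
import re
import subprocess

# Minimum update numbers carrying the emergency fix, keyed by Java major line.
MINIMUM_FIXED_UPDATE = {7: 7, 6: 35}

# Matches the quoted version string Sun/Oracle JDKs print, e.g. "1.7.0_07".
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.0_(\d+)')


def parse_java_version(version_output):
    """Return (major, update) parsed from `java -version` text, or None."""
    match = _VERSION_RE.search(version_output)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def assess(version_output):
    """Classify a runtime as 'vulnerable', 'patched', 'unsupported-line' or 'unknown'."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return "unknown"
    major, update = parsed
    minimum = MINIMUM_FIXED_UPDATE.get(major)
    if minimum is None:
        # A Java line the articles do not cover (e.g. Java 5): no verdict.
        return "unsupported-line"
    return "patched" if update >= minimum else "vulnerable"


def installed_java_output():
    """Run the local `java -version` (it prints to stderr); None if Java is absent."""
    try:
        result = subprocess.run(["java", "-version"],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stderr or result.stdout


if __name__ == "__main__":
    # Constructed sample outputs, one per case, instead of a live runtime.
    samples = {
        "pre-patch 7u6": 'java version "1.7.0_06"',
        "7u7 emergency build": 'java version "1.7.0_07"\n'
                               'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)',
        "6u33": 'java version "1.6.0_33"',
        "6u35": 'java version "1.6.0_35"',
    }
    for label, text in samples.items():
        print(f"{label}: {assess(text)}")
    live = installed_java_output()
    if live is not None:
        print(f"local runtime: {assess(live)}")
```

Run it as-is to see the four constructed cases classified; the final lines report the machine's own runtime when a `java` binary is on the path. The version regex is deliberately narrow (the `1.x.0_NN` scheme Oracle used for Java 6 and 7), so a runtime printing a different scheme yields "unknown" rather than a false "patched".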

SOURCE: http://www.computerw...s_after_release

Steve
