If you use Java, you know the drill: It's time to update for security vulnerabilities once again.

Oracle is out with its latest Critical Patch Update (CPU) release with Java SE 7 Update 25. The June release is part of Oracle's regularly scheduled plan for Java updates, though don't let that fool you; this update fixes some very high-risk issues of immediate importance.

Ten of the 40 issues were privately reported to Oracle by HP's Zero Day Initiative (ZDI).

"These vulnerabilities cover a wide spectrum of software weaknesses including sandbox bypasses, heap-based buffer overflows, and out-of-bounds writes," Brian Gorenc, manager of the Zero Day Initiative at HP Security Research, wrote in an email to eSecurity Planet.

Gorenc noted that at the HP-sponsored Pwn2Own event earlier this year, the same vulnerability types were leveraged by attackers to compromise machines and execute arbitrary code. The specific issues that researchers found at Pwn2Own in March were fixed by Oracle in April with a Java update that included 41 fixes.

For the HP ZDI issues being fixed in the new Java SE 7 update 25, Gorenc noted that most of the issues his firm submitted were originally reported in early April.

"Oracle seems to be reacting quickly to high-severity vulnerabilities," Gorenc said. "We look forward to seeing this trend continue."

Remotely Exploitable

While Gorenc is optimistic about Oracle's responsiveness, the severity of the flaws cannot be overstated. In total, of the 40 flaws fixed in the Java SE 7 Update 25 release, 37 are remotely exploitable without authentication.

"The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system," said Ross Barrett, senior manager of security engineering at Rapid7.

Barrett added that in addition to ZDI, there are a good number of researchers that have been credited for these fixes and it’s likely that Proof of Concept code will be released now that the patches are available.

The Java SE 7 Update 25 release is the latest in a long string of updates and bad news for Java security in 2013. Back in January, Oracle Java developers admitted that Java needed to be fixed.

Since January however, Java has been patched multiple times, including the 41 issues fixed in April. Oracle had to rush out a patch for 17 flaws in March, including one for the McRat trojan. In February, Oracle released updates patching a total of 55 flaws in Java. Oracle's year started off with the Java 7 update 11 (7u11), which was issued to patch another set of 0-day flaws.

Can Java Be Secured?

Oracle has made multiple efforts this year to try to secure Java. There is now a security settings option in Java, and applets are supposed to be signed with valid X.509 code-signing certificates. Oracle also now maintains its own blacklist of malicious applications and certificates.

Oracle's efforts notwithstanding, not everyone believes that Java can be secured.

"Java is definitely a cesspool of vulnerabilities waiting to be discovered, some of which will be patched and exploited," Jeremiah Grossman, founder and CTO of WhiteHat Security, told eSecurity Planet. "The thing to closely monitor is how fast end-users are actually patching, not just how many vulnerabilities are being addressed when the patch is made available."

Grossman added that, "the Java ecosystem is notoriously slow, which is why I recommend uninstalling Java unless you really need it, then you don't have to worry about the endless slew of patches."
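Monitoring how quickly end users actually patch, as Grossman suggests, starts with knowing which Java release a machine runs. The following POSIX shell script is an added example, not code from the article or from Oracle: it parses the version string that `java -version` prints (for example `java version "1.7.0_21"`) and reports whether the installed runtime is older than 1.7.0_25, the Java SE 7 Update 25 release discussed above. The function names and the `--check` flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article): flag Java runtimes older than
# Java SE 7 Update 25 (version string 1.7.0_25) so they can be scheduled
# for patching.

# extract_version: pull "1.7.0_21" out of a full `java -version` line such as
#   java version "1.7.0_21"
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*"\([0-9][0-9.]*_[0-9][0-9]*\)".*/\1/p'
}

# older_than_7u25: returns 0 (true) when the version is below 1.7.0_25,
# 1 when it is 1.7.0_25 or newer, 2 when the string cannot be parsed.
# Accepts either a bare version ("1.7.0_21") or the raw `java -version` line.
older_than_7u25() {
    v="$1"
    case "$v" in
        *'"'*) v=$(extract_version "$v") ;;
    esac
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*_[0-9]*) ;;
        *) return 2 ;;
    esac
    family=${v%%_*}                              # e.g. 1.7.0
    update=${v##*_}                              # e.g. 21
    minor=$(printf '%s' "$family" | cut -d. -f2) # e.g. 7
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    case "$update" in ''|*[!0-9]*) return 2 ;; esac
    # Any 1.6 or earlier family is older than 7u25 by definition;
    # 1.8 and later are newer regardless of update number.
    if [ "$minor" -lt 7 ]; then return 0; fi
    if [ "$minor" -gt 7 ]; then return 1; fi
    [ "$update" -lt 25 ]
}

# check_installed_java: query the local JRE (java prints its version on
# stderr) and print a one-line verdict. Returns 0 when an update is needed.
check_installed_java() {
    line=$(java -version 2>&1 | head -n 1)
    if older_than_7u25 "$line"; then
        echo "UPDATE NEEDED (older than 1.7.0_25): $line"
        return 0
    else
        echo "OK or not parseable: $line"
        return 1
    fi
}

# Usage: sh check_java.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed_java
fi
```

Run it with `--check` on each host, or feed collected `java -version` lines to `older_than_7u25` from an inventory script; a non-zero minor version above 7 (1.8 and later) is reported as newer, and anything that does not look like a `1.x.y_NN` string returns 2 so it can be triaged by hand rather than silently passing.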

Lamar Bailey, director of security research and development at Trustwave, told eSecurity Planet that given the widespread use of Java, he seriously doubts that we'll see a slowdown in exploits and patches anytime soon.

"Java is squarely in the crosshairs of many hackers and security researchers, and that’s not going to change in the short term," Bailey said.

Bailey said that while Oracle is doing a decent job of stepping up delivery of bug fixes, the company still has a long way to go.

"Since Java is used so widely, Oracle really needs to abandon the quarterly release cycle and get Java updates out to users at least monthly until the rising tide of vulnerabilities starts to recede," Bailey said.

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.