Patch Monday? Oracle and Microsoft Scramble IT Patch Cycle
Out-of-band updates from Microsoft and Oracle address critical zero-day flaws.
It's not every Monday when IT administrators need to patch for not one, but two zero-day vulnerabilities. But both Oracle and Microsoft have patches out today that will require immediate attention from millions of users and enterprise IT admins.
In the case of the Oracle Java flaw, the issue was first publicly reported late Thursday and triggered a US CERT alert. The vulnerability in question enables unprivileged code to access restricted classes and potentially execute arbitrary code. The Java vulnerability is particularly dangerous because it affects all versions of Java across all Windows, Mac and Linux operating systems.
Oracle issued a fix for the issue with Java 7 update 11 (7u11) which also makes a significant change to the default security level setting. The default security setting is now at high, moving up from the medium setting in use for 7u10.
"By changing the default security level to 'high' it ensures that, by default, users will need to click on a Java applet to allow it to run," Alex Kirk, senior research engineer with Sourcefire, told eSecurity Planet.
Kirk added that while there will be users who are compromised by exploit kits and other attack types after they've manually allowed a malicious applet to run, this new setting gives users the opportunity to pause, assess the website they're visiting, and make a decision about whether to proceed or not.
"This moment of reflection should cut down dramatically on total successful attacks, since users who see domains that are clearly unrelated to what they thought they were trying to access will have the chance to simply close the tab and keep their systems safe," Kirk said.
New Java Controls
This isn't the first time Oracle has tried to stop Java attacks with new controls. The Java 7 update 10 (7u10) release that debuted in December was intended to do much the same thing.
The 7u10 Java release included a version checker and a "best-before" date to ensure that users are running the most up-to-date version of Java. The 7u10 release also introduced a new control panel for security setting but unfortunately left the default at medium, an issue that has now been fixed in the 7u11 update.
Java has been one of the most exploited and vulnerable applications in recent years, with multiple studies identifying it as being the least secure plugin. Though Java has more than its fair share of challenges, some security experts commend Oracle for its quick response to this most recent issue.
"As far as we are aware, Oracle was informed of the exploit on January 10," Gavin O’Gorman, senior threat intelligence analyst at Symantec Security Response, told eSecurityPlanet. "A patch was made available three days later. In general, that is a very quick turnaround time to release a fix."
Sourcefire's Kirk noted that the general sense in the security community was one of pleasant surprise when a full patch was issued in just three days, as opposed to the more common three weeks or more.
"While response times and response communications can always improve, this out-of-band patch is a clear sign that they are improving their process when it comes to critical zero-day issues," Kirk said.
Microsoft's IE Issue
While Oracle patched its zero-day vulnerability in three days with a full patch, Microsoft has taken a bit longer. Microsoft today issued an out-of-band patch update for a critical flaw in its Internet Explorer (IE) Web browser.
Microsoft wasn't able to complete the full IE patch in time for its January Patch Tuesday update that came out last week.
The IE flaw was first identified on Dec. 28 and Microsoft offered some initial mitigation for the flaw within days. The IE flaw affects versions 6-8 and not the newer IE 9 and 10 releases.
"While the impact has been limited, for increased protection customers should apply the update as soon as possible if they do not have automatic updates enabled," Dustin Childs, group manager at Microsoft Trustworthy Computing, said in a statement.
While Microsoft's full patch for the IE issue was not quite as fast as Oracle's Java response, the fix is still considered to be responsive.
"Microsoft continues its trend from the past couple of years of being very responsive to zero-day attacks discovered in the wild," Kirk said. "Through both its cooperation with security vendors as part of the MAPP program and its public advisories and patches, Microsoft is actually a leader in the security industry today in terms of proper vendor response."