Oracle started February with a massive patch update, including no fewer than 50 fixes for its much-maligned Java technology. Apparently they missed a few.
Oracle today released a patch update providing an additional five fixes for Java. Three of the five fixes address flaws carrying the highest possible CVSS base score of 10, and all five vulnerabilities are remotely exploitable without authentication.
“The purpose of this update is to deliver five additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th,” Eric Maurice, Manager for Oracle’s global technology business unit, stated.
As was the case with Oracle's big 50-fix Java update earlier this month, 80 percent of the patches (four of the five) address client-side Java deployments.
One of the fixes is for a newly reported server security risk.
“The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE),” Maurice noted. “This fix is for a vulnerability commonly referred to as the ‘Lucky Thirteen’ vulnerability in SSL/TLS (CVE-2013-0169).”
Lucky Thirteen is a timing side-channel attack against CBC-mode cipher suites in TLS and DTLS. Because a receiver strips the padding before computing the MAC, the time it takes to reject a tampered record depends on what the padding decrypted to, and an attacker who can modify traffic in transit can use that difference, over many trials, to recover plaintext from a session it cannot otherwise decrypt.
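How that leak arises, and why constant-time MAC processing closes it, as an added example in Python that is not part of the original article and is not Oracle's JSSE code. It models a TLS 1.1-style CBC receiver working on bytes after decryption; the HMAC-SHA1 key, record header, filler and target block are constructed values, and the count of SHA-1 compression calls stands in for the wall-clock time the real attack measures.

```python
"""Why Lucky Thirteen leaks: a model of a TLS CBC receiver whose MAC work
depends on how many padding bytes it stripped.

Added example (not Oracle's JSSE or any other real implementation).
Simplification, labelled: the functions take bytes *after* CBC decryption.
In CBC, XORing a delta into ciphertext block C[i-1] XORs the same delta
into decrypted block P[i], so the attacker's tampering needs no key and
is modelled as XORing delta into the tail of the decrypted block."""
import hashlib
import hmac
import os

MAC_LEN = 20      # HMAC-SHA1 tag, as in the *_CBC_SHA cipher suites
HEADER_LEN = 13   # MAC prefix: seq_num(8) + type(1) + version(2) + length(2)
SHA1_BLOCK = 64


def sha1_compressions(n_bytes):
    """Compression calls SHA-1 needs for n_bytes, including its 9 bytes
    of mandatory padding (0x80 marker plus 64-bit length)."""
    return (n_bytes + 9 + SHA1_BLOCK - 1) // SHA1_BLOCK


def hmac_sha1_compressions(msg_len):
    """Inner hash over (K^ipad)||msg plus outer hash over (K^opad)||inner."""
    return sha1_compressions(SHA1_BLOCK + msg_len) + sha1_compressions(SHA1_BLOCK + MAC_LEN)


def strip_padding(plain):
    """Bytes to remove under the TLS 1.1+ rule: pad_len+1 bytes, all equal
    to pad_len, else treat the padding as zero length and still MAC-check
    (the anti-Vaudenay advice whose timing Lucky 13 exploits)."""
    pad_len = plain[-1]
    if pad_len + 1 + MAC_LEN <= len(plain) and all(b == pad_len for b in plain[-(pad_len + 1):]):
        return pad_len + 1
    return 0


def seal(key, header, msg, pad_len):
    """Honest sender: msg || HMAC(header||msg) || padding (before CBC encryption)."""
    tag = hmac.new(key, header + msg, hashlib.sha1).digest()
    return msg + tag + bytes([pad_len]) * (pad_len + 1)


def check_record_leaky(key, header, plain):
    """Vulnerable receiver.  Returns (mac_ok, compressions); the work
    count stands in for wall-clock time and depends on stripped padding."""
    body = plain[:len(plain) - strip_padding(plain)]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    ok = hmac.compare_digest(hmac.new(key, header + msg, hashlib.sha1).digest(), tag)
    return ok, hmac_sha1_compressions(len(header) + len(msg))


def check_record_fixed(key, header, plain):
    """Hardened receiver: always perform the work of the longest possible
    MAC input (one byte of padding), adding dummy compressions otherwise."""
    body = plain[:len(plain) - strip_padding(plain)]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    ok = hmac.compare_digest(hmac.new(key, header + msg, hashlib.sha1).digest(), tag)
    real = hmac_sha1_compressions(len(header) + len(msg))
    worst = hmac_sha1_compressions(len(header) + len(plain) - MAC_LEN - 1)
    for _ in range(worst - real):
        hashlib.sha1(b"\x00" * (SHA1_BLOCK - 9)).digest()  # exactly one compression
    return ok, worst


def recover_tail_bytes(receiver, key, header, filler, target_block):
    """Attacker model: 2^16 forged 64-byte records, each XORing a different
    delta into the last two bytes of the (undecryptable) target block.
    Only when those bytes become 0x01 0x01 does the receiver strip two
    bytes, MAC 55 bytes instead of 56 or 57, and save one compression.
    Every 'fast' response yields a candidate for the two plaintext bytes."""
    slow = hmac_sha1_compressions(len(header) + len(filler) + len(target_block) - MAC_LEN - 1)
    candidates = set()
    for d in range(1 << 16):
        delta = d.to_bytes(2, "big")
        tail = bytes(p ^ x for p, x in zip(target_block[-2:], delta))
        # The forged MAC never verifies; only the amount of work leaks.
        _ok, work = receiver(key, header, filler + target_block[:-2] + tail)
        if work < slow:
            candidates.add(bytes(x ^ 0x01 for x in delta))
    return candidates


def demo():
    key = os.urandom(20)                  # MAC key, unknown to the attacker
    header = bytes(HEADER_LEN)            # constructed header; a real one carries the sequence number etc.
    filler = b"\x55" * 48                 # constructed stand-in for the garbage the other blocks decrypt to
    target = bytes(range(0x40, 0x50))     # constructed 16-byte secret block; attacker wants its last two bytes
    return (recover_tail_bytes(check_record_leaky, key, header, filler, target),
            recover_tail_bytes(check_record_fixed, key, header, filler, target))


if __name__ == "__main__":
    leaky, fixed = demo()
    print("leaky receiver reveals:", leaky)   # {b'NO'}, the last two bytes of target
    print("fixed receiver reveals:", fixed)   # set()
```

The attacker never sees a valid MAC: every forged record is rejected, and the leak is entirely in how long the rejection takes. In the real attack each probe tears down the TLS connection, so the same plaintext has to be re-sent many times (a browser repeatedly sending the same cookie, for instance) and the timing difference of one compression call has to be measured over many trials to average out network noise; the deterministic work count above removes that statistics problem to show the mechanism itself.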
Facebook Exploited by Java
The vulnerabilities patched by Oracle this month are not just exercises in security prudence. As it turns out, Java vulnerabilities have been directly used in a number of high-profile attacks. Late last week, Facebook revealed it had been breached and blamed an Oracle Java exploit.
“After analyzing the compromised website where the attack originated, we found it was using a ‘zero-day’ (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware,” Facebook stated. “We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”
Richard Wang, a manager at SophosLabs, told eSecurity Planet that Facebook's openness about the breach should be applauded. Because Facebook shared its experience, the incident can serve as a lesson to others.
“Java in the browser is a security problem,” Wang said. “Despite Oracle’s ongoing efforts, criminal hackers continue to find and exploit vulnerabilities in Java.”
Alex Horan, senior product manager at CORE Security, told eSecurity Planet that he wonders if the Facebook disclosure is the beginning of the end of Java being enabled in browsers within corporate environments.
“Of course life without Java is a chicken-and-egg situation,” Horan said. “If the Web apps they need for critical work require Java, then they cannot get rid of it.”
Both Horan and Wang suggest that users who don't need Java remove it from their devices. Wang advises users who do need it to run a separate browser used only for Java apps on trusted sites, to further minimize risk.
“And of course, make sure any Java that you use, on the desktop or in the browser, is fully patched and up to date,” Wang said. “The criminals don’t give up on a vulnerability when a patch is issued. They will keep using it because they know that there are plenty of aspiring victims who are slow to apply security updates.”
Users can update Java via the built-in auto-update mechanism in Java or by obtaining the latest version from Java.com.