Sunday, 02 September 2012 11:47

Oracle's recent Java patch is broken

By David Heath

Within hours of Oracle's out-of-cycle Java patch being released, the researchers who found the original flaws declared it broken: with the patch applied, a complete sandbox bypass is still possible, so you are no better off whether you install it or not. Our strong advice is to disable Java. NOW.

Since a set of major vulnerabilities in Java was discovered in April, Oracle has been roundly criticised for its slow response. It has been widely reported that exploits for these vulnerabilities have been added to both the Metasploit Framework and the Blackhole exploit kit, making exploitation of these holes little more than point-and-click.

Note that Oracle runs a four-month security patching cycle for Java: a release ships every two months, alternating between a security update and a bug-fix/enhancement update. This means a fix can be months away, especially if it is not ready when the current security update is cut.

Having earlier announced that users would have to wait until the regular October security update, Oracle rushed a patch out late last week.

Rushed is the key word here.

It quickly became apparent that the patch addressed only some of the attack vectors; soon after, it became clear that it did not even manage that.

Polish security firm Security Explorations found the original flaws and reported them directly to Oracle (which has owned Java since its 2010 acquisition of Sun Microsystems) in April. Months later, Oracle was still being criticised for not addressing the issue, and Security Explorations' published timeline of its dealings with Oracle lends weight to that criticism.

Matters came to a head when active exploitation was observed in the wild.

In the past few days Oracle was finally stung into action and released the patch (Java SE 7 Update 7) that was widely reported in the tech media.

Most commentators (myself included, in a comment on that coverage) urged users to apply the patched version of Java at once.

I hereby rescind that advice.

Just a few hours after the patch was made available, Security Explorations' Adam Gowdiak posted to Seclists that the patch itself introduces a new flaw, one that makes some of the still-unpatched vulnerabilities exploitable again.

"Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of the latest Java SE software (version 7 Update 7, released on Aug 30, 2012). The reason for it is a new security issue discovered, that made some of our not yet addressed bugs possible to exploit again."

One might call this a tiny bit embarrassing for Oracle. Be that as it may, for the rest of us it is closer to a disaster.

Unless it is crucial to your web operations, we strongly suggest you disable Java wherever it is in use on your computer. Since these exploits arrive through web pages, the browser plug-in is what matters most. Sophos' Graham Cluley offers instructions on how to do that.

Alternatively, Brian Krebs suggests that if you must use Java in a browser, you run it ONLY in a secondary browser used for nothing but the sites that require it, with all other web access going through a browser in which Java is disabled.
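As an added check (example code written for this page, not from the article, Oracle or Security Explorations), the script below reports what a browser still exposes: whether a Java plug-in is present and enabled, and whether its version falls in the Java 7 up to Update 7 range that Gowdiak's report covers. `navigator.plugins` and `navigator.javaEnabled()` are real browser APIs; the "SE 7 U7" plug-in naming and the two sample plug-in lists are constructed assumptions, not captured data. It follows the two-browser setup described above: the everyday browser should come back with nothing, and only the secondary browser should show the Java plug-in.

```javascript
// Added example (not from the article or from Security Explorations):
// report whether a browser still exposes a Java plug-in, and whether the
// plug-in's version falls in the range the article discusses (Java 7 up to
// and including Update 7, the build Gowdiak's proof of concept bypasses).
// Paste into a browser console, or run under Node, where the constructed
// sample plug-in lists below stand in for a real navigator.

// Parse a Java version out of free text. Two formats are handled:
// "1.7.0_07" (the java -version form) and "SE 7 U7" (assumed plug-in
// naming, as in a plug-in named "Java(TM) Platform SE 7 U7").
// Returns { family, update } or null.
function parseJavaVersion(text) {
  let m = /\b1\.(\d+)\.\d+(?:_(\d+))?/.exec(text);
  if (m) return { family: Number(m[1]), update: m[2] ? Number(m[2]) : 0 };
  m = /\bSE\s+(\d+)\s+U(\d+)\b/i.exec(text);
  if (m) return { family: Number(m[1]), update: Number(m[2]) };
  return null;
}

// True for Java 7 Update 7 and earlier Java 7 builds: 7u6 and below carry
// the April bugs, and 7u7 is the patch the article reports as bypassed.
// Other Java families are not assessed here.
function inReportedRange(v) {
  return v !== null && v.family === 7 && v.update <= 7;
}

// Walk a navigator.plugins-like list and return every Java plug-in with
// its parsed version. Browsers differ in whether the version sits in the
// name or the description, so both are searched.
function findJavaPlugins(plugins) {
  const found = [];
  for (const p of plugins) {
    const text = `${p.name || ''} ${p.description || ''}`;
    if (!/java/i.test(text)) continue;
    const version = parseJavaVersion(text);
    found.push({ name: p.name, version, inReportedRange: inReportedRange(version) });
  }
  return found;
}

// Summarise one browser's exposure. Pass the real `navigator` in a browser;
// any object with `plugins` and `javaEnabled()` works for offline checks.
function javaExposure(nav) {
  const javaPlugins = findJavaPlugins(Array.from(nav.plugins || []));
  const enabled = typeof nav.javaEnabled === 'function'
    ? nav.javaEnabled()
    : javaPlugins.length > 0;
  return {
    enabled,
    plugins: javaPlugins,
    exposed: enabled && javaPlugins.length > 0,
    inReportedRange: javaPlugins.some((p) => p.inReportedRange),
  };
}

// Constructed sample navigators (not captured from a real browser).
// EVERYDAY_BROWSER is what the general-purpose browser should look like;
// LEGACY_BROWSER is the secondary browser kept only for sites that need Java.
const EVERYDAY_BROWSER = { plugins: [], javaEnabled: () => false };
const LEGACY_BROWSER = {
  plugins: [
    { name: 'Shockwave Flash', description: 'Shockwave Flash 11.4 r402' },
    { name: 'Java(TM) Platform SE 7 U7', description: 'Java Plug-in (constructed sample)' },
  ],
  javaEnabled: () => true,
};

// Use the real navigator when running in a browser, else the samples.
function report() {
  const targets = typeof window !== 'undefined' && window.navigator
    ? { thisBrowser: window.navigator }
    : { everyday: EVERYDAY_BROWSER, legacy: LEGACY_BROWSER };
  const out = {};
  for (const [label, nav] of Object.entries(targets)) out[label] = javaExposure(nav);
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

Run in the everyday browser after disabling Java: `exposed` must be false. If it is true in the browser you use for general web access, the plug-in is still reachable by any page you visit, whatever the patch level says.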


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
