Security Market Segment LS
Sunday, 02 September 2012 11:47

Oracle's recent Java patch is broken Featured


Within hours of the out-of-cycle Java patch's release, the experts declared it broken. You are no better off whether you install it or not. Our strong advice is, disable Java. NOW.

Following the April discovery of a set of major vulnerabilities in Java, Oracle has been endlessly criticised for its tardy response. In fact it has widely been reported that exploits targeting these vulnerabilities have been included in both Metasploit and Blackhole, making the exploitation of these security holes nothing more than point-and-click.

Note that Oracle has a rolling 4-month patching cycle for Java: patches are released every two months with security patches occupying one two-month slot and bug fixes / enhancements the other slot. This of course means that we can be forced to wait many months for an issue to be addressed, especially if the resolution is not ready when the security update is released.

Having previously announced that the public would have to wait until the regular October security patch cycle, late last week, Oracle rushed a patch to market.

Rushed is the key-word here.

It quickly became apparent that the patch addressed only some of the attack vectors; soon after, it became clear it didn't even do that.

Polish security organisation Security Explorations discovered the original flaws and communicated them directly to Oracle (who acquired ownership of Java as part of the merger with Sun Microsystems) in April. Some months later, Oracle was being criticised for not addressing the issue. Security Explorations' diary of the events lends credence to the criticism.

Things rapidly came to a head when active exploitations were observed in the wild.

It would seem that in the past few days, Oracle was finally stung into action and released the patch kit widely reported in the Tech Media.

Most commentators (myself included in a comment to the above link) suggested users rush to apply the patched version of Java.

I hereby rescind that advice.

Just a few hours after the patch was made available, Security Exploration's Adam Gowdiak posted to Seclists his thoughts that the patch contains a bug which makes some of the not-yet-patched vulnerabilities easier to exploit.

"Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again."

One might suggest that this is just a tiny bit embarrassing for Oracle. Be that as it may, it's closer to a disaster for the rest of us.

Unless it is crucial to your web operations, we strongly suggest you disable java wherever it is in use on your computer. Sophos' Graham Cluley offers instructions on how to do that.

Alternately, Brian Krebs suggests that, if you must use Java in a browser, you should run it ONLY in a secondary browser which is used for nothing more than to access the locations which require it; all other web access should be through a browser with Java disabled.

Subscribe to ITWIRE UPDATE Newsletter here

Now’s the Time for 400G Migration

The optical fibre community is anxiously awaiting the benefits that 400G capacity per wavelength will bring to existing and future fibre optic networks.

Nearly every business wants to leverage the latest in digital offerings to remain competitive in their respective markets and to provide support for fast and ever-increasing demands for data capacity. 400G is the answer.

Initial challenges are associated with supporting such project and upgrades to fulfil the promise of higher-capacity transport.

The foundation of optical networking infrastructure includes coherent optical transceivers and digital signal processing (DSP), mux/demux, ROADM, and optical amplifiers, all of which must be able to support 400G capacity.

With today’s proprietary power-hungry and high cost transceivers and DSP, how is migration to 400G networks going to be a viable option?

PacketLight's next-generation standardised solutions may be the answer. Click below to read the full article.


WEBINAR PROMOTION ON ITWIRE: It's all about webinars

These days our customers Advertising & Marketing campaigns are mainly focussed on webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

We have a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you.


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News