Oracle Rushes Out Java Patch But ‘Serious’ Flaws Left Open

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Java palaver as Oracle fails to satisfy security circles

Oracle has pushed out a patch for a Java zero-day flaw, which had been used to serve up malware via websites, but there remain a number of exploitable security holes in the technology.

The zero-day vulnerability came to light last week and appeared in numerous exploit kits, including the prevalent Blackhole tool.

It was believed the flaw was being exploited, through compromised websites, to infect users’ machines with the Reveton ransomware, which locks victims out of their machines and demands payment.

Java palaver

As the threat escalated, government departments, including the US Department of Homeland Security, issued warnings about the danger of running Java.

Security professionals had recommended that users stop running Java on their systems altogether, but Oracle’s action should allay some fears.

“Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 ‘in the wild’ Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the company said in its advisory, in which it revealed it had fixed another serious vulnerability.

Oracle also announced it was raising the default security level for Java applets and Web Start applications from ‘Medium’ to ‘High’. That means the user is always prompted before any unsigned application runs, to prevent “silent exploitation”.

It was a “quick reaction to a rapidly expanding threat”, said Wolfgang Kandek, CTO of security firm Qualys. However, he still recommended disabling Java in the browser, using the Java Control Panel. Others believe that unless users absolutely need it for their application portfolio, Java should be ditched altogether.
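The two hardening steps described above (the stricter default level, and Kandek's advice to turn Java off in the browser) correspond to entries in Java's deployment.properties file. This is an added illustration, not from the article or from Oracle's advisory; it assumes the Java 7u10-era property names and omits the file's location, which varies by platform.

```properties
# Weaker pre-update default: unsigned applets ran without a prompt
# deployment.security.level=MEDIUM

# Default after the update described in the article: prompt before any
# unsigned applet or Web Start application runs
deployment.security.level=HIGH
# Stop users lowering the level again from the Java Control Panel
deployment.security.level.locked

# Kandek's stronger mitigation: no Java in the browser at all
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

Keeping the settings in a system-wide deployment file rather than a user's profile is what makes the ".locked" entries enforceable on shared machines.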

Other flaws open

That would provide better security against future Java-enabled threats. And it would come as no surprise if more Java zero-days emerged in the coming months, given how prevalent they have been of late.

Indeed, Oracle is being urged to address other vulnerabilities highlighted months ago. One of those flaws, uncovered by Polish firm Security Explorations, was reported to Oracle back in September. Security Explorations said it had shown how easy it would be for Oracle to address the issue, but that it has been ignored.

The security hole allows for remote code execution, and remains in Java despite the most recent update. The vulnerability affects all Java SE versions released over the past eight years, said Adam Gowdiak, CEO of Security Explorations.

“Oracle didn’t bother to respond to our claims posted on 19 October 2012 regarding the possibility to fix [the vulnerability] quickly and without the need to wait five extra months till the next Java SE CPU date,” Gowdiak told TechWeekEurope.

But Gowdiak isn’t convinced Larry Ellison’s firm will deliver a fix for the flaw in the next couple of months, even though it has some patching planned.

Oracle is due to push out its critical patch update tomorrow, although that is separate from its Java SE update cycle. The next Java SE updates won’t arrive until February.
