Oracle Rushes Out Java Security Fix For Zero-Day Flaw

Security community breathes a sigh of relief as Oracle reacts to pressure

Oracle has issued out-of-band Java security fixes, after hackers started exploiting flaws and security experts pleaded for the US giant to get patching.

Larry Ellison’s firm was under considerable pressure to fix Java security problems, as the vendor was not scheduled to issue updates until 16 October. Most importantly, it has moved to patch the CVE-2012-4681 vulnerability that was being exploited in the wild, as well as three other flaws: CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547.

“If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system,” a blog from Oracle read.

“Vulnerability CVE-2012-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments, but Oracle has issued a security-in-depth fix for this issue as it can be used in conjunction with other vulnerabilities to significantly increase the overall impact of a successful exploit.”

Users have been urged to either install the update or disable Java in their browsers. Oracle’s alert page can be found here.

A little late?

Oracle also gave credit to two researchers for reporting the vulnerabilities: Adam Gowdiak of Polish start-up Security Explorations and James Forshaw via TippingPoint. Security Explorations has claimed it told Oracle about the Java security flaws four months ago, which has attracted yet more criticism for the vendor.

Hackers have exploited the vulnerabilities in various ways. Symantec found that a round of attacks exploiting the CVE-2012-4681 vulnerability was carried out by a gang that had been seen hitting chemical and defence companies in 2011. The Nitro gang exploited the flaw by luring users to specially-crafted websites, which served them a malicious .jar file that installed the Darkmoon backdoor.

The zero-day flaw was also added to the widely-used Blackhole exploit kit. Subsequently, Seculert saw an increase in the numbers of infections due to the new Blackhole version. “A good exploit kit like Blackhole has a success rate of around 10 percent for infecting machines visiting the servers. In the new version of Blackhole infection servers, we have seen up to a 25 percent success rate,” it said.

The Blackhole exploit kit is one of the tools most commonly used by cyber criminals to infect machines. Sophos believes 28 percent of the web threats it detects are due to the exploit kit.
