Sophos: Oracle Releases Java Fixes for CVEs

Original Author: Editorial Team; Chester Wisniewski
Approved by PR Firm: Inter-Asia

Out of nowhere Oracle has released an emergency update to address the zero-day vulnerabilities being exploited by many different criminal groups.

Surprisingly they included some previously unknown vulnerabilities that we can only assume may also have been in use in the wild.

According to Sophos, the good news is customers who require Java in their environments can now deploy an official fix and proceed with less risk. The bad news is one of the fixes they shipped out affects Java 6, so everyone needs to patch, not just those who were running Java 7.

Oracle officially fixed four CVEs, presumably covering five vulnerabilities. It appears that CVE-2012-4681 was actually two vulnerabilities, so it is difficult to tell for sure if they patched four or five flaws.

The first three only affect Java 7 and all have a CVSS score of 10, meaning they are remotely exploitable and result in code execution. That's as bad as it gets. The fourth affects both Java 6 and Java 7, but by itself does not result in code execution. Oracle have not stated precisely what kind of flaw it is, but based on its description it sounds like a privilege escalation vulnerability.

The fact that Oracle included this fourth vulnerability implies that they are seeing it used in conjunction with other vulnerabilities in the wild. You are strongly encouraged to apply the fix right away.

The bigger question is, "Do you really need Java?" If you can get by without it, you should. That is true for any application that interfaces with the internet. Fewer programs means fewer vulnerabilities.

Unfortunately, many organizations do require Java, but sometimes there are alternatives. All you need to do is ask.

According to Sophos’ Chester Wisniewski, a Senior Security Advisor at Sophos Canada, “I tweeted complaining about Java requirements to @GoToMeeting yesterday and they responded with, ‘We're in the process of replacing Java currently. On Windows you can always select the manual DL after disabling Java.’ Excellent.”

“Don't wait for your auto update program to trigger, download Java 7 Update 7 or Java 6 Update 35 now,” he said.
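The advice above gives two concrete thresholds: a Java 7 install is fixed from Update 7 and a Java 6 install from Update 35. The script below is an added example (not Sophos' or Oracle's code) that turns that advice into a fleet check a defender could run: it parses the `java -version` banner, whose first line uses the `1.<major>.<minor>_<update>` form (for example `1.7.0_06`), and reports whether the build is at or above the fixed update named in the article. The sample banners are constructed for illustration, and any major version other than 6 or 7 is simply flagged for manual review because the article says nothing about it.

```python
import re
import subprocess

# Fixed builds named in the article: Java 7 Update 7 and Java 6 Update 35.
FIXED_UPDATE = {6: 35, 7: 7}

# First line of `java -version`, e.g.  java version "1.7.0_06"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if it cannot be parsed.

    "1.7.0_06" -> (7, 6); a banner with no "_NN" suffix is treated as update 0.
    """
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major = int(match.group(1))
    update = int(match.group(2)) if match.group(2) else 0
    return major, update


def assess(banner):
    """Classify a banner as 'patched', 'vulnerable' or 'review'.

    'review' covers unparseable output and major versions the article does not
    cover, so nothing silently passes just because the regex did not match.
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return "review"
    major, update = parsed
    if major not in FIXED_UPDATE:
        return "review"
    return "patched" if update >= FIXED_UPDATE[major] else "vulnerable"


def check_local_java():
    """Run the installed `java -version` and assess it (Java prints the banner on stderr).

    Returns 'review' if no java binary is on PATH.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "review"
    return assess(proc.stderr + proc.stdout)


# Constructed sample banners (not captured from real hosts) for a dry run.
SAMPLE_BANNERS = {
    "host-a": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "host-b": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "host-c": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)',
    "host-d": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
    "host-e": "bash: java: command not found",
}


def assess_fleet(banners):
    """Map host name -> verdict for a dict of collected banners."""
    return {host: assess(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in assess_fleet(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
    print(f"this machine: {check_local_java()}")
```

Feed `assess_fleet` the banners collected by whatever inventory tool you already have; the point is that the verdict is keyed on the update number within each major branch, so a Java 6 host at Update 33 is reported as vulnerable even though Java 6 was not affected by the three remote code execution flaws.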

It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.

Brian Krebs was first to mention having heard that CVE-2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later. In addition to CVE-2012-4681, SophosLabs noted that Blackhole still includes an exploit of CVE-2012-1723, which is a vulnerability in earlier versions of Java. Criminals are equal opportunity exploiters and don't want to miss out on the opportunity to attack any/all Java users.

Some have asked if Mac users are at risk from the CVE-2012-4681 exploit and the answer is "Maybe." The version officially distributed by Apple is Java 6, which is not vulnerable.

However, Oracle has made Java 7 available directly for OS X users, so if you installed the official Oracle version, you could be at risk.

Some Twitter users have reported that OS X users with Java 7 are being attacked, but the Blackhole kit is serving up Windows malware. I suppose this could be a blessing in disguise, as users are alerted to their insecure Java, but dodge the infection bullet... for now.

SophosLabs has increased the threat level to high after seeing this exploited both by the Blackhole exploit kit and in specific targeted attacks.

We recommend disabling Java or downgrading to Java 6 on any systems with humans actively interacting with internet-enabled applications.

PC World is reporting that a Polish security company called Security Explorations reported these 2 vulnerabilities and 17 others to Oracle back in April.

Why critical remote code execution vulnerabilities were not fixed in Oracle's June patch is unknown. Oracle has yet to acknowledge these publicly, but had set expectations with Security Explorations that they were to be fixed in October.