Oracle and Apple Struggle to Deal with Java Security Issues
Java has been in the news a lot recently thanks to a rather messy response to a high-profile Java security issue, CVE-2012-4681. This, and a related set of vulnerabilities which target the Java browser plug-in (CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547), have been generating headlines, particularly since attack code has been added to Blackhole, a notorious hacker's tool that bundles a large number of exploits and tries each in turn until it finds one that will work against a given machine. All four vulnerabilities affect Oracle Java SE 7 update 6 and earlier. CVE-2012-0547 also affects Java 6 update 34 and earlier.
Polish security start-up Security Explorations privately disclosed the flaw to both Oracle and Apple back in April. Oracle issued a patch on August the 30th (Java 7 update 7), shortly after news of the exploit first garnered significant media attention, but it now appears that the patch issued by Oracle is itself vulnerable. "I can confirm that a patched version of Java 7 update 7, released by Oracle on Aug 30, contains security vulnerabilities that can be used by attackers for a complete compromise of a Java security sandbox," Adam Gowdiak, founder and CEO of Security Explorations told InfoQ via email. "This includes the flaw discovered after the patch release and that was reported to Oracle on Aug 31."
Unlike the earlier vulnerabilities, no active attacks exploiting the new flaw have yet been found in the wild, but Security Explorations' status page says that the firm included proof-of-concept code with the report to demonstrate that an exploit is possible.
Whilst Oracle is now providing Java SE 7 for OS X along with its other platforms, Apple still maintains Java 6 for its OS, and released a Java update on Wednesday 5th September which closes CVE-2012-0547. Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 also configure web browsers to not automatically run Java applets, and in addition will de-activate the Java web plug-in if no applets have been run for an extended period of time.
Apple has faced criticism for releasing Java updates months after they were already available to platforms supported by Oracle. Flashback, the infamous Trojan, demonstrates how real the risk is. It used a Java hole fixed by Oracle in February, but which was left unpatched on OS X until April, to create a 670,000-strong botnet of OS X machines. Since then, however, the firm has been faster to respond, and in June it issued an update in sync with Oracle for the first time.
The CVE-2012-4681 vulnerability also exists in IBM's Java runtime. A vulnerability notice and proof-of-concept code were sent to the vendor on 11th September.
Since the issue does not impact standalone Java desktop applications or Java running on servers, Java 7 users are advised, at a minimum, to disable the Java browser plug-ins, and either re-enable them, or use an alternative browser, when Java is required. The United States Computer Emergency Readiness Team (US-CERT) provides further advice and instructions, and also recommends the more drastic measure of uninstalling Java entirely where possible.