Oracle's Java Fix Fizzles
Jan 14, 2013 1:41 PM PT
Oracle released a fix over the weekend for two serious vulnerabilities in Java, but this doesn't seem to have improved matters much.
The vulnerabilities, which affect Web browsers using Java 7 plugins, let attackers remotely exploit target systems without needing a username or password.
Oracle learned of the exploit on Jan. 10 and pushed out a patch three days later, which "is a very quick turnaround time to release a fix," Gavin O'Gorman, senior threat intelligence analyst at Symantec Security Response, remarked.
"Oracle did what any software company would do under high pressure: the minimum necessary to solve the problem," Sorin Mustaca, data security expert at Avira, told TechNewsWorld.
How the Fix Works -- or Doesn't
In addition to releasing patches for the two vulnerabilities -- CVE-2013-0422 and CVE-2012-3174 -- Oracle is switching Java security settings to "high" by default. Users now must expressly authorize the execution of applets that are either unsigned or self-signed.
So, if users visit malicious websites -- which are the latest exploit's vector of attack -- they will be notified before an applet is run and will be able to stop it before it begins to execute, Oracle said.
However, US-CERT suggests users disable Java in their Web browsers even if they've applied Oracle's fix, to be sure they're secure.
"Disabling Java browser plug-ins for untrusted sites ensures that criminals cannot take advantage of Java to deliver malware, yet a user need not uninstall Java or completely disable the Java plug-in," O'Gorman told TechNewsWorld.
US-CERT and its parent agency, the U.S. Department of Homeland Security, did not respond to our requests for further details.
Patchworking is for Quilts
While the patch offers an immediate fix for Oracle's Java vulnerability, "developing critical software under pressure has only one consequence -- even more bugs," Mustaca pointed out. "I expect to soon see even more bugs and vulnerabilities related to this quick fix."
A solid fix "should mitigate all possible attack vectors so that, in the long term, they make the [Java] platform secure by design, default and deployment," Mustaca continued.
Oracle should rethink its software development strategy for Java because the language "was acquired, and was developed by many people over many years, meaning the code has become close to impossible to maintain," Mustaca suggested.
Oracle did not respond to our request for further details.
How to Protect Yourself
Users should monitor their systems for increased CPU activity, network traffic or hard drive activity and report any suspicious activity to their system administrators and antivirus companies for analysis, Mustaca said. If they're running important systems such as industrial systems, or systems managing personally identifiable information or life-support systems, "it's advisable to reinstall the system or revert to a previous version in order to achieve maximum certainty."
If you don't really need Java, uninstall it from all the computers in your organization, Mustaca advised. If you do need it, seek out articles on how to uninstall Java.
Occasionally, Java will crash if it has been disabled in the Web browser and then re-enabled, US-CERT stated. Reinstalling Java appears to resolve this problem.
Re-enable Java with caution, O'Gorman said. "As with all security decisions, technology needs to be managed judiciously to ensure a high level of security but at the same time not stifle the user. It's perfectly reasonable for users to re-enable Java in their browser, but we'd suggest only for those sites they trust."