Oracle Patches Java Zero Day with Out-of-Cycle Update

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 10 and earlier, on all platforms
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing a specially crafted Java applet
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 11

Exposure:

Java is a programming language and runtime platform (first implemented by Sun Microsystems, now owned by Oracle). Besides running server and desktop applications, Java is embedded in web pages as applets, which the browser hands to a Java plug-in supplied by an installed Java Runtime Environment (JRE); the JRE must be installed separately and is present on a very large share of desktops. Oracle’s Java Runtime Environment (JRE) is by far the most widely deployed Java runtime, which is why its flaws are so attractive to attackers.

During last week’s WatchGuard Security Week in Review video, I warned you about a critical zero day vulnerability in the latest version of Java (JRE and JDK 7 Update 10 and earlier), which attackers are actively exploiting in the wild. If an attacker can lure you to a web site containing a malicious Java applet, he could exploit this flaw to gain complete control of your computer, without any further interaction on your part.

This week, Oracle released an out-of-cycle security update that fixes the zero day vulnerability, and a second one to boot. Oracle rates each of these Java vulnerabilities with a base CVSS score of 10.0, the most severe rating. Since attackers are exploiting these flaws very actively, and have already built them into popular web exploit kits, we highly recommend you apply Oracle’s emergency update immediately. In fact, if you don’t need Java, I suggest you remove it from your computer.

Solution Path:

Oracle has released JRE and JDK 7 Update 11 to correct these issues. If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you, and then confirm it actually landed: once the update is installed, running “java -version” reports 1.7.0_11. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.
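If you manage more than a handful of machines, you will want a quick way to tell which ones are still on 7 Update 10 or earlier after the rollout. The following Python script is an added example, not code from the original alert or from Oracle: it parses the first line of a “java -version” banner (which Java prints on stderr) and classifies it against the fixed release this alert names, 1.7.0_11. The host names and banners at the bottom are constructed samples, not captured from real systems.

```python
"""Check whether a `java -version` banner falls in the range this alert covers
(Java 7 Update 10 and earlier), so you can confirm 7u11 actually landed.
Added example, not from the original WatchGuard alert."""
import re
import subprocess

# First fixed release named in the alert: JRE/JDK 7 Update 11, i.e. 1.7.0_11.
FIXED_7 = (1, 7, 0, 11)

# Matches the first line of `java -version`, e.g. 'java version "1.7.0_10"'.
# The update number after the underscore is optional (some builds omit it).
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, patch, update) from a java -version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def classify(banner):
    """Classify a banner as 'vulnerable', 'patched', 'not-java-7' or 'unknown'.

    'vulnerable' means a Java 7 runtime older than 7u11, the range this alert
    names. Other major versions are reported as 'not-java-7' rather than
    'patched', because this alert says nothing about them."""
    version = parse_java_version(banner)
    if version is None:
        return "unknown"
    if version[:2] != (1, 7):
        return "not-java-7"
    # Tuple comparison orders (1, 7, 0, 10) before (1, 7, 0, 11).
    return "vulnerable" if version < FIXED_7 else "patched"


def local_java_banner():
    """Run `java -version` on this host; Java prints its banner on stderr.
    Returns '' if no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banners (not captured from real hosts), one per case.
    samples = {
        "host-a": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment',
        "host-b": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment',
        "host-c": 'java version "1.6.0_38"',
        "host-d": "bash: java: command not found",
    }
    for host, banner in samples.items():
        print(f"{host}: {classify(banner)}")
    print(f"this host: {classify(local_java_banner())}")
```

Feed it banners collected by whatever inventory tool you already have (a login script, a remote shell, an agent) rather than trusting the auto-updater’s own status, and treat “unknown” as a host to look at by hand rather than as safe.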

Furthermore, attackers have heavily targeted Java lately in their exploit kits. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

WatchGuard XTM appliances can help protect you from this Java vulnerability in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well
  • WatchGuard’s AV partner, AVG, has developed signatures to catch these zero day exploits. If you use our Gateway AntiVirus (GAV) service, it will protect you from some of these attacks.
  • WatchGuard’s signature writers have developed a generic Java signature, which should block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

4 Responses to “Oracle Patches Java Zero Day with Out-of-Cycle Update”

Trackbacks/Pingbacks

  1. WatchGuard Security Week in Review: Episode 48 – 0day Updates | WatchGuard Security Center - January 19, 2013

    […] Oracle releases emergency Java update for 0day attacks – WGSC […]

  2. Eric Bodden, Ph.D. » One step closer to modularizing security code - January 29, 2013

    […] effects, but this is especially true when talking about security. The repeated news reports about zero-day vulnerabilities in the JDK, for example, are just one instance of that […]

  3. WatchGuard Security Week in Review: Episode 48 – 0day Updates - Arlington, Fort Worth, Dallas | Marjen Technology Group - September 29, 2015

    […] Oracle releases emergency Java update for 0day attacks – WGSC […]
