WebProNews

Tag: exploits

  • Oracle Says It’s Making Progress On Java Security

    Java became something of a punching bag in the security research community earlier this year after numerous vulnerabilities were found in the software. After what must have been an embarrassing few months, Oracle announced in June that it would make Java security a priority going forward. So, how’s that working out for them?

    InfoWorld reports that Oracle officials spoke on Java security in late September at the JavaOne technical conference in San Francisco. They said that the main problem with Java security is that most of the vulnerabilities existed long before Oracle purchased Sun Microsystems, and that they’re having to go back and fix decade-old problems. It also didn’t help that Java, while under Sun’s care, didn’t receive the kind of security support or funding that Oracle is now pumping into it.

    Of course, the blame can’t fall entirely on Sun. Oracle’s Vice President of Cloud Applications and Java EE, Cameron Purdy, said that some of the blame falls on Oracle for not building a Java security team fast enough after his company acquired Java in 2010.

    Sun and Oracle may have made some mistakes in keeping Java secure, but the blame for poor Java security ultimately falls on users. Oracle notes that it’s putting out security updates, but it’s up to the user to update to the latest version of Java. If they don’t upgrade, it’s not Oracle’s fault if a hacker uses an exploit to take over their machine.

    With its renewed focus on security, Oracle seems to have gained the favor of developers. One such developer told InfoWorld that Oracle had made a lot of progress over the past year in the field. That progress came in the form of Oracle announcing that it would put out four annual security fixes for Java instead of three. It will also work to release emergency updates whenever a zero-day exploit rears its ugly head.

  • Oracle Will Make Java Security A Priority Going Forward

    To say Java is vulnerable to exploits would be the understatement of the year. In the first two months of 2013, the software was hit with three zero-day exploits. Oracle eventually fixed all three, but it should have worked harder to make Java more secure in the first place. In a better-late-than-never move, the software maker will now be doing just that.

    Oracle announced in a blog post that it will align Java with its Critical Patch Update schedule in October of this year. In other words, Oracle will release four annual security fixes for Java instead of the three it releases now. For zero-days and other sudden exploits, Oracle will “retain the ability to issue emergency ‘out of band’ security fixes.”

    The above is part of a larger push to move Java into the Oracle Software Security Assurance program. The hope is that this will help prevent “the introduction of new vulnerabilities in the Java code base.” Oracle says that its developers will use more automated security testing tools alongside new analysis tools that will find certain types of vulnerabilities.

    For consumers running Java in their browsers, Oracle will be introducing three changes to how it interacts with the browser:

  • (1) The security model for signed applets was changed. Previously, signing applets was only used to request increased application privileges. With this update, signing applets establishes the identity of the signer, but does not necessarily grant additional privileges. As a result, it is now possible to run signed applets without allowing them to run outside the sandbox, and users can prevent the execution of any applets if they are not signed.
  • (2) The default plug-in security settings were changed to further discourage the execution of unsigned or self-signed applets. This change is likely to impact most Java users, and Oracle urges organizations whose sites currently contain unsigned Java Applets to sign those Applets according to the documented recommendations. Note, however, that users and administrators will be able to specifically opt out of this setting and choose a less secure deployment mode to allow for the execution of unsigned applets. In the near future, by default, Java will no longer allow the execution of self-signed or unsigned code.
  • (3) While Java provides the ability to check the validity of signed certificates through Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) calls before the execution of signed applets, the feature is not enabled by default because of a potential negative performance impact. Oracle is making improvements to standardized revocation services to enable them by default in a future release. In the interim, we have improved our static blacklisting to a dynamic blacklisting mechanism including daily updates for both blacklisted jar files and certificates.

    On a final note, Oracle will also be increasing security for Java on servers to increase enterprise trust in its services. The software maker points out that Java on servers is rarely affected by exploits, but it wants to take a better-safe-than-sorry approach to the matter. It will do this by introducing what it calls Server JRE, a new Java distribution that removes vulnerable plugins. It will also work towards removing certain code libraries that are unnecessary for server distributions of Java.

    All of the above makes it sound like Oracle is taking Java security very seriously. Of course, words and actions are two different things, so we’ll have to see how Oracle reacts to emerging threats later this year when it implements its new security policies.

  • Yet Another Java Exploit Discovered

    It’s been quite a hard month for Oracle’s Java.

    First, back in late August the Java browser plug-in was found to be vulnerable to an exploit that could expose any PC with the plug-in installed to malware simply by visiting a malicious website. Thankfully, Oracle didn’t wait for its October patch to fix the issue, and released a patch just a few days later.

    Only that wasn’t the end of it. The day after the patch, a security company announced that another vulnerability in the Java software had been found. Meanwhile, news emerged that Oracle had known about the exploits but did not fix them until public disclosure forced its hand.

    Today, security company Security Explorations has once again called out Oracle for an exploit found in Java. The new exploit affects all the latest versions of Java SE software, including Java SE 5, 6, and 7. The company’s CEO, Adam Gowdiak, stated that their tests were able to bypass Java’s security sandbox. The tests used a fully updated version of 32-bit Windows 7 and modern browsers. Anyone using Firefox, Chrome, Internet Explorer, Opera, or Safari is vulnerable.

    Gowdiak said in an email that the company has notified Oracle of the exploit. He also told ComputerWorld in an interview that, thankfully, there is not yet any evidence of attacks that use the newly revealed exploit.

    (via BGR)

  • Oracle Knew About Java Exploits Since April

    We brought you news on Monday that hackers were using two big zero-day exploits in Java to install malware on victims’ PCs. Due to Oracle’s tiered update process, we won’t see a fix until October. As it turns out, they may not have been zero-day exploits at all. In fact, Oracle may have known about the current exploits for months.

    PC World is reporting that a security firm, Security Explorations, warned Oracle about the current exploits in Java back in April. The firm published a press release on April 2 that said they found 19 weaknesses in the Java platform. On that same day, they sent a notice to Oracle containing all 19 of the vulnerabilities. Among those 19 were the two that are being used now in hacking attacks.

    After receiving the notice, Oracle only patched three of the 19 reported vulnerabilities in the June update. The company sent Security Explorations a notice in August saying that they were going to fix the two currently exploited weaknesses alongside 17 other flaws in the October patch.

    Of course, this brings up the question of how hackers got hold of these weaknesses. Security Explorations says that the recent attacks exploit the flaw in a different way from the one in their report. They don’t suspect anybody of leaking critical security information, but they aren’t ruling it out either. Somebody on the black market would probably pay a pretty penny for such exploits, but there’s nothing to suggest such a scenario.

    As for now, we can only wait on Oracle for a fix. They will definitely patch the problems in October, if not sooner. It would look bad on Oracle if they waited that long to fix such a critical security hole, though. For now, you’re best off just disabling the Java plugin in your browser.