February 3, 2013

Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild.

javaiconThe original Critical Patch Update for Java SE – February 2013 had been scheduled to be released on February 19th, but Oracle said it decided to accelerate the release of this update because of active exploitation in the wild of one of the vulnerabilities.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply…fixes as soon as possible,” the company wrote in an advisory.

I couldn’t find a definitive account of which zero-day vulnerability in Java had caused Oracle to move up its patch schedule, but recently researchers have uncovered flaws in a mechanism that the company shipped with the previous version of Java that was designed to thwart attacks on the program. With Java 7 Update 10, Oracle introduced a mechanism that would require users to manually allow the execution of Java code not digitally signed by a trusted authority. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java, but researchers have shown that the new feature can be easily bypassed.

The latest versions — Java 7 Update 13 and Java 6 to Update 39 — are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java.com homepage.

Most end users who have Java on their systems probably don’t need it and can safely remove it (this advice does not scale for users of corporate systems, which may have specific applications that rely on Java). This is a buggy program that seems to produce a reliable stream of zero-day exploit opportunities for malware writers. So, if you don’t need it, junk it.

If you do need it, unplug it from the browser unless and until you need it. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Apple has been taking steps to block Java on OS X systems when new unpatched vulnerabilities have been detected. According to MacRumors, for the second time in a month, Apple blacklisted the current version of the Java Web plugin on OS X, using the “Xprotect” anti-malware system built into OS X to enforce a minimum version number that had yet to be released. However, 9to5Mac.com now writes that Java 7 Update 13 for Mac OS X brings Java on the Mac to the correct version number enforced by Xprotect, meaning Mac users who need Java can use it again without having to monkey with Terminal command-line workarounds.

This is the final set of updates for Java 6 — Oracle is phasing it out and has already taken steps to begin migrating Java 6 users to Java 7. Overall, this probably a good thing. Lawrence Garvin, the self-described “head geek” at Austin, Texas based network management and monitoring firm SolarWinds, said that while media attention to Java 7’s security issues may be influencing the decision by some organizations to delay upgrading their Java 6 installations, only 18 of the security issues identified since Java 7’s release are unique to Java 7.

“Of the 84 vulnerabilities identified since Java 7’s release, we found that 66 of these existed in Java 6, while 40 existed in Java 5,” Garvin said. “Press coverage around Java 7’s security issues may be influencing some organizations to fail to upgrade their Java 6 installations to Java 7, thinking that Java 7 is flawed, when in fact the entire core of theJava platform has vulnerabilities. Oracle has announced that no new updates will be forthcoming for Java 6 after February 2013, so that any additional vulnerability discovered in Java 7 – and also existing in Java 6 – will never be patched.”


56 thoughts on “Critical Java Update Fixes 50 Security Holes

  1. AndrzejL

    What’s new then? 😀 JAVA… “Just Another Vulnerability Announcement”*… Hehe…

    Regards.

    Andrzej

    * I didn’t came up with that.

  2. Rabid Howler Monkey

    From the article:
    Garvin said: “Press coverage around Java 7’s security issues may be influencing some organizations to fail to upgrade their Java 6 installations to Java 7, thinking that Java 7 is flawed, when in fact the entire core of theJava platform has vulnerabilities.

    Of course Java 6 has vulnerabilities. That’s why those who use Java 6 apply the security updates Oracle releases every 4 months. In addition, it’s possible that there are Java 6 exploits in-the-wild that have not been made public. Of course, this is true with *any* software (including Adobe Flash Player, Adobe Reader, Microsoft Internet Explorer, Microsoft Office, Mozilla Firefox, etc.).

    Java 7, however, has been hit particularly hard with in-the-wild exploits in 2012, especially the latter half, and early 2013 that were very public, resulting in multiple “out-of-band” patches by Oracle and culminating in a Java 7 warning by the U.S. DHS.

    That said, there will be no excuse for not upgrading to Java 7 in June, 2013, or earlier if a Java 6 Update 39 in-the-wild exploit surfaces before then.

    1. JCitizen

      I have my HIPS set to watch java like a hawk(along with Skype, etc, etc); so any manipulation of its file structure will more than likely result in an alert to such activity.

      Perhaps you could answer this, can java be used to attack the NT system of Windows without changing the code of java to exploit a vulnerability? This is my only question on the subject. I have done programming in the past, but I really have no idea if actually morphing the code on java, adobe products, or any other likely vector is the way it is used for an exploit.

      So far, I’ve not noticed this HIPS is vulnerable to file manipulation on its own defense, as it is one of many kernel based solutions that resist such manipulation. I have notice attempts to attack several such solutions without success.

      1. mechBgon

        Your question was:

        “Perhaps you could answer this, can java be used to attack the NT system of Windows without changing the code of java to exploit a vulnerability? This is my only question on the subject.”

        I’m not a coder, but from reading security researchers’ articles on a recent Java zero-day, that one boiled down to logic loopholes in Java’s security model. So I think the answer to your question is “it wouldn’t necessarily require changing Java’s code if the attacker can find a loophole that makes Java do what they want.”

        If you want an additional safeguard, my thoughts turn to Software Restriction Policy, which I have a how-to page at mechbgon.com/srp covering that. If you can’t necessarily stop the exploit, then arbitrarily preventing its payload from executing is good backup. Power-user territory, but if you’re reading this blog, you can probably handle it.

        I hope the crescendo of bad PR is sufficient to get Oracle onto the security development bandwagon. They’re creating a de facto dependency on their product, so for the sake of their captive audience, they should stop simply patching stuff, and begin doing root-cause analysis of WHY DID THIS EVER HAPPEN IN THE FIRST PLACE, fire some people 😉 and rebuild their software-development process from the ground up if they have to. IMHO.

        1. JCitizen

          Good link – much simpler to understand compared to older pages I’ve visited. I have EMET, but haven’t found the templates I wan’t to use to limit java or other prime suspects like Adobe flash. I understand they are out there somewhere.

          I have seen malware try to attack using Adobe Reader, and then *splat*, get shot down by the UAC because I use Foxit instead. HA!

          1. JimboC

            Hi JCitizen,

            The All.xml file located in your EMET installation folder contains the template for protecting Java executable files with EMET. For me the All.xml file is located at:

            C:\Program Files (x86)\EMET\Deployment\Protection Profiles

            However I would instead suggest adding the following files yourself using the GUI of EMET (like you would for any custom programs that you wanted to protect) since the code in that XML file is for Java 6 and not 7. The same 3 files are present in Java 7:

            C:\Program Files (x86)\Java\jre7\bin\java.exe
            C:\Program Files (x86)\Java\jre7\bin\javaw.exe
            C:\Program Files (x86)\Java\jre7\bin\javaws.exe

            To protect Adobe Flash, you most likely already are since the plugin is contained within your browser. This is the case with Google Chrome and IE.

            So if you are protecting your browser with EMET, you are also protecting Adobe Flash. For Firefox, you also need to protect plugin-container.exe to protect Flash.

            This is explained in more detail at the following links:

            http://www.rationallyparanoid.com/articles/microsoft-emet-2.html

            http://blogs.adobe.com/asset/2012/06/inside-flash-player-protected-mode-for-firefox.html

            http://www.rationallyparanoid.com/articles/microsoft-emet-3.html

            I hope this helps. Thank you.

            1. JCitizen

              Thank you very much JimboC: I should have taken your advice earlier, but I got tied up and didn’t follow up.

              You’re a scholar and a gentleman! KUDOS! 🙂

        2. JimboC

          Hi mechBgon,

          They don’t just need to do a root cause analysis; they also need to as you say code from the ground up but also to implement security throughout the development lifecycle. Just like Microsoft and Adobe do with the SDL.

          http://www.microsoft.com/security/sdl/default.aspx

          I know this isn’t perfect but both companies have securer products as a result.

          Oracle already have a secure coding practice called, Oracle Secure Coding Standards but it needs to be extended a lot more to be effective.

          Thanks.

    2. jdmurray

      The excuse I have to not upgrade to Java 7 is the need to run several legacy, enterprise Java apps that only run under Java 6.

      1. Stratocaster

        We have been informed by at least one third-party corporate app vendor that they won’t be Java-7 compliant until Q3 this year.

        1. Rabid Howler Monkey

          February, 2013, is the last “Public Update” for Java SE 6. Enterprises have options for continued Java SE support that are not available to the general public:

          “Oracle Java SE Support Roadmap
          http://www.oracle.com/technetwork/java/eol-135779.html

          “Oracle Java SE Support
          http://www.oracle.com/us/technologies/java/standard-edition/support/overview/index.html

          Of course, their will be a cost associated with continued support.

          As an example, here is a link to Secunia’s security advisories for Java SE 5:

          “Vulnerability Report: Sun Java JRE 1.5.x / 5.x
          http://secunia.com/advisories/product/4228/?task=advisories

          The most recent advisory is dated 2013-02-02 and users are advised to apply the vendor patch. Note that Public Updates for Java SE 5 ended in October, 2009.

    3. Lawrence Garvin

      @Rabid Howler Monkey — The point of my remarks is that the upgrade to Java 7 needs to occur now, not next month, and not in June. While Java 7 has been the brunt of most of the exploits, the fact is that the vulnerabilities also exist in earlier versions. After February, the earlier version known as Java 6 isn’t going to get any patches. Once it’s known that those vulnerabilities are not going to be patched at all, I’d be surprised if there wasn’t an increase in exploits of the JRE6 installations.

  3. Ray

    “Most end users who have Java on their systems probably don’t need it and can safely remove it”

    Hi Brian,
    Based largely on your advice I disabled Java on all my browsers. However, I take issue with your claim that most do not use or need it.
    A small example: I attend webinars regularly. Every time gotomeeting starts it asks me to enable java.

    1. JCitizen

      What part of Brian’s exception,”(this advice does not scale for users of corporate systems, which may have specific applications that rely on Java).” ; is not understood here?

    2. BrianKrebs Post author

      Ray, glad to hear you’ve disabled Java when you’re not using it. Clearly, you have a use for it. It also sounds like a business use, which I included a caveat about. And I stand by my statement that most end users can do just fine without Java.

      1. Matt

        While I may agree with you Brian, what you an I perceive as “need” doesn’t matter. If the user hits a website that says it needs Java and prompts to install it, By God then that person “needs” Java. I’m hopeful that the latest changes in major browsers will make things so difficult for users they’ll just give up on Java and Flash entirely.

        1. Richard Steven Hack

          The question is what percentage of users run into sites that need Java.

          I haven’t seen any specific figures but the consensus among most experts is that a overwhelming percentage of Web sites don’t use it – and many that do are converting to HTML5 or advanced JavaScript which offers much of the functionality previously requiring Java.

          So the fact that a service like gotomeeting – which isn’t really a “Web site” but actually a “protocol” anyway – requires Java really isn’t relevant to the general advice.

          1. Matt

            Well, according to actual statistics about Java plug-in penetration, probably close to 65%. Java is still in widespread use. I can tell you anecdotally, I have uninstalled it countless times from user machines, usually in the course of cleaning up an infection, only to find it re-installed later. How exactly do you think it got installed on all these machines in the first place?

            I do agree with the recommendation and hope more sites continue to convert from Java/Flash to HTML 5.

            1. jjjdavidson

              I manage a very small business network, and I uninstalled Java network-wide several years ago without any noticeable consequences.

              As for finding it reinstalled: I started adding “Deny” permissions to the Java install folder for admins and power users. Anybody reasonably technical (meaning me) can fix it, but an ordinary user just sees an incomprehensible error when trying to reinstall Java. Yay!

              (That’s the same technique that used to keep out-of-date Flash modules from getting properly deleted, by the way.)

            2. Richard Steven Hack

              Is that percentage the percentage of Web sites using Java or the percentage of people who have the plugin installed? If the latter, it’s meaningless.

              I used to regularly install Java on new installs on client machines. I won’t be doing that anymore.

              I did it for the same reason every one else installs Java – because I figured it would be a good idea to have it installed in case a Web site needed it. I also install Microsoft .NET for the same reason, despite there being very few programs that actually are built with it.

              As it turns out, not so much. According to W3Techs Web Technology Surveys, quote:

              “Java is used by 4.1% of all the websites whose server-side programming language we know.”

              On the client side only .2% use Java!

              I’d say that completely eliminates “need” as a concern. Disable the plugin and re-enable it when you run into one of the 4% of Websites that need it.

          2. Ralph Erskine

            Most Danish banks (and probably most Norwegian banks) require Java for e-banking. According to one Dane, ‘e-post (salary papers, tax papers and all official formalities)’ also require Java in Denmark.

            Certainly Danske Bank does in the UK. I doubt if the average user of its e-banking appreciates how vulnerable he is, especially if children are using his computer.

  4. JCitizen

    This has been a very educational article for me, and I thank Brian for his continued efforts to disseminate important information everywhere. I’m always behind in keeping up with all things Apple, and find it interesting to learn that they have this active protection system built into the browser. At long last we see such corporations taking an active approach instead of just sitting on their laurels and riding on old hype and conjecture.

  5. Ray

    Re: What Part…
    I’m not a ‘user of corporate systems’. I’m just an average user with an above average security concern which is why I subscribe to Brian 🙂

  6. Can't We All Just Get Along?

    When I saw the headine ‘Critical Java Update Fixes 50 Security Holes’ I thought, “Criminy, don’t they fix them one at a time as they come along?” The last paragraph in this article especially floored me… UNBELIEVABLE.

    I’m glad I jettisoned the Java plug-in a while ago, based on Brian’s advice — if only I could do the same with Flash … 😉

    Thanks for your advice and all the heads ups, Brian. KrebsOnSecurity.com is the Best Blog in Computer Security!

    1. R. Hamilton

      While I’m no fan of Oracle (I miss the Sun of old), here are a couple of points that are, if not in their defense, at least a bit differently critical than yours:

      * given the testing before release (however much it may fail to find vulnerabilities, it should at least assure that it doesn’t break existing Java code), one release per vulnerability is not reasonable. (OTOH, that some of those vulnerabilities are ancient is NOT acceptable!)

      * dropping support for older versions, even critical security fixes, can be a good thing IF it increases the resources _effectively_ applied to maintain the current version.

      I think someone needs to look at whether the model is such that it CAN be secure even if the implementation were correct. If not, find ways to adjust that with minimal breakage. Once that’s done, do what can be done in terms of verifying correctness in those portions of the code where that might be possible and advantageous.

      As for the PR side, Sun was a bunch of happy fluffy bunnies compared to the arrogance of Oracle. When stuff goes wrong (which happens to everyone), the karma or whatever goes into payback mode on those who brought a bad attitude to the table.

  7. Chika

    Reminds me of using IE back during the 90’s, you would get all types of stuff on your computer just by using it. Back then malware was more annoying than harmful, but I don’t mess around with the Java stuff today.

  8. Oleg

    “Of the 84 vulnerabilities identified since Java 7’s release, we found that 66 of these existed in Java 6, while 40 existed in Java 5,”

    Yo ho, why people are still using it ?!
    This software is just a joke.

  9. BillC

    As I posted last week (much disliked — probably by Java developers), 99+% of of internet users (including me) should just uninstall Java, and not do business with sites that require it. Unfortunately, the remaining (less than 1%) who “require” it will need to waste precious time protecting themselves.

  10. Ray

    Gotomeeting happens to be the most popular webinar service on the web. Used by (my guess) 100,000+ people every single day.

    This problem will not go away until the web site owners and services like gotomeeting decide to make a change.
    Let’s hope they are paying attention.

    The good thing about having to enable java every time an app requires it is that it doesn’t stay enabled. As soon as you close the app it goes away.

    1. Ray

      By the way. It’s not specifically for business.
      I believe most attendees are not businesses.
      But I’ve been known to be wrong once or twice before 🙂

      1. Robert

        I’ve got Java disabled in the browser and Gotomeeting works fine. It yells at you that it cannot find java but if you ignore that it still runs even though it isn’t in the browser.

  11. Eric Z

    I see:
    “Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.”

    I use Java in a second browser (eg: for IPMI virtual console access or trusted video conferencing sites). I would add to your statement: “The other browser should only be opened for known trusted websites that don’t have third-party content like ads.” It’s still unfortunately too easy and too tempting for someone to open their second Java-enabled browser to click on the playful fluffy kitten game or video requiring Java to continue. At least the second-browser approach gives us the opportunity to stop and think *before* we connect.

  12. Ray

    I’m not a programmer.
    But I’m wondering if HTML 5 will really solve this issue or if it will become susceptible to attack when it becomes popular as well.

    1. Richard Steven Hack

      I’d say that it will be almost certain than HTML5 will have similar problems.

      What’s not certain is whether there will be more or less problems.

      Right now the issue is that too many end users have a software platform installed that they don’t need and which has too many vulnerabilities. We need to reduce the attack surface for those end users by having them disable the browser plugin.

      When HTML5 is in wide use, there won’t be any easy fix because everyone will have to use it.

      Six of one, half a dozen of the other.

      And my meme remains supreme!

  13. Debbie Kearns

    Thank you. Just two days ago, I got an automatic update of Java 7 Update 13 and installed it, uninstalling Java 6 in the process. Now, when I go to the Java Control Panel and click on “Security”, I now see that the “Enable Java Content in the Browser” check box has finally appeared, along with the Advanced Security Settings! Sweet! 🙂

  14. Keith Bates

    Until there is an easy way to access the microphone on a computer with HTML5, Java and Flash will remain in use in some form. I would love to rid my life of Java, but I work on development of a web based interface that requires Java for microphone access.

  15. Stratocaster

    Brian properly points out that “this advice does not scale for users of corporate systems”. However, many of those same corporate systems are sufficiently locked down that end users can’t unplug Java from their browser(s). I have full administrator rights (because I pestered IT for it), but as I have stated in earlier posts, I have NEVER seen an update for JRE pushed out by our corporate IT. I keep mine updated myself.

  16. Dave

    Only 50? I guess the team of monkeys coding Java were taking a lot of comp time for the holidays.

  17. A Jenner

    I’m an update a patch freak when it comes to Java, any update in fact, but I increasingly notice many corporations who leave their updates/patches for over a year… Everyone should do the basics at the very least!

  18. Amber Reynolds

    I have a rather newb-ish question. Avast has informed me that I do indeed have a version of [one of the many] Java exploits embedded in my laptop. It’s currently sitting in Avast’s chest, and I have been working for the last week on hardening my laptop against all sorts of invasions.

    Now that I know I have the exploit, and it’s tucked away in a chest, what should I do to ensure that nothing else will come of the exploit? I’ve been periodically checking which ports I have open at any given time, and which services I have running, and nothing seems unusual, but I have this feeling at the back of my mind that when I relax, my bank password will be stolen.

    Thanks much for all your hard work. I’m new to IT (taking college classes now), and I’ve definitely been learning a lot. Both in a good and scary way.

    1. BrianKrebs Post author

      You can instruct Avast to empty the items in its quarantine (or chest, as you put it). That should delete the exploit or malware dropper.

      Did you update Java? Did you consider getting rid of it, or at least unplugging it from your main browser? Even when it’s fully patched, Java is often a doorway into your PC for bad guys because it has so many zero days. Heck, Facebook just disclosed that its networks were hacked recently because of a Java zero day.

      1. Amber Reynolds

        Thanks for the quick response, Brian.

        I’ve deleted the exploit from the chest.

        I attempted to uninstall Java last night, actually (I don’t ever use it, and it’s been disabled in FF for months), but most of the methods I could find didn’t work on my system (Windows 7 Uninstall programs panel, using third-party Java uninstallers, etc). So I simply renamed all the Java files I could find with the extension .oldexe or .olddll. I didn’t want to delete them outright in case of system issues or mess with the registry keys for the same reason. I admit I’m rather ignorant when it comes to this sort of thing.

        1. JCitizen

          I use Revo Uninstaller myself; I like how it gets rid of any entanglements in the registry and the folders too. The free version is just as good as the Pro version. The only advantage to the pro version is that it has an installation tracker that makes it easier to do a cleanup after the uninstall reboot some applications require. But you can do the same thing by not rebooting and simply cleanup all the crud leftover manually.

          Revo highlights with bold type all registry entries so that process is made much easier. It also highlights all entries you shouldn’t touch in red. This makes it really easy for newbies, and it backs the registry up automatically. It really is a no brainer.

          1. Amber Reynolds

            I’ll give that a try this afternoon, JCitizen–thanks much.

          2. BrianKrebs Post author

            Don’t you have to have installed a software title using Revo to take full advantage of its uninstaller?

            1. JCitizen

              I guess I’m lost Brian; Revo reads the files and recognizes the proper uninstaller, activates it, then afterward scans and lists the registry entries automatically. I don’t understand “title” – sorry. :p

  19. Jim

    My wife’s main business software won’t run with Java 7 unless she updates to the latest version for several hundred dollars. She’s currently running version 6 update 37. I want to update her to the latest, presumably last version 6 update 39 before support dries up the end of February. However, the Java web site has no version 6 updates that I can find, let alone update 39. Any help finding 6.39 would be greatly appreciated.

    1. JimboC

      Hi Jim,

      The Java runtime environment (JRE) version 6 update 39 can be downloaded from the following link:

      http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html

      The Java Development Kit(JDK) version 6 update 39 can be downloaded from the following link:

      http://www.oracle.com/technetwork/java/javase/downloads/jdk6downloads-1902814.html

      In addition, archive Java versions e.g. v6 update 38 and older can be obtained from:

      http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html

      For older versions e.g. v5, v4 etc.:

      http://www.oracle.com/technetwork/java/archive-139210.html

      If I can provide any further clarification, please let me know. I hope this helps. Thank you.

    2. JimboC

      Hi Jim,

      I should also mention that Oracle is planning on releasing another Java update tomorrow most likely Java v6 Update 40 and Java v7 Update 14.

      “Please note above: Oracle is planning to release an updated version of the February 2013 Java Critical Patch Update. This updated February 2013 Java Critical Patch Update will be published on February 19th and will include the fixes that were originally planned for distribution but were not ready in time to be released on February 1st”

      Here is the link to the source of this info:

      http://www.oracle.com/technetwork/topics/security/alerts-086861.html

      These updates should be available from the following link tomorrow (it has the current versions right now):

      http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html

      Thank you.

Comments are closed.