February 4, 2013
U.S. Computer Emergency Readiness Team Issues Warning
Oracle has issued a critical patch update for Java to, yet again, fix vulnerabilities in the much-plagued platform.
Although originally set for release Feb. 19, Oracle released the new patch two-and-a-half weeks early due to “active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.”
According to the U.S. Computer Emergency Readiness Team, any system using Oracle Java 7 (1.7, 1.7.0), including Java Platform Standard Edition 7, Java SE Development Kit or Java SE Runtime Environment, is affected.
“All versions of Java 7 before Update 13 are affected,” reads the US-CERT website. “Web browsers using the Java 7 plug-in are at high risk. Multiple vulnerabilities in Java 7 could allow an attacker to execute arbitrary code on a vulnerable system. Reports indicate that at least one of these vulnerabilities is being actively exploited.”
The patch addresses 50 different issues, 44 of which pertain to the Java Runtime Environment in web browsers, Oracle says. In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets.
“After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue,” writes Software Security Assurance Director Eric Maurice in a blog post.
One of the vulnerabilities affects the installation process of client deployment of Java — for example, the installation of the Java Runtime Environment on desktops.
Also fixed with the new patch are three security issues that apply to client and server deployment of Java.
“That means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in Browser, or in servers, by supplying malicious input to APIs in the vulnerable server components,” writes Maurice. “In some instances, the exploitation scenario of this kind of bugs on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source.”
Another two vulnerabilities fixed with the patch affected server deployment of the Java Secure Socket Extension (JSSE).
“The maximum CVSS Base Score for the vulnerabilities fixed in this Critical Patch Update is 10.0,” Maurice adds. “This score affects 26 vulnerabilities: 23 of which are client-side vulnerabilities, and 3 applicable to client and server deployments.”
In a bid to lessen the threat of malicious applets, Oracle has set its Java security settings to “high” by default.
Java was plagued by similar problems last month that left Oracle scrambling to fix the platform’s vulnerabilities.
The U.S. Computer Emergency Readiness Team, under Homeland Security, issued a warning at the time urging Java users to disable the program.
“Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11,” the U.S. Computer Emergency Readiness Team’s (US-CERT) website read. “This will help mitigate other Java vulnerabilities that may be discovered in the future.”
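The two advisories quoted above (US-CERT's "all versions of Java 7 before Update 13 are affected", and its earlier note that 7u11 alone is not enough) reduce to a version check that an administrator can run across a fleet. The following is an added example, not code from Oracle or US-CERT: it parses the `java -version` banner (Java 7 reports itself as `1.7.0_NN`, a missing `_NN` meaning update 0) and flags Java 7 installs below Update 13. The threshold constant and the sample banner strings are assumptions taken from the article, not from any vendor tool.

```python
import re
import subprocess

# Threshold from the advisory quoted in the article: Java 7 before Update 13 is affected.
FIXED_UPDATE = 13

# Matches the legacy Java version scheme 1.<major>.<minor>[_<update>], e.g. "1.7.0_11".
_VERSION_RE = re.compile(r'1\.(?P<major>\d+)\.(?P<minor>\d+)(?:_(?P<update>\d+))?')


def parse_java_version(text):
    """Return (major, update) from a `java -version` banner or a bare version string.
    A version with no _NN suffix (e.g. "1.7.0") is update 0. Returns None if no
    version string is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group('major')), int(m.group('update') or 0)


def is_vulnerable(text):
    """True when the version is Java 7 below Update 13, False for 7u13 or later,
    and None when the string is not a Java 7 version (this check only covers the
    Java 7 range named in the advisory)."""
    parsed = parse_java_version(text)
    if parsed is None or parsed[0] != 7:
        return None
    return parsed[1] < FIXED_UPDATE


def check_local_java(timeout=10):
    """Run the local `java -version` (the banner is printed on stderr) and classify it.
    Returns None if no java binary is available."""
    try:
        proc = subprocess.run(['java', '-version'], capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable(proc.stderr + proc.stdout)


# Constructed sample banners, in the format the Java 7 launcher prints.
SAMPLE_BANNERS = {
    'patched': 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment (build 1.7.0_13-b20)',
    'unpatched': 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
}

if __name__ == '__main__':
    for label, banner in SAMPLE_BANNERS.items():
        print(label, '->', 'vulnerable' if is_vulnerable(banner) else 'not affected')
```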