Oracle Rushes Out Java Patch But ‘Serious’ Flaws Left Open

Oracle has pushed out a patch for a Java zero-day flaw, which had been used to serve up malware via websites, but there remain a number of exploitable security holes in the technology.

The zero-day vulnerability came to light last week and appeared in numerous exploit kits, including the prevalent Blackhole tool.

It was believed the flaw was being exploited, through compromised websites, to infect users’ machines with the Reveton ransomware, which locks victims out of their machines and demands payment.

Java palaver

As the threat escalated, government departments, including the US Department for Homeland Security, issued warnings about the danger of running Java.

Security professionals had recommended users stop Java running on their systems altogether, but Oracle’s action should allay some fears.

“Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 ‘in the wild’, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the company said in its advisory, in which it revealed it had fixed another serious vulnerability.

Oracle also announced it was increasing the default security level for Java applets and web start applications from ‘Medium’ to ‘High’. That means the user is always warned before any unsigned application runs to prevent “silent exploitation”.

It was a “quick reaction to a rapidly expanding threat”, said Wolfgang Kandek, CTO of security firm Qualys. However, he still recommended disabling Java in the browser, using the Java Control Panel. And others believe unless users absolutely need it for their app portfolio, Java should be ditched altogether.
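As an added example (not code from the article or from Oracle), a small Python check for the two settings discussed above, the applet security level and whether Java content is enabled in the browser, read from the deployment.properties file the Java Control Panel writes. It assumes the Control Panel persists those settings under the keys deployment.security.level and deployment.webjava.enabled; the sample file contents are constructed.

```python
"""Audit a Java deployment.properties file for the two browser-hardening
settings above: the applet security level and browser Java being enabled."""
import re
from typing import Dict, Optional

# Ordered weakest to strongest; VERY_HIGH exists in later Java 7 updates.
SECURITY_LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]

# Java properties format: "key=value", "key:value", or a bare key such as
# "deployment.security.level.locked", which pins a setting against changes.
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_deployment_properties(text: str) -> Dict[str, str]:
    """Parse key/value lines; blank lines and '#'/'!' comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit(props: Dict[str, str]) -> Dict[str, bool]:
    """Report which mitigations are explicitly in place.

    A missing level is not credited: an unpatched install defaults to
    Medium and a patched one to High, so only an explicit value is trusted."""
    level: Optional[str] = props.get("deployment.security.level")
    level = level.upper() if level is not None else None
    level_ok = (level in SECURITY_LEVELS
                and SECURITY_LEVELS.index(level) >= SECURITY_LEVELS.index("HIGH"))
    browser_disabled = props.get("deployment.webjava.enabled", "true").lower() == "false"
    locked = "deployment.security.level.locked" in props
    return {"level_at_least_high": level_ok,
            "browser_java_disabled": browser_disabled,
            "level_locked": locked}


# Constructed sample of a weak configuration, not from any real system.
SAMPLE = """\
#deployment.properties
deployment.version=7.11
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

if __name__ == "__main__":
    print(audit(parse_deployment_properties(SAMPLE)))
```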

Other flaws open

That would provide better security against future Java-enabled threats. And it would come as no surprise if more Java zero-days emerged in the coming months, given how prevalent they have been of late.

Indeed, Oracle is being urged to address other vulnerabilities highlighted months ago. One of those flaws, uncovered by Polish firm Security Explorations, was shown to Oracle back in September. Security Explorations said it had shown how easy it would be for Oracle to address the issue, but it has been ignored.

The security hole allows for remote code execution, and remains in Java despite the most recent update. The vulnerability affects all Java SE versions released over the past eight years, said Adam Gowdiak, CEO of Security Explorations.

“Oracle didn’t bother to respond to our claims posted on 19 October 2012 regarding the possibility to fix [the vulnerability] quickly and without the need to wait five extra months till the next Java SE CPU date,” Gowdiak told TechWeekEurope.

But Gowdiak isn’t convinced Larry Ellison’s firm will deliver a fix for the flaw in the next couple of months, even though it has some patching planned.

Oracle is due to push out its critical patch update tomorrow, although that is separate from its Java SE update cycle. The next Java SE updates won’t arrive until February.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
