Oracle to patch 14 security vulnerabilities in Java next Tuesday, 12 June

[Xircal]

I don't have Java installed anymore on my own system since it seems to have more holes in it than a second hand dartboard, but for the benefit of those that do, Oracle will release a large number of patches next Tuesday: Oracle to patch 14 critical Java SE holes on Tuesday

[satrow]

No Java here either, for similar reasons; for those that do need to use it, get this update installed as soon as you can - especially if you use IE!

Anyone that's unsure whether they need Java or not, uninstall it.

[BruceR]

... get this update installed as soon as you can - especially if you use IE!

Why especially if you use IE?

Bruce

[satrow]

Why especially if you use IE?

Even if the Java plugins are all disabled in IE, a malformed request to IE can still trigger at least 2 Java processes to be started by Windows - if your Java is a targeted version, you're at risk of losing control of your computer.

[BruceR]

Even if the Java plugins are all disabled in IE, a malformed request to IE can still trigger at least 2 Java processes to be started by Windows - if your Java is a targeted version, you're at risk of losing control of your computer.

Do Microsoft know about that vulnerability? It sounds like one they would want to fix.

Is it documented somewhere?

Bruce

[satrow]

It's possibly this one (though there could well be others that are capable of pulling similar stunts): http://cve.mitre.org/cgi-bin/cvename...=CVE-2012-0507. The one I checked out was within a few days of this being published: http://krebsonsecurity.com/2012/03/n...exploit-packs/

I read that a site I sometimes visit that was having problems, someone had picked up a security warning from it. I checked my plugins were all off, my security programs set to high and loaded it in several Mozilla and Chrome -based browsers, each one set off a BIG Google Safe Browsing (or whatever it's called) page, I bypassed the warning and carefully checked for any strange activity - nothing.

Next I double-checked all 3rd party plugins, add-ons, etc. were still disabled in IE9, had Process Explorer and TaskMan at the ready and then loaded the suspect page - no warning from the IE Smart filter (or whatever it's called) but within a few seconds, one then two Java-related processes had started running. Naturally, I did a kill all, emptied all browser caches and ran some thorough scans and manual checks, nothing found - I guess the fact that my PC was fully updated and I hit the kill switch fast was enough to keep me safe.

Note in the Brian Krebs article:

Update, March 28, 3:48 p.m. ET: Marcus Carey, a security researcher at Rapid7, adds a bit more perspective on the severity of the situation with this exploit. He estimates that upwards of 60 to 80 percent of users probably are not yet patched against this flaw. Here’s what he wrote:

Anytime an exploit, such as one for CVE-2012-0507, is added to mass exploit kits it goes from being a “hypothetical risk” to becoming a real risk. This particular exploit can be found in the widely used BlackHole Exploit kit.

Based on the Java patching habits of 28 million unique Internet users, Rapid7 estimates that 60-80% of computers running Java are vulnerable to this attack today.

Looking long term, upwards of 60% of Java installations are never up to the current patch level. Since so many computers aren’t updated, even older exploits can be used to compromise victims.

Rapid7 researched the typical patch cycle for Java and identified a telling pattern of behavior. We found that during the first month after a Java patch is released, adoption is less than 10%. After 2 months, approximately 20% have applied patches and after 3 months, we found that more than 30% are patched. We determined that the highest patch rate last year was 38% with Java Version 6 Update 26 3 months after its release.

Since this is only about a month since the patch was released (February 15), it’s likely that only approximately 10% of users have applied the patch.

[BruceR]

It's possibly this one (though there could well be others that are capable of pulling similar stunts): http://cve.mitre.org/cgi-bin/cvename...=CVE-2012-0507. The one I checked out was within a few days of this being published: http://krebsonsecurity.com/2012/03/n...exploit-packs/

No documentation of Internet Explorer being any more of a problem with Java than any other browser though?

Bruce

[satrow]

Well, I'd been pre- warned by another commentator on a (different?) Krebsonsecurity topic around that time that (because of Windows file associations?) this kind of thing could happen, so it doesn't appear to be a big secret, I didn't go searching for any specific vulnerabilities - all those words and numbers hurt my brain. I just tell it like i see it.

On a fully-patched W7, an exploit triggered 2x Java processes via IE. It didn't happen with SRWare Iron, Chrome, Pale Moon or Firefox.