Oracle Allegedly Knew About Latest Java Security Flaw In April

JAVA = Just Awaiting Vulnerability Attack? Sophos and others have found more evidence that cybercriminals are already using the latest zero-day security flaw in Java to infect computers with malware.

The exploit has even been included in some popular hacking tools and KrebsonSecurity note that “the latest figures suggest that these vulnerabilities have exposed more than a billion users to attack”.

I reviewed this flaw on Tuesday after it came to light and noted that Oracle’s next scheduled critical patch update for Java is not until October 16 – the last one was in June.

So it’s even more annoying to find out that Oracle were apparently warned way back in April of this vulnerability – and a host of others, 31 Java security issues in total. That should have been ample time to fix them in the June update but apparently they only fixed 2 of the 31 issues…

Oracle do not appear to have issued any public statement and there’s no mention of this security fiasco on their (very active) Twitter account.

UPDATED August 31 – Oracle have just released a new version of Java 7 (Update 7) to fix the zero day flaw (4 fixes in total) and a new Java 6 version (Update 35) to fix 1 security issue. Only another 25 to go then…

Java is a huge target for malware writers to attack – it is especially attractive because it is installed on so many computers (84% of visitors to TechLogon) and it is cross-platform i.e. can be installed on Windows, Mac OS X and Linux computers.

Microsoft do not come out of this mess smelling of roses either. Best security advice is to disable Java in your web browser at least (preferably uninstall it completely) but Microsoft’s Internet Explorer makes that almost impossible.

I have updated how to disable Java in IE with new research from US-CERT that adds even more complex steps. Their conclusion (my italics):

“Due to the complexity and impracticality of disabling Java in Internet Explorer, you may wish to uninstall Java to protect against this vulnerability. If Java is still needed, consider installing the latest version of Java 6”.

Why So Difficult to Disable In IE?

IE’s security is poor – it ignores the settings you make in ‘Manage Add-ons’ to disable Java. In IE there are several ways to invoke a Java applet and several ways to configure Java support, so there are multiple scenarios to cover: web pages can use Object, Embed or Applet tags to invoke Java, and every one of those routes must be disabled.
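As an added example (not code from the post), a small Python scanner that flags each of the three invocation routes named above in a page’s HTML, which is the check a defender would run over saved pages or proxy captures; the Java MIME types and plug-in class ids it looks for are an assumed, non-exhaustive list.

```python
"""Flag HTML that can launch the Java plug-in via any route IE honours
(<applet>, <object>, <embed>).  Added example, not code from the post."""
from html.parser import HTMLParser

# Assumed, non-exhaustive list of MIME types used to request the Java plug-in.
JAVA_MIME_PREFIXES = ("application/x-java-applet", "application/x-java-bean",
                      "application/x-java-vm")
# Java Plug-in ActiveX class ids (assumed): classic id plus the CAFEEFAC family.
JAVA_CLSID_PREFIXES = ("clsid:8ad9c840-044e-11d1-b3e9-00805f499d93",
                       "clsid:cafeefac-")


class JavaInvocationScanner(HTMLParser):
    """Collect every tag that could invoke Java, with the route it uses."""

    def __init__(self):
        super().__init__()
        self.hits = []  # list of (tag, reason)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "applet":
            self.hits.append((tag, "applet tag"))  # <applet> is always Java
        elif tag in ("object", "embed"):
            if a.get("type", "").startswith(JAVA_MIME_PREFIXES):
                self.hits.append((tag, "java mime type " + a["type"]))
            elif a.get("classid", "").startswith(JAVA_CLSID_PREFIXES):
                self.hits.append((tag, "java plug-in classid"))
            elif "code" in a or "archive" in a:
                self.hits.append((tag, "applet code/archive attribute"))
        elif tag == "param" and a.get("name") in ("code", "archive", "jnlp_href"):
            # <object><param name="code"> is the IE-style applet launch.
            self.hits.append((tag, "applet param " + a["name"]))


def find_java_invocations(html):
    """Return the (tag, reason) hits for one HTML document, in page order."""
    scanner = JavaInvocationScanner()
    scanner.feed(html)
    return scanner.hits

# Constructed sample page exercising all three routes plus a non-Java object.
SAMPLE = """<applet code="Hello.class" width="1" height="1"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93">
  <param name="code" value="Hello.class"></object>
<embed type="application/x-java-applet" code="Hello.class">
<object type="application/x-shockwave-flash" data="movie.swf"></object>"""

if __name__ == "__main__":
    print(*find_java_invocations(SAMPLE), sep="\n")
```

Any non-empty result means the page can start Java through at least one route, so blocking only one tag type (or only the add-on) leaves the others open.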

What can we learn from this debacle?

Uninstall Java 7 completely. Don’t reinstall it if at all possible – this latest breach of security is just one of 29 security issues still to be fixed – after 4 months…

If you absolutely must, install the latest version of Java 6 (Update 34 at time of writing) from Oracle.

Disable Java in Chrome, Firefox, Safari etc.

Don’t use IE.

2 Responses to: "Oracle Allegedly Knew About Latest Java Security Flaw In April"

  1. Maurice Bernier says:

    You know? This really pis#$ me off to say the least. Not you guys! Fricken Oracle!
    Just recently I found a sweet little software called Jing to take screenshots and capture web images and now I can’t use it because it needs Java to work.

    I have to wonder why the US government doesn’t intervene here and make them fix it?
    Especially if they’ve had plenty of time to do so.

    Guess I’ll have to suffer and kiss that software goodbye since I’ve done as you suggest and taken Java right off my system!

    In thanks for all you guys do for us, I have created a feed to one of my sites promoting you to my entire membership.

    On behalf of all them and myself,

    Thanks For All You Do!

    Maurice