Oracle Shores Up 14 Major Java Vulnerabilities

February 15, 2012 by Corey Nachreiner 3 Comments

Severity: High

Summary:

  • These vulnerabilities affect: All versions of Sun Java Runtime Environment (JRE) and Java Development Kit (JDK) released before today
  • How an attacker exploits them: Typically by luring your users to a malicious web page containing specially crafted Java
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate JRE (or JDK) update as soon as possible

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters used today.

Yesterday, Oracle released a security alert warning of 14 vulnerabilities that affect all previous versions of Sun JRE (as well as Sun Java SDK) running on Windows, Solaris and Linux platforms. While the vulnerabilities differ technically, an attacker can exploit many of them in a similar manner – by enticing your users to a malicious web page containing specially crafted Java. In the worst case, if your users visit such a site, an attacker could leverage some of these Java flaws to execute code on those users’ computers, with their privileges. If your users have local administrative or root privileges, the attacker could potentially leverage these flaws to gain complete control of their machines.

Attackers are increasingly targeting Java vulnerabilities in drive-by download attacks — even more so than web browser flaws. For that reason, we consider this Java update as critical. If you have installed Java, which most users have, we recommend you download and install Oracle’s updates as soon as you can.

Solution Path:

Sun has released various JRE and SDK updates to correct these issues. If you use Sun JRE in your network, download and deploy the appropriate updates as soon as possible. You can find the updates in the “Patch Availability Table” within Oracle’s alert.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading Java applets from websites. However, doing so also cripples legitimate websites using Java applets. If you do not want to block Java applets, download the appropriate Sun JRE updates as soon as possible. Furthermore, blocking Java applets may mitigate the risk of some of these vulnerabilities, but not all of them. Oracle’s update is the best solution.

To learn how your Firebox’s HTTP proxy can block Java bytecode, see this help page.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

Security Updates
, , , , ,

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word. Previous Meetings core
View all posts by Corey Nachreiner

Trackbacks/Pingbacks

  1. WatchGuard Security Week in Review: Episode 5 | WatchGuard Security Center - February 17, 2012

    [...] Oracle Java JRE update  - WatchGuard Security Center [...]
  2. Update OS X Java to Avoid Spreading Mac Malware | WatchGuard Security Center - April 5, 2012

    [...] Apple update finally brings the Java updates Oracle released in February to OS X users. Unfortunately, attackers have already been exploiting one of these Java [...]
  3. Update OS X Java to Avoid Spreading Mac Malware « microreksa - April 8, 2012

    [...] Apple update finally brings the Java updates Oracle released in February to OS X users. Unfortunately, attackers have already been exploiting one of these Java [...]

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 6,939 other followers