Oracle has released a new version of Java to address the serious security flaws that attackers have been exploiting all week.
Users are encouraged to immediately apply the latest Java update to close the zero-day vulnerabilities in the Java Runtime Environment, Oracle said in its advisory on Thursday.
If exploited, these security holes allow attackers to download and execute arbitrary code on victim computers. Researchers have identified two flaws in JRE 1.7 which attackers were chaining together to push the Poison Ivy Remote Access Tool (RAT) onto victims.
The out-of-band Security Alert CVE-2012-4681 includes fixes for "three distinct but related vulnerabilities and one security-in-depth issue" affecting Java running within the browser, said Eric Maurice, director of Oracle software security assurance, in a blog post on Thursday.
CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547 don't affect standalone Java desktop applications or Java running on servers. They only affect applications accessed through the browser using plugins.
"Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible," Maurice wrote.
Oracle's latest update fixes both reported zero-days, Tod Beardsley, the Metasploit engineering manager at Rapid7, told Security Watch. The team verified the flaws were fixed in the latest Java update (Update 7) with the open-source Metasploit penetration framework, Beardsley said.
"At this point, I'm confident that the patched code eliminates the vulnerability," Beardsley said.
The United States Computer Emergency Readiness Team (US CERT) has advised users to disable the browser's Java plugin, or to uninstall Java entirely. Security Watch outlined the steps to disable Java earlier this week. Even with the patch in place, if users don't need Java, it's still worth keeping it disabled. Why give attackers a potential avenue of attack if it's not necessary?
Security researchers have long been saying users should not be running Java or have the plugin installed unless they regularly access websites that still require the technology (many consumer-focused sites no longer require Java although there are a few that still do).
Most browsers allow for whitelisting of known-good sites, and most web sites don't rely on Java for dynamic content, so it doesn't cause much inconvenience to disable Java entirely until you learn that you need it for a particular site, Beardsley said.
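An added inventory check, not from the article, Oracle or Rapid7: it parses the banner printed by `java -version` and flags machines still running a Java 7 build older than Update 7, the release the article says carries the fix. The sample banners below are constructed, and the only rule assumed is the one the article gives (JRE 1.7 before Update 7 needs the patch).

```python
import re
import subprocess

# The article states that Oracle's Security Alert for CVE-2012-4681 is fixed
# in Java 7 Update 7, and that the flaws live in JRE 1.7's browser plugin.
FIXED_MAJOR_MINOR = (1, 7)
FIXED_UPDATE = 7

# Matches banners such as: java version "1.7.0_06"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Constructed sample banners for demonstration (not captured from real hosts).
SAMPLE_BANNERS = {
    "host-a": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "host-b": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "host-c": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)',
}


def parse_java_version(banner):
    """Return (major, minor, patch, update) from a `java -version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def needs_cve_2012_4681_update(banner):
    """True when the banner reports a Java 7 build older than Update 7."""
    v = parse_java_version(banner)
    if v is None:
        raise ValueError("unrecognised java -version output")
    major, minor, _patch, update = v
    return (major, minor) == FIXED_MAJOR_MINOR and update < FIXED_UPDATE


def hosts_needing_update(banners):
    """Return the sorted host names whose banner indicates a pre-Update-7 Java 7."""
    return sorted(h for h, b in banners.items() if needs_cve_2012_4681_update(b))


def local_java_banner():
    """Read this host's own banner; `java -version` prints it to stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    print("needs Java 7 Update 7:", hosts_needing_update(SAMPLE_BANNERS))
```

Note that a patched runtime does not change the advice above: if the browser plugin is not needed, it should stay disabled.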
"This is not likely the last Java zero-day we'll see," Beardsley said.
Oracle Be Nimble, Oracle Be Quick
It's very rare for Oracle to do an emergency patch, Beardsley said, as the company "almost never" deviates from its Critical Patch Update cycle. The fact that they released this Java update early shows that they are getting more flexible in their approach to securing their products, Beardsley said.
"I'm thrilled that we went from a malicious, in-the-wild exploit on Sunday, to a safe and effective exploit on Monday, to a new Java update on Thursday," Beardsley said, calling it "a huge success story."
Andrew Storms, director of security operations at nCircle, had some strong words for Oracle, calling the entire incident a "complete security communication fail on Oracle's part."
The company didn't release much information in the release notes and there was a bit of a lag time between when the update went live and when Maurice posted his blog post. The company was also deafeningly silent over the past four days, giving no indication that an out-of-band update was coming.