July 30, 2014

Oracle fixes 113 security vulnerabilities, 20 just in Java

(LiveHacking.Com) – Oracle has released a mammoth set of patches to address 113 security related problems across a wide range of its products. The patch release, which Oracle refers to as a Critical Patch Update (CPU), contains 113 new security fixes for a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

Although all of the patches from Oracle should be considered important, the set that will get the most attention are the latest patches for Java. Oracle patched 20 vulnerabilities in Java. Eight of the 20 vulnerabilities could allow a hacker to completely compromise a target client. These vulnerabilities are described as being remote exploits which don’t require authentication. In total the CPU provides fixes for 17 Java SE client vulnerabilities, 1 for a JSSE vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle also points out that Windows XP users should upgrade to a new operating system. The security advisory says that “running unsupported operating systems, particularly one as prevalent as Windows XP, create a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider.”

This CPU also includes 5 fixes for the Oracle Database, 29 new security fixes for Oracle Fusion Middleware, 5 fixes for Oracle E-Business Suite, and 3 for the Oracle Sun Systems Products Suite. According to the United States Computer Emergency Readiness Team (US-CERT), the update also includes 15 patches for Oracle Virtualization products, and 10 fixes for MySQL.

“Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” wrote Eric Maurice on Oracle’s security blog.

Oracle releases Critical Patch Updates the Tuesday closest to the 17th day of January, April, July and October. The next CPU is due on 14 October 2014.

Oracle releases critical security update for Java, Apple follows suit

(LiveHacking.Com) – Oracle has released a critical patch update for Java that addresses at least 40 security vulnerabilities, 37 of which may be remotely exploitable without authentication, meaning they can be exploited over a network without the need for a username and password.

The new version of Java is Java 7 update 25 and it is the recommended upgrade for all users using Java 7 Update 21 and earlier; Java 6 Update 45 and earlier; and Java 5.0 Update 45 and earlier. It seems that Oracle is no longer shipping updates for Java 6, however Apple has released a security advisory about Java for OS X 2013-004 and Mac OS X v10.6 Update 16.

In its advisory Apple recommends that OS X 10.6 users update to Java version 1.6 update 51 to address multiple vulnerabilities in Java 1.6 update 45. According to Apple, Java 6 update 45 has bugs which allow “an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.” This means that Java 6 has been updated, but the update is only available for OS X 10.6 users.

It is important that you apply these Java updates as soon as possible. Research from Websense has revealed that over 90% of users don’t update their Java versions in a timely manner.

Java is prone to security vulnerabilities and it is recommended, even after applying the latest patches, that users disable Java in the browser completely. If you don’t need Java (which you likely don’t), you should strongly consider removing Java completely from your machines.

Oracle updates Java, as does Apple

(LiveHacking.Com) – Oracle has released a Critical Patch Update (CPU) for Java SE. The update, which affects Java 5, Java 6 and Java 7, fixes 42 vulnerabilities within Java, the vast majority of which have been rated as Critical.

Besides the fixes, the biggest change is to the Java security dialogs. Now JavaScript code that calls code within a privileged applet triggers warning dialogs if the signed JAR files are not tagged with the Trusted-Library attribute.

“The JDK 7u21 release enables users to make more informed decisions before running Rich Internet Applications (RIAs) by prompting users for permissions before an RIA is run. These permission dialogs include information on the certificate used to sign the application, the location of the application, and the level of access that the application requests,” said Oracle.

According to Oracle Executive Vice President Hasan Rizvi not all the known Java problems have been fixed, but there are no unpatched vulnerabilities that are being actively exploited in the wild.

Java has been prone to security vulnerabilities in the last few years and earlier this year a global hacking campaign managed to infect computers inside hundreds of companies, including Facebook, Apple and Twitter. In light of these threats the US Department of Homeland Security has previously recommended that users disable Java in the browser completely.

Apple

Gone are the days when Apple’s Java update would come several months after Oracle’s fixes. As is now becoming the norm, Apple released its updates on the same day as Oracle. Java for OS X 2013-003 and Mac OS X v10.6 Update 15 addresses multiple vulnerabilities in Java, some of which could allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. To exploit this a hacker need only convince a user to visit a specially crafted web page with an untrusted Java applet. For more information Apple recommends reading the Java 6 update 45 release notes.

Apple also released a new version of its Safari web browser for OS X Lion v10.7.5, OS X Lion Server v10.7.5 and OS X Mountain Lion v10.8.3. It fixes problems where visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. The problem was an invalid cast that existed in the handling of SVG files. For more information see the Safari 6.0.4 page on Apple’s website.

Oracle patches Java vulnerabilities being exploited in the wild

(LiveHacking.Com) – Oracle has rushed out an emergency patch to address two Java vulnerabilities, one of which is being actively exploited by attackers to maliciously install the McRat malware onto victims’ PCs. Both vulnerabilities affect the 2D component of Java SE. Targeting Java running in the browser, these vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.

Security Alert CVE-2013-1493 patches Java to fix the vulnerabilities, which, although reported to Oracle on February 1st 2013, came too late to be included in February’s Critical Patch Update for Java SE. The fix had originally been planned for the April Critical Patch Update for Java SE, but since the vulnerabilities are being exploited in the wild, the company decided to release this out-of-band fix. The Java run-time environment (JRE) and the development kit (JDK) are affected for Java 5, Java 6 and Java 7.

“These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system,” said Oracle in a statement.

Apple simultaneously released an update for Java on OS X. OS X 2013-002 and Java for Mac OS X v10.6 Update 14 are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7, OS X Lion Server v10.7, OS X Mountain Lion 10.8 or later.

According to Apple, “Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.”

All users who don’t need to run Java in the browser should disable all Java plugins in all of the browsers on their PC or Mac. You should also strongly consider removing Java completely from your machines.

More zero-day vulnerabilities found in Java

(LiveHacking.Com) – Java was last updated only a few days ago when Oracle released an updated patch for Java SE to include five additional fixes that did not make it into the original patches delivered on February 1st. Now Adam Gowdiak, from Security Explorations, has posted to the Full Disclosure mailing list revealing details of two more zero-day vulnerabilities in the latest Java version.

According to Gowdiak, his company started to analyze the February 19th update and found two new security issues which when combined together can be successfully used to gain a complete Java security sandbox bypass. The company immediately reported the vulnerabilities to Oracle along with working Proof of Concept code.

Oracle did some investigation and has confirmed that the two issues when combined result in a full sandbox bypass for Java SE 7 Update 15. However, Oracle did note that one of the issues was actually the intended behavior, something that the team at Security Explorations rejects. According to Gowdiak, there is a mirror case corresponding to the issue that leads to an access denied condition and a security exception.

“That alone seems to be enough to contradict the ‘allowed behavior’ claim,” said Adam Gowdiak. “Is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?”

It seems that Gowdiak is going to release details of the issue, which he claims is a security vulnerability but which Oracle claims is ‘allowed behavior’, if Oracle doesn’t change its stance.

Both the issues are specific to Java SE 7 only as they abuse the Reflection API in a particularly interesting way.

Another zero-day Java exploit for sale on Internet

(LiveHacking.Com) – Less than a day after Oracle patched the zero-day vulnerability in Java 7, security journalist Brian Krebs has discovered that a new Java zero-day exploit is now available to purchase, in a crimeware and malware Internet forum, for US$5,000 per sale.

At the beginning of this week, an administrator of an exclusive cybercrime forum revealed that he is offering exploit code for a new zero-day vulnerability in Java, but he is only willing to sell it twice.

The seller was offering source files to the exploit plus an encrypted, weaponized version, ready for use. Since spotting the forum post, Krebs has noticed that the thread has since been deleted from the forum. This most likely means that buyers were found.

“To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program,” wrote Krebs.

The current frequency of Java exploits has led many to declare Java unsafe. Even after the latest update for Java 7, Adam Gowdiak, the founder and CEO of Security Explorations, who has found several critical vulnerabilities in Java, said that “We don’t dare to tell users that it’s safe to enable Java again.”

This was a sentiment echoed by HD Moore, chief security officer with Rapid7, the custodians of Metasploit: “The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop.”

It looks like Gowdiak and Moore are right!

Oracle has released a security update that fixes more than 80 vulnerabilities in its products

(LiveHacking.Com) – Oracle has released its Critical Patch Update (CPU) for January 2013. This month’s set of patches addresses 86 vulnerabilities across multiple Oracle products, excluding Java which Oracle patches separately. This update contains the following security fixes:

  • 6 for Oracle Database Server
  • 7 for Oracle Fusion Middleware
  • 13 for Oracle Enterprise Manager Grid Control
  • 9 for Oracle E-Business Suite
  • 1 for Oracle Supply Chain Products Suite
  • 12 for Oracle PeopleSoft Products
  • 1 for Oracle JD Edwards Products
  • 10 for Oracle Siebel CRM
  • 8 for Oracle Sun Products Suite
  • 1 for Oracle Visualization
  • 18 for Oracle MySQL

For the Oracle Database Server the CPU contains 6 new security fixes: a fix for a non-remotely exploitable vulnerability in the traditional Oracle Database Server and five security fixes for the Oracle Database Mobile/Lite Server, all of which may be remotely exploitable without authentication.

There are also 7 security fixes for Solaris, none of which may be exploited remotely without authentication, and one fix for the Sun Storage Common Array Manager (CAM) which is remotely exploitable without authentication.

MySQL has been patched to fix two vulnerabilities that may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The flaws in the MySQL protocol are present in MySQL 5.1.66 and earlier as well as 5.5.28 and earlier.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” said the company in the update advisory.

After latest vulnerability gets patched in Java, is it now seen as just too dangerous?

(LiveHacking.Com) – Oracle has released an update to Java 7 to address two Critical vulnerabilities. A few days ago, reports emerged about another new vulnerability in Java that was being exploited in the wild. The vulnerability allowed a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. An exploit for the vulnerability was quickly added to exploit toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK).

These vulnerabilities, known as CVE-2013-0422 and CVE-2012-3174, do not affect Java on servers, Java desktop applications, or embedded Java, however Java running in a web browser is affected.

To exploit the vulnerability, an unsuspecting user is tricked into visiting a website which has been designed specifically to infect their PC with malware. Once at the website the vulnerability allows for the execution of a malicious applet within the browser, which then results in the execution of arbitrary code (to install malware).

As part of Java 7 update 11, Oracle is switching the Java security settings to “high” by default. This means that users need to expressly allow the execution of any applets, which are either unsigned or are self-signed, in the browser. The idea is that any unsuspecting users visiting malicious web sites will be told before an applet is run.

Since update 10 of Java 7, it is possible to disable Java content in web browsers through the Java control panel applet. To do this de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).

However, questions are now being raised about the long-term viability of Java support in web browsers. Adam Gowdiak, the founder and CEO of Security Explorations, who has found several critical vulnerabilities in Java, told Reuters that “We don’t dare to tell users that it’s safe to enable Java again.”

“The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” said HD Moore, chief security officer with Rapid7, the custodians of Metasploit.

New zero-day Java 7 vulnerability being exploited in the wild

(LiveHacking.Com) – US-CERT has issued a security advisory about an unspecified vulnerability in the most up to date version of Java (Java 7 Update 10) that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. According to TrendLabs the zero-day exploit is being used by toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). Brian Krebs has noted that the author of the Blackhole exploit kit is calling the new exploit a ‘New Year’s Gift’ to customers who use Blackhole.

Initial analysis of the exploit shows that it probably bypasses certain security checks by tricking the permissions of certain Java classes, as in CVE-2012-4681. According to US-CERT, the exploit works by leveraging unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects; an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing.

The only good bits of news are that Java 6 doesn’t seem to be affected and that since update 10 of Java 7, it is possible to disable Java content in web browsers through the Java control panel applet. To do this de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).

US-CERT (and others) were alerted to the existence of the zero-day vulnerability by a blogger named Kafeine at the site Malware don’t need Coffee.

“We can confirm that this is a new vulnerability,” said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, in an email to Computerworld. “We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well, we’re currently analyzing whether other older updates are vulnerable.”

Java SE 7u10 can disable applets in the browser

(LiveHacking.Com) – Oracle has released an update to its Java 7 platform with a number of new security features. Java has been a topic of much debate recently due to the number of zero-day vulnerabilities found in its run time libraries. The result of all these security problems has been two-fold. First, Java has been used by malware writers as a way to infect PCs by using drive-by downloads. Second, security professionals and publications (including this one) have been encouraging users to disable or uninstall Java completely unless it is absolutely necessary to have it running.

Update 10 adds three security enhancements: 1) the ability to disable any Java application from running in the browser, 2) the ability to select the desired level of security for unsigned applets, 3) warnings when the JRE is insecure.

Apple was the first to add these kinds of enhancements to Java (for OS X) when it released a Java update for OS X that configured all installed web browsers to not automatically run Java applets. It also added the feature to disable the web plug-in if no applets had been run for an extended period of time.

The new ability to disable any Java application from running in the browser can be set in the Java Control Panel or (on the Microsoft Windows platform only) using a command-line install argument. Although enabled by default, de-selecting the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab) will prevent any Java application from running in the browser.

There are now four new levels of security which can be set to control the level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. This too is set from the Java Control Panel.

Finally, if the installed JRE is deemed to be insecure because it has expired or is below a predefined (by Oracle) security baseline, then newly implemented dialogs will be displayed urging the user to upgrade to a newer version of Java. The expiry date is hard coded and if the Java updater has not been able to check for an update prior to this date, the Java runtime will assume that it is insecure and start warning the user prior to executing any applets.
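As an added illustration of the two controls described in this article (the browser disable switch and the "below security baseline" check), and not code from the page or from Oracle: a Python helper that parses `java -version` output, flags JREs older than an assumed baseline built from the update levels named in these articles (7u25 and 6u51), and emits the deployment.properties lines that apply the browser disable and highest security level fleet-wide. The property keys are the Java 7u10+ deployment settings for those Control Panel options; the baseline table and host inventory are constructed for the example.

```python
import re

# First line of `java -version` as printed by Oracle JREs, e.g.
#   java version "1.7.0_10"
# Captures the major (7) and update (10) numbers; "1.7.0" with no update -> 0.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')

# Constructed baseline, not Oracle's official list: the update levels the
# articles above name as the fixed versions (Java 7 Update 25 from the June
# 2013 CPU, Java 6 Update 51 from Apple's OS X 10.6 build).
BASELINE = {7: 25, 6: 51}


def parse_java_version(first_line):
    """Return (major, update) from a `java -version` line, or None if unrecognised."""
    m = VERSION_RE.search(first_line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_below_baseline(first_line, baseline=BASELINE):
    """True when the JRE is older than the baseline for its major version, or when
    its major version has no baseline at all (e.g. Java 5, no longer patched)."""
    parsed = parse_java_version(first_line)
    if parsed is None:
        raise ValueError("unrecognised java -version output: %r" % first_line)
    major, update = parsed
    return major not in baseline or update < baseline[major]


def hardening_properties(lock=True):
    """deployment.properties lines that switch off Java in the browser and select
    the highest applet security level; the .locked keys stop a user from undoing
    this in the Java Control Panel."""
    lines = ["deployment.webjava.enabled=false",
             "deployment.security.level=VERY_HIGH"]
    if lock:
        lines += ["deployment.webjava.enabled.locked",
                  "deployment.security.level.locked"]
    return "\n".join(lines) + "\n"


# Constructed inventory: hostname -> first line of `java -version` on that host.
SAMPLE_HOSTS = {
    "ws01": 'java version "1.7.0_10"',   # the 7u10 release the zero-day hit
    "ws02": 'java version "1.7.0_25"',   # at baseline
    "ws03": 'java version "1.6.0_45"',   # Java 6 below Apple's 6u51
    "ws04": 'java version "1.5.0_22"',   # Java 5: no supported baseline
}


def hosts_needing_action(hosts=SAMPLE_HOSTS):
    """Sorted hostnames whose JRE is below baseline and should get the hardening."""
    return sorted(h for h, line in hosts.items() if is_below_baseline(line))


if __name__ == "__main__":
    for host in hosts_needing_action():
        print("%s: JRE below baseline, apply:\n%s" % (host, hardening_properties()))
```

The emitted lines belong in the system-level deployment.properties file referenced from deployment.config, so that every user profile on the host inherits them.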

The Java SE 7 run time can be downloaded from here, while the JDK is available here.