January 16, 2019

In brief: Apple updates Java after Oracle’s October patches

(LiveHacking.Com) – Apple has once again updated the versions of Java running on its Mac OS X operating system soon after Oracle released its patches. This is in contrast to the fiasco earlier this year, in which Apple took until April 2012 to push out a patch that had been available to Windows users since February.

This time Apple has been quick off the mark. According to the security advisory: Multiple vulnerabilities exist in Java 1.6.0_35, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_37.

Additionally, for OS X 10.6 and OS X 10.7 this update removes the Apple-provided Java applet plug-in from all web browsers. It also removes the Java Preferences application, which is no longer required to configure applet settings. Mac users who genuinely need a Java plug-in (if you don’t, leave it removed) can click on the region labeled “Missing plug-in” to download the latest version of the Java applet plug-in directly from Oracle.

The update is available for the last three versions of Mac OS X: Mac OS X Snow Leopard v10.6.8, OS X Lion v10.7 or later, and OS X Mountain Lion v10.8 or later.

Oracle’s latest Critical Patch Update fixes over 30 security vulnerabilities in Java

(LiveHacking.Com) – Oracle has released its latest Critical Patch Update (CPU) which addresses multiple security vulnerabilities in multiple Oracle products including Java. In total the software giant has fixed almost 140 vulnerabilities in a range of its products including Oracle Database, Fusion Middleware, MySQL, Solaris and VirtualBox.

For Java, Oracle has patched a total of 30 holes, all but one of which can be exploited remotely without authentication. This means that merely visiting a web page which starts a Java applet can cause a PC to be breached and infected with malware, which is how several families of malware have been spreading in recent times. At the end of August Oracle was forced to release an out-of-band update for Java due to some severe Java vulnerabilities which were being exploited in the wild.

Many of the vulnerabilities were reported to Oracle by Adam Gowdiak of Security Explorations. Adam and his team have reported dozens of vulnerabilities to Oracle. Just under three weeks ago Adam reported a vulnerability that, if successfully exploited, completely bypasses the Java security sandbox. The bug allows attackers to violate a fundamental security constraint (type safety) of the Java Virtual Machine.

There are lots of concerns in the security industry about the number of vulnerabilities which exist in Java. If you don’t need Java it is best to remove it completely from your system. As an alternative you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to stop that installation from being used by the Java Plug-in and Java Web Start. Oracle has a detailed description of these settings here.

If you need to keep Java on your machine then the most effective measure against these vulnerabilities is to keep your Java version up to date. To check the version of the JRE your browser is running, use this link. You will then be prompted if you need to upgrade your Java version.

 

In brief: Another critical security issue found affecting Java SE 5/6/7

(LiveHacking.Com) – Adam Gowdiak, founder and CEO of Security Explorations, has posted information on the Full Disclosure mailing list about yet another security vulnerability affecting all the latest versions of Oracle’s Java SE software. He and his team have been able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass. The bug allows attackers to violate a fundamental security constraint (type safety) of the Java Virtual Machine.

The following Java SE versions were verified to be vulnerable:

  • Java SE 5 Update 22 (build 1.5.0_22-b03)
  • Java SE 6 Update 35 (build 1.6.0_35-b10)
  • Java SE 7 Update 7 (build 1.7.0_07-b10)

It appears that all the major browsers (with Java plugins) are vulnerable. Tests on a fully patched Windows 7 32-bit system were able to compromise Firefox 15.0.1, Google Chrome 21.0.1180.89 and Internet Explorer 9.0.10.

Details have been given to Oracle along with a technical description of the issue found plus the source code for a Proof of Concept demonstrating the complete Java security sandbox bypass.

Apple releases Java update for OS X including Snow Leopard

(LiveHacking.Com) – There has been a flurry of activity over the last few weeks, both by attackers and by the Java engineers at Oracle, around a series of critical vulnerabilities in Java 7 which have allowed attackers to run arbitrary code on a victim’s computer. Oracle recently released a patch for the flaws in Java 7, and at the same time released an update to Java 6 (update 35). Now Apple has released the Java 6 update for OS X Snow Leopard and OS X Lion. The Java 6 update addresses a related flaw, CVE-2012-0547.

Apple’s advisory reads as follows “This update configures web browsers to not automatically run Java applets. Re-enable Java applets by clicking the region labeled “Inactive plug-in” on a webpage. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.”

According to Oracle, update 35 addresses CVE-2012-4681 and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. The vulnerabilities may be remotely exploitable without authentication if an unsuspecting user visits a malicious web page that leverages this vulnerability. However there is some confusion as CVE-2012-4681 only affects Java 7.

It seems that the confusion is spreading as Brian Krebs, the renowned and respected security expert, didn’t quite understand Apple’s somewhat hazy advisory either. In an update to his blog post he confirms that the OS X update addresses CVE-2012-0547. “Upon closer inspection, it looks like this patch applies just to CVE-2012-0547,” wrote Krebs.

OS X 10.8 Mountain Lion isn’t affected as Apple no longer ships Java by default with OS X; however, there are Oracle builds available for the platform. This update is also Apple’s first patch for OS X Snow Leopard since June 12. Apple seems to have abandoned the older OS without any notification or end-of-life announcement, which is typical of Apple. The odd thing is that OS X Snow Leopard still powers around a third of all Macs.

Java 6 version 35 can be downloaded from Apple’s website for OS X Snow Leopard and Lion.

Oracle releases out-of-band update for Java to fix vulnerabilities which are being exploited in the wild

(LiveHacking.Com) – In a surprise move, which security researchers hoped for but hardly dared believe would happen, Oracle has released an out-of-band update to Java to fix several security vulnerabilities which are being exploited in the wild. The update addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities (CVE-2012-3136 and CVE-2012-0547) affecting Java running in web browsers on desktops.

These vulnerabilities, which are not applicable to Java running on servers or standalone Java desktop applications, can be exploited remotely without authentication. The exploit happens when an unsuspecting user visits a malicious web page designed to leverage the vulnerabilities. Upon successful exploitation the attackers can run arbitrary code on the victim’s computer.

“If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system,” wrote Oracle’s Eric P. Maurice in a blog post.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 “in the wild,” Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Users can download Java 7 Update 7 for Windows, Linux, Mac OS X, Solaris x86 and Solaris SPARC. The update is available in 32-bit and 64-bit versions for all platforms except OS X, which is 64-bit only. New versions of the Java SE Development Kit, bundling the updated Java runtimes, are also available.

Oracle knew of Java vulnerabilities in April and had proof of concept code examples

(LiveHacking.Com) – It turns out that the latest Java vulnerabilities, which are being used to spread malware across the globe, aren’t zero-day vulnerabilities at all. PC World is reporting that Oracle has known about the existence of the two unpatched Java 7 vulnerabilities since April. Polish security firm Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two vulnerabilities that are being exploited in the wild now. Including further vulnerabilities that the company reported to Oracle in May, the total number of reported problems was 29. “We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs,” said Adam Gowdiak, the founder and CEO of Security Explorations.

According to the press release which Security Explorations issued at the time, the security issues violated the “Secure Coding Guidelines for the Java Programming Language” and most of them demonstrate a specific problem related to Java SE security. As part of the research, Security Explorations developed reliable Proof of Concepts for ALL of the issues found. This included 12 exploits that demonstrated a complete JVM security sandbox bypass.

This means that for the last four months Oracle has had information about critical Java vulnerabilities including proof of concept code. The last status report that Adam Gowdiak received from Oracle revealed that the company was planning to fix the two vulnerabilities, which are being exploited today, in its October Critical Patch Update (CPU).

“Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don’t know why Oracle left so many serious bugs for the Oct. CPU,” Gowdiak said.

Oracle uses a four-month patch cycle for Java (mid-February, June and October) and the next patch is scheduled for October 16.

Oracle to patch 88 new security vulnerabilities

(LiveHacking.Com) – Oracle has published a pre-release announcement for a Critical Patch Update that the company intends to make public on Tuesday, July 17, 2012. Oracle’s Critical Patch Updates are a collection of patches designed to address security vulnerabilities in the Oracle product range. July’s Critical Patch Update contains 88 security vulnerabilities.

The most significant products to be patched include Oracle Database 11g, Oracle Database 10g, GlassFish Enterprise Server, Solaris and MySQL. This Critical Patch Update contains four security fixes for the Oracle Database Server. Three of these vulnerabilities may be remotely exploitable without authentication, however none of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

25 vulnerabilities will also be patched in the Oracle Sun Products Suite (which includes the GlassFish Enterprise Server and Solaris). 17 of these vulnerabilities may be remotely exploitable without authentication. Oracle will also fix 6 security problems in MySQL, however none of these vulnerabilities may be remotely exploitable without authentication.

The full list of affected products is:

  • Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
  • Oracle Secure Backup, version 10.3.0.3, 10.4.0.1
  • Oracle Fusion Middleware 11g Release 2, version 11.1.2.0
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.6
  • Oracle Application Server 10g Release 3, version 10.1.3.5
  • Oracle Identity Management 10g, version 10.1.4.3
  • Hyperion BI+, version 11.1.1.x
  • Oracle JRockit versions, R28.2.3 and earlier, R27.7.2 and earlier
  • Oracle Map Viewer, versions 10.1.3.1, 11.1.1.5, 11.1.1.6
  • Oracle Outside In Technology, versions 8.3.5, 8.3.7
  • Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
  • Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
  • Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
  • Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2
  • Oracle AutoVue, versions 20.0.2, 20.1
  • Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1
  • Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
  • Oracle Siebel CRM, versions 8.1.1, 8.2.2
  • Oracle Clinical Remote Data Capture Option, versions 4.6, 4.6.2, 4.6.3
  • Oracle Sun Product Suite
  • Oracle MySQL Server, versions 5.1, 5.5

Incredibly Apple releases Java update for OS X on the same day as Oracle

(LiveHacking.Com) – In the past Apple has come under heavy criticism due to the unacceptable amount of time it takes the Cupertino company to release Java updates for its OS X operating system. April and May saw a massive malware breakout on OS X due to a vulnerability in Java. The problem was that Oracle fixed the vulnerability in February but Apple didn’t release a patch until April. In the intervening months over half a million Macs got infected with the Flashback Trojan.

This time around Oracle has patched a number of critical vulnerabilities in Java and Apple has stepped up its game. On the same day as Oracle, Apple released a Java update for Mac OS X v10.6 Snow Leopard and OS X Lion v10.7.

The Java update fixes 14 security issues, 12 of which are remotely exploitable without authentication. This means that they can be exploited over a network without the need for a username and password. The most serious of the vulnerabilities allows an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The OS X update also includes some security hardening measures. First, the Java browser plug-in and Java Web Start are automatically deactivated if they have not been used for 35 days. Secondly, the Java browser plug-in and Java Web Start are deactivated if the installed version does not meet the minimum safe version, a threshold which Apple updates daily as needed. To re-enable Java a newer version needs to be installed.
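The version gate Apple describes above, together with the “keep Java up to date” advice earlier on this page, as an added example in Python (not code from Apple, Oracle or LiveHacking.Com): it parses the version strings a JRE reports, compares them against a minimum patched release per Java family, and applies the 35-day idle rule. The minimum versions in the table (1.6.0_37 and 1.7.0_07) are the fixed releases this page names; the sample `java -version` banner is constructed, and the function names are the example's own.

```python
"""Minimum-safe-version gate for a Java Runtime Environment.

Added example, not code from Apple, Oracle or LiveHacking.Com. It models
the two hardening rules described on this page: refuse the plug-in when
the runtime is below a minimum patched release, or when it has sat unused
for 35 days. Function names and the sample banner are the example's own.
"""
import re
from typing import Dict, NamedTuple, Tuple


class JavaVersion(NamedTuple):
    """A pre-JEP-223 Java version: 1.<family>.<micro>_<update>-b<build>."""
    major: int
    minor: int
    micro: int
    update: int
    build: int  # 0 when the string carries no -bNN suffix


# Matches "1.6.0_35-b10", "1.7.0_07", "1.5.0_22-b03" and plain "1.6.0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_version(text: str) -> JavaVersion:
    """Parse a Java version string into comparable integer fields."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return JavaVersion(*(int(g) if g else 0 for g in match.groups()))


# The "(build 1.6.0_35-b10...)" token on the Runtime Environment line of
# `java -version`. The HotSpot line (build 20.10-b01) has no three-part
# prefix and therefore never matches; vendor suffixes after -bNN are ignored.
_BANNER_BUILD_RE = re.compile(
    r"Runtime Environment \(build (\d+\.\d+\.\d+(?:_\d+)?(?:-b\d+)?)")
_BANNER_QUOTED_RE = re.compile(r'java version "([^"]+)"')


def version_from_banner(banner: str) -> str:
    """Return the most precise version string found in `java -version` output."""
    m = _BANNER_BUILD_RE.search(banner) or _BANNER_QUOTED_RE.search(banner)
    if m is None:
        raise ValueError("no Java version found in banner")
    return m.group(1)


# Minimum patched release per family (major, minor). These are the fixed
# versions named on this page; a real deployment refreshes this table with
# every Oracle Critical Patch Update or Security Alert.
MINIMUM_SAFE: Dict[Tuple[int, int], JavaVersion] = {
    (1, 6): parse_version("1.6.0_37"),
    (1, 7): parse_version("1.7.0_07"),
}


def is_safe(version_text: str, minimums=MINIMUM_SAFE) -> bool:
    """True if the runtime is at or above the minimum for its family.

    Families without an entry (Java 5, 1.4.2, ...) have no patched release
    in the table and are treated as unsafe. Build numbers are ignored,
    since vendors ship the same update under different -bNN suffixes.
    """
    v = parse_version(version_text)
    floor = minimums.get((v.major, v.minor))
    if floor is None:
        return False
    return v[:4] >= floor[:4]


IDLE_LIMIT_DAYS = 35  # Apple's idle-deactivation threshold, from this page


def plugin_decision(version_text: str, days_idle: int,
                    minimums=MINIMUM_SAFE) -> Tuple[bool, str]:
    """Apply both hardening rules; return (allowed, reason).

    The version check runs first, so an outdated runtime is refused even
    if it was used yesterday. Unparseable versions are refused, not allowed.
    """
    try:
        if not is_safe(version_text, minimums):
            return False, f"{version_text} is below the minimum safe version"
    except ValueError as exc:
        return False, str(exc)
    if days_idle >= IDLE_LIMIT_DAYS:
        return False, f"plug-in unused for {days_idle} days (limit {IDLE_LIMIT_DAYS})"
    return True, f"{version_text} is current and was used {days_idle} days ago"


# Constructed sample in the format of `java -version` on a 2012-era Apple
# Java 6 (Apple appended its own build suffix); not captured from a real host.
SAMPLE_BANNER = """\
java version "1.6.0_35"
Java(TM) SE Runtime Environment (build 1.6.0_35-b10-428-11M3811)
Java HotSpot(TM) 64-Bit Server VM (build 20.10-b01-428, mixed mode)
"""

if __name__ == "__main__":
    reported = version_from_banner(SAMPLE_BANNER)
    for version, idle in [(reported, 3), ("1.6.0_37", 3),
                          ("1.6.0_37", 40), ("1.5.0_22-b03", 0)]:
        allowed, reason = plugin_decision(version, idle)
        print(f"{version:<14} idle={idle:>2}d  {'allow' if allowed else 'BLOCK'}: {reason}")
```

Note that an unknown family is refused rather than waved through: the Java 5 build listed later on this page (1.5.0_22-b03) has no patched entry and is blocked, which is the conservative default a fail-closed gate should have.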

The update from Oracle affects the following versions of Java:

  • JDK and JRE 7 Updates 4 and earlier
  • JDK and JRE 6 Update 32 and earlier
  • JDK and JRE 5.0 Update 35 and earlier
  • SDK and JRE 1.4.2_37 and earlier
  • JavaFX 2.1 and earlier

Oracle to patch 14 security vulnerabilities in Java this week

Java has become a consistent target for hackers in their attempts to find system vulnerabilities which allow them to execute arbitrary code on a victim’s machine. Recently a vulnerability in Java was responsible for one of the largest outbreaks of malware on Apple’s OS X operating system. Oracle has now announced that it will patch a further 14 security vulnerabilities in Java this week, 12 of these can be remotely exploited without authentication.

“This Critical Patch Update contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” wrote Oracle.

Affected versions are JDK and JRE 7 Update 4 and earlier, JDK and JRE 6 Update 32 and earlier, JDK and JRE 5.0 Update 35 and earlier, SDK and JRE 1.4.2_37 and earlier and JavaFX 2.1 and earlier.

Once Oracle has released its patches the question remains: will Apple update its built-in version of Java quickly, and will users upgrade to the latest version?

“I’ve repeatedly encouraged readers to uninstall this program,” said Brian Krebs, former in-house security expert for The Washington Post. “Not only because of the constant updating it requires, but also because there seems to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.”

 

 

Details of Zero Day Oracle Vulnerability Published After Patch Misunderstanding

(LiveHacking.Com) – The details of a zero day (0day) vulnerability in Oracle’s Database product have been published when the researcher, who originally found the problem, mistakenly believed that Oracle told him it had been fixed.

Almost two weeks ago Oracle released 88 security patches for a whole range of its products including Oracle Database 10g and 11g. In the accompanying security advisories, Joxean Koret was credited by Oracle for work submitted under the “Security-In-Depth” program. The relevant vulnerability was submitted to Oracle in 2008 and has taken Oracle four years to address. Joxean contacted Oracle to double-check that the vulnerability was fixed. The reply from Oracle said the vulnerability “was fixed in future releases of the product”. Since he was credited in the security advisories for the patch and Oracle said it was fixed, Joxean went ahead and published his own advisory explaining the vulnerability, along with a proof of concept.

However, it turns out that Oracle didn’t fix the problem and in fact has no intention of fixing it in released versions of Oracle Database, but will only release a fix in the next version of the product. The reason Oracle gives for this is that “the fix is very complex and it is extremely risky to backport” and that there are concerns over regression. According to Joxean this means that “there is no patch at all for this vulnerability and Oracle refuses to write a patch for any existing versions, even for Oracle 11g R2. All versions are vulnerable and will remain vulnerable”.

The bug, which is now known as the TNS Poison vulnerability, exists in all versions of Oracle Database since 1999 (Oracle 8i) and includes the latest one (Oracle 11g). The vulnerability is in the TNS Listener, which is responsible for connection establishment. To exploit the vulnerability no privilege is needed, just network access to the TNS Listener.

Since Oracle 8i the database has supported a load-balancing feature known as “remote registration”, where a remote network listener forwards client requests to the actual database server responsible for handling requests for a given database. The problem is that, using a man-in-the-middle attack, it is possible to trick the database into accepting commands from a rogue listener. This is possible because a new request to register a remote listener that has already been registered with the database server is treated as coming from a cluster node after a failover, so the rogue listener is accepted and client connections can be routed through it. The result is that the attacker has full access to the database.

Ironically, Joxean wrote concerning the patch from Oracle: “I didn’t test it myself and, to be honest, I’m very tired of the Oracle world so I did not test it myself. I would not be surprised if the patch doesn’t correctly/completely fix the vulnerability.” And how right he was!