Home Business IT Security Oracle's recent Java patch is broken

Within hours of the out-of-cycle Java patch's release, the experts declared it broken. You are no better off whether you install it or not. Our strong advice is, disable Java. NOW.

Following the April discovery of a set of major vulnerabilities in Java, Oracle has been endlessly criticised for its tardy response. In fact it has widely been reported that exploits targeting these vulnerabilities have been included in both Metasploit and Blackhole, making the exploitation of these security holes nothing more than point-and-click.

Note that Oracle has a rolling 4-month patching cycle for Java: patches are released every two months with security patches occupying one two-month slot and bug fixes / enhancements the other slot. This of course means that we can be forced to wait many months for an issue to be addressed, especially if the resolution is not ready when the security update is released.

Having previously announced that the public would have to wait until the regular October security patch cycle, late last week, Oracle rushed a patch to market.

Rushed is the key-word here.

It quickly became apparent that the patch addressed only some of the attack vectors; soon after, it became clear it didn't even do that.

Polish security organisation Security Explorations discovered the original flaws and communicated them directly to Oracle (who acquired ownership of Java as part of the merger with Sun Microsystems) in April. Some months later, Oracle was being criticised for not addressing the issue. Security Explorations' diary of the events lends credence to the criticism.

Things rapidly came to a head when active exploitations were observed in the wild.

It would seem that in the past few days, Oracle was finally stung into action and released the patch kit widely reported in the Tech Media.

Most commentators (myself included in a comment to the above link) suggested users rush to apply the patched version of Java.

I hereby rescind that advice.

Just a few hours after the patch was made available, Security Exploration's Adam Gowdiak posted to Seclists his thoughts that the patch contains a bug which makes some of the not-yet-patched vulnerabilities easier to exploit.

"Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again."

One might suggest that this is just a tiny bit embarrassing for Oracle. Be that as it may, it's closer to a disaster for the rest of us.

Unless it is crucial to your web operations, we strongly suggest you disable java wherever it is in use on your computer. Sophos' Graham Cluley offers instructions on how to do that.

Alternately, Brian Krebs suggests that, if you must use Java in a browser, you should run it ONLY in a secondary browser which is used for nothing more than to access the locations which require it; all other web access should be through a browser with Java disabled.


Did you know: Key business communication services may not work on the NBN?

Would your office survive without a phone, fax or email?

Avoid disruption and despair for your business.

Learn the NBN tricks and traps with your FREE 10-page NBN Business Survival Guide

The NBN Business Survival Guide answers your key questions:

· When can I get NBN?
· Will my business phones work?
· Will fax & EFTPOS be affected?
· How much will NBN cost?
· When should I start preparing?


David Heath

joomla statistics

David Heath has over 25 years experience in the IT industry, specializing particularly in customer support, security and computer networking. Heath has worked previously as head of IT for The Television Shopping Network, as the network and desktop manager for Armstrong Jones (a major funds management organization) and has consulted into various Australian federal government agencies (including the Department of Immigration and the Australian Bureau of Criminal Intelligence). He has also served on various state, national and international committees for Novell Users International; he was also the organising chairman for the 1994 Novell Users' Conference in Brisbane. Heath is currently employed as an Instructional Designer, building technical training courses for industrial process control systems.






Join the iTWire Community and be part of the latest news, invites to exclusive events, whitepapers and educational materials and oppertunities.
Why do I want to receive this daily update?
  • The latest features from iTWire
  • Free whitepaper downloads
  • Industry opportunities