Wednesday, March 6, 2013

More Java Flaws Discovered

During our technology training last month we talked about the ongoing problems with Java's security. We also reviewed our options for dealing with this never-ending problem. In fact, I posted my recommendations in last month's technology newsletter.

Well, Java is back in the news, and here is the scoop on Java's latest flaw.

This latest flaw was first discovered by security firm FireEye, which says it has already been used “to attack multiple customers.” The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed, the latest versions of Oracle’s plugin.

This confirms the flaw is indeed a 0-day. For those who don’t know, “0-day” or “zero-day” refers to a security hole that has not been publicly disclosed yet, and so doesn’t have a patch available.

Oracle released Java SE 6 Update 41 and Java SE 7 Update 15 on February 19, containing five security fixes. This was a scheduled release, but it followed a previous emergency update that addressed 50 (yes, 50) vulnerabilities. In February, Java exploits resulted in computers being compromised at multiple companies, including Apple, Facebook, and Microsoft.

Since the release of Java 7 Update 15, there has been at least one new vulnerability found in Oracle’s software. Unfortunately, it’s not clear if this exploit discovered by FireEye is related or not.
On February 25, Security Explorations, a Polish security firm responsible for identifying the majority of the latest Java security holes, sent Oracle yet another vulnerability notice, including proof-of-concept code for two additional flaws. Oracle began investigating the same day. On February 27, it declared that the first alleged issue was not a vulnerability but confirmed the second issue.

Security Explorations disagreed with Oracle’s assessment regarding the first issue and provided Oracle with further examples as part of its argument. On February 28 (the same day FireEye discovered the latest version of Java was being exploited in the wild), Oracle said it would investigate the first issue again.

Regardless of what browser and operating system you are using, I recommend uninstalling Java if you don’t need it. If you do need it, set your Java security settings to “High” so that it prompts you before loading an applet. Check out last month's tech newsletter for more information.
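For readers who manage more than one machine, here is a small added example (my own illustration, not part of the original post or anything from Oracle) that checks the two mitigations above: is the installed Java at least the update level the post names as current (6u41 or 7u15), and is the Security Level slider set to High or stricter? It assumes that the Java Control Panel stores the slider under the key deployment.security.level in the user's deployment.properties file, and it works on constructed sample text rather than reading a live machine, so it runs anywhere.

```python
import re

# Constructed sample of what "java -version" prints (it goes to stderr).
SAMPLE_JAVA_VERSION_OUTPUT = '''java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)
'''

# Constructed sample deployment.properties. Assumption: the Control Panel
# "Security Level" slider is persisted as deployment.security.level with
# values such as MEDIUM, HIGH or VERY_HIGH.
SAMPLE_DEPLOYMENT_PROPERTIES = '''#deployment.properties
#Wed Mar 06 09:00:00 EST 2013
deployment.version=7.15
deployment.security.level=MEDIUM
'''

# Update levels the post names as current after the February 19 release.
LATEST_UPDATE = {6: 41, 7: 15}

# Levels at which Java prompts before running an applet.
ACCEPTABLE_LEVELS = {"HIGH", "VERY_HIGH"}


def parse_java_version(output):
    """Return (major, update) from 'java -version' output, e.g. (7, 15)."""
    m = re.search(r'java version "1\.(\d+)\.\d+_(\d+)"', output)
    if not m:
        raise ValueError("could not find a Java version string")
    return int(m.group(1)), int(m.group(2))


def parse_properties(text):
    """Minimal key=value parser for deployment.properties; skips comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def assess(version_output, properties_text):
    """Report whether the install is current and the security level is High."""
    major, update = parse_java_version(version_output)
    props = parse_properties(properties_text)
    level = props.get("deployment.security.level", "UNSET")
    findings = []

    latest = LATEST_UPDATE.get(major)
    if latest is None:
        findings.append("Java %d is not a release this check knows about" % major)
    elif update < latest:
        findings.append("Java %du%d is older than %du%d; apply the update"
                        % (major, update, major, latest))

    if level not in ACCEPTABLE_LEVELS:
        findings.append("security level is %s; set it to HIGH so applets prompt"
                        % level)

    return {"major": major, "update": update, "level": level,
            "findings": findings}


if __name__ == "__main__":
    result = assess(SAMPLE_JAVA_VERSION_OUTPUT, SAMPLE_DEPLOYMENT_PROPERTIES)
    print("Java %du%d, level %s" % (result["major"], result["update"],
                                    result["level"]))
    for finding in result["findings"]:
        print(" -", finding)
```

On a real machine you would feed it the output of `java -version` and the contents of deployment.properties (on Linux usually ~/.java/deployment/, on Windows under the user's AppData\LocalLow\Sun\Java\Deployment folder; both locations are my assumption). Keep in mind what the post says: 7u15 was itself being exploited, so passing the version check only means there is nothing newer to install, not that the plugin is safe, which is why uninstalling remains the first recommendation.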
