Q&A over Oracle’s Java in regard to the zero-day exploit

1. This is your standard take-victims-to-a-malicious-Web-page kind of
attack. Why the excitement? Because of the high danger of the breach? What?

This vulnerability in Java is the second one in the last 6 months (the first one was on August 29, 2012).
The problem with Java is that it is cross-platform and is installed on over 1 billion devices (according to Oracle) across a multitude of platforms and operating systems. If something as widespread as Java gets affected and misused to spread malware or worse (imagine the impact a DDoS launched from these machines would have), it is absolutely normal for it to get so much attention in the mass media.

2. Oracle’s fix switches Java security settings to high by default. This
requires users to expressly authorize the execution of applets which are
either unsigned or self-signed. Doesn’t any decent AV system already do that
if it’s set up to do that by the user?

It is not necessarily the AV software that should do this. There are millions of applets out there which are unsigned or self-signed. If the AV producers were to report every one of them, they would do nothing else than whitelist these applets.
In my opinion it is the responsibility of the platform (Java in this case) to have such a configurable functionality built in.

3. US-CERT recommends that users temporarily disable Java even after applying Oracle’s Java 7 Update 11 unless it’s absolutely necessary to run Java in Web browsers. It also says there’s potentially a bug in the Java installer. And it states that there have been situations where Java will crash if it’s been disabled in the Web browser after being updated to 7u11 and then re-enabled, and needs a reinstall.
So has Oracle done enough? What doesn’t the fix do? What more should Oracle do?

In my opinion, Oracle did what any software company would do under high pressure: the minimum necessary to solve the problem.
With each such vulnerability they are in the news, and they lose market share in favor of Microsoft (Silverlight) and Adobe (Flash).
But developing critical software under pressure has only one consequence: even more bugs.
I am expecting to see soon even more bugs and vulnerabilities related to this quick fix or similar to it.
I can’t say what the fix doesn’t do, as I don’t know the internals of Java.
I can say, however, what it should do: it should mitigate all possible attack vectors so that in the long term the platform becomes secure by design, by default and in deployment.

In the long term, I think the best thing Oracle could do is to rethink its entire software development strategy.
Java is something that was acquired and was developed over many years by many people. In time, this means that the code has become close to impossible to maintain.

4. Apparently there’s already malicious code in the wild that exploits this
vulnerability and thousands of people have been affected, or so it seems. Is
this correct?

We don’t have exact data, but considering how widespread Java is, it is to be expected that many people got affected without knowing it.
If somebody used this vulnerability to spread new malware, it is possible that in the medium term we will see some malware like Stuxnet or Flame.
Think of it as a targeted malware attack. There is no need to infect millions; it is enough to infect only those who matter.

5. What can victims who’ve been affected do? Reinstall their systems
perhaps?

Everybody who was in contact with Java in a browser (applets) should keep an eye on their systems.
Any suspicious activity, such as increased CPU usage, network traffic or hard drive activity, should be reported to system administrators and AV producers for analysis.
In the case of important systems where it is not acceptable to risk anything (systems managing PII, life-critical systems, industrial systems), it is advisable to reinstall (or revert) the system in order to achieve maximum certainty.

6. What steps should businesses and consumers take to protect themselves?

First of all, analyze whether they really need Java. If not, uninstall it from all computers in your company.
If you do need it, consider the advice given here
http://techblog.avira.com/2013/01/14/how-to-disable-the-java-web-plug-in-in-all-browsers/en/
and in the other articles referenced in it.
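The settings behind questions 2 and 6 (the applet security level that the 7u11 fix raises to HIGH by default, and the switch that turns off Java in the browser entirely) live in Java's deployment.properties file. The script below is an added example, not part of the original article: it audits such a file and reports whether the browser plug-in is hardened. The property keys are Oracle's documented deployment properties; the file paths and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): audit a Java deployment.properties
# file for the two settings discussed above. The property keys are Oracle's
# documented deployment properties; the temp files and their sample
# contents are constructed for this demonstration.

# Print the value of a key from a properties file (empty if absent).
# The last definition wins, as in Java's own properties loader.
prop_value() {
    key=$(printf '%s\n' "$2" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '\r'
}

# Return 0 when the file hardens the browser plug-in: either Java content
# in the browser is switched off (deployment.webjava.enabled=false, what
# the linked article achieves), or the applet security level is HIGH or
# VERY_HIGH, so unsigned/self-signed applets require a user prompt.
java_plugin_hardened() {
    case "$(prop_value "$1" deployment.webjava.enabled)" in
        false) return 0 ;;
    esac
    case "$(prop_value "$1" deployment.security.level)" in
        HIGH|VERY_HIGH) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: pre-7u11 style defaults (MEDIUM, plug-in enabled).
WEAK=$(mktemp); cat > "$WEAK" <<'EOF'
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
EOF

# Constructed sample for a system-level file: plug-in off, level pinned,
# both keys locked so the Java Control Panel cannot lower them again.
HARD=$(mktemp); cat > "$HARD" <<'EOF'
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
EOF

for f in "$WEAK" "$HARD"; do
    if java_plugin_hardened "$f"; then
        echo "$f: browser plug-in hardened"
    else
        echo "$f: plug-in exposed (level=$(prop_value "$f" deployment.security.level))"
    fi
done
```

Point the functions at the real per-user or system-level deployment.properties on a machine to check what the Java Control Panel has actually written there.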


© Copyright 2013 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT Security industry since 2000 and worked from 2003 to 2014 for Avira as Product Manager for the well-known products used by over 100 million users worldwide. Today he is an independent IT Security Consultant focusing on Cybersecurity, secure software development and security for IoT and Automotive. He also runs his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security.
