Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Oracle Java: 20 new vulnerabilities patched - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Oracle Java: 20 new vulnerabilities patched

Welcome to the n-th iteration of "patch now" for Java on Workstations. Oracle today published their quarterly patch bulletin, and Java SE is once again prominently featured. This Critical Patch Update (CPU) contains 20 new security fixes for Oracle Java SE.  Most of the vulnerabilities are remotely exploitable without authentication, and CVSS scores of 10 and 9.3 indicate that they can be readily exploited, and lead to full compromise. Which means that keystroke loggers, ebanking trojans, etc, will soon follow.

Oracle/Java is probably by now one of the most successful charities in the world, it continues to do an outstanding job at enabling significant wealth transfer to support poor cyber criminals and their families. Except that the sources of the funds usually have no idea, and didn't agree to donate directly from their bank accounts ...

After the past three years of repeated gaping holes in Java, we hope that by now you have found a way to remove Java from your computers entirely, or to at least no longer run the Java plugin within the web browser.  Otherwise, it is back to the hamster wheel, to yet again re-test all your applications that still require Java, to check for the inevitable incompatibilities with this latest release, and then to expedite the roll-out. This is definitely a patch that you don't want to skip or delay.

The full Oracle patch bulletin is available here: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA  .

The other Oracle patches (for database, etc) released in today's patch CPU are still under analysis here at SANS ISC. I'll post about them later, if warranted.

Daniel

367 Posts
ISC Handler
Except for XP. Honestly though, does anyone outside of Android development use java?
Anonymous
Quoting Anonymous:Except for XP. Honestly though, does anyone outside of Android development use java?


Yes, unfortunately.

Lots of applications in the educational and public arena either run in a JVM, or utilize webpages that leverage Java.
One entity for which I consulted a while ago uses a product that, just a few months ago (around April of 2014 or so) finally OK'd the use of Java 7 Update 25 (from June 2013). Anything newer than that, and their app breaks.
A whole suite of special ed testing and scoring software that many school districts use still uses Java 1.4.x.

I could go on...
Jaybone

27 Posts
Some folks may have missed that from 7u51 onwwards you can add sites to the exceptions lists see https://www.java.com/en/download/exception_sitelist.jsp
Anonymous
I know, software in the ed sector is awful. We literally had one developer refuse to update their software because, "Oracle has made fundamental changes to the way applets work. For over 15 years, applets that followed the rules for applets were allowed to run in browsers; however, Oracle has now changed this."
John

88 Posts
Most every Cisco branded IP Phone running today uses embedded Java as its underlying OS.
Steven

12 Posts
We use a lot of banking applications from various banks. One in particular likes to check for the latest version of Java within a day of its release. Makes updating workstations particular difficult.

I HATE JAVA!!
Anonymous
I Love Java.. But HATE Securities Issues..
Anonymous
I love Java to,
as a software engineering student, i do follow this site based on
http://java.tv/how-to-learn-software-engineering/
article.
I hope i will be knowledgefull engineer
Anonymous

Sign Up for Free or Log In to start participating in the conversation!