Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Out-of Order Java Update

Oracle released an emergency update for Java [1]. The nature of the flaw, and how the update fixes the flaw, is somewhat obscured. According to Oracle's advisory, the user would first have to install malicious software, then install Java. So it doesn't appear to be exploitable on any system that has Java already installed. The Oracle advisory also states that an exploit is complex.

At this point, I don't see a compelling reason to "rush out" this patch. Deal with it as part of your regular patch process. Some of the Microsoft patches to be released later today are likely more important.

[1] https://blogs.oracle.com/security/entry/security_alert_cve_2016_0603

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022

 Johannes

4343 Posts
ISC Handler
Feb 9th 2016
Thread locked Subscribe Feb 9th 2016
5 years ago
Quote:The Oracle advisory also states that an exploit is complex.


Given that almost all users run executable installers they downloaded from the 'Net from their "Downloads" directory, the attack is rather trivial: see http://www.securityfocus.com/archive/1/537462
 Anonymous
Quote Feb 9th 2016
5 years ago
Technical people might be even more susceptible. We rebuild our systems more often, and also like to use proven, tested software rather than newly downloaded. I could foresee someone rebuilding their system, restore their personal profile folders, then using their known "good" installers from their Downloads directory.
 Juice

12 Posts
Quote Feb 9th 2016
5 years ago
I have to agree with Juice on this one.
There are likely many enterprise (all sizes) operations that will utilize "known good" installers, even old versions, as part of their software inventory.
The reasons this may happen are numerous, but generally boil down to bad maintenance practices, if any.
So many times I have walked into a customer engagement and I get blank looks when I ask about their patching and software version management practices. I have almost come to expect the same response in many small to medium operations that do not have an established IT security program or office.
Oracle is likely trying to cover their butts on this one with regards to customers who are in such a situation.
 AlSitte

30 Posts
Quote Feb 9th 2016
5 years ago

Sign Up for Free or Log In to start participating in the conversation!