Do you really need Java?

Date of publication: 14/09/2012, CERT Polska

In late August, Oracle decided to release a Java update ahead of the Critical Patch Update (CPU) scheduled for October 16. According to reports, the update contains four security fixes. This year Oracle has already released 32 security fixes across all Java SE products. The immediate cause for the new version was the vulnerability designated CVE-2012-4681, but there is no sign that reports of further Java vulnerabilities will stop in the near future.

GetClass("sun.awt.SunToolkit") – new mandatory position in exploit packs?

At the end of August (FireEye 26.08, Gowdiak 28.08) a newly discovered vulnerability in Oracle Java was reported. The fact that a PoC (Proof of Concept) became publicly available soon afterwards significantly eased adapting the vulnerability to infect users with malware. Within a short time the corresponding exploit was added to the currently most popular exploit pack – Blackhole – where it replaced the previously used Java vulnerability, CVE-2012-0507.

CVE-2012-4681

Exploiting the vulnerability is not particularly difficult. It is based on using the execute() method of an Expression object in order to bypass the restrictions of the GetField() function from the class sun.awt.SunToolkit. As a result, an untrusted Java applet may escalate its privileges by calling the setSecurityManager() function and then run any application with full privileges.

The solution is to install an updated version of Java. I would not count on an absence of further Java vulnerabilities, though. Shortly after Oracle released the fix, new vulnerabilities were reported (Gowdiak 31.08) and confirmed by the vendor. Details have not been published so far, but knowledge of their existence will probably spur a more intensive search for them. This new vulnerability should be fixed in version 1.7 update 9 (scheduled for October 16). Let us hope that if a new exploit is spotted in the wild, Oracle once again decides to release an out-of-cycle update. Meanwhile, you should consider uninstalling Java or disabling the Java browser plugin.
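As an added example (not code from the article or from CERT Polska), a small Python check that parses the legacy "1.<major>.0_<update>" Java version string and reports whether the installed runtime predates the release carrying the fix. The fix versions used as thresholds, Java 7 Update 7 and Java 6 Update 35, are taken from Oracle's security alert for CVE-2012-4681, not from the text above; the sample outputs are constructed.

```python
import re
import subprocess

# Legacy Java version format, e.g. 'java version "1.7.0_06"'.
# Modern runtimes ("17.0.1") deliberately do not match.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+_(\d+)"')

# First update of each affected major release that carries the fix
# (from Oracle's security alert, an assumption not stated in the article).
FIXED_UPDATES = {7: 7, 6: 35}


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` output, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_update(output, fixed=FIXED_UPDATES):
    """True if the reported runtime is older than the first fixed build.

    Returns None when no legacy-format version is present. Majors older than
    any in the table (e.g. Java 5) are reported as needing an update; newer
    majors are treated as already carrying the fix.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update = parsed
    if major not in fixed:
        return major < min(fixed)
    return update < fixed[major]


def check_installed_java():
    """Run the real `java -version` (it prints to stderr) and evaluate it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None  # no Java on PATH: nothing to update or disable
    return needs_update(proc.stderr)


# Constructed sample outputs for offline use.
SAMPLE_OLD = 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
SAMPLE_NEW = 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n'
```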

How to disable Java in web browser?

Mozilla Firefox

Open the Tools menu and choose Add-ons.

Then select the Java plugin(s) and disable them.

Internet Explorer

Open the menu and choose Add-ons.

Then select the Java plugin and click Disable.

Confirm disabling the Java plugin along with the related plugins.

Google Chrome

Type chrome://plugins in the address bar.

Then select the Java plugin(s) and disable them.

Opera

Type opera:plugins in the address bar.

Then select the Java plugin(s) and disable them.
