Oracle has released a slew of patches for its Java platform, fixing a total of 29 bugs in Java SE and Java for Business. Several of the flaws allow a remote attacker to take complete control of a vulnerable machine.
Java is among the more widely deployed technologies on the Web and it is now a favored vector for attackers looking for a common and easy way into machines. It’s very difficult to browse the Web these days without having Java enabled in your browser, as millions of sites rely on the technology for portions of their functionality.
Among the 29 bugs that Oracle fixed in its quarterly Critical Patch Update for Java are 28 vulnerabilities that are remotely exploitable with no authentication, and more than half of them offer a low barrier to exploitation for attackers. Some of the bugs that Oracle patched Tuesday are issues raised by security researcher Sami Koivu, who earlier this year talked about a class of bugs in Java called “serialization” flaws.
“Several of the serialization issues
were addressed. It looks like they created a cute little mechanism for
preventing external calls to defaultReadObject/defaultWriteObject. And
the problem of repeated fields also seems to be addressed. The early
reference stuff can’t really be fixed, because it is a feature. And that
means you can still create an Integer object that has 0 as its value
and then later at an arbitrary moment changes it’s value to something
else,” Koivu wrote in a blog post on the Java update.
Because so many of the Java bugs are relatively easily exploitable, Oracle is urging customers to install the fixes immediately.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the CPU fixes as soon as possible.
Until you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by restricting network protocols required by an
attack. For attacks that require certain privileges or access to certain
packages, removing the privileges or the ability to access the packages
from unprivileged users may help reduce the risk of successful attack.
Both approaches may break application functionality, so Oracle strongly
recommends that customers test changes on non-production systems.
Neither approach should be considered a long-term solution as neither
corrects the underlying problem,” the company said in its advisory.