Oracle pushed out another 40 Java patches Tuesday night, bringing the total number of Java security updates for 2013 to well over 100 and already exceeding the number of Java patches released in 2012.
Attackers have had a field day this year exploiting previously unreported vulnerabilities in Java, in particular in the browser plug-in. Attacks against Java have been used against government, human rights and business targets with impunity, forcing Oracle to delay the release of Java 8 because of the platform’s security issues.
Oracle stressed in its advisory that, given the risk these flaws pose, administrators should ensure that the updates are applied; four of the 40 patches released on Tuesday are for server deployments.
HP’s Brian Gorenc, manager of the Zero Day Initiative, said 10 of the vulnerabilities patched Tuesday were reported by HP in April, resulting in a fairly quick patch turnaround for Oracle.
“These vulnerabilities cover a wide spectrum of software weaknesses including sandbox bypasses, heap-based buffer overflows, and out-of-bounds writes,” Gorenc said. “As we saw earlier this year at Pwn2Own, these specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code.”
Of the 40 vulnerabilities, 37 can enable an attacker to remotely execute code and compromise the underlying system.
“An attacker can achieve this by using a variety of drive-by techniques letting a Java applet run arbitrary code outside of the Java sandbox,” said Amol Sarwate, Qualys Vulnerability Labs director.
Java sandbox exploits have been child’s play so far in 2013. The sandbox is a built-in protection where code is executed and analyzed before it’s pushed through; anything malicious is supposed to be quarantined there. Attackers have figured out ways to bypass the sandbox, primarily with attacks exploiting weaknesses in the Reflection API. Researcher Adam Gowdiak of Polish security company Security Explorations said that dozens of insecure Reflection API calls were introduced into Java 7.
Attackers have also been able to combine exploits against multiple vulnerabilities to break previous Java updates and gain privilege elevation in addition to remote code execution.
Fourteen of yesterday’s 40 patches were given a criticality rating of 9.3 on a scale of 10, and most of those 14 were rated 10. All 40 of the vulnerabilities affect Java 7 Update 21 and earlier, and some also affect Java 6 and 5.
“The recommendation here, as always, is for all users to patch as quickly as possible,” said Ross Barrett, senior manager of security engineering at Rapid 7. “There are a good number of researchers that have been credited for these fixes and it’s likely that Proof of Concept code will be released now that the patches are available.”
Oracle also released a fix for the Javadoc Tool.
“API documentation in HTML format generated by the Javadoc tool that contains a right frame may be vulnerable to frame injection when hosted on a web server,” Oracle said in its advisory. “Sites hosting such pages should re-generate the API documentation using the latest Javadoc tool and replace the current pages with the re-generated Javadoc output (see CVE-2013-1571 below). In cases where regenerating API documentation is not feasible, a Java API Documentation Updater Tool that updates API documentation ‘in place’ is available here.”
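The frame-injection class the advisory describes arises when a frameset index page takes a page name from its own URL and loads it into the content frame without checking it. As an added example (not Oracle's advisory text and not the Javadoc tool's own code), the following is a whitelist check of the kind a hardened index page would apply before setting the frame source; the allowed page-name rule and the function names are assumptions of this example.

```javascript
// Added example, not code from the Javadoc tool. A frameset documentation index
// that copies a page name from window.location (query string or hash) straight
// into a frame's src can be made to frame an arbitrary external page by a
// crafted link. The fix is to accept only names that match a strict whitelist.
//
// Assumed rule (this example's own): a relative path of [A-Za-z0-9_-] segments,
// a filename ending in ".html", and an optional "#anchor" of safe characters.
function isSafeTargetPage(target) {
  if (typeof target !== "string" || target.length === 0 || target.length > 512) {
    return false;
  }
  // Explicit rejections for readability; the whitelist below would also refuse
  // these. A scheme ("http:", "javascript:"), a leading slash ("//evil.example",
  // "/other") or traversal ("..") are the ways a foreign page gets loaded.
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(target)) return false;
  if (target.startsWith("/") || target.startsWith("\\")) return false;
  if (target.includes("..")) return false;

  // Split off an optional fragment, then match path and anchor exactly.
  const hashIdx = target.indexOf("#");
  const path = hashIdx === -1 ? target : target.slice(0, hashIdx);
  const anchor = hashIdx === -1 ? "" : target.slice(hashIdx + 1);
  const pathOk = /^(?:[A-Za-z0-9_-]+\/)*[A-Za-z0-9_.-]+\.html$/.test(path);
  const anchorOk = anchor === "" || /^[A-Za-z0-9_.()%,-]+$/.test(anchor);
  return pathOk && anchorOk;
}

// Resolve the frame target the way a hardened index page would: read the value
// from the query string, percent-decode it (so an encoded scheme cannot slip
// past the check), and fall back to a known default page when it is unsafe.
function resolveTargetPage(search, defaultPage) {
  const raw = search.startsWith("?") ? search.slice(1) : search;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    decoded = ""; // malformed percent-encoding is treated as unsafe
  }
  return isSafeTargetPage(decoded) ? decoded : defaultPage;
}
```

In a page, the decoded result would be assigned to the content frame's `src` only after this check, with `window.location.search` as the first argument.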