Oracle Leaves Fix for Java SE Zero Day Until February Patch Update

Oracle will not patch a critical sandbox escape vulnerability in Java SE versions 5, 6 and 7 until its February Critical Patch Update, according to the researcher who discovered the flaw. Adam Gowdiak of Polish security firm Security Explorations told Threatpost via email that Oracle said it was deep into testing of another Java patch for the October CPU released yesterday and that it was too late to include the sandbox fix.

Oracle patchOracle will not patch a critical sandbox escape vulnerability in Java SE versions 5, 6 and 7 until its February Critical Patch Update, according to the researcher who discovered the flaw. Adam Gowdiak of Polish security firm Security Explorations told Threatpost via email that Oracle said it was deep into testing of another Java patch for the October CPU released yesterday and that it was too late to include the sandbox fix.

Gowdiak’s team did share a technical description of the issue and source and binary codes of proof-of-concept exploit code.

The vulnerability and exploit were announced in late September. Gowdiak’s exploit successfully beat a fully patched Windows 7 computer running Firefox 15.0.1, Chrome 21, Internet Explorer 9, Opera 12 and Safari 5.1.7. The exploit relies on a user landing on a site hosting the exploit; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately have full remote control of a compromised machine.

Oracle did not respond to a request for comments.

Gowdiak’s Java vulnerability was the second severe issue found on the platform since August. Another critical vulnerability was found in Java 7 and exploits were successful in dropping the Poison Ivy remote access Trojan on vulnerable machines. The attacks were attributed to the Nitro group of hackers based in China.

Java users meanwhile are left exposed until the next CPU scheduled for Feb. 19 for a fix, unless Oracle decides to release an out-of-band fix.

“It looks [like] the only guys that are able to force Oracle to action are not their customers, not security researchers, but the Chinese hackers,” Gowdiak said.

Oracle’s CPU yesterday did fix 30 Java vulnerabilities, one third of them given the highest criticality score on the CVSS Risk Matrix. All but one of the vulnerabilities are remotely exploitable and affect Java SE 7 and earlier.

Oracle urged customers to apply the patches as soon as possible because of their remote exploitability. In the meantime, Oracle recommended several workarounds, including restricting network protocols required by an attack, or removing the privileges or the ability to access the packages from unprivileged users. Oracle cautions either workaround could break an application.

On top of the Java vulnerabilities, Oracle also released 109 fixes for flaws on a variety of platforms, including Oracle Database Server, Fusion Middleware, MySQL Server, PeopleSoft and Siebel CRM, Sun Products Suite, Oracle Financial Services Software, Oracle E-Business Suite and more.

A remotely exploitable password cracking vulnerability is being addressed in Oracle 11g. According to CVE 2012-3137, Oracle 11g 1 and 2 has a critical flaw in its authentication protocol that allows an attacker to learn a session key and salt hash. The vulnerability leaks hash information and simplifies brute-force attacks against passwords. Four other flaws in the database server are also being repaired, none remotely exploitable.

The CPU also fixes 26 vulnerabilities in Oracle Fusion middleware, half of which are remotely reachable. Oracle said in its release the exposure of the middleware products depends on the Oracle Database version being used.

Oracle patched 18 vulnerabilities in Sun products, including remotely exploitable bugs in Solaris, including a kernel and COMSTAR component problem. Another remote vulnerability was addressed in Oracle GlassFishServer, Sun GlassFish Enterprise Server, and Sun Java System Application Server.

There are also 14 fixes for Oracle MySQL Server, two of which repair remote execution vulnerabilities in the MySQL client and protocol.

 

This article was updated Oct. 18 to remove a reference to Adam Gowdiak presenting technical details of the Java sandbox exploit escape at a conference next month. Gowdiak will be speaking at the event, but will not share exploit details unless a patch is provded by Oracle beforehand.

Suggested articles