Oracle Leaves Fix for Java SE Zero Day Until February Patch Update

Oracle will not patch a critical sandbox escape vulnerability in Java SE versions 5, 6 and 7 until its February Critical Patch Update, according to the researcher who discovered the flaw. Adam Gowdiak of Polish security firm Security Explorations told Threatpost via email that Oracle said it was deep into testing of another Java patch for the October CPU released yesterday and that it was too late to include the sandbox fix.

Gowdiak’s team did share a technical description of the issue, along with source and binary code for a proof-of-concept exploit.

The vulnerability and exploit were announced in late September. Gowdiak’s exploit successfully beat a fully patched Windows 7 computer running Firefox 15.0.1, Chrome 21, Internet Explorer 9, Opera 12 and Safari 5.1.7. The exploit relies on a user landing on a site hosting the exploit; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately have full remote control of a compromised machine.

Oracle did not respond to a request for comments.

Gowdiak’s Java vulnerability was the second severe issue found on the platform since August. Another critical vulnerability was found in Java 7 and exploits were successful in dropping the Poison Ivy remote access Trojan on vulnerable machines. The attacks were attributed to the Nitro group of hackers based in China.

Java users meanwhile are left exposed until the next CPU scheduled for Feb. 19 for a fix, unless Oracle decides to release an out-of-band fix.

“It looks [like] the only guys that are able to force Oracle to action are not their customers, not security researchers, but the Chinese hackers,” Gowdiak said.

Oracle’s CPU yesterday did fix 30 Java vulnerabilities, a third of which were given the highest criticality score on the CVSS Risk Matrix. All but one of the vulnerabilities are remotely exploitable and affect Java SE 7 and earlier.

Oracle urged customers to apply the patches as soon as possible because of their remote exploitability. In the meantime, Oracle recommended several workarounds, including restricting the network protocols an attack requires, or removing unprivileged users’ privileges or their ability to access the affected packages. Oracle cautions that either workaround could break an application.

On top of the Java vulnerabilities, Oracle also released 109 fixes for flaws on a variety of platforms, including Oracle Database Server, Fusion Middleware, MySQL Server, PeopleSoft and Siebel CRM, Sun Products Suite, Oracle Financial Services Software, Oracle E-Business Suite and more.

A remotely exploitable password cracking vulnerability is being addressed in Oracle 11g. According to CVE-2012-3137, Oracle 11g Release 1 and Release 2 have a critical flaw in the authentication protocol that allows an attacker to learn a session key and salt hash. The vulnerability leaks hash information and simplifies brute-force attacks against passwords. Four other flaws in the database server are also being repaired, none of them remotely exploitable.

The CPU also fixes 26 vulnerabilities in Oracle Fusion Middleware, half of which are remotely reachable. Oracle said in its release that the exposure of the middleware products depends on the Oracle Database version being used.

Oracle patched 18 vulnerabilities in Sun products, including remotely exploitable bugs in Solaris, among them a kernel problem and a COMSTAR component problem. Another remote vulnerability was addressed in Oracle GlassFish Server, Sun GlassFish Enterprise Server, and Sun Java System Application Server.

There are also 14 fixes for Oracle MySQL Server, two of which repair remote execution vulnerabilities in the MySQL client and protocol.


This article was updated Oct. 18 to remove a reference to Adam Gowdiak presenting technical details of the Java sandbox escape exploit at a conference next month. Gowdiak will be speaking at the event, but will not share exploit details unless a patch is provided by Oracle beforehand.

Discussion

  • Lou Lange on

    Oracle should reconsider their decision about this patch. Postponing it until February leaves hackers licking their chops and will cause them to try hard to exploit this flaw. Does Oracle want to wait until there is a massive exploit for an unfixed flaw when they could patch it?

  • Anonymous on

    Frankly, this guy is a jackass. He reported the problem about two weeks ago, and is going to publish how to exploit it in two more unless the bug is INSTANTLY fixed? Jeopardizing the fixes for the 30 bugs they JUST got through QA and out? Finding security bugs is a great thing ... but sometimes you've got to be reasonable.

  • Anonymous on

    TILLLLLLLLLLLLL FEBRUARY
    FUCK SHIT DAMMIT DO YOU KNOW HOW LONG I HAVE WAITED

  • FinerRhyner on

    No point patching

    So what? They can wait till Feb 2014 too. As soon as they release the patch one more bug will surface and get exploited. Apple took a wise step banishing them from their OS. Oracle Java, Adobe Flash, other Adobe products and Mozilla Firefox: these are products coded and patched in a hurry. Steer clear of them and you might stay safe for quite some time.

    Don't use Linux. Don't use Windows. Use something uncommon, like NetBSD on a RISC- or ARM-based tablet or server. There are barely any smart shellcodes for uncommon operating systems and underlying hardware.

  • Anonymous on

    I am going to use my Barbie Touch Screen Tablet until this thing is fixed!
