Two Java security vulnerabilities that can affect Java used within popular Web browsers received emergency patches Jan. 13 from Oracle to prevent unsuspecting users from being affected by malicious processes from attacking Websites.
In a weekend post on The Oracle Software Security Assurance Blog, spokesman Eric P. Maurice wrote that the company released Security Alert CVE-2012-0422 to fix two vulnerabilities in the Java code. A fix for an older issue, CVE-2012-3174, was also included.
“These vulnerabilities do not affect Java on servers, Java desktop applications or embedded Java,” Maurice wrote. “These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0,” meaning they have the highest severity scores on the Common Vulnerability Scoring System (CVSS) scale used by the National Vulnerability Database, which is maintained by the U.S. Department of Homeland Security. “Oracle recommends that this security alert be applied as soon as possible because these issues may be exploited ‘in the wild’ and some exploits are available in various hacking tools.”
For either vulnerability, a successful attack on users’ computers must “trick an unsuspecting user into browsing a malicious Website,” Maurice wrote. “The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system. These vulnerabilities are applicable only to Java in Web browsers because they are exploitable through malicious browser applets.”
As part of the security alert, Oracle is also switching Java security settings to “high” by default, Maurice wrote. “The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed,” he wrote. “As a result, unsuspecting users visiting malicious Websites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.”
If users don’t patch their Java code immediately, they can also disable Java in their Web browsers by going through the Java Control panel on their computers, he wrote.
“These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password,” according to the security alert. “To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious Web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity and confidentiality of the user’s system.”
Both vulnerabilities are found in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries), according to Oracle. “Supported versions that are affected are 7 Update 10 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized operating system takeover including arbitrary code execution.”
Mozilla, the organizers of the Firefox Web browser, posted information Jan. 11 on the Mozilla Security Blog to advise users that due to the recent vulnerabilities, Firefox will not automatically load the Java applet for users. Instead, users will have to overrule Firefox on their own to use the Java applet through the “Click to Play” safeguards built into Firefox since last fall, according to the post by Michael Coates, Mozilla’s director of security assurance.
Click to Play “ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin,” Coates wrote. “This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.”
The Click to Play feature has been activated by Mozilla for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38), he wrote. “Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.”
On Jan. 11, security experts were again calling for computer users to disable the Java Web browser plugin and uninstall the software on their systems, following the discovery of a zero-day vulnerability in the latest version of the Java Runtime Environment.
Information about the vulnerability emerged Dec. 10, after a security professional discovered an exploit using the security hole to compromise systems. The vulnerability, which appears to only affect Java Runtime Environment (JRE) 1.7 and not prior versions, had not previously been known but appears to be similar to other Java security issues found in August 2012.