Feeds

Rotten hackers feast on mouldy Java flaws

Updates don't remove the elderly versions...

The Power of One eBook: Top reasons to choose HP BladeSystem

Most enterprise networks are riddled with vulnerable Java installations, according to a new study whose release coincides with the discovery of another 0-day Java flaw.

Less than one per cent of organisations are running the latest version of Java, according to a study by security software firm Bit9. The most frequently encountered version of Java running on endpoints is version 6 update 20, found on 9 per cent of systems and subject to 96 high-severity vulnerabilities.

The average enterprise has more than 50 versions of Java installed across its PCs and servers, while five per cent of those enterprises have more than 100 versions of Java installed.

This creates a smorgasbord of mouldy vulnerabilities for hackers to feast upon. At least part of the reason for this sorry state of affairs is that the Java installation and update process often does not remove older versions of the widely used technology.

Most endpoints have multiple versions of Java installed, which means hackers can fairly easily determine what versions of Java an enterprise is running before targeting the oldest, most vulnerable versions. Eighty-two per cent of the endpoints analysed by Bit9 were running version 6 series of Java, which has the most known vulnerabilities of any version of Java.

All these factors make Java a hacker and cyberspy favourite or the "endpoint technology most targeted by cyber attacks," as Bit 9 puts it.

Bit9's study, put together in a report entitled Java Vulnerabilities: Write Once, Pwn Anywhere, is based on an analysis of Java deployment statistics on approximately 1 million endpoints at hundreds of enterprises worldwide.

Oracle only recently revamped the Java update process so that older versions were purged. But these changes have done nothing by themselves to address legacy or orphaned Java installations, some of which date back to the dawn of personal computing, according to Bit9. In trying to minimise compatibility problems, a legacy of insecurity has been created.

“For the past 15 years or so, IT administrators have been under the misconception that updating Java would address its security issues,” explained Harry Sverdlove, Bit9's chief technology officer. “They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading.

"Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95,” he added.

Sorting out the mess involves picking up the cyber-security equivalent of an emergency audit. Enterprises should first evaluate how many versions of Java are running before deciding whether these older versions are needed for valid business reasons and, in particular, whether Java should be running in browsers.

Several security firms routinely advise consumers and business to disable Java browser add-ons, which are seldom needed to surf the 'net but sometimes needed for internet applications. Users can then use security technologies from the likes of Bit9 and others to enforce these policy decisions.

A video featuring Bit9 CTO Harry Sverdlove discussing the Java problem can be found here.

Groundhog 0-day

Separately‎‎, Poland-based security research outfit Security Exploration claim to have unearthed a flaw that bypasses the security sandbox on Java 7, exposing host systems to malicious attacks. Adam Gowdiak, chief exec and founder of Security Explorations, explained the flaw in a post on a Full Disclosure mailing list.

Security Explorations has created proof-of-concept exploit code PoC exploit code that does the business against Java SE 7 Update 25 and earlier. The vulnerability arises because of flaws in Reflection API (application programming interface), a technology that debuted in Java 7 SE and which has been the font of earlier security problems involving the latest version of the frequently abused software technology.

The upshot is that the latest version of Java can be attacked by types of attack that are more than 10 years old, according to Gowdiak, who slammed Oracle for permitting a through-route to such a well-known attack, which he argues should have been straightforward to defend against.

"If Oracle had any Software Security Assurance procedures adopted for Java SE, most of simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect."

Gowdiak's find means the Java zero-day counter was reset on Thursday, yet again. Oracle is yet to respond to Gowdiak's discovery, so it's unclear if and when a fix might become available. The security giant last released a batch of Java updates in June (details here) and the next scheduled update is not due until October. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.